
29580 matches found

OSV
added 2026/03/23 6:16 p.m., 2 views

GO-2026-4802 Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal in github.com/siyuan-note/siyuan/kernel

Siyuan has an Unauthenticated Arbitrary File Read via Path Traversal in github.com/siyuan-note/siyuan/kernel...

7.5 CVSS, 5.8 AI score, 0.0333 EPSS
Exploits: 1, References: 2
OSV
added 2026/03/23 6:16 p.m., 3 views

GO-2026-4778 Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets in github.com/juju/juju

Juju affected by Confused Deputy IDOR attack via Predictable user specified ID in Juju Secrets in github.com/juju/juju...

6.6 CVSS, 5.8 AI score, 0.00269 EPSS
Exploits: 1, References: 3
OSV
added 2026/03/23 6:14 p.m., 1 view

GO-2026-4768 Dasel has unbounded YAML alias expansion in dasel leads to CPU/memory denial of service in github.com/tomwright/dasel

Dasel has unbounded YAML alias expansion in dasel leads to CPU/memory denial of service in github.com/tomwright/dasel...

6.2 CVSS, 5.8 AI score, 0.00211 EPSS
Exploits: 1, References: 1
OSV
added 2026/03/23 6:14 p.m., 3 views

GO-2026-4777 Juju has unauthorized access to out-of-scope Kubernetes secrets in github.com/juju/juju

Juju has unauthorized access to out-of-scope Kubernetes secrets in github.com/juju/juju...

8.8 CVSS, 5.8 AI score, 0.00303 EPSS
Exploits: 1, References: 3
OSV
added 2026/03/23 6:14 p.m., 3 views

GO-2026-4774 qui CORS Misconfiguration: Arbitrary Origins Trusted in github.com/autobrr/qui

qui CORS Misconfiguration: Arbitrary Origins Trusted in github.com/autobrr/qui...

9.6 CVSS, 5.8 AI score, 0.00257 EPSS
Exploits: 0, References: 3
OSV
added 2026/03/23 6:14 p.m., 3 views

GO-2026-4765 mo has a XSS via inline SVG script tags in Markdown rendering in github.com/k1LoW/mo

mo has a XSS via inline SVG script tags in Markdown rendering in github.com/k1LoW/mo...

5.8 AI score
Exploits: 0, References: 1
OSV
added 2026/03/23 6:14 p.m., 3 views

GO-2026-4734 Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server

Mattermost fails to preserve the redacted state of burn-on-read posts during deletion in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing...

4.3 CVSS, 5.8 AI score, 0.00219 EPSS
Exploits: 0, References: 4
OSV
added 2026/03/23 6:14 p.m., 4 views

GO-2026-4742 Heimdall: Path received via Envoy gRPC corrupted when containing query string in github.com/dadrus/heimdall

Heimdall: Path received via Envoy gRPC corrupted when containing query string in github.com/dadrus/heimdall...

8.2 CVSS, 5.8 AI score, 0.003 EPSS
Exploits: 1, References: 5
Wiz blog
added 2026/03/23 5:38 p.m., 10 views

KICS GitHub Action Compromised: TeamPCP Strikes Again in Supply Chain Attack

Checkmarx KICS scanner is the latest victim of a credential-stealing supply chain attack by TeamPCP. Between 12:58–16:50 UTC on March 23, 35 tags were hijacked. Learn how to audit your workflows, identify malicious activity, and secure your GitHub Actions...

5.8 AI score
Exploits: 0
Krebs on Security
added 2026/03/23 3:43 p.m., 9 views

‘CanisterWorm’ Springs Wiper Attack Targeting Iran

A financially motivated data theft and extortion group is attempting to inject itself into the Iran war, unleashing a worm that spreads through poorly secured cloud services and wipes data on infected systems that use Iran's time zone or have Farsi set as the default language. Experts say the wip...

5.9 AI score
Exploits: 0
The Hacker News
added 2026/03/23 1:14 p.m., 14 views

⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers & More

Another week, another reminder that the internet is still a mess. Systems people thought were secure are being broken in simple ways, showing many still ignore basic advisories. This edition covers a mix of issues: supply chain attacks hitting CI/CD setups, long-abused IoT devices being shut down...

10 CVSS, 7.4 AI score, 0.98412 EPSS
Exploits: 49
The Hacker News
added 2026/03/23 8:31 a.m., 9 views

Trivy Hack Spreads Infostealer via Docker, Triggers Worm and Kubernetes Wiper

Cybersecurity researchers have uncovered malicious artifacts distributed via Docker Hub following the Trivy supply chain attack, highlighting the widening blast radius across developer environments. The last known clean release of Trivy on Docker Hub is 0.69.3. The malicious versions 0.69.4,...

9.4 CVSS, 6.2 AI score, 0.60368 EPSS
Exploits: 2
Circl
added 2026/03/22 3:00 a.m., 4 views

CVE-2026-32054

creationtimestamp | type | source
---|---|---
2026-03-22 03:00:05+00:00 | seen | https://github.com/openclaw/openclaw/security/advisories/GHSA-rm2p-j3r7-4x4j...

7.8 CVSS, 5.8 AI score, 0.00126 EPSS
Exploits: 0, References: 1
Circl
added 2026/03/22 3:00 a.m., 3 views

CVE-2026-32044

creationtimestamp | type | source
---|---|---
2026-03-22 03:00:05+00:00 | seen | https://github.com/openclaw/openclaw/security/advisories/GHSA-rm2p-j3r7-4x4j...

6.7 CVSS, 5.8 AI score, 0.00132 EPSS
Exploits: 0, References: 1
Circl
added 2026/03/22 3:00 a.m., 2 views

CVE-2026-32053

creationtimestamp | type | source
---|---|---
2026-03-22 03:00:05+00:00 | seen | https://github.com/openclaw/openclaw/security/advisories/GHSA-rm2p-j3r7-4x4j...

6.9 CVSS, 5.8 AI score, 0.00337 EPSS
Exploits: 0, References: 1
Circl
added 2026/03/22 3:00 a.m., 2 views

CVE-2026-32046

creationtimestamp | type | source
---|---|---
2026-03-22 03:00:05+00:00 | seen | https://github.com/openclaw/openclaw/security/advisories/GHSA-rm2p-j3r7-4x4j...

9.8 CVSS, 5.8 AI score, 0.00288 EPSS
Exploits: 0, References: 1
Circl
added 2026/03/22 12:52 a.m., 5 views

CVE-2026-33621

creationtimestamp | type | source
---|---|---
2026-03-22 00:52:07+00:00 | published-proof-of-concept | https://github.com/pinchtab/pinchtab/security/advisories/GHSA-j65m-hv65-r264...

6.5 CVSS, 6.3 AI score, 0.00308 EPSS
Exploits: 1, References: 1
Circl
added 2026/03/22 12:49 a.m., 4 views

CVE-2026-33623

creationtimestamp | type | source
---|---|---
2026-03-22 00:49:17+00:00 | published-proof-of-concept | https://github.com/pinchtab/pinchtab/security/advisories/GHSA-p8mm-644p-phmh...

7.2 CVSS, 6.3 AI score, 0.02904 EPSS
Exploits: 1, References: 1
Circl
added 2026/03/22 12:44 a.m., 5 views

CVE-2026-33619

creationtimestamp | type | source
---|---|---
2026-03-22 00:44:34+00:00 | published-proof-of-concept | https://github.com/pinchtab/pinchtab/security/advisories/GHSA-xqq2-4j46-vwp7...

5.5 CVSS, 5.8 AI score, 0.00249 EPSS
Exploits: 1, References: 1
Hacker One
added 2026/03/21 4:20 a.m., 18 views

DuckDuckGo: RCE + Supply Chain Attack via pull_request_target in content-scope-scripts/semver-label.yml — Affects All DuckDuckGo Browsers

A vulnerability was discovered in the DuckDuckGo content-scope-scripts repository's GitHub Actions workflow. The workflow used the pull_request_target trigger without access controls, allowing untrusted code from fork pull requests to be checked out and executed. This could have led to remote code...

6.3 AI score
Exploits: 0