GHSA-QVHC-9V3J-5RFW vulnerabilities
Vulnerabilities for packages: dotnet...
GO-2026-4529 Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped in github.com/sigstore/cosign
GO-2026-4516 Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints in github.com/akuity/kargo
GO-2026-4505 Libredesk has a SSRF Vulnerability in Webhooks in github.com/abhinavxd/libredesk
GO-2026-4515 Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints in github.com/akuity/kargo
Use After Free
Overview: Affected versions of this package are vulnerable to Use After Free in the chaiscript::TypeInfo::bareequal function. An attacker can cause a program crash or potentially execute arbitrary code by triggering use of memory after it has been freed. Remediation: There is no fixed version for...
GHSA-PX4R-G4P3-HHQV vulnerabilities
Vulnerabilities for packages: ipfs-cluster, spegel, kubo, ipfs-cluster-fips, rke2-runtime, k3s, spegel-fips...
Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens
Cybersecurity researchers have disclosed what they say is an active "Shai-Hulud-like" supply chain worm campaign that has leveraged a cluster of at least 19 malicious npm packages to enable credential harvesting and cryptocurrency key theft. The campaign has been codenamed SANDWORMMODE by supply...
Git Argument Injection via Reference Field in GitHubRepository Block
This report is not public...
ALSA-2026:3092 Important: golang-github-openprinting-ipp-usb security update
HTTP reverse proxy, backed by IPP-over-USB connection to device. It enables driverless support for USB devices capable of using IPP-over-USB protocol. Security Fixes: golang: net/url: Memory exhaustion in query parameter parsing in net/url CVE-2025-61726 crypto/tls: Unexpected session resumption ...
GHSA-QHP6-635J-X7R2
creationtimestamp| type| source
---|---|---
2026-02-21 12:40:40+00:00| seen| https://gist.github.com/alon710/e56b547bb8d66c88c36130e6613a09b3
...
User Impersonation
Overview: Affected versions of this package are vulnerable to User Impersonation in the SAML SSO authentication process. An attacker can gain unauthorized access to user accounts by leveraging a malicious SAML Identity Provider and another organization configured on the same instance. Notes: - Thi...
GHSA-QQ5R-98HH-RXC9 vulnerabilities
Vulnerabilities for packages: thingsboard...
GHSA-69X3-G4R3-P962 vulnerabilities
Vulnerabilities for packages: step, step-issuer, caddy, step-ca...
Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems
In yet another software supply chain attack, the open-source, artificial intelligence (AI)-powered coding assistant Cline CLI was updated to stealthily install OpenClaw, a self-hosted autonomous AI agent that has become exceedingly popular in the past few months. "On February 17, 2026, at 3:26 AM P...
GHSA-33HQ-FVWR-56PM
creationtimestamp| type| source
---|---|---
2026-02-20 11:10:40+00:00| seen| https://gist.github.com/alon710/730aa02397a258f2f1ed0aa8f4fa4e6d
...
Vulnerabilities fixed in GitHub Enterprise Server
GitHub has fixed vulnerabilities in GitHub Enterprise Server, specifically for versions before 3.20, 3.19.2, 3.18.5 and 3.17.11. The first vulnerability concerns an authorization issue that allowed attackers to merge unauthorized pull requests into repositories that provide fork support. The secon...
go-container-poc
go-contai...
GHSA-6C9J-X93C-RW6J
creationtimestamp| type| source
---|---|---
2026-02-20 02:10:39+00:00| seen| https://gist.github.com/alon710/f4eee2d51384628d064473d1a040d3d4
2026-02-20 02:40:34+00:00| seen| https://bsky.app/profile/flarestart.bsky.social/post/3mfb3galb2g2s
...
GHSA-3PPC-4F35-3M26 vulnerabilities
Vulnerabilities for packages: kubeflow-centraldashboard, opensearch-dashboards, saf, sqlpad, vitess, prism, eslint, code-server, serve, lerna, rancher-api-ui, argo-workflows, pulumi, tileserver-gl, renovate, npm, langfuse, kubeflow-pipelines, node-gyp...