MAL-2026-4721 Malicious code in weavedb-node-client (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d174728fc7469b023ece1980797185c35abd74c56e253bc1dc1b295a46a1dbd2 package.json declares "preinstall": "./tools/setup", unconditionally executing a 976KB UPX-packed, stripped Linux x86 ELF on every npm install. The...

com.squareup.wire:wire-grpc-client (>=7.0.0-alpha01 <=7.0.0-alpha02), com.squareup.wire:wire-schema (>=7.0.0-alpha01 <=7.0.0-alpha02) +1 more potentially affected by CVE-2026-45799 via com.squareup.wire:wire-runtime (>=7.0.0-alpha01 <=7.0.0-alpha02)

com.squareup.wire:wire-runtime MAVEN version =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha02 Source cves: CVE-2026-45799 Source advisory: SNYK:JAVA-COMSQUAREUPWIRE-16771313...

com.squareup.wire:com.squareup.wire.gradle.plugin (>=7.0.0-alpha01 <=7.0.0-alpha02), com.squareup.wire:wire-compiler (>=7.0.0-alpha01 <=7.0.0-alpha02) +11 more potentially affected by CVE-2026-45799 via com.squareup.wire:wire-runtime-jvm (>=7.0.0-alpha01 <=7.0.0-alpha02)

com.squareup.wire:wire-runtime-jvm MAVEN version =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha02 Source...

com.squareup.wire:wire-grpc-client (>=7.0.0-alpha01 <=7.0.0-alpha02), com.squareup.wire:wire-schema (>=7.0.0-alpha01 <=7.0.0-alpha02) +1 more potentially affected by CVE-2026-45799 via com.squareup.wire:wire-runtime (>=7.0.0-alpha01 <=7.0.0-alpha02)

com.squareup.wire:wire-runtime MAVEN version =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha02 Source cves: CVE-2026-45799 Source advisory: OSV:GHSA-7XPR-HC2W-34M9...

Malicious Package

Overview github.com/BufferZoneCorp/grpc-client is a malicious package. This package contains malicious code designed to compromise developer systems and CI environments, specifically targeting GitHub Actions. The threat actor, operating under the GitHub account BufferZoneCorp, published a cluster...

CVE-2026-31863

Anytype Heart is the middleware library for Anytype. The challenge-based authentication for the local gRPC client API can be bypassed, allowing an attacker to gain access without the 4-digit code. This vulnerability is fixed in anytype-heart 0.48.4, anytype-cli 0.1.11, and Anytype Desktop 0.54.5...

CVE-2026-26330 Envoy global rate limit may crash when the response phase limit is enabled and the response phase request is failed directly

Envoy is a high-performance edge/middle/service proxy. Prior to 1.37.1, 1.36.5, 1.35.8, and 1.34.13, At the rate limit filter, if the response phase limit with applyonstreamdone in the rate limit configuration is enabled and the response phase limit request fails directly, it may crash Envoy. Whe...

EUVD-2024-2937

Malicious code in bioql PyPI...

CVE-2024-8391

A flaw was found in the gRPC server in Eclipse Vert.x, which does not limit the maximum length of the message payload. This may lead to excessive memory consumption in a server or a client, causing a denial of service. Mitigation Mitigation for this issue is either not available or the currently...

com.github.nbbrd.sdmx-dl:sdmx-dl-grpc (=3.0.0-beta.12), com.github.rebue.wheel:wheel-vertx (>=2.2.9 <=2.2.12) +178 more potentially affected by CVE-2024-8391 via io.vertx:vertx-grpc-client (>=4.3.0 <=4.5.1)

io.vertx:vertx-grpc-client MAVEN version =4.3.0, =2.2.9, =0.30.0, =0.21.0, =2.0.0, =2.8.0, =0.2.0, =0.0.7, =0.0.7, =0.0.7, =2.7.0, =2.7.0, =2.7.0, =1.0.4, =1.0.4, =2.0.1 and more Source cves: CVE-2024-8391 Source advisory: OSV:GHSA-G76F-GJFX-4RPR...

CVE-2024-7246

It's possible for a gRPC client communicating with a HTTP/2 proxy to poison the HPACK table between the proxy and the backend such that other clients see failed requests. It's also possible to use this vulnerability to leak other clients HTTP header keys, but not values. This occurs because the...

CVE-2023-27488 Envoy gRPC client produces invalid protobuf when an HTTP header with non-UTF8 value is received.

Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to versions 1.26.0, 1.25.3, 1.24.4, 1.23.6, and 1.22.9, escalation of privileges is possible when failuremodeallow: true is configured for extauthz filter. For affected components that are used for loggin...