
197 matches found

OSV (added 2026/06/10 1:38 p.m.)

GHSA-32G3-35G9-WC9G @hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts

Affected: @hulumi/drift 1.4.0 — Fixed in: 1.4.0 — Severity: Medium — CWE-755 Improper Handling of Exceptional Conditions. Summary: @hulumi/drift runs four adapters that each ask a different question about whether a resource has drifted: Pulumi-state diff, provider-version change, CloudTrail event,...

CVSS 8.4, AI score 5.4, EPSS 0.0004. Exploits: 0, References: 3.
Github Security Blog (added 2026/06/10 1:38 p.m.)

@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts

Affected: @hulumi/drift 1.4.0 — Fixed in: 1.4.0 — Severity: Medium — CWE-755 Improper Handling of Exceptional Conditions. Summary: @hulumi/drift runs four adapters that each ask a different question about whether a resource has drifted: Pulumi-state diff, provider-version change, CloudTrail event,...

AI score 5.4, EPSS 0.0004. Exploits: 0, References: 3, Affected Software: 1.
Positive Technologies (added 2026/06/10 12:00 a.m.)

PT-2026-48478

Affected: @hulumi/drift 1.4.0 — Fixed in: 1.4.0 — Severity: Medium — CWE-755 Improper Handling of Exceptional Conditions. Summary: @hulumi/drift runs four adapters that each ask a different question about whether a resource has drifted: Pulumi-state diff, provider-version change, CloudTrail event,...

CVSS 8.4, AI score 5.4, EPSS 0.0004. Exploits: 0, References: 4.
OSSF Malicious Packages (added 2026/05/24 3:22 p.m.)

Malicious code in cami-design (npm)

Source: amazon-inspector (57ccc787b2437085a18ed05c52fc473d8c28162cbe3cbbaa04adaefa73389da1). On install, scripts/install.js invokes autoUpdate.install, which writes a launchd agent to...

AI score 6.4. Exploits: 0, References: 1.
The Hacker News (added 2026/05/22 11:55 a.m.)

Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows

Cybersecurity researchers have disclosed details of a new automated campaign called Megalodon that has pushed 5,718 malicious commits to 5,561 GitHub repositories within a six-hour window. "Using throwaway accounts and forged author identities (build-bot, auto-ci, ci-bot, pipeline-bot), the attacke...

AI score 5.9. Exploits: 0.
OSV (added 2026/05/20 7:35 p.m.)

MAL-2026-4386 Malicious code in @elvatis_com/openclaw-cli-bridge-elvatis (npm)

Source: amazon-inspector (8ea4d389a7d7fc1ab1598f69441105d1ebe696d9d5d351f805644bded733fe7e). When the OpenClaw gateway loads this plugin and starts its proxy server, code paths in dist/index.js lines 1076 and 1093 schedule outbound WhatsApp...

AI score 5.9. Exploits: 0, References: 1.
GithubExploit (added 2026/05/18 10:11 p.m.)

cve-arsenal

CVE Arsenal Automated CVE exploit scanners and Nuclei templat...

AI score 5.8. Exploits: 0.
The Hacker News (added 2026/04/24 7:24 a.m.)

LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure

A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving large language models (LLMs), has come under active exploitation in the wild less than 13 hours after its public disclosure. The vulnerability, tracked as CVE-2026-33626 (CVSS score: 7.5), relate...

CVSS 9.8, AI score 8.6, EPSS 0.54254. Exploits: 16.
Spring Security Advisories (added 2026/04/20 12:00 a.m.)

Spring Office Hours Podcast: S5E13 - Community Potluck

Join Dan Vega and DaShaun Carter for the latest updates from the Spring Ecosystem. In this Potluck episode, Dan and DaShaun open up the floor to the community, answering your questions on Spring Boot, Spring AI, Spring Security, and whatever else is on your mind. Potluck episodes are shaped...

AI score 5.8. Exploits: 0.
RedhatCVE (added 2026/04/14 7:22 p.m.)

CVE-2026-35594

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/linksharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner delet...

CVSS 6.5, AI score 5.7, EPSS 0.00268. Exploits: 1, References: 1.
Cvelist (added 2026/04/10 3:55 p.m.)

CVE-2026-35594 Vikunja Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade

Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, Vikunja's link share authentication (GetLinkShareFromClaims in pkg/models/linksharing.go) constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner delet...

CVSS 6.5, EPSS 0.00268. Exploits: 1, References: 4.
Github Security Blog (added 2026/04/10 3:31 p.m.)

Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade

Title: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade. Description: Vikunja's link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share or...

CVSS 6.5, AI score 5.8, EPSS 0.00268. Exploits: 1, References: 6, Affected Software: 1.
Spring Security Advisories (added 2026/04/09 12:00 a.m.)

Spring Office Hours Podcast: S5E12 - Developer Soft Skills with Arun Gupta

Join Dan Vega and DaShaun Carter for another essential update from the Spring ecosystem. In this episode, the guys are joined by DevRel and Java legend Arun Gupta to discuss a topic often overlooked but vital for career longevity: soft skills for developers. Drawing from his decades of experience...

AI score 5.8. Exploits: 0.
OSV (added 2026/04/02 6:42 p.m.)

GO-2026-4888 Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet

Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

CVSS 8.8, AI score 5.9, EPSS 0.00335. Exploits: 0, References: 1.
Positive Technologies (added 2026/04/02 12:00 a.m.)

PT-2026-29935

Fleet: Password reset tokens remain valid after password change for 24 hours in github.com/fleetdm/fleet. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

AI score 5.9. Exploits: 0, References: 2.
Snyk (added 2026/03/27 8:33 p.m.)

Cross-site Scripting (XSS)

Overview: home-assistant-frontend is the Home Assistant frontend. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the rendering of device entity names within the map-card component when the hourstoshow attribute is set. An attacker can execute arbitrary JavaScript ...

CVSS 8.8, AI score 5.9, EPSS 0.00241. Exploits: 1, References: 3.
OSV (added 2026/03/27 8:33 p.m.)

GHSA-R584-6283-P7XC Home Assistant has stored XSS in Map-card through malicious device name

Summary: An authenticated party can add a malicious name to their device entity, allowing for Cross-Site Scripting attacks against anyone who can see a dashboard with a Map-card which includes that entity. It requires that the victim hovers over an information point. The lines or the dots...

CVSS 2, AI score 5.9, EPSS 0.00241. Exploits: 1, References: 3.
Snyk (added 2026/03/27 6:17 p.m.)

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration in the password reset process. An attacker can gain unauthorized access to a user's account by reusing a previously obtained password reset token within its validity period, even after the user has change...

CVSS 8.8, AI score 5.9, EPSS 0.00335. Exploits: 0, References: 2.
EUVD (added 2026/03/27 6:17 p.m.)

EUVD-2026-16742

Fleet: Password reset tokens remain valid after password change for 24 hours...

CVSS 6, AI score 5.8, EPSS 0.00335. Exploits: 0, References: 1.
OSV (added 2026/03/27 6:17 p.m.)

GHSA-3458-R943-HMX4 Fleet: Password reset tokens remain valid after password change for 24 hours

Summary: A vulnerability in Fleet's password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change...

CVSS 6, AI score 5.9, EPSS 0.00335. Exploits: 0, References: 3.