MAL-2026-6353 Malicious code in markdownlint-cli2-fix (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ca7d5154ecbbcc636198bd2314e1916e5f0673d37ab7b14caca2ea96ad5ac5e1 Package name 'markdownlint-cli2-fix' impersonates the popular 'markdownlint-cli2' linter but contains no linter functionality — the README states...

DEBIAN-CVE-2026-46374

SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.2.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious long query to any application using the parser to...

PYSEC-2026-209

SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any...

EUVD-2026-35854

SQLFluff is a modular SQL linter and auto-formatter with support for multiple dialects and templated code. Prior to version 4.1.0, in deployments where untrusted users can provide SQL queries to be linted, an untrusted user can submit a malicious query with deliberate excessive nesting to any...

SQLFluff 资源管理错误漏洞

SQLFluff is an open-source SQL linter that features flexible and configurable syntax. Versions of SQLFluff prior to 4.2.0 contained a resource management vulnerability. This vulnerability stemmed from the parser’s improper handling of malicious long SQL queries, which could lead to resource...

apache-airflow-providers-amazon (>=9.7.0 <=9.8.0rc1), arrow-pd-parser (>=1.0.0 <=1.0.4) +43 more potentially affected by CVE-2026-8838 via redshift-connector (>=2.0.888 <=2.1.13)

redshift-connector PYPI version =2.0.888, =9.7.0, =1.0.0, =0.1.1, =2.0.0, =0.1.7, =0.31.6, =0.1.17, =2.3.0.dev3, =1.0.0a2, =0.4.0, =0.0.1, =0.3.64, =6.1.2, =0.5.2, =1.5.0, =1.9.1 and more Source cves: CVE-2026-8838 Source advisory: OSV:GHSA-29H4-R29X-HCHV...

MAL-2026-3857 Malicious code in @antv/chart-linter (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

Malicious code in @antv/chart-linter (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

@antv/chart-advisor (>=1.0.0 <=1.1.7), @antv/chart-linter (>=1.1.5 <=1.1.6) +3 more potentially affected by unknown CVE via @antv/dw-analyzer (=1.1.5)

@antv/dw-analyzer NPM version =1.1.5 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/dw-analyzer and may be impacted: - @antv/chart-advisor =1.0.0, =1.1.5, =1.0.0, =1.0.0, =1.0.10 Source cves: unknown CVE Source advisory:...

@antv/chart-advisor (>=1.0.0 <=1.1.7), @antv/chart-linter (>=1.1.5 <=1.1.6) +3 more potentially affected by unknown CVE via @antv/dw-analyzer (=1.1.5)

@antv/dw-analyzer NPM version =1.1.5 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/dw-analyzer and may be impacted: - @antv/chart-advisor =1.0.0, =1.1.5, =1.0.0, =1.0.0, =1.0.10 Source cves: unknown CVE Source advisory:...

MAL-2026-3736 Malicious code in solidity-linter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bc1e53cd2c5e0f2cd7874aca89da54334315bfff4129c14965247a454a835c7a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious Package

Overview solidity-linter is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious code in solidity-linter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bc1e53cd2c5e0f2cd7874aca89da54334315bfff4129c14965247a454a835c7a Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

GHSA-Q2PW-XX38-P64J melange has Path Traversal via .PKGINFO in --persist-lint-results

Impact melange lint --persist-lint-results opt-in flag, also usable via melange build --persist-lint-results constructs output file paths by joining --out-dir with the arch and pkgname values read from the .PKGINFO control file of the APK being linted. In affected versions these values were not...

CVE-2026-25761

Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull...

CVE-2026-25761 Command injection via crafted filenames in Super-linter Action

Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull...

CVE-2026-25761 Command injection via crafted filenames in Super-linter Action

Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull...

CVE-2026-25761

The CVE describes a command injection in the Super-linter GitHub Action affecting versions 6.0.0–8.3.0, where file discovery can execute shell command substitution embedded in filenames, enabling arbitrary command execution in the workflow runner and potential disclosure of the job’s GITHUB_TOKEN...

CVE-2026-25761 Command injection via crafted filenames in Super-linter Action

Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull...

Super-linter is vulnerable to command injection via crafted filenames in Super-linter Action

Summary The Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $.... In...