SUSE-SU-2026:2092-1 Security update for go1.26-openssl

This update for go1.26-openssl fixes the following issues Security issues: - CVE-2026-33811: net: crash when handling long CNAME response bsc1264508. - CVE-2026-33814: net/http: infinite loop in HTTP/2 transport when given bad SETTINGSMAXFRAMESIZE bsc1264506. - CVE-2026-39817: cmd/go: 'go tool...

Astra Linux - уязвимость в golang-1.19

The go command may execute arbitrary code during compilation when using cgo. This can occur when running “go get” on a malicious module, or when running any other command that compiles unauthorized code. This issue can be triggered by linker flags, specified via the cgo LDFLAGS directive. Flags...

Malicious code in ethers-wallet-packages (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector beda1480a40189cc8177ace4e3d6fd9773ad81f4cbe5a6c07e3004427846dc8d The package impersonates the legitimate @ethersproject/wallet source files are otherwise verbatim copies, including the internal version string...

Malicious code in bytecore (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c1ddd2dea35052822d2dc89f0f46ceae20c772c257e0c97f0024483e9ff31c0 The package masquerades as a pino-like logging middleware README is copied from pino, exports a pino property, mimics pino's option shape but the...

BIT-GOLANG-2026-42501 Malicious module proxy can bypass checksum database in cmd/go

A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy GOMODPROXY or checksum database GOSUMDB. A malicious module proxy can serve altered versions o...

Linux Distros Unpatched Vulnerability : CVE-2026-42501

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affect...

CVE-2026-42501

A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypass checksum database validation. This vulnerability affects any user using an untrusted module proxy GOMODPROXY or checksum database GOSUMDB. A malicious module proxy can serve altered versions o...

PT-2026-38570

Name of the Vulnerable Software and Affected Versions Go affected versions not specified Description A flaw in the go command's validation of module checksums allows a malicious module proxy to bypass checksum database validation. This occurs when the checksum database returns a successful respon...

OESA-2026-1703 golang security update

The Go Programming Language. Security Fixes: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large...

OESA-2026-1701 golang security update

The Go Programming Language. Security Fixes: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large...

OESA-2026-1699 golang security update

The Go Programming Language. Security Fixes: The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large...

GO-2026-4352 OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format in github.com/opentofu/opentofu

OpenTofu has High CPU usage in "tofu init" with maliciously-crafted module packages in .zip format in github.com/opentofu/opentofu...

CVE-2025-68119 Unexpected code execution when invoking toolchain in cmd/go

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

EUVD-2025-202933

WBCE CMS version 1.6.3 and prior contains an authenticated remote code execution vulnerability that allows administrators to upload malicious modules. Attackers can craft a specially designed ZIP module with embedded PHP reverse shell code to gain remote system access when the module is installed...

CVE-2025-34506

WBCE CMS is affected: version 1.6.3 and earlier are vulnerable to authenticated remote code execution via uploading a malicious module. The flaw arises when an administrator can upload a ZIP module containing embedded PHP reverse shell code, enabling remote system access when installed. Exploitat...

Exploit for CVE-2025-55182

CVE-2025-55182 Raw HTTP Requests to exploit the insecure lazy...

Malicious code in module-barnard-ganymede-sociobiology (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 318ce5e99a1844c93f91036e8137e440098fae0a90415e943e5bb1c3a0a191af This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in @miptaa02/saysa (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3950aa4c6b2e241032854e9a69cb9041baa2051bb89588ccd4387bce177771df This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in inquirer-cli-hermes-commitizen (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3e24b115a829d16b3956d1bc125c8001900849f9d2adfba59701f7f3a09299ce This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

MAL-2025-145097 Malicious code in module-algol-npm-quantum (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6df4076437c513112089b53d9a85ce5172d0f134afb19ff5def94fb7a291385f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...