CVE-2026-41084

A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...

CVE-2026-41084

A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...

CVE-2026-41084 Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation

A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...

CVE-2026-41084 Apache Airflow: API authorization bypass: bulk TaskInstances allows cross-DAG mutation

A bug in Apache Airflow's bulk Task Instances API PATCH/DELETE /api/v2/dags/dagid/dagRuns/dagrunid/taskInstances evaluated authorization against the dagid resolved from the URL path while operating on the dagid / dagrunid extracted from request-body entity fields. An authenticated UI/API user wit...

CVE-2026-41084

CVE-2026-41084: Apache Airflow bug in the bulk Task Instances API (PATCH/DELETE /api/v2/dags/{dag_id}/dagRuns/{dag_run_id}/taskInstances) evaluated authorization from the URL dag_id while operating on dag_id/dag_run_id from the request body. An authenticated user with edit permission on one Dag c...

Malicious code in @redhat-cloud-services/remediations-client (npm)

Part of the "Mini Shai-Hulud" supply chain worm campaign that compromised the GitHub Actions OIDC trusted publisher shared by Red Hat Cloud Services npm packages. The attacker injected a preinstall hook into this and 31 other packages in the @redhat-cloud-services scope. The hook delivers a...

CVE-2026-47740 Shopper: Authorization bypass in multiple Livewire admin components

Shopper is a Headless e-commerce Admin Panel. Prior to 2.8.0, Multiple Filament actions on the admin Order detail and Order shipments table were callable by an authenticated low-privilege user without the permission required to mutate orders. The order detail actions cancel, mark paid, mark...

EUVD-2026-33337

OpenClaw before 2026.5.18 contains a scope bypass vulnerability in the Gateway chat.send route that allows scoped clients to execute privileged commands. Attackers with operator.write scope can deliver commands through inherited external routes to bypass operator.approvals and operator.admin scop...

CVE-2026-46510 Prototype pollution in form-data-objectizer via bracket-notation form keys

form-data-objectizer converts FormData to object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys e.g. namesub into nested objects without filtering proto, constructor, or prototype. A single HTTP form field whose name starts with proto... causes the library to mutate...

PT-2026-44410

When Calico is configured with the Azure IPAM plugin, the Calico CNI binary mutates the incoming CNI configuration to attach subnet information before delegating to the IPAM plugin. After mutating, the Azure IPAM helper logs the entire unmarshaled configuration map stdinData at INFO level to...

CVE-2026-44328

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/upNodeRef handler unconditionally dereferences upNode.UPF after the type-guarded...

CVE-2026-48151 Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema

Budibase is an open-source low-code platform. Prior to 3.39.0, the webhook schema-building endpoint is registered under builderRoutes, but the generic authorization middleware skips authorization for all paths matching /api/webhooks/schema. As a result, an unauthenticated caller can update the bo...

CVE-2026-48151

Budibase (open-source low-code platform) contains an authorization bypass in the webhook schema-building endpoint prior to 3.39.0. The endpoint under builderRoutes allowed an unauthenticated caller to update the body schema for a known webhook and mutate the associated automation trigger output s...

CVE-2026-44328

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/upNodeRef handler unconditionally dereferences upNode.UPF after the type-guarded...

CVE-2026-44328 free5GC: SMF UPI DELETE /upi/v1/upNodesLinks/{ref} panics on AN-node deletion via nil UPF dereference; unauthenticated, state-mutating

free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's SMF mounts the UPI management route group without inbound OAuth2 middleware. On top of that, the DELETE /upi/v1/upNodesLinks/upNodeRef handler unconditionally dereferences upNode.UPF after the type-guarded...

CVE-2026-44328

Summary: CVE-2026-44328 affects free5GC SMF 4.2.1 and is fixed in 4.2.2 via upstream patch PR#199. The SMBI UPI route group was left without inbound OAuth2 middleware, allowing unauthenticated access to delete endpoints. The DELETE /upi/v1/upNodesLinks/{upNodeRef} handler unconditionally derefere...

MAL-2026-4609 Malicious code in mev-shield (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9783d5e48d62da6de516b1cf5d36474143528a9c6f33a86892ee558266a4e5ec The package advertises itself as an 'MEV protection layer for Ethereum trading bots' but does the opposite. On npm install, a postinstall script...

MAL-2026-4416 Malicious code in @ornexus/neocortex (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bb66a92e1a8c414ee0c8877998a9587b7c8a4be3b9b27b76d874329a87bec5dc On npm install -g @ornexus/neocortex, postinstall.js spawns install.sh or install.ps1 which, by default, runs an installcoderabbit step that fetches...

Malicious code in utils-mf (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6d338ea2a5c454a5a0352e6fb29bd940027bc4b8c349649f6356c4fc4f396272 Package metadata advertises 'utility mf' with main 'index.js', but the shipped main is a 15.7MB obfuscator.io-style blob preceded by 8MB of...

@antv/ava (=3.6.0-alpha.0), @antv/g (>=6.0.0 <=6.2.1) +6 more potentially affected by unknown CVE via @antv/g-dom-mutation-observer-api (>=2.0.0 <=2.0.9)

@antv/g-dom-mutation-observer-api NPM version =2.0.0, =6.0.0, =0.5.9, =2.0.0, =1.2.5, =1.2.6 - expression-language-editor =0.0.4 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3918...