@activepieces/piece-ai (>=0.3.1 <=0.3.4), @aikotools/repo-maintenance (>=1.0.2 <=1.7.0) +260 more potentially affected by CVE-2026-39406 via @hono/node-server (>=0.2.4 <=1.19.12)

@hono/node-server NPM version =0.2.4, =0.3.1, =1.0.2, =1.0.25-beta.0, =0.0.1, =0.29.3, =0.36.0, =0.0.1, =0.0.1-experimental.1, =0.0.3, =1.0.1, =1.3.2, =0.2.305, =1.0.0 - @bojanrajkovic/mcp-paprika =1.1.0 and more Source cves: CVE-2026-39406 Source advisory: OSV:GHSA-92PP-H63X-V22M...

kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level

Summary When kube-router is configured with per-node BGP peer passwords using the kube-router.io/peer.passwords node annotation, and verbose logging is enabled --v=2 or higher, the raw Kubernetes node annotation map is logged verbatim — including the base64-encoded BGP MD5 passwords. Anyone with...

GHSA-FCMH-QFXC-W685 kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level

Summary When kube-router is configured with per-node BGP peer passwords using the kube-router.io/peer.passwords node annotation, and verbose logging is enabled --v=2 or higher, the raw Kubernetes node annotation map is logged verbatim — including the base64-encoded BGP MD5 passwords. Anyone with...

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-006675)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006675 advisory. In the Linux kernel, the following vulnerability has been resolved: net: mdio: fix unbalanced fwnode reference count in mdiodevicerelease There is warning report abo...

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-006820)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006820 advisory. In the Linux kernel, the following vulnerability has been resolved: of: dynamic: Synchronize ofchangesetdestroy with the devlink removals In the following sequence: ...

Unity Linux 20.1050e Security Update: kernel (UTSA-2026-006664)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006664 advisory. In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: avoid invalid memory access via nodeonlineNUMANONODE KASAN reports: 4.668325 T0 BUG:...

MAL-2026-2865 Malicious code in @sie-ppr-web-checkout/app (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 977089aabb00f7d390dd6bf7ad3e9038c4998ec2ccf93a2e38016f525c32f368 The package @sie-ppr-web-checkout/app was found to contain malicious code. Source: ossf-package-analysis...

Embedded Malicious Code

Overview @velora-dex/sdk is a SDK for the Velora API Affected versions of this package are vulnerable to Embedded Malicious Code that delivers a malicious payload through dist/index.js. An attacker uploaded a compromised version of the package directly to the npm registry. The payload runs a...

CVE-2026-39846

CVE-2026-39846 – SiYuan Electron desktop client is affected prior to 3.6.4. A crafted note with table caption content that is stored without safe escaping can be unescaped in rendered HTML, creating a stored XSS sink. Since the desktop renderer runs with nodeIntegration enabled and contextIsolati...

Node.js: Uppercase sni context matching can lead to mtls authorization bypass due to case-sensitive hostname matching

Vulnerability description not provided...

CVE-2026-5739

A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be execute...

Arbitrary Code Injection

Overview tech.powerjob:powerjob-server-core is an enterprise job scheduling middleware with distributed computing ability Affected versions of this package are vulnerable to Arbitrary Code Injection via the GroovyEvaluator.evaluate function in the /openApi/addWorkflowNode endpoint when processing...

CVE-2026-5739 PowerJob OpenAPI Endpoint addWorkflowNode GroovyEvaluator.evaluate code injection

A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be execute...

CVE-2026-5739

A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be execute...

GHSA-W6WX-JQ6J-6MCJ OpenClaw: pnpm dlx approvals did not bind local script operands

Summary Before OpenClaw 2026.4.2, pnpm dlx approval planning did not bind local script operands the same way as related pnpm exec flows. A local script approved through a pnpm dlx path could be replaced before execution without invalidating the approval. Impact An operator could approve a benign...

OpenClaw: pnpm dlx approvals did not bind local script operands

Summary Before OpenClaw 2026.4.2, pnpm dlx approval planning did not bind local script operands the same way as related pnpm exec flows. A local script approved through a pnpm dlx path could be replaced before execution without invalidating the approval. Impact An operator could approve a benign...

GHSA-WWFP-W96M-C6X8 OpenClaw: Pairing pending-request caps were enforced per channel instead of per account

Summary Before OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file instead of per account. On multi-account channel setups, requests from other accounts could fill the shared pending window and block new pairing challenges on an unaffected account. Impact This issue...

CVE-2026-34211

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions...

Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to vulnerabilities in Node.js dependencies

Summary Node.js is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerabilities in Node.js modules ajv CVE-2025-69873, axios...

Flowise AI Agent Builder Under Active CVSS 10.0 RCE Exploitation; 12,000+ Instances Exposed

Threat actors are exploiting a maximum-severity security flaw in Flowise , an open-source artificial intelligence AI platform, according to new findings from VulnCheck. The vulnerability in question is CVE-2025-59528 CVSS score: 10.0, a code injection vulnerability that could result in remote cod...