
251691 matches found

OSV
added 2026/05/05 3:27 p.m., 0 views

MAL-2026-3343 Malicious code in @atlan/connectors (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 22a96e40cb459d89624b2ce0705942ad4d54d8279e780c66fe2d2fa3f727cef1 The package @atlan/connectors was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits: 0, References: 1
vulnersOsv
added 2026/05/05 1:35 p.m., 3 views

@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.0-beta.7) +12 more potentially affected by CVE-2026-42439 via openclaw (>=2026.3.22 <=2026.4.1)

openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.15.0 - tokaroo-openclaw-provider =0.1.1 Source cves: CVE-2026-42439 Source advisory: SNYK:JS-OPENCLAW-16420273...

8.5 CVSS, 5.8 AI score, 0.00036 EPSS
Exploits: 0
IBM Security Bulletins
added 2026/05/05 12:43 p.m., 4 views

Security Bulletin: IBM Maximo Application Suite - Visual Inspection component uses node-forge-1.3.2.tgz, node-forge-1.3.3.tgz which is vulnerable to CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896

Summary: IBM Maximo Application Suite - Visual Inspection component uses node-forge-1.3.2.tgz, node-forge-1.3.3.tgz which is vulnerable to CVE-2026-33891, CVE-2026-33894, CVE-2026-33895, CVE-2026-33896. This bulletin contains information regarding the vulnerability and its remediation...

9.1 CVSS, 6.6 AI score, 0.00081 EPSS
Exploits: 2, Affected Software: 1
OSSF Malicious Packages
added 2026/05/05 11:51 a.m., 3 views

Malicious code in trevlo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3414c71889d8ebf7ad09c9b0bf9ab63f8f6589e1e030e35e40a971b767f51ad1 The package trevlo was found to contain malicious code. Source: ghsa-malware 01d7778a4b391062b3f0b2200861fde5a0b4c750eb4ebab90d36940142ae9293 Any...

5.8 AI score
Exploits: 0, References: 1
OSV
added 2026/05/05 11:40 a.m., 1 views

MAL-2026-3339 Malicious code in nf-ui-components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5d1fc3aadbb204f6da1c0db37a6e1b540bdcc3964bd033d5657a067d7e246cc The package nf-ui-components was found to contain malicious code. Source: ghsa-malware 4ab8cac0b0cae1864121f4fd7223e6cb7bb0168d113ece4974f94aae4e2418...

5.8 AI score
Exploits: 0, References: 1
Cvelist
added 2026/05/05 11:24 a.m., 30 views

CVE-2026-42434 OpenClaw 2026.4.5 < 2026.4.10 - Sandbox Escape via host Parameter Override in Exec Routing

OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. Attackers can bypass sandbox boundaries and route execution to remote nodes instead of intended sandbox paths...

8.8 CVSS, 0.00065 EPSS
Exploits: 0, References: 3
ATTACKERKB
added 2026/05/05 11:24 a.m., 0 views

CVE-2026-42434

OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. Attackers can bypass sandbox boundaries and route execution to remote nodes instead of intended sandbox paths...

8.8 CVSS, 6 AI score, 0.00065 EPSS
Exploits: 0, References: 4, Affected Software: 1
Cvelist
added 2026/05/05 7:45 a.m., 33 views

CVE-2026-43870 Apache Thrift: Node.js web_server.js multi-vulnerability

Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory 'Path Traversal', Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting', Uncontrolled Resource Consumption vulnerability in Apache Thrift. This issue affects Apache Thrift:...

0.00034 EPSS
Exploits: 0, References: 1
CVE
added 2026/05/05 7:45 a.m., 9 views

CVE-2026-43870

Apache Thrift (before 0.23.0) contains multiple issues: Origin Validation Error, Path Traversal (improper limitation of a pathname to a restricted directory), HTTP header CRLF-related splitting, and uncontrolled resource consumption. Upgrade to 0.23.0 to fix. Exploitation status is not provided i...

7.3 CVSS, 5.8 AI score, 0.00034 EPSS
Exploits: 0, References: 2, Affected Software: 1
Wolfi
added 2026/05/05 1:58 a.m., 6 views

CVE-2026-41673 vulnerabilities

Vulnerabilities for packages: sqlpad, saf, npm...

8.7 CVSS, 5.4 AI score, 0.0004 EPSS
Exploits: 0
Wolfi
added 2026/05/05 1:58 a.m., 9 views

GHSA-F6WW-3GGP-FR8H vulnerabilities

Vulnerabilities for packages: sqlpad, saf, npm...

5.4 AI score
Exploits: 0
Wolfi
added 2026/05/05 1:58 a.m., 9 views

GHSA-2V35-W6HQ-6MFW vulnerabilities

Vulnerabilities for packages: sqlpad, saf, npm...

5.4 AI score
Exploits: 0
Wolfi
added 2026/05/05 1:58 a.m., 7 views

GHSA-X6WF-F3PX-WCQX vulnerabilities

Vulnerabilities for packages: sqlpad, saf, npm...

5.4 AI score
Exploits: 0
Wolfi
added 2026/05/05 1:58 a.m., 7 views

GHSA-J759-J44W-7FR8 vulnerabilities

Vulnerabilities for packages: sqlpad, saf, npm...

5.4 AI score
Exploits: 0
Wolfi
added 2026/05/05 1:58 a.m., 9 views

CVE-2026-41674 vulnerabilities

Vulnerabilities for packages: sqlpad, saf, npm...

8.7 CVSS, 5.4 AI score, 0.0002 EPSS
Exploits: 0
Wolfi
added 2026/05/05 1:58 a.m., 11 views

CVE-2026-41672 vulnerabilities

Vulnerabilities for packages: sqlpad, saf, npm...

8.7 CVSS, 5.4 AI score, 0.00074 EPSS
Exploits: 0
Github Security Blog
added 2026/05/05 12:30 a.m., 7 views

Hashicorp Boundary workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes

Boundary Community Edition and Boundary Enterprise "Boundary" workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate...

7.5 CVSS, 5.8 AI score, 0.00034 EPSS
Exploits: 0, References: 3, Affected Software: 1
OSV
added 2026/05/05 12:30 a.m., 3 views

GHSA-7X9R-WCGG-W86F Hashicorp Boundary workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes

Boundary Community Edition and Boundary Enterprise "Boundary" workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate...

7.5 CVSS, 5.8 AI score, 0.00034 EPSS
Exploits: 0, References: 3
EUVD
added 2026/05/05 12:30 a.m., 7 views

EUVD-2026-27145

Boundary Community Edition and Boundary Enterprise “Boundary” workers are vulnerable to a denial-of-service condition during node enrollment TLS handshakes. An attacker with network access to the worker authentication listener may open a connection and delay or withhold the client certificate...

7.5 CVSS, 5.8 AI score, 0.00034 EPSS
Exploits: 0, References: 2
Patchstack
added 2026/05/05 12:25 a.m., 4 views

NPM: Axios: Header Injection via Prototype Pollution

NPM: Axios: Header Injection via Prototype Pollution vulnerability discovered by ? in WordPress Npm axios versions = 0.31.0...

7.4 CVSS, 5.8 AI score, 0.00047 EPSS
Exploits: 1, References: 3, Affected Software: 1