Astra Linux – Vulnerability found in Linux 5.10, Linux 6.1, and Linux 5.15

In the Linux kernel, the following vulnerabilities have been resolved: HID: usbhid: Eliminated a recurring out-of-bounds error in usbhidparse. Updated the struct hiddescriptor to better reflect the mandatory and optional parts of the HID descriptor according to the USB HID 1.11 specification. Not...

CVE-2026-40677

The use of insecure HTTP transport within AMD optional tools could allow an attacker to conduct a man-in-the-middle attack, potentially leading to arbitrary code execution...

CVE-2026-40677

The use of insecure HTTP transport within AMD optional tools could allow an attacker to conduct a man-in-the-middle attack, potentially leading to arbitrary code execution...

PT-2026-48888

Name of the Vulnerable Software and Affected Versions AMD optional tools affected versions not specified Description The use of insecure HTTP transport within the auto-updater allows for a man-in-the-middle attack, which is a technique where an attacker intercepts communication between two partie...

Malicious code in optional-cpu-features (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4dbbb7dd9c604ef3e5782d477d4db7c04c50f7906b19af03e63a540e0a44166e On npm install, both the install and postinstall lifecycle scripts run node install.js, which requires lib/sync.js. That file hardcodes BASE =...

MAL-2026-5642 Malicious code in optional-cpu-features (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4dbbb7dd9c604ef3e5782d477d4db7c04c50f7906b19af03e63a540e0a44166e On npm install, both the install and postinstall lifecycle scripts run node install.js, which requires lib/sync.js. That file hardcodes BASE =...

CVE-2026-42766

The CVE-2026-42766 entry documents a NULL pointer dereference in OpenSSL’s CMS decryption for password-based CMS messages. Specifically, PasswordRecipientInfo.keyDerivationAlgorithm is OPTIONAL and may be absent; OpenSSL’s CMS decryption dereferences this field without checking, triggering an app...

SUSE-SU-2026:22073-1 Security update for libzypp

This update for libzypp fixes the following issues Version 17.38.13 35: - CVE-2026-44941: path traversal via "keyhint" bsc1267426. - CVE-2026-44942: .repo files can have an optional path which can lead to path traversal attacks bsc1267874...

path-to-regexp: path-to-regexp: Denial of Service via crafted regular expressions

A flaw was found in path-to-regexp. A remote attacker could exploit this vulnerability by providing specially crafted input that generates a regular expression with multiple sequential optional groups. This leads to an exponential growth in the generated regular expression, causing a Denial of...

PT-2026-47836

Name of the Vulnerable Software and Affected Versions OpenSSL affected versions not specified Description A NULL pointer dereference can occur during the decryption of password-encrypted Cryptographic Message Syntax CMS messages. The issue arises because the OpenSSL CMS implementation dereference...

OPENSUSE-SU-2026:20888-1 Security update for apptainer

This update for apptainer fixes the following issues: Changes in apptainer: - CVE-2026-39821: Update golang.org/x/net to 0.55.0. bsc1266656 - Add improved handling of suid-starter: Add system group apptainer Make sure, only users belonging to this group are able to run the application. Document...

IBM HTTP Server 代码问题漏洞

IBM HTTP Server is an enterprise-level web server software developed by International Business Machines IBM. Versions 8.5 and 9.0 of IBM HTTP Server contain code vulnerabilities that could lead to denial-of-service attacks due to the optional module modibmUpload...

Malicious code in @cometix/claude-code (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d9c6fc5df21efcd2949e4c05b4a9a75dbe8142243a3967dc853be7069ecaca24 Package is published under the @cometix scope but its package.json sets author to 'Anthropic ' and ships a README copied verbatim from Anthropic's...

MAL-2026-4409 Malicious code in @nutui/nutui-react-taro (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 71ad42f4bfd953311c2d69f622cc6e8d5193a8852ac0bbc9ea0781ac6b651390 The package's postinstall.js invokes execSync'npm-usage-stats disable' and execSync'npm-usage-stats', stdio: 'inherit' . The npm-usage-stats bin is...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: backlight: hx8357: Fixed potential NULL pointer dereferencing issues. The “im” pins are optional. Added a missing check in the hx8357probe function...

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerabilities have been resolved: drm/panel: ili9341: fix optional regulator handling If the optional regulator lookup fails, reset the pointer to NULL. Other functions such as mipidbipoweronconditional only perform a NULL pointer check; otherwise, they will...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...