974 matches found
CVE-2026-48522 vulnerabilities
Vulnerabilities for packages: openstack-placement-2025.1-fips, openstack-glance-2025.1, kserve, datadog-agent, datadog-agent-fips, openstack-placement-2026.1-fips, openstack-glance-2025.1-fips, openstack-horizon-2025.1, litellm, metaflow-service-fips, superset-fips, openstack-keystone-2026.1-fips...
OPENSUSE-SU-2026:10996-1 git-bug-0.10.1-6.1 on GA media
These are all security issues fixed in the git-bug-0.10.1-6.1 package on the GA media of openSUSE Tumbleweed...
Malicious code in gethandler-api (npm)
Source: amazon-inspector 0b6925d4c07df297f8cb573df4d85a396794d8793179e7a97f2cfde3aadfcfbc On npm install, postinstall.js unconditionally sends an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 carrying the installer...
Malicious code in getui-library (npm)
Source: amazon-inspector bf281a31a53827497d9a24ff0602f277b568f495a00c14603c3e9bf11a30327a On npm install, postinstall.js issues an HTTPS GET to https://webhook.site/18dc4281-d366-438a-9186-76fbcd56ade5 with query parameters containing the...
OPENSUSE-SU-2026:10979-1 agama-web-ui-21+360.16caae772-44.1 on GA media
These are all security issues fixed in the agama-web-ui-21+360.16caae772-44.1 package on the GA media of openSUSE Tumbleweed...
OPENSUSE-SU-2026:10982-1 graphite2-1.3.15-1.1 on GA media
These are all security issues fixed in the graphite2-1.3.15-1.1 package on the GA media of openSUSE Tumbleweed...
OPENSUSE-SU-2026:10969-1 perl-IO-Compress-2.220.0-2.1 on GA media
These are all security issues fixed in the perl-IO-Compress-2.220.0-2.1 package on the GA media of openSUSE Tumbleweed...
MAL-2026-5297 Malicious code in consumerweb-authflow (npm)
Source: amazon-inspector acbd81f78a40f87b410799545f06c929bc7e7c3f552eeea06254416b3b9e0977 On npm install, the package's postinstall.js collects host identifiers via os.hostname, os.userInfo.username, os.platform, and the current working...
PT-2026-44786
These are all security issues fixed in the libsuricata8_0_5-8.0.5-1.1 package on the GA media of openSUSE Tumbleweed...
Malicious code in @polka-ui/config (npm)
Source: ghsa-malware 662c2a1b8ad5d264ec01b078f95c130c96398305ba009a2c2de33cc9d7db7486 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CLSA-2026-1779465287 Update of tomcat
Bump leading release to maintain monotonic rpm-version ordering in the AlmaLinux 9.2 ESU update stream...
GO-2026-5001 SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel
SiYuan Bazaar marketplace renders unescaped package name and version metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel...
PT-2026-42383
SiYuan Bazaar marketplace renders unescaped package name and version metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel...
CVE-2026-45375 SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...
Malicious code in npmjs_solc-helper (npm)
Source: amazon-inspector b789c7234e3c391e6e2f6359d87f873205fb341c1bf186194815b16d53c7fa71 The package.json defines a postinstall lifecycle hook that invokes child_process.exec to run curl -s...
MAL-2026-3613 Malicious code in aoflcorp (npm)
Source: ossf-package-analysis bfc014b9e60bb1abb58d948abcf31112dd4c160ab8416317476f3c67c2e84d49 The OpenSSF Package Analysis project identified 'aoflcorp' @ 0.0.1 npm as malicious. It is considered malicious because: - The package...
Malicious code in post-purchase-bundler (npm)
Source: amazon-inspector 3a33aa69ef958573a786f3db208d8ee335829e14009d1fdafecbc842ed493b8b The package post-purchase-bundler was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in mw-filesystem-events-nodream (npm)
Source: amazon-inspector a3da27e815b33bf88dc4fb31bc8b5558501b65ded9de77aab08e7ae785c2c38b The package mw-filesystem-events-nodream was found to contain malicious code. Source: ossf-package-analysis...
OPENSUSE-SU-2026:10741-1 go1.26-1.26.3-1.1 on GA media
These are all security issues fixed in the go1.26-1.26.3-1.1 package on the GA media of openSUSE Tumbleweed...