PT-2026-44786

These are all security issues fixed in the libsuricata8 0 5-8.0.5-1.1 package on the GA media of openSUSE Tumbleweed...

Malicious code in @polka-ui/config (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 662c2a1b8ad5d264ec01b078f95c130c96398305ba009a2c2de33cc9d7db7486 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

CLSA-2026-1779465287 Update of tomcat

Bump leading release to maintain monotonic rpm-version ordering in the AlmaLinux 9.2 ESU update stream...

GO-2026-5001 SiYuan Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel

SiYuan Bazaar marketplace renders unescaped package name and version metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel...

PT-2026-42383

SiYuan Bazaar marketplace renders unescaped package name and version metadata, allowing stored XSS and Electron code execution in github.com/siyuan-note/siyuan/kernel...

CVE-2026-45375 SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

CVE-2026-45375 SiYuan: Bazaar marketplace renders unescaped package `name` and `version` metadata, allowing stored XSS and Electron code execution

SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan's Bazaar community marketplace renders the name and version fields of a package's plugin.json and the equivalent theme.json / template.json / widget.json / icon.json into the Settings → Marketplace UI without HT...

Malicious code in npmjs_solc-helper (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b789c7234e3c391e6e2f6359d87f873205fb341c1bf186194815b16d53c7fa71 The package.json defines a postinstall lifecycle hook that invokes childprocess.exec to run curl -s...

MAL-2026-3613 Malicious code in aoflcorp (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis bfc014b9e60bb1abb58d948abcf31112dd4c160ab8416317476f3c67c2e84d49 The OpenSSF Package Analysis project identified 'aoflcorp' @ 0.0.1 npm as malicious. It is considered malicious because: - The package...

Malicious code in post-purchase-bundler (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3a33aa69ef958573a786f3db208d8ee335829e14009d1fdafecbc842ed493b8b The package post-purchase-bundler was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in mw-filesystem-events-nodream (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a3da27e815b33bf88dc4fb31bc8b5558501b65ded9de77aab08e7ae785c2c38b The package mw-filesystem-events-nodream was found to contain malicious code. Source: ossf-package-analysis...

OPENSUSE-SU-2026:10741-1 go1.26-1.26.3-1.1 on GA media

These are all security issues fixed in the go1.26-1.26.3-1.1 package on the GA media of openSUSE Tumbleweed...

CVE-2025-63706

NPM package next-npm-version1.0.1 is vulnerable to Command injection...

CVE-2025-63706

NPM package next-npm-version1.0.1 is vulnerable to Command injection...

OPENSUSE-SU-2026:10599-1 cacti-1.2.30+git306.82d5aef5-1.1 on GA media

These are all security issues fixed in the cacti-1.2.30+git306.82d5aef5-1.1 package on the GA media of openSUSE Tumbleweed...

OPENSUSE-SU-2026:10562-1 flannel-0.28.4-1.1 on GA media

These are all security issues fixed in the flannel-0.28.4-1.1 package on the GA media of openSUSE Tumbleweed...

Defense in Depth update for NuGet Client

Impact This update adds validation of the package ID and version during package download, in addition to the existing package signature validation. Patches NuGet The following NuGet.exe, NuGet.CommandLine, NuGet.Packaging, and NuGet.Protocol versions have been patched: |Affected versions|Patched...

MAL-2026-2443 Malicious code in exprrrress (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f3605883655f4870250aaab1c630151c6264e54521d1a711a088871de1fe5ea5 The package exprrrress was found to contain malicious code. Source: ossf-package-analysis...

OPENSUSE-SU-2026:10461-1 python311-nltk-3.9.4-1.1 on GA media

These are all security issues fixed in the python311-nltk-3.9.4-1.1 package on the GA media of openSUSE Tumbleweed...

OPENSUSE-SU-2026:10438-1 openbao-2.5.2-1.1 on GA media

These are all security issues fixed in the openbao-2.5.2-1.1 package on the GA media of openSUSE Tumbleweed...