CVE-2026-40090

Zarf is an Airgap Native Packager Manager for Kubernetes. Versions 0.23.0 through 0.74.1 contain an arbitrary file write vulnerability in the zarf package inspect sbom and zarf package inspect documentation subcommands. These subcommands output file paths are constructed by joining a...

CVE-2026-40090 Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write

Zarf is an Airgap Native Packager Manager for Kubernetes. Versions 0.23.0 through 0.74.1 contain an arbitrary file write vulnerability in the zarf package inspect sbom and zarf package inspect documentation subcommands. These subcommands output file paths are constructed by joining a...

Oracle Linux 8 : nodejs:24 (ELSA-2026-7670)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-7670 advisory. nodejs 1:24.14.1-2 - Update bundled nghttp2 to 1.68.1 Related: RHEL-151374 1:24.14.1-1 - Update to 24.14.0 Resolves: RHEL-151374 nodejs-nodemon 3.0.3-1...

Fedora: Security Advisory (FEDORA-2026-5eb6f779c0)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

GHSA-PJJW-68HJ-V9MW uv vulnerable to arbitrary file deletion through RECORD entries

Impact Wheel RECORD entries can contain relative paths that traverse outside of the wheel’s installation prefix. In versions 0.11.5 and earlier of uv, these wheels were not rejected on installation and the RECORD was respected without validation on uninstall. uv uses the RECORD to determine files...

nodejs:22 security update

nodejs 1:22.22.2-1 - Update to version 22.22.2 - introduced patch updating deps/nghttp2 to v 1.68.1 for CVE-2026-27135 - disabled failing tests in nghttp2 due to newer version - patch for npm/braces CVE-2026-25547 Resolves: RHEL-163369 Fixes: CVE-2026-1528 CVE-2026-2229 CVE-2026-1526 CVE-2026-152...

nodejs:24 security update

nodejs 1:24.14.1-2 - Update bundled nghttp2 to 1.68.1 1:24.14.1-1 - Update to version 24.14.1 nodejs-nodemon 3.0.3-3 - Keep BR on just npm 3.0.3-2 - Fix BR for nodejs-npm nodejs-packaging 2021.06-6 - Properly handle @group/package deps in nodejs-symlink-deps Resolves: RHEL-121581 2021.06-5 -...

nodejs:22 security update

nodejs 1:22.22.2-1 - Update to version 22.22.2 Resolves: RHEL-154019 Fixes: CVE-2026-1528 CVE-2026-27135 CVE-2026-27904 CVE-2026-26996 CVE-2026-27135 CVE-2026-1528 nodejs-nodemon 3.0.1-1 - Exclude ix86 arches from building. Related: RHEL-35991 3.0.1-1 - Rebase to 3.0.1 - Resolves: CVE-2022-25883...

Security Bulletin: EDB PGAI Databases is affected by Multiple Vulnerabilities.

Summary Multiple Vulnerabilities found in EDB PGAI Databases 18.0. It has been addressed in 18.2. Hence, IBM strongly recommends upgrading to 18.2. Vulnerability Details CVEID:CVE-2021-25317 DESCRIPTION: A Incorrect Default Permissions vulnerability in the packaging of cups of SUSE Linux Enterpri...

Claude Code Packaging Error Remains a Lure in an Active Campaign: What Defenders Should Do

Threat actors leveraged Anthropic’s Claude Code npm release packaging error to distribute Vidar, GhostSocks, and PureLog Stealer. This blog details immediate steps organizations can take and best practices to prevent further risk...

openSUSE 16 : Feature update for himmelblau (SUSE-SU-openSUSE-FU-2026:20453-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-openSUSE-FU-2026:20453-1 advisory. Update to himmelblau 2.3.8 jscPED-14511: Security issues: - CVE-2025-54882: world readable cloud TGT token bsc1247735. - CVE-2025-58160:...

Poetry 路径遍历漏洞

Poetry is an open-source Python tool used for dependency management and packaging. Versions of Poetry from 1.4.0 to 2.3.3 had a path traversal vulnerability. This vulnerability stemmed from custom wheel files that might contain unrestricted paths, allowing arbitrary file writing with the privileg...

OPENSUSE-FU-2026:20453-1 Feature update for himmelblau

This update for himmelblau fixes the following issues: Update to himmelblau 2.3.8 jscPED-14511: Security issues: - CVE-2025-54882: world readable cloud TGT token bsc1247735. - CVE-2025-58160: tracing-subscriber: Tracing log pollution bsc1249013. - CVE-2026-25727: time: parsing of user-provided...

SUSE-FU-2026:20990-1 Feature update for himmelblau

This update for himmelblau fixes the following issues: Update to himmelblau 2.3.8 jscPED-14511: Security issues: - CVE-2025-54882: world readable cloud TGT token bsc1247735. - CVE-2025-58160: tracing-subscriber: Tracing log pollution bsc1249013. - CVE-2026-25727: time: parsing of user-provided...

VibeGuard: A Security Gate Framework for AI-Generated Code

"Vibe coding," in which developers delegate code generation to AI assistants and accept the output with little manual review, has gained rapid adoption in production settings. On March 31, 2026, Anthropic's Claude Code CLI shipped a 59.8 MB source map file in its npm package, exposing roughly...

[SECURITY] Fedora 43 Update: rust-cargo-rpmstatus-0.2.4-3.fc43

Cargo-tree for RPM packaging...

[SECURITY] Fedora 44 Update: rust-cargo-rpmstatus-0.2.4-3.fc44

Cargo-tree for RPM packaging...

CVE-2025-52645

HCL AION is affected by a vulnerability where model packaging and distribution mechanisms may not include sufficient authenticity verification. This may allow the possibility of unverified or modified model artifacts being used, potentially leading to integrity concerns or unintended behaviour...

Malicious code in facebookresearch (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 b2532cd269873dbda78f99b9e22ab736c64c48ba32fa5c27deaf173fdbf33397 Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

CLSA-2026-1774373385 Update of lkrg-kmod

Split RPM specs according to Fedora kmod packaging guidelines, one spec for kmod, one for userspace - Import modsign macros if requested by the module build - Make lkrg into a meta package which pulls lkrg-kmod and the systemd unit definition - Add lkrgtest module for testing and demonstrating...