1673 matches found

Positive Technologies
added 2025/09/05 12:00 a.m. · 2 views

PT-2025-36339

Name of the Vulnerable Software and Affected Versions: Roo Code versions 3.26.6 and below. Description: Roo Code is an AI-powered autonomous coding agent. A GitHub workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to achieve Remote Code Execution (RCE) on...

CVSS 9.9 · AI score 7.4 · EPSS 0.00614
Exploits 0 · References 11

Tenable Nessus
added 2025/08/30 12:00 a.m. · 2 views

Linux Distros Unpatched Vulnerability : CVE-2025-47928

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using pull_request_target on...

CVSS 9.1 · AI score 7.3 · EPSS 0.0029
Exploits 0 · References 2

Snyk
added 2025/08/29 4:42 p.m. · 2 views

Relative Path Traversal

Overview: Affected versions of this package are vulnerable to Relative Path Traversal via insufficient validation in the getConfigFile function in the UIConfigRest class. An attacker can gain unauthorized access to files located in directories that share a common prefix with the intended folder by...

CVSS 6.9 · AI score 5.8 · EPSS 0.0012
Exploits 0 · References 2

The Hacker News
added 2025/08/28 10:36 a.m. · 5 views

Malicious Nx Packages in 's1ngularity' Attack Leaked 2,349 GitHub, Cloud, and AI Credentials

The maintainers of the nx build system have alerted users to a supply chain attack that allowed attackers to publish malicious versions of the popular npm package and other auxiliary plugins with data-gathering capabilities. "Malicious versions of the nx package, as well as some supporting plugin...

AI score 7.3
Exploits 0

Fedora
added 2025/08/27 1:25 a.m. · 2 views

[SECURITY] Fedora 42 Update: keylime-agent-rust-0.2.8-1.fc42

The Keylime agent Requires: keylime-base Requires: keylime-agent-rust-pull...

CVSS 8.8 · AI score 7.1 · EPSS 0.00151
Exploits 1

Github Security Blog
added 2025/08/26 6:42 p.m. · 8 views

GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation

Summary: A query depth restriction using the max-depth property can be bypassed if ignoreIntrospection is enabled (which is the default configuration) by naming your query/fragment schema. Details: At the start of the countDepth function, we have the following check for the ignoreIntrospection option...

AI score 7
Exploits 0 · References 4 · Affected Software 1

Github Security Blog
added 2025/08/26 4:19 p.m. · 7 views

traQ Allows Insertion of Sensitive Information into Log File

Impact: A vulnerability exists where sensitive information, such as OAuth tokens, is recorded in log files when an error occurs during the execution of an SQL query. An attacker could intentionally trigger an SQL error by methods such as placing a high load on the database. This could allow an...

CVSS 5.9 · AI score 6.8 · EPSS 0.00116
Exploits 0 · References 7 · Affected Software 1

Tenable Nessus
added 2025/08/21 12:00 a.m. · 4 views

Linux Distros Unpatched Vulnerability : CVE-2023-32732

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - gRPC contains a vulnerability whereby a client can cause a termination of connection between an HTTP2 proxy and a gRPC server: a base64 encoding error for -bin...

CVSS 5.3 · AI score 6.5 · EPSS 0.00024
Exploits 0 · References 3

Tenable Nessus
added 2025/08/15 12:00 a.m. · 2 views

Ollama <= 0.9.6 Cross-Domain Token Exposure

The version of Ollama installed on the remote host is 0.9.6 or earlier. It is, therefore, affected by a vulnerability. Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.9.6 allows remote attackers to steal authentication tokens and bypass access controls via a malicious...

CVSS 6.9 · AI score 7.5 · EPSS 0.00056
Exploits 2 · References 2

Tenable Nessus
added 2025/08/15 12:00 a.m. · 2 views

Linux Distros Unpatched Vulnerability : CVE-2025-47947

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx. Versions up to and including 2.9.8 are vulnerable t...

CVSS 7.5 · AI score 7.2 · EPSS 0.00615
Exploits 1 · References 2

OSSF Malicious Packages
added 2025/08/14 6:52 p.m. · 2 views

Malicious code in pull-goth-lsk (npm)

The package pull-goth-lsk was found to contain malicious code...

AI score 7
Exploits 0

OSV
added 2025/08/14 6:52 p.m. · 1 view

MAL-2025-30831 Malicious code in pull-goth-lsk (npm)

The package pull-goth-lsk was found to contain malicious code...

AI score 7.2
Exploits 0

Tenable Nessus
added 2025/08/11 12:00 a.m. · 2 views

Linux Distros Unpatched Vulnerability : CVE-2025-21891

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ipvlan: ensure network headers are in skb linear part. syzbot found that ipvlan_process_v6_outbound was assuming the IPv6 network header is present in skb->head [1]...

CVSS 5.5 · AI score 6.8 · EPSS 0.00021
Exploits 0 · References 4

Tenable Nessus
added 2025/08/09 12:00 a.m. · 1 view

Linux Distros Unpatched Vulnerability : CVE-2024-40996

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: bpf: Avoid splat in pskb_pull_reason. syzkaller builds (CONFIG_DEBUG_NET=y) frequently trigger a...

CVSS 7.8 · AI score 6.4 · EPSS 0.00027
Exploits 0 · References 2

SUSE CVE
added 2025/08/08 11:22 p.m. · 1 view

SUSE CVE-2025-44779

An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull...

CVSS 6.6 · AI score 7 · EPSS 0.0008
Exploits 0 · References 4

PyPA
added 2025/08/07 4:15 p.m. · 5 views

PYSEC-2025-146

An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull...

CVSS 6.6 · AI score 5.9 · EPSS 0.0008
Exploits 0 · References 3 · Affected Software 1

OSV
added 2025/08/07 4:15 p.m. · 0 views

PYSEC-2025-146

An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull...

CVSS 6.6 · AI score 5.9 · EPSS 0.0008
Exploits 0 · References 3

OSV
added 2025/08/07 4:15 p.m. · 2 views

CVE-2025-44779

An issue in Ollama v0.1.33 allows attackers to delete arbitrary files via sending a crafted packet to the endpoint /api/pull...

CVSS 6.6 · AI score 7.1 · EPSS 0.0008
Exploits 0 · References 3

Snyk
added 2025/08/07 3:41 p.m. · 1 view

Incorrect Permission Assignment for Critical Resource

Overview: Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource via the /api/pull endpoint. An attacker can remove files from the file system by sending a specially crafted packet to this endpoint. Remediation: Upgrade...

CVSS 7.6 · AI score 7 · EPSS 0.0008
Exploits 0 · References 2

Positive Technologies
added 2025/08/07 12:00 a.m. · 3 views

PT-2025-32263 · Ollama · Ollama

Name of the Vulnerable Software and Affected Versions: Ollama version 0.1.33. Description: An issue allows attackers to delete arbitrary files by sending a crafted packet to the /api/pull endpoint. Recommendations: Update to a newer version that contains a fix for this issue. As a temporary...

CVSS 6.6 · AI score 6.8 · EPSS 0.0008
Exploits 0 · References 11
