MAL-2026-2506 Malicious code in @fairwords/encryption (npm)
The @fairwords/encryption package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+ environment variab...
MAL-2026-2508 Malicious code in @fairwords/websocket (npm)
The @fairwords/websocket package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes node scripts/check-env.js || true which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+ environment variabl...
Updated python-pygments packages fix security vulnerability
A security flaw in the Pygments AdlLexer function in archetype.py stems from a regular expression with inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. CVE-2026-4539...
MGASA-2026-0090 Updated python-pygments packages fix security vulnerability
A security flaw in the Pygments AdlLexer function in archetype.py stems from a regular expression with inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. CVE-2026-4539...
aleph-client (>=1.0.0 <=1.9.3), aleph-sdk-python (>=1.0.0 <=2.3.4) +43 more potentially affected by CVE-2024-28102 +1 more via jwcrypto (>=1.0.0 <=1.5.6)
jwcrypto PYPI version =1.0.0, =1.0.0, =1.0.0, =0.1.0, =0.1.0, =0.1.0, =0.11.0rc1, =2.0.0, =0.1.0, =0.1.0, =0.1.0, =3.41.0, =0.0.0.1, =0.1.7, =2.5.0, =3.0.0 and more Source cves: CVE-2024-28102, CVE-2026-39373 Source advisory: SNYK:PYTHON-JWCRYPTO-15928841...
EUVD-2026-19911
JWCrypto: JWE ZIP decompression bomb...
01os (>=0.0.1 <=0.0.14), 0xpwn (=0.1.1) +734 more potentially affected by unknown CVE via litellm (>=1.0.0 <=1.82.6)
litellm PYPI version =1.0.0, =0.0.1, =0.0.1a0, =0.3.5, =0.7.3, =0.1.0, =0.4.0, =0.8.1, =0.1.0, =0.1.39, =0.2.1, =0.2.1.10102025 - agent-memory-server =0.15.0 - agent-opt =0.0.1 and more Source cves: unknown CVE Source advisory: SNYK:PYTHON-LITELLM-15928842...
RHEL 9 : python3.12 (RHSA-2026:7010)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2026:7010 advisory. Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic dat...
Oracle Linux 9 : python3.9 (ELSA-2026-6766)
The remote Oracle Linux 9 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2026-6766 advisory. - Security fix for CVE-2026-4519 Resolves: RHEL-158052 Tenable has extracted the preceding description block directly from the Oracle Linux security advisory...
Mageia: Security Advisory (MGASA-2026-0090)
The remote host is missing an update for the ... SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-pyOpenSSL (SUSE-SU-2026:1192-1)
The remote SUSE Linux SLED15 / SLEDSAP15 / SLES15 / SLESSAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1192-1 advisory. - CVE-2026-27448: unhandled exception can result in connection not being cancelled bsc1259804. -...
SUSE SLES12 Security Update : python-PyJWT (SUSE-SU-2026:1199-1)
The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:1199-1 advisory. - CVE-2026-32597: Fixed acceptance of unknown crit header extensions (bsc#1259616). Tenable has extracted the preceding description block directly fr...
python311-social-auth-app-django-5.7.0-1.1 on GA media (moderate)
python311-social-auth-app-django-5.7.0-1.1 on GA media Announcement ID: openSUSE-SU-2026:10499-1 Rating: moderate Cross-References: CVE-2025-61783 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed ...
Ubuntu: Security Advisory (USN-8154-1)
The remote host is missing an update for the ... SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
PT-2026-31324
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Prior to 17.4.8 and 17.10.1, an improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python...
cryptography security vulnerability
cryptography is a Python cryptographic authority open-source library. Versions of cryptography from 45.0.0 to 46.0.7 had security vulnerabilities; these vulnerabilities stemmed from improper buffer handling, which could lead to buffer overflows...
PT-2026-31459
Name of the Vulnerable Software and Affected Versions: cryptography versions 45.0.0 through 46.0.6. Description: The cryptography package, designed for cryptographic primitives in Python, contains a flaw where non-contiguous buffers passed to APIs accepting Python buffers (e.g., Hash.update) can lead ...
SUSE SLES15 / openSUSE 15 Security Update : python (SUSE-SU-2026:1206-1)
The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1206-1 advisory. - CVE-2025-13462: incorrect parsing of TarInfo when GNU long name and type AREGTYPE are combined can lead to misinterpretation of...
SUSE CVE-2026-34444
Lupa integrates the runtimes of Lua or LuaJIT2 into CPython. In 2.6 and earlier, attributefilter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacker to bypass the intended restrictions and eventually achieve arbitra...
CVE-2026-35050
text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.1.1, users can save extension settings in "py" format and in the app root directory. This allows Python files to be overwritten; for instance, the "download-model.py" file could be overwritten. Then, thi...