
10 matches found

Positive Technologies
added 2026/05/08 12:0 a.m., 8 views

PT-2026-39262

Name of the Vulnerable Software and Affected Versions: MCP Registry versions prior to 1.7.6. Description: The GitHub OIDC flow for both client and server is bound to a global audience string instead of the specific registry instance being targeted. On the client side, the publisher always appends...

CVSS 4.7, AI score 5.9, EPSS 0.00012
Exploits: 0, References: 9

Vulnrichment
added 2026/02/27 9:20 p.m., 3 views

CVE-2026-28406 kaniko has tar archive path traversal in build context extraction allows writing files outside destination directory

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives using filepath.Join(dest, cleanedName) without enforcing that the final path stays within dest. A ta...

CVSS 8.2, AI score 6.3, EPSS 0.00075
Exploits: 0, References: 3

ATTACKERKB
added 2026/02/27 9:20 p.m., 4 views

CVE-2026-28406

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives using filepath.Join(dest, cleanedName) without enforcing that the final path stays within dest. A ta...

CVSS 8.2, AI score 6.3, EPSS 0.00075
Exploits: 0, References: 4, Affected Software: 1

EUVD
added 2026/02/27 9:20 p.m., 2 views

EUVD-2026-9077

kaniko is a tool to build container images from a Dockerfile, inside a container or Kubernetes cluster. Starting in version 1.25.4 and prior to version 1.25.10, kaniko unpacks build context archives using filepath.Join(dest, cleanedName) without enforcing that the final path stays within dest. A ta...

CVSS 8.2, AI score 6.3, EPSS 0.00075
Exploits: 0, References: 3

Snyk
added 2025/11/25 2:18 p.m., 1 views

Improper Removal of Sensitive Information Before Storage or Transfer

Overview: Affected versions of this package are vulnerable to Improper Removal of Sensitive Information Before Storage or Transfer in the form of registry credentials in JSON output files. When registry authentication is configured, an attacker can obtain registry credentials or other values e.g...

CVSS 8.2, AI score 6.9, EPSS 0.00021
Exploits: 0, References: 2

OSSF Malicious Packages
added 2025/07/31 7:24 p.m., 1 views

Malicious code in asdqweasdregistry-auth-token (npm)

--- -= Per source details. Do not edit below this line.=-...

AI score 7
Exploits: 0

OSV
added 2025/03/17 8:15 p.m., 1 views

UBUNTU-CVE-2025-0495

Buildx is a Docker CLI plugin that extends build capabilities using BuildKit. Cache backends support credentials by setting secrets directly as attribute values in cache-to/cache-from configuration. When supplied as user input, these secure values may be inadvertently captured in OpenTelemetry...

CVSS 4.1, AI score 7.1, EPSS 0.00059
Exploits: 0, References: 4

Hacker One
added 2023/10/26 8:20 p.m., 33 views

Snowplow: Unauthorised ██████████ Auth via Token Leakage & HTTP Header Injection

Summary: We've identified that your Email Filtering mechanism is misconfigured in the way it visits suspicious links. This behavior is dangerous, as data exfiltration is possible when a 3rd party service sends an incoming email containing sensitive data. A great example would be a reset password...

AI score 7.1
Exploits: 0

CNNVD
added 2022/03/30 12:0 a.m., 2 views

PHPSHE Security Vulnerability

PHPSHE is an online shopping mall system from Lingbao Jane Good Network Technology Co. The system supports express tracking, online chat, order evaluation and statistics, and other functions. A denial-of-service vulnerability exists in PHPSHE version V1.8, which originates from mishandling a...

CVSS 7.5, AI score 5.7, EPSS 0.00334
Exploits: 1, References: 2

OpenVAS
added 2011/06/01 12:0 a.m., 18 views

Nmap NSE net: smb-system-info

Pulls back information about the remote system from the registry. Getting all of the information requires an administrative account, although a user account will still get a lot of it. Guest probably won't get any, nor will anonymous. This goes for all operating systems, including Windows 2000...

AI score 7.2
Exploits: 0