120 matches found
GHSA-VH4V-2XQ2-G5CG ORAS Go forwards registry credentials across registry redirects
ORAS Go forwards registry credentials across registry redirects Reporter / public credit: JUNYI LIU Summary ORAS Go can forward registry credentials configured for one registry origin to a different HTTP origin during registry redirects. There are two related paths: 1. A manifest or metadata...
MAL-2026-6698 Malicious code in cursed-modules (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 45b6aab954f9b8edbc759c97eabe39d7a070c4dbe852586422761ad0f8c7ad95 [email protected] executes attacker-controlled code on three separate triggers and operates a bidirectional command channel against a hardcoded...
PT-2026-53024
Name of the Vulnerable Software and Affected Versions regclient affected versions not specified Description Authentication credentials for a registry may be leaked to external servers. This occurs when a malicious registry server, a malicious blob store, or a registry that fails to restrict...
CVE-2026-55180
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm and pacquet expanded $ENVVAR placeholders from repository-controlled .npmrc and pnpm-workspace.yaml into registry request destinations and registry credentials. A malicious repository could cause dependency resolution to send victim...
CVE-2026-50017
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm can send user-level unscoped npm authentication credentials to a registry chosen by a repository-local .npmrc file. In the reproduced case, the user's npm config contains a default registry and an unscoped authToken. The repository does...
Malicious code in arjson (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 00290c05e0c41a8f51d38c629ade5b3fe76f2a89302db8daac669b0c80d13197 package.json declares "preinstall": "./.github/scripts/precheck", which on npm install executes a 976KB UPX-packed Linux ELF binary shipped under...
CVE-2026-5222
CVE-2026-5222 affects Cargo (versions 1.68–1.96) where URLs of third-party registries using the sparse index protocol are incorrectly normalized. If a hosting provider lets multiple registries share a domain with arbitrary names, an attacker who can publish crates in a registry could obtain crede...
@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry
Docker registry auth substring match forwards credentials to a different registry Repository cdxgen/cdxgen Affected product/package - Ecosystem: npm - Package: @cyclonedx/cdxgen - Reviewed tree version: 12.3.3 - Reviewed commit: b1e179869fd7c6032c3d483c3f7bd4d7154ec22b - Affected file:...
Use of Incorrectly-Resolved Name or Reference
Overview @cyclonedx/cdxgen is a Creates CycloneDX Software Bill of Materials SBOM from source or container image Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference in path resolution performed in docker.js, before credential selection. An attacker wh...
CVE-2026-28909
Users who connect to malicious registries with hostnames matching the bypass patterns will have their registry credentials exposed in plaintext. This issue is fixed in container version 0.12.3...
CVE-2026-28909
CVE-2026-28909 affects a container runtime where connecting to malicious registries using hostnames that match bypass patterns can expose registry credentials in plaintext. The issue is mitigated by upgrading to container version 0.12.3. The available sources confirm the vulnerability description...
container 安全漏洞
Container is an open-source tool developed by Apple for creating and running Linux containers on Mac devices. Versions of Container prior to 0.12.3 have a security vulnerability. This vulnerability arises when connecting to hosts with domain names that bypass pattern matching, causing registry...
FreeBSD : Gitlab -- vulnerabilities (73b927a6-3ecd-11f1-be20-2cf05da270f3)
The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 73b927a6-3ecd-11f1-be20-2cf05da270f3 advisory. Gitlab reports: Cross-Site Request Forgery issue in GraphQL API impacts GitLab CE/EE GitLab...
Malicious Package
Overview minify-mangle-names is a malicious package. This package was recognized as part of the 'PhantomRaven' supply chain campaign, which involves credential-stealing malware. The package impersonates well-known ecosystem plugins to deceive developers into installing it. Malicious Behavior The...
CVE-2025-67860
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users...
CVE-2025-67860
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users...
CVE-2025-67860
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users...
CVE-2025-67860
A vulnerability has been identified in the NeuVector scanner where the scanner process accepts registry and controller credentials as command-line arguments, potentially exposing sensitive credentials to local users...
CVE-2025-67860
NeuVector scanner (CVE-2025-67860) is affected: the scanner process accepts registry and controller credentials via command-line arguments, potentially exposing sensitive credentials to local users. Root cause: credentials handled in command-line context. Impact: limited confidentiality risk (Low...
Harvester 安全漏洞
Harvester is a modern, open, interoperable, Kubernetes-based hyper-converged infrastructure HCI solution developed by harvesterhci. Harvester has a security vulnerability, which stems from the scanner process accepting registry and controller credentials as command-line parameters, potentially...