1273 matches found

OSSF Malicious Packages
added 5 days ago, 7 views

Malicious code in ethereum-gas-reporter (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7303c828115a527d477ea14684b3015e43fdcd36a7fa94041c16ccb3c2fbcfcc index.js line 144 contains require'chai-assert-kit' appended after the module's normal exports, with no other reference to chai-assert-kit anywhere i...

AI score: 5.9
Exploits: 0, References: 2
OSV
added 5 days ago, 6 views

MAL-2026-6202 Malicious code in ethereum-gas-reporter (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7303c828115a527d477ea14684b3015e43fdcd36a7fa94041c16ccb3c2fbcfcc index.js line 144 contains require'chai-assert-kit' appended after the module's normal exports, with no other reference to chai-assert-kit anywhere i...

AI score: 5.9
Exploits: 0, References: 2
OSV
added 2026/06/11 12:37 a.m., 5 views

CLEANSTART-2026-KV53168 Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU

Security vulnerability affects the kyverno-policy-reporter-kyverno-plugin package. Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume excessive CPU...

CVSS: 9.8, AI score: 5.5, EPSS: 0.0056
Exploits: 0, References: 3
Chainguard
added 2026/06/04 7:17 p.m., 7 views

GHSA-VVGJ-X9JQ-8CJ9 vulnerabilities

Vulnerabilities for packages: dkron-fips, kyverno-policy-reporter-plugins-trivy-fips, prometheus-blackbox-exporter-fips, opentelemetry-operator-fips, kubernetes-dns-node-cache-fips, traefik-fips, k8sgateway, eks-distro-fips, k8sgateway-fips, rke2-runtime-fips, kubo, teleport, kubo-fips,...

AI score: 5.8
Exploits: 0
Chainguard
added 2026/06/04 7:17 p.m., 9 views

CVE-2026-40898 vulnerabilities

Vulnerabilities for packages: dkron-fips, kyverno-policy-reporter-plugins-trivy-fips, prometheus-blackbox-exporter-fips, opentelemetry-operator-fips, kubernetes-dns-node-cache-fips, traefik-fips, k8sgateway, eks-distro-fips, k8sgateway-fips, rke2-runtime-fips, kubo, teleport, kubo-fips,...

CVSS: 7.5, AI score: 5.8, EPSS: 0.00279
Exploits: 0
Snyk
added 2026/06/01 3:13 p.m., 6 views

Malicious Package

Overview nemo-reporter is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS: 9.8, AI score: 5.8
Exploits: 0, References: 2
Github Security Blog
added 2026/06/01 2:05 p.m., 13 views

Nezha's authenticated agents can forge service-monitor results for other users' services

Summary Nezha accepts service-monitor TaskResult messages from an authenticated agent based only on whether the reported service ID exists. The dashboard authenticates the agent and derives the reporter server ID from the gRPC stream, but the service-monitor result worker does not verify that the...

CVSS: 7.1, AI score: 5.8, EPSS: 0.00266
Exploits: 0, References: 3, Affected Software: 1
Positive Technologies
added 2026/06/01 12:00 a.m., 12 views

PT-2026-45493

Name of the Vulnerable Software and Affected Versions Nezha Monitoring versions 0.20.0 through 2.0.11 Description Authenticated agents can forge service-monitor results for services belonging to other users. The system accepts TaskResult messages from an authenticated agent based solely on whethe...

CVSS: 7.1, AI score: 5.4, EPSS: 0.00266
Exploits: 0, References: 8
OSV
added 2026/05/28 6:55 p.m., 10 views

GHSA-7J6W-VVW2-5F9C OpenBao's Kerberos Auth Method Accumulates Unaccessible Tokens

Impact In OpenBao's Kerberos auth method on the GET handler, or when an Authorization: Negotiate header is supplied, the response includes a logical.Auth object in addition to an error message. This results in tokens being created with only the default policy, default TTL, and no entity...

CVSS: 5.3, AI score: 5.8, EPSS: 0.00083
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/28 8:44 a.m., 10 views

Malicious code in nemo-reporter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 42a43ec0a345170ad191fa1c25bdd4000595aa8ce733c6b9c69de6b65a1defb2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.8
Exploits: 0, References: 1
OSV
added 2026/05/28 8:44 a.m., 6 views

MAL-2026-4836 Malicious code in nemo-reporter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 42a43ec0a345170ad191fa1c25bdd4000595aa8ce733c6b9c69de6b65a1defb2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.8
Exploits: 0, References: 1
SUSE CVE
added 2026/05/28 3:56 a.m., 11 views

SUSE CVE-2026-45907

In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Fix deadlocks between devlink and netdev instance locks In the mentioned "Fixes" commit, various work tasks triggering devlink health reporter recovery were switched to use netdevtrylock to protect against concurrent...

AI score: 5.8, EPSS: 0.00198
Exploits: 0, References: 3
Positive Technologies
added 2026/05/21 12:00 a.m., 9 views

PT-2026-42562

Name of the Vulnerable Software and Affected Versions Concrete CMS versions prior to 9.5.1 Description Unauthenticated users can access page metadata on any page that has a configured summary template. This allows for the disclosure of private, draft, and restricted pages, leaking information suc...

CVSS: 6.3, AI score: 5.8, EPSS: 0.00195
Exploits: 0, References: 4
OSV
added 2026/05/18 1:44 p.m., 9 views

CLEANSTART-2026-GB46352 Security fixes for CVE-2025-0913, CVE-2025-4673, CVE-2025-47907, CVE-2026-25679, CVE-2026-26958, CVE-2026-27139, CVE-2026-27141, CVE-2026-27142, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33186, CVE-2026-33810, CVE-2026-34986, CVE-2026-39883, ghsa-2464-8j7c-4cjm, ghsa-78h2-9frx-2jm8, ghsa-fw7p-63qq-7hpr, ghsa-hfvc-g4fc-pqhx, ghsa-p77j-4mvh-x3m3, ghsa-xmrv-pmrh-hhx2 applied in versions: 3.3.2-r0, 3.5.0-r0, 3.7.2-r0, 3.7.3-r0, 3.7.3-r1, 3.7.3-r2, 3.7.4-r0

Multiple security vulnerabilities affect the kyverno-policy-reporter-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

CVSS: 9.1, AI score: 6.9, EPSS: 0.0056
Exploits: 2, References: 41
Wolfi
added 2026/05/16 1:48 p.m., 9 views

GHSA-GXHX-2686-5H9G vulnerabilities

Vulnerabilities for packages: goreleaser, bento, argo-cd, kubewatch, kyverno-policy-reporter, kubernetes-event-exporter, atlantis, argo-rollouts, argo-events...

AI score: 5.8
Exploits: 0
CVE
added 2026/05/12 10:46 p.m., 17 views

CVE-2026-44245

CVE-2026-44245 affects Kyverno's policy-reporter-ui where the PropertyCard.vue component uses Vue.js v-html to render non-URL strings, bypassing escaping and allowing stored HTML payloads from Kubernetes PolicyReport.results[].properties to flow into the DOM. The isURL() guard only filters http/h...

CVSS: 6.1, AI score: 5.9, EPSS: 0.00183
Exploits: 1, References: 1, Affected Software: 1
Vulnrichment
added 2026/05/12 10:46 p.m., 4 views

CVE-2026-44245 Kyverno: [policy-reporter-ui] XSS via Stored Property Values in PropertyCard Component

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to 2.5.2, Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses...

CVSS: 6.1, AI score: 5.9, EPSS: 0.00183
Exploits: 1, References: 1
OSV
added 2026/05/11 2:43 p.m., 5 views

GHSA-M5P4-GVPX-4MVR GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content

Summary GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject ANSI or OSC escape sequences into analyst terminals or CI logs...

CVSS: 5.0, AI score: 5.8, EPSS: 0.00113
Exploits: 0, References: 3
Apple
added 2026/05/11 12:00 a.m., 17 views

About the security content of macOS Sequoia 15.7.7

About the security content of macOS Sequoia 15.7.7 This document describes the security content of macOS Sequoia 15.7.7. About Apple security updates For our customers' protection, Apple doesn't disclose, discuss, or confirm security issues until an investigation has occurred and patches or...

CVSS: 8.8, AI score: 6.4, EPSS: 0.01385
Exploits: 1, References: 1, Affected Software: 1
Chainguard
added 2026/05/09 7:17 p.m., 5 views

GHSA-PMWQ-PJRM-6P5R vulnerabilities

Vulnerabilities for packages: crossplane-fips, chainctl, chainctl-fips, kubescape-server-fips, cosign, docker, buildkitd-fips, tekton-chains-fips, kyverno-policy-reporter-plugins-kyverno-fips, cosign-fips, kubescape-server, docker-cli-buildx-fips, chainloop-control-plane-fips, docker-cli-buildx,...

AI score: 5.8
Exploits: 0