CVE-2026-45243

Summarize prior to 0.15.1 contains a missing authorization vulnerability in the content script window.postMessage bridge that allows malicious pages to perform unauthorized operations on automation artifacts. Attackers can simulate runtime messages with spoofed sender identifiers to list, read,...

com.squareup.wire:wire-grpc-client (>=7.0.0-alpha01 <=7.0.0-alpha02), com.squareup.wire:wire-schema (>=7.0.0-alpha01 <=7.0.0-alpha02) +1 more potentially affected by CVE-2026-45799 via com.squareup.wire:wire-runtime (>=7.0.0-alpha01 <=7.0.0-alpha02)

com.squareup.wire:wire-runtime MAVEN version =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha02 Source cves: CVE-2026-45799 Source advisory: SNYK:JAVA-COMSQUAREUPWIRE-16771313...

ai.looktech.ltrpc.schema:app-server (>=1.0.2 <=2.7.0), ai.looktech.ltrpc.schema:bt-app (=1.0.1) +492 more potentially affected by CVE-2026-45799 via com.squareup.wire:wire-runtime (>=1.0.0 <=6.2.0)

com.squareup.wire:wire-runtime MAVEN version =1.0.0, =1.0.2, =1.0.2, =0.0.1, =0.0.2, =0.1.1, =0.2.7, =0.2.7, =0.2.7, =0.1.1, =0.2.7, =0.7.21, =0.7.21, =0.7.21, =0.7.24 and more Source cves: CVE-2026-45799 Source advisory: OSV:GHSA-7XPR-HC2W-34M9...

ai.pipestream:account-service (>=0.0.2 <=0.0.18), ai.pipestream:connector-admin-service (>=0.1.1 <=0.1.18) +412 more potentially affected by CVE-2026-45799 via com.squareup.wire:wire-runtime-jvm (>=3.0.0-alpha03 <=5.3.3)

com.squareup.wire:wire-runtime-jvm MAVEN version =3.0.0-alpha03, =0.0.2, =0.1.1, =0.2.7, =0.2.7, =0.2.7, =0.1.1, =0.2.7, =0.7.21, =0.7.21, =0.7.21, =0.1.7, =0.0.1, =0.7.24 and more Source cves: CVE-2026-45799 Source advisory: OSV:GHSA-7XPR-HC2W-34M9...

com.squareup.wire:com.squareup.wire.gradle.plugin (>=7.0.0-alpha01 <=7.0.0-alpha02), com.squareup.wire:wire-compiler (>=7.0.0-alpha01 <=7.0.0-alpha02) +11 more potentially affected by CVE-2026-45799 via com.squareup.wire:wire-runtime-jvm (>=7.0.0-alpha01 <=7.0.0-alpha02)

com.squareup.wire:wire-runtime-jvm MAVEN version =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha02 Source...

ai.looktech.ltrpc.schema:app-server (>=2.0.0 <=2.7.0), ai.looktech.ltrpc.schema:bt-server (>=2.0.0 <=2.7.0) +49 more potentially affected by CVE-2026-45799 via com.squareup.wire:wire-runtime (>=6.0.0-alpha01 <=6.2.0)

com.squareup.wire:wire-runtime MAVEN version =6.0.0-alpha01, =2.0.0, =2.0.0, =1.5.0-alpha05, =1.5.0-alpha05, =1.5.0-alpha05, =1.0.0-alpha06, =2.0.0-alpha04, =2026.03.19.180705-f87ffc7, =2026.03.19.180705-f87ffc7, =2026.03.19.180705-f87ffc7, =2026.03.19.180705-f87ffc7, =2026.03.19.180705-f87ffc7,...

ai.looktech.ltrpc.schema:app-server-android (>=2.0.0 <=2.7.0), ai.looktech.ltrpc.schema:app-server-jvm (>=2.0.0 <=2.7.0) +110 more potentially affected by CVE-2026-45799 via com.squareup.wire:wire-runtime-jvm (>=6.0.0-alpha01 <=6.2.0)

com.squareup.wire:wire-runtime-jvm MAVEN version =6.0.0-alpha01, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =1.5.0-alpha05, =1.5.0-alpha05, =1.5.0-alpha05, =1.5.0-alpha05, =1.5.0-alpha05, =2.0.0-alpha04, =2.0.0-alpha04, =2.0.0-alpha04, =2026.03.26.140500-911435f, =2026.03.26.140500-911435f,...

com.squareup.wire:wire-grpc-client (>=7.0.0-alpha01 <=7.0.0-alpha02), com.squareup.wire:wire-schema (>=7.0.0-alpha01 <=7.0.0-alpha02) +1 more potentially affected by CVE-2026-45799 via com.squareup.wire:wire-runtime (>=7.0.0-alpha01 <=7.0.0-alpha02)

com.squareup.wire:wire-runtime MAVEN version =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha01, =7.0.0-alpha02 Source cves: CVE-2026-45799 Source advisory: OSV:GHSA-7XPR-HC2W-34M9...

GHSA-7XPR-HC2W-34M9 Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service

CVE-2026-45799 Maintainer summary Wire's protobuf group-skipping logic did not reject negative lengths before skipping a length-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an unchecked runtime exception during decoding instead of the documented IOException...

Wire: skipGroup() missing negative-length check allows 10-byte payload to crash any Wire-decoding service

CVE-2026-45799 Maintainer summary Wire's protobuf group-skipping logic did not reject negative lengths before skipping a length-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an unchecked runtime exception during decoding instead of the documented IOException...

Improper Validation of Array Index

Overview Affected versions of this package are vulnerable to Improper Validation of Array Index in the skipGroup function. An attacker can cause a service crash by sending a crafted protobuf payload with a negative length in a length-delimited field inside a group, leading to an unchecked runtime...

Improper Validation of Array Index

Overview Affected versions of this package are vulnerable to Improper Validation of Array Index in the skipGroup function. An attacker can cause a service crash by sending a crafted protobuf payload with a negative length in a length-delimited field inside a group, leading to an unchecked runtime...

MAL-2026-4734 Malicious code in xorma-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd1e155ef0f73465f5fe6f401a4f90c521d5268eb65bb9bc594caa4a69732260 On require'xorma-js', a top-level IIFE in dist/index.js synchronously executes npm uninstall clsx-js && npm install clsx-js via childprocess.execSync...

crun: crun: Privilege escalation due to incorrect parsing of the `--user` option

A flaw was found in crun, an open-source OCI Container Runtime. A local user can exploit this vulnerability due to incorrect parsing of the --user option when using crun exec. The value 1 is misinterpreted as root privileges User ID 0 and Group ID 0 instead of the intended User ID 1 and Group ID ...

GHSA-W4VJ-R5PG-3722 Mailpit: Concurrent map read & write in proxy CSS rewriter - remote unauth crash (fatal error: concurrent map read and map write)

Summary The screenshot/print proxy /proxy?data=… maintains a package-level assets mapstringMessageAssets cache, but reads the map without holding assetsMutex while a long-running cleanup goroutine and re-entrant CSS-rewriting code path concurrently write to it under the lock. When the...

fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode

When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain...

kernel: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime

In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Assuming the "rx-vlan-filter" feature is enabled on a net device, the 8021q module will automatically add or remove VLAN 0 when the net device is put...

Moderate: Red Hat Security Advisory: crun security update

An update for crun is now available for Red Hat Enterprise Linux 10. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the...

Introducing Runtime Threat Detection for Google Cloud Run

Wiz Runtime Sensor support for Google Cloud Run Containers is now generally available, giving teams real-time threat detection and response for their serverless container workloads...

kernel: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime

In the Linux kernel, the following vulnerability has been resolved: net: vlan: fix VLAN 0 refcount imbalance of toggling filtering during runtime Assuming the "rx-vlan-filter" feature is enabled on a net device, the 8021q module will automatically add or remove VLAN 0 when the net device is put...