11 matches found

Snyk
added 2026/05/11 9:0 p.m. | 7 views

Embedded Malicious Code

Overview: Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential stealer worm. A malicious actor managed to extract a GitHub Actions OIDC token from the runner process and publish tampered versions of 42 @tanstack/ packages to npm, which then spread ...

CVSS 9.8 | AI score 5.8
Exploits: 0 | References: 2
Snyk
added 2026/04/25 11:39 p.m. | 3 views

Cleartext Storage of Sensitive Information

Overview: Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information in the form of all state directory files, including the WireGuard private key file, being included in archives by default. The runTool function does not remove this file before archiving. Using...

CVSS 8.1 | AI score 5.4 | EPSS 0.00005
Exploits: 0 | References: 2
EUVD
added 2026/01/18 10:10 p.m. | 3 views

EUVD-2026-3193

1Panel is an open-source, web-based control panel for Linux server management. A stored Cross-Site Scripting (XSS) vulnerability exists in the 1Panel App Store when viewing application details. Malicious scripts can execute in the context of the user’s browser, potentially compromising session data...

CVSS 6.4 | AI score 5.5 | EPSS 0.00113
Exploits: 0 | References: 1
Tenable Nessus
added 2026/01/13 12:0 a.m. | 8 views

MiracleLinux 7 : tomcat-7.0.76-16.0.3.el7.AXS7 (AXSA:2025-10787:07)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2025-10787:07 advisory. CVE-2025-24813: fix path equivalence vulnerability leading to remote code execution and information disclosure CVEs: CVE-2025-24813 Path Equivalence:...

CVSS 10 | AI score 9.2 | EPSS 0.9413
Exploits: 44 | References: 2
EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2025-24559

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 6.5 | EPSS 0.01022
Exploits: 0 | References: 8
UbuntuCve
added 2025/09/30 12:0 a.m. | 2 views

CVE-2025-9231

Issue summary: A timing side-channel which could potentially allow remote recovery of the private key exists in the SM2 algorithm implementation on 64 bit ARM platforms. Impact summary: A timing side-channel in SM2 signature computations on 64 bit ARM platforms could allow recovering the private...

CVSS 6.5 | AI score 7 | EPSS 0.00038
Exploits: 0 | References: 2
CVE
added 2025/09/09 8:26 p.m. | 39 views

CVE-2025-59037

CVE-2025-59037 covers DuckDB npm packages where four Node.js packages were briefly compromised with malware: @duckdb/[email protected], @duckdb/[email protected], [email protected], and @duckdb/[email protected]. The malicious versions attempted to interfere with cryptocurrency transactions. DuckDB de...

CVSS 8.6 | AI score 7.2 | EPSS 0.00096
Exploits: 0 | References: 3
F5 Networks
added 2025/02/06 12:31 a.m. | 13 views

K000149655: PHP vulnerabilities CVE-2024-11236, CVE-2024-8929, CVE-2024-8932

Security Advisory Description. CVE-2024-11236: In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, uncontrolled long string inputs to the ldap_escape function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write. CVE-2024-8929: In PHP versions 8.1...

CVSS 9.8 | AI score 6.5 | EPSS 0.00663
Exploits: 2
RedhatCVE
added 2025/02/05 2:54 p.m. | 3 views

CVE-2020-15195

In Tensorflow before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, the implementation of SparseFillEmptyRowsGrad uses a double indexing pattern. It is possible for reverse_index_map(i) to be an index outside of bounds of grad_values, thus resulting in a heap buffer overflow. The issue is patched in...

CVSS 8.8 | AI score 6.8 | EPSS 0.00355
Exploits: 1
OSV
added 2022/11/22 1:15 a.m. | 0 views

AZL-44820 CVE-2022-41940 affecting package js-jquery 3.5.0-4

Engine.IO is the implementation of transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io...

CVSS 6.5 | AI score 7.3 | EPSS 0.02169
Exploits: 1 | References: 1
vulnersOsv
added 2021/12/01 6:29 p.m. | 2 views

@backstage/plugin-auth-backend (>=0.0.0-nightly-20240122021809 <=0.24.5), @backstage/plugin-auth-backend-module-aws-alb-provider (>=0.0.0-nightly-20240126021148 <=0.4.16-next.0) +9 more potentially affected by CVE-2021-43776 via @backstage/plugin-auth-backend (>=0.0.0-nightly-20240929023448 <=0.4.10)

@backstage/plugin-auth-backend NPM version =0.0.0-nightly-20240929023448, =0.0.0-nightly-20240122021809, =0.0.0-nightly-20240126021148, =0.0.0-nightly-20240122021809, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =5.0.0-alpha.1, =1.0.0, =0.2.0, =1.0.0, =1.2.0...

CVSS 7.4 | AI score 6.7 | EPSS 0.00311
Exploits: 0