
88 matches found

Tenable Nessus
added 2026/05/10 12:00 a.m., 6 views

openSUSE 16 Security Update : build, product-composer (openSUSE-SU-2026:20676-1)

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2026:20676-1 advisory. Changes in build: - Support a new IgnoreRebuild config. - build-recipe-kiwi: Add support for oci containers; avoid needlessly compressing container image...

CVSS 7.3, AI score 5.8, EPSS 0.00033
Exploits: 0, References: 3
OSV
added 2026/05/05 6:49 a.m., 2 views

OPENSUSE-SU-2026:20676-1 Security update for build, product-composer

This update for build, product-composer fixes the following issues: Changes in build: - Support a new "IgnoreRebuild" config. - build-recipe-kiwi: Add support for oci containers; avoid needlessly compressing container images; detect container images based on build result file name. - Fix queryrecipe...

CVSS 7.3, AI score 5.8, EPSS 0.00033
Exploits: 0, References: 2
Github Security Blog
added 2026/04/14 10:32 p.m., 5 views

Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write

Impact: This vulnerability impacts users of zarf package inspect sbom or zarf package inspect documentation on untrusted packages. Patches: 4793, now fixed in version v0.74.2. Workarounds: Avoid inspecting unsigned packages. Description: The package inspect sbom and package inspect documentation...

CVSS 7.1, AI score 5.9, EPSS 0.00053
Exploits: 0, References: 4, Affected Software: 1
OSV
added 2026/04/14 10:32 p.m., 2 views

GHSA-PJ97-4P9W-GX3Q Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write

Impact: This vulnerability impacts users of zarf package inspect sbom or zarf package inspect documentation on untrusted packages. Patches: 4793, now fixed in version v0.74.2. Workarounds: Avoid inspecting unsigned packages. Description: The package inspect sbom and package inspect documentation...

CVSS 7.1, AI score 5.9, EPSS 0.00053
Exploits: 0, References: 4
Positive Technologies
added 2026/04/14 12:00 a.m., 1 view

PT-2026-32968

Impact: This vulnerability impacts users of zarf package inspect sbom or zarf package inspect documentation on untrusted packages. Patches: 4793, now fixed in version v0.74.2. Workarounds: Avoid inspecting unsigned packages. Description: The package inspect sbom and package inspect documentation...

CVSS 7.1, AI score 5.9, EPSS 0.00053
Exploits: 0, References: 5
FreeBSD
added 2026/04/08 12:00 a.m., 6 views

Gitlab -- vulnerabilities

GitLab reports: an Exposed Method issue in websocket connections impacts GitLab CE/EE; a Denial of Service issue in the Terraform state lock API impacts GitLab CE/EE; a Denial of Service issue in the GraphQL API impacts GitLab CE/EE; a Denial of Service issue in CSV import impacts GitLab CE/EE; a Denial of Service issu...

CVSS 8.5, AI score 5.9, EPSS 0.00057
Exploits: 0, References: 1
Qualys Blog
added 2026/03/23 4:30 a.m., 4 views

Bringing Continuous Assessment to Harbor: Scan on Push, Stay Secure Over Time

Key Takeaways Harbor environments often run separate scanners, such as Trivy at build time and Qualys at runtime, leading to repeated full-image rescans across hundreds of thousands of images and increasing compute usage, scan time, and operational costs. Integrating QScanner with Harbor eliminat...

AI score 5.8
Exploits: 0
Tenable Nessus
added 2026/03/20 12:00 a.m., 3 views

Fedora 44 : python3.6 (2026-cb86172c17)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-cb86172c17 advisory. Rebuilt for improvements of %pythonwheelinjectsbom in python-rpm-macros-3.14-11. ---- Security fix for CVE-2025-12084 Tenable has extracted the preceding...

CVSS 6.3, AI score 5.9, EPSS 0.00128
Exploits: 0, References: 2
GithubExploit
added 2026/03/02 10:34 a.m., 196 views

Exploit for Uncontrolled Resource Consumption in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

SBOM CVE Scanner - Enhanced Edition A comprehensive Python to...

CVSS 10, AI score 7.3, EPSS 0.94358
Exploits: 341
SUSE Linux
added 2026/02/13 2:32 p.m., 5 views

Security update for cargo-auditable

This update for cargo-auditable fixes the following issues: Update to version 0.7.20. Security issues fixed: CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906). Other updates and bugfixes: Update to version 0.7.20: mention cargo-dist...

CVSS 8.7, AI score 5.8, EPSS 0.00016
Exploits: 0, References: 4
Cvelist
added 2026/02/04 7:32 p.m., 25 views

CVE-2026-25145 melange has a path traversal in license-path which allows reading files outside workspace

melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The...

CVSS 5.5, EPSS 0.00004
Exploits: 0, References: 2
CVE
added 2026/02/04 7:32 p.m., 13 views

CVE-2026-25145

In melange, a path traversal vulnerability exists in LicensingInfos (pkg/config/config.go) where license-path is not validated to stay within the workspace. From version 0.14.0 up to before 0.40.3, an attacker who can influence a melange config (e.g., PR-driven CI or build-as-a-service) could rea...

CVSS 5.5, AI score 5.5, EPSS 0.00004
Exploits: 0, References: 2, Affected Software: 1
ATTACKERKB
added 2026/02/04 7:32 p.m., 2 views

CVE-2026-25145

melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The...

CVSS 5.5, AI score 5.5, EPSS 0.00004
Exploits: 0, References: 3, Affected Software: 1
Positive Technologies
added 2026/02/04 12:00 a.m., 1 view

PT-2026-6272

Name of the Vulnerable Software and Affected Versions: melange versions 0.14.0 through 0.40.2. Description: melange allows users to build apk packages using declarative pipelines. An attacker who can influence a melange configuration file could read arbitrary files from the host system. The...

CVSS 5.5, AI score 5.7, EPSS 0.00004
Exploits: 0, References: 12
Positive Technologies
added 2026/02/04 12:00 a.m., 2 views

PT-2026-6349

An attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright.license-path without...

CVSS 5.5, AI score 5.7, EPSS 0.00004
Exploits: 0, References: 5
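The melange entries above (a config-supplied license-path read without checking it stays inside the workspace) and the Zarf entries earlier in this list (a package Metadata.Name that is joined into an output path, giving an arbitrary file write) are the same bug in two directions: an attacker-controlled path fragment is joined onto a trusted root with no containment check. The Go below is an added illustration written for this page, not code from melange, Zarf or any of the advisories; the function names (VulnerableJoin, SafeJoin, ValidateName, OutputPath), the "/ws" and "/out" roots and all sample inputs are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a resolved path lands outside the trusted root.
var ErrOutsideRoot = errors.New("path escapes workspace root")

// VulnerableJoin is the unsafe pattern: untrusted input is joined onto the
// root and used directly. filepath.Join cleans the result, so "../" segments
// walk out of root instead of being rejected. Kept only to show the bug.
func VulnerableJoin(root, untrusted string) string {
	return filepath.Join(root, untrusted)
}

// SafeJoin resolves untrusted relative to root and returns it only if the
// result is strictly inside root. The check is lexical (Clean + Rel); if the
// workspace contents are attacker-supplied, resolve symlinks with
// filepath.EvalSymlinks before the Rel check as well.
func SafeJoin(root, untrusted string) (string, error) {
	if untrusted == "" {
		return "", errors.New("empty path")
	}
	if filepath.IsAbs(untrusted) {
		// A relative-path field must never carry an absolute path.
		return "", ErrOutsideRoot
	}
	cleanRoot := filepath.Clean(root)
	candidate := filepath.Join(cleanRoot, untrusted) // Join cleans ".." and "."
	rel, err := filepath.Rel(cleanRoot, candidate)
	if err != nil {
		return "", err
	}
	// rel is "." (the root itself), ".." or "../x" exactly when candidate is
	// not a proper descendant of root.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return candidate, nil
}

// ValidateName enforces the stricter rule that fits a metadata "name" field:
// it must be a single path element, never a path. This is the check the Zarf
// case calls for, where the name is used to build an output file name.
func ValidateName(name string) error {
	switch {
	case name == "", name == ".", name == "..":
		return fmt.Errorf("invalid name %q", name)
	case strings.ContainsAny(name, `/\`):
		return fmt.Errorf("name %q must be a single path element", name)
	}
	return nil
}

// OutputPath builds <dir>/<name><suffix> for a write, applying both checks:
// the name must be a single element and the joined path must stay in dir.
func OutputPath(dir, name, suffix string) (string, error) {
	if err := ValidateName(name); err != nil {
		return "", err
	}
	return SafeJoin(dir, name+suffix)
}

func main() {
	// Constructed inputs: one benign, one traversal in each direction.
	for _, p := range []string{"LICENSE", "sub/../LICENSE", "../../etc/passwd", "/etc/passwd"} {
		got, err := SafeJoin("/ws", p)
		fmt.Printf("read  %-18q unsafe=%-20s safe=%q err=%v\n", p, VulnerableJoin("/ws", p), got, err)
	}
	for _, n := range []string{"my-pkg", "../../tmp/evil"} {
		got, err := OutputPath("/out", n, "-sbom")
		fmt.Printf("write %-18q safe=%q err=%v\n", n, got, err)
	}
}
```

The read side (melange) is covered by SafeJoin alone; the write side (Zarf) gets ValidateName first, because a name that is allowed to contain separators at all has no legitimate use in a file name, and rejecting it early produces a clearer error than a containment failure after the join. Both checks are lexical; a workspace that an attacker can populate with symlinks needs the EvalSymlinks step noted in the comment.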
EUVD
added 2025/10/03 8:07 p.m., 1 view

EUVD-2024-32094

Malicious code in bioql PyPI...

CVSS 4.3, AI score 5.1, EPSS 0.0006
Exploits: 0, References: 2
EUVD
added 2025/10/03 8:07 p.m., 3 views

EUVD-2025-21889

Malicious code in bioql PyPI...

CVSS 4.4, AI score 6.3, EPSS 0.0008
Exploits: 0, References: 8
EUVD
added 2025/10/03 8:07 p.m., 2 views

EUVD-2024-1944

Malicious code in bioql PyPI...

CVSS 7.5, AI score 7.4, EPSS 0.00061
Exploits: 0, References: 5
Vaadin
added 2025/09/26 12:00 a.m., 16 views

Vaadin Flow, Hilla and the September 2025 npm supply-chain attacks

Recently two major npm supply-chain attacks have been reported, raising concerns about the safety of the broader software ecosystem, including for Vaadin users. The first incident involved compromised maintainer accounts and malicious releases of widely used packages such as debug and chalk. The...

AI score 7.4
Exploits: 0
OSV
added 2025/07/29 6:49 p.m., 3 views

GO-2025-3815 melange's world-writable permissions expose SBOM files to potential image tampering in chainguard.dev/melange

melange's world-writable permissions expose SBOM files to potential image tampering in chainguard.dev/melange...

CVSS 4.4, AI score 6, EPSS 0.0008
Exploits: 0, References: 7