Malicious code in sync-external (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dc297a0deaba794fdbfccc280a79c7cc895f21fc4e0122b1fba1bc4759b66c3f The package ships an obfuscated JavaScript file at shim/index.js using hex-style identifier mangling 0x391f3f, 0x3eff0a, 0x534564, etc. characteristi...

MAL-2026-6336 Malicious code in sync-external (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector dc297a0deaba794fdbfccc280a79c7cc895f21fc4e0122b1fba1bc4759b66c3f The package ships an obfuscated JavaScript file at shim/index.js using hex-style identifier mangling 0x391f3f, 0x3eff0a, 0x534564, etc. characteristi...

MAL-2026-6278 Malicious code in ts-wross (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42dae43b7ff77748f10ae5faf6d87b7d63552e5629a37c931ea2c0de3539b469 Package is published under the name ts-wross but its package.json claims authorship by Michael Mclaughlin [email protected] and points its repository...

Malicious code in ts-wross (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42dae43b7ff77748f10ae5faf6d87b7d63552e5629a37c931ea2c0de3539b469 Package is published under the name ts-wross but its package.json claims authorship by Michael Mclaughlin [email protected] and points its repository...

Malicious code in search-from-search (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 06e2e600c7cba50d7cc3cbff52a18f77e508ec66be3a50cd4960f84771598548 package.json registers node callback.js as both preinstall and postinstall, so the payload runs automatically on npm install. callback.js collects th...

MAL-2026-6277 Malicious code in search-from-search (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 06e2e600c7cba50d7cc3cbff52a18f77e508ec66be3a50cd4960f84771598548 package.json registers node callback.js as both preinstall and postinstall, so the payload runs automatically on npm install. callback.js collects th...

Pre-Auth Takeover of Build Pipelines in GoCD

GoCD contains a critical information disclosure vulnerability whose exploitation allows unauthenticated attackers to leak configuration information including build secrets and encryption keys. id: CVE-2021-43287 info: name: Pre-Auth Takeover of Build Pipelines in GoCD author: dhiyaneshDk severity...

Kubernetes Dashboard <1.10.1 - Authentication Bypass

Kubernetes Dashboard before 1.10.1 allows attackers to bypass authentication and use Dashboard's Service Account for reading secrets within the cluster. id: CVE-2018-18264 info: name: Kubernetes Dashboard 1.10.1 - Authentication Bypass author: edoardottt severity: high description: | Kubernetes...

Ingress-Nginx Controller - Configuration Injection via Unsanitized `auth-url` Annotation

A security issue was discovered in ingress-nginx https-//github.com/kubernetes/ingress-nginx where the auth-url Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets...

CVE-2026-56382

Craft CMS composer package craftcms/cms versions = 5.5.0 and = 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout without calling Component::cleanseConfig...

EUVD-2026-38093

Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs. Attackers can query the webhooks and webhookdeliveries endpoints to exfiltrate HMAC signing...

CVE-2026-56079

Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs. Attackers can query the webhooks and webhookdeliveries endpoints to exfiltrate HMAC signing...

GHSA-4XGF-CPJX-PC3J pydantic-settings: NestedSecretsSettingsSource follows symlinks outside secrets_dir, enabling local file read and bypassing secrets_dir_max_size

Summary NestedSecretsSettingsSource reads secret values from files in a configured secretsdir. When secretsnestedsubdir=True, a directory entry inside secretsdir that is a symbolic link pointing outside secretsdir is followed, so files outside the configured directory are read into settings value...

CVE-2026-56079 Capgo - Cross-Tenant Authorization Bypass via PostgREST Webhook Access

Capgo before 12.128.2 contains a cross-tenant authorization bypass vulnerability in PostgREST endpoints that allows org-scoped read API keys to access other tenants' webhook secrets and delivery logs. Attackers can query the webhooks and webhookdeliveries endpoints to exfiltrate HMAC signing...

CVE-2026-56079

Capgo before 12.128.2 contains a cross-tenant authorization bypass in PostgREST endpoints that lets org-scoped read API keys access other tenants’ webhook secrets and delivery logs. Attackers can query webhooks and webhook_deliveries to exfiltrate HMAC signing secrets and delivery payloads, enabl...

EUVD-2026-36540

parse-server: Endpoints /login and /verifyPassword disclose MFA secrets and protected fields when User get is denied...

Malicious code in assert-kit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e21fa9c37e9944a00f7e85c7476f8fd4dc6bcd1f8fcd064a90488ef93d5bd12 [email protected] impersonates the chai assertion library bundles chai's source, contributors, and API surface under a different author and homepage...

MAL-2026-6200 Malicious code in assert-kit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e21fa9c37e9944a00f7e85c7476f8fd4dc6bcd1f8fcd064a90488ef93d5bd12 [email protected] impersonates the chai assertion library bundles chai's source, contributors, and API surface under a different author and homepage...

Malicious code in ethereum-gas-reporter (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7303c828115a527d477ea14684b3015e43fdcd36a7fa94041c16ccb3c2fbcfcc index.js line 144 contains require'chai-assert-kit' appended after the module's normal exports, with no other reference to chai-assert-kit anywhere i...

MAL-2026-6202 Malicious code in ethereum-gas-reporter (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7303c828115a527d477ea14684b3015e43fdcd36a7fa94041c16ccb3c2fbcfcc index.js line 144 contains require'chai-assert-kit' appended after the module's normal exports, with no other reference to chai-assert-kit anywhere i...