321 matches found
Malicious code in undeface-test-2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 69c9b501034a030dc669fcc1ae2026db2508367cac00b2b2b7e4d8df0a78ad7e The OpenSSF Package Analysis project identified 'undeface-test-2' @ 9.9.9 npm as malicious. It is considered malicious because: - The package...
Security Bulletin: IBM Aspera Faspex is affected by open-source related vulnerabilities and unauthorized actions from authenticated users
Summary IBM Aspera Faspex has addressed vulnerabilities related to denial-of-service, inefficient code execution under specific conditions, and unintended traffic routing. The 3rd party vulnerabilities are for very specific use cases that are not necessarily exposed through Faspex. Additionally,...
mod_security security update
An update is available for modsecurity. This update affects Rocky Linux 8. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list. ModSecurity is an open source intrusion detection and prevention engine f...
Google Launches OSS Rebuild to Expose Malicious Code in Widely Used Open-Source Packages
Google has announced the launch of a new initiative called OSS Rebuild to bolster the security of the open-source package ecosystems and prevent software supply chain attacks. "As supply chain attacks continue to target widely-used dependencies, OSS Rebuild gives security teams powerful data to...
CVE-2025-53946
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.5 in the idfuncionario parameter of the /html/saude/profilepaciente.php endpoint. This vulnerability allows an attacker to...
Malicious code in nbastatsleftnav (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 514ea2a983874eb46d5517a63e127b2503b1f9a0dc1ffa0a726e5f1dbd7559b1 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2025-27613
| creationtimestamp | type | source |
|---|---|---|
| 2025-07-08 15:02:11+00:00 | seen | https://github.blog/open-source/git/git-security-vulnerabilities-announced-6/ |
| 2025-07-08 15:11:31+00:00 | seen | https://seclists.org/oss-sec/2025/q3/13 |
| 2025-07-08 15:56:31+00:00 | seen | ... |
CVE-2025-46334
| creationtimestamp | type | source |
|---|---|---|
| 2025-07-08 15:02:11+00:00 | seen | https://github.blog/open-source/git/git-security-vulnerabilities-announced-6/ |
| 2025-07-08 15:11:31+00:00 | seen | https://seclists.org/oss-sec/2025/q3/13 |
| 2025-07-08 15:56:31+00:00 | seen | ... |
CVE-2025-6018
| creationtimestamp | type | source |
|---|---|---|
| 2025-06-17 18:03:49+00:00 | seen | https://seclists.org/oss-sec/2025/q2/261 |
| 2025-06-18 05:02:08+00:00 | seen | https://bsky.app/profile/buherator.bsky.social/post/3lrua5yfpii2g |
| 2025-06-18 06:56:58+00:00 | seen | ... |
MAL-2025-4961 Malicious code in automated-native-creatives (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 0108e88450eb534afdbdfd274f6737a7507f4a7915230a113296f63a2a2163fd Any computer that has this package installed or running should be considered...
CVE-2025-48877
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, Codepen is present in the default allowediframes site setting, and it can potentially auto-run arbitrary JS...
CVE-2025-47093
| creationtimestamp | type | source |
|---|---|---|
| 2025-06-11 01:52:05+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3lrccbphupa2o... |
Moderate: grafana security update
Grafana is an open source, feature-rich metrics dashboard and graph editor for Graphite, InfluxDB and OpenTSDB. Security Fixes: net/http: Request smuggling due to acceptance of invalid chunked data in net/http (CVE-2025-22871). For more details about the security issues, including the impact, a CVSS...
CVE-2025-22874
| creationtimestamp | type | source |
|---|---|---|
| 2025-06-05 17:14:55+00:00 | seen | https://seclists.org/oss-sec/2025/q2/217 |
| 2025-06-05 18:53:38+00:00 | seen | https://bsky.app/profile/golang.org/post/3lquykqnbkk2d |
| 2025-06-05 20:02:12+00:00 | seen | ... |
Important: Red Hat Security Advisory: mod_security security update
An update for modsecurity is now available for Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, and Red Hat Enterprise Linux 8.6 Telecommunications Update Service. Red Hat Product Security has rated this update ...
CVE-2025-48934
| creationtimestamp | type | source |
|---|---|---|
| 2025-06-03 21:04:23+00:00 | published-proof-of-concept | https://github.com/denoland/deno/security/advisories/GHSA-7w8p-chxq-2789 |
| 2025-06-04 20:07:06+00:00 | seen | https://bsky.app/profile/wasm.activitypub.awakari.com.ap.brid.gy/post/3lqsm3w6t5j42... |
tar-fs can extract outside the specified dir with a specific tarball
Impact: v3.0.8, v2.1.2, v1.16.4 and below. Patches: Has been patched in 3.0.9, 2.1.3, and 1.16.5. Workarounds: You can use the ignore option to ignore non files/directories:

```js
ignore (_, header) {
  // pass files & directories, ignore e.g. symlinks
  return header.type !== 'file' && header.type !== 'directory...
```
CVE-2025-5421
| creationtimestamp | type | source |
|---|---|---|
| 2025-06-02 01:03:48+00:00 | seen | https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqlleqjzuj42... |
Malicious code in @seo-frontend-components/card-blog-carousel-mobile (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 1eaa599a9c0235a5d52b5534f4177883c03e7ae19496ef98593fadfc3a7ccef8 The OpenSSF Package Analysis project identified '@seo-frontend-components/card-blog-carousel-mobile' @ 1.999.2 npm as malicious. It is considere...
CVE-2025-4857
| creationtimestamp | type | source |
|---|---|---|
| 2025-05-31 11:40:51+00:00 | seen | https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqho24zdplc2 |
| 2025-05-31 14:11:53+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3lqhwigwwnw2q... |