14627 matches found
Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh
...
Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh
...
Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh
...
Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh
...
PT-2026-44114
Name of the Vulnerable Software and Affected Versions pam usb versions prior to 0.9.0 Description The deny remote feature incorrectly classifies IPv4-mapped IPv6 remote connections as local sessions. This occurs because the system checks the ut addr v6 field of utmpx using a guard if utent-ut add...
MAL-2026-4793 Malicious code in vxui-react (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bde616ebc21909bfa386bf8e49438da710f48b62ae3127f2a7259c71557a4242 package.json declares a postinstall script that runs curl -skL...
kernel: Read root-owned files as an unprivileged user
A vulnerability was found in the Linux kernel that allows an unprivileged local user to read sensitive files normally restricted to the root user. The flaw occurs during process exit, where a brief window allows an attacker to intercept file access from a privileged process before it fully...
libssh: Incorrect Return Code Handling in ssh_kdf() in libssh
A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the sshkdf function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenl...
MAL-2026-4723 Malicious code in weavedb-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c25ff456baf684075b65ecf808bbfe36cbf91811fb4b04b70c13a3dd9d8a9403 package.json declares "preinstall": "./tools/setup", where tools/setup is a 976KB stripped Linux x86-64 ELF binary sha256...
CVE-2026-45361 Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
CVE-2026-45361
CVE-2026-45361 affects the Apache Airflow Google provider: ComputeEngineSSHHook disables SSH host-key verification by default, allowing an attacker on-path to intercept or modify SSH sessions between an Airflow worker and a Compute Engine VM. The vulnerability is tied to the ComputeEngineSSHHook ...
CVE-2026-45361 Apache Airflow Google provider: SSH host key verification disabled in ComputeEngineSSHHook (paramiko AutoAddPolicy default)
Apache Airflow providers-google's ComputeEngineSSHHook disables SSH host-key verification by default, exposing SSH traffic between an Airflow worker and a Compute Engine VM to in-path network attackers who can intercept or modify the session. Users are advised to upgrade to...
Linux Distros Unpatched Vulnerability : CVE-2026-39828
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When an SSH server authentication callback returned PartialSuccessError with non-nil Permissions, those permissions were silently discarded, potentially droppin...
PT-2026-43023
Name of the Vulnerable Software and Affected Versions apache-airflow-providers-google versions prior to 22.0.0 Description The ComputeEngineSSHHook disables SSH host-key verification by default. This configuration exposes SSH traffic between an Airflow worker and a Compute Engine VM to in-path...
Linux Distros Unpatched Vulnerability : CVE-2026-39835
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SSH servers which use CertChecker as a public key callback without setting IsUserAuthority or IsHostAuthority could be caused to panic by a client presenting a...
Linux Distros Unpatched Vulnerability : CVE-2026-39827
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An authenticated SSH client that repeatedly opened channels which were rejected by the server caused unbounded memory growth, eventually crashing the server...
Malicious Package
Overview env-loader-cli is a malicious package. This package contains malicious code, and its content was removed from the official package manager. The package was linked to a supply chain attack and contained code designed to steal developer secrets, crypto wallets, SSH keys, and cloud...
Malicious Package
Overview eth-security-auditor is a malicious package. This package contains malicious code, and its content was removed from the official package manager. The package was linked to a supply chain attack and contained code designed to steal developer secrets, crypto wallets, SSH keys, and cloud...
Malicious Package
Overview solidity-build-guard is a malicious package. This package contains malicious code, and its content was removed from the official package manager. The package was linked to a supply chain attack and contained code designed to steal developer secrets, crypto wallets, SSH keys, and cloud...
SUSE CVE-2026-39834
When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation...