16 matches found
CVE-2021-47986
Parse Server before 4.10.0 contains a supply chain vulnerability where incorrect version tags were pushed to the repository linking to unreviewed code in a personal fork. Attackers could exploit this by specifying affected version tags in dependency declarations to execute unreviewed and...
CVE-2026-41387
OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment overrides. Attackers can exploit approved exec requests to redirect package resolution or runtime...
PT-2026-33361
Name of the Vulnerable Software and Affected Versions Flowise versions prior to 3.1.0 Description An issue exists in the MCP adapter due to unsafe serialization of stdio commands, allowing an authenticated attacker to achieve command execution on the underlying operating system. The flaw is locat...
Node.js Module axios 0.30.4 / 1.14.1 Supply Chain Vulnerability
The version of the axios Node.js module installed on the remote host is 0.30.4 or 1.14.1. It is, therefore, affected by a supply chain vulnerability where a supply chain attack targeting the widely used HTTP client Axios has introduced a malicious dependency into specific npm releases, including...
HSEC-2025-0005 cabal-install dependency confusion
cabal-install dependency confusion For cabal-install 3.4.0.0 and where multiple repositories are configured, the resolver picks the highest available version across all repositories. Where a package is only defined in a private repository, this behaviour leads to a dependency confusionblog supply...
EUVD-2024-18656
Malicious code in bioql PyPI...
Another Supply Chain Vulnerability
ProPublica is reporting: Microsoft is using engineers in China to help maintain the Defense Department's computer systems--with minimal supervision by U.S. personnel--leaving some of the nation's most sensitive data vulnerable to hacking from its leading cyber adversary, a ProPublica investigatio...
PT-2025-30608 · Hackage · Cabal-Install
cabal-install dependency confusion For cabal-install 3.4.0.0 and where multiple repositories are configured, the resolver picks the highest available version across all repositories. Where a package is only defined in a private repository, this behaviour leads to a dependency confusionblog supply...
CVE-2025-21564
Vulnerability in the Oracle Agile PLM Framework product of Oracle Supply Chain component: Agile Integration Services. The supported version that is affected is 9.3.6. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Agile PLM...
The Unknown Risks of The Software Supply Chain: A Deep-Dive
In a world where more & more organizations are adopting open-source components as foundational blocks in their application's infrastructure, it's difficult to consider traditional SCAs as complete protection mechanisms against open-source threats. Using open-source libraries saves tons of coding...
Vulnerability fixed in Oracle Supply Chain
Oracle has fixed a vulnerability in Agile PLM. A malicious party could exploit the vulnerability to gain sensitive information or full access to all data accessible to Oracle Agile PLM accessible data. Oracle has fixed the vulnerability in the following product: - Oracle Agile PLM...
Hell’s Keychain: Supply-chain vulnerability in IBM Cloud Databases for PostgreSQL allows potential unauthorized database access
How IBM Cloud caught us exploring its infrastructure and how a hardcoded secret eventually led to build artifact access and manipulation...
Securing the software supply chain, with Kim Lewandowski: Lock and Code S03E13
At the start of the global coronavirus pandemic, nearly everyone was forced to learn about the "supply chain." Immediate stockpiling by an alarmed and from a smaller share, opportunistic public led to an almost overnight disappearance of hand sanitizer, bottled water, toilet paper, and face masks...
RubyGems: Dependency repository hijacking aka Repo Jacking from GitHub repo rubygems/bundler-site & rubygems/bundler.github.io + bundler.io docs
Dependency repository hijacking aka repo jacking is an obscure supply chain vulnerability, conceptually similar to subdomain takeover. When the linked repository owner changes their username, it becomes immediately available to be re-registered by anyone. This means that any project that linked...
Millions of Connected Cameras Open to Eavesdropping
Millions of connected security and home cameras contain a critical software vulnerability that can allow remote attackers to tap into video feeds, according to a warning from the Cybersecurity and Infrastructure Security Agency CISA. The bug CVE-2021-32934, with a CVSS v3 base score of 9.1 has be...
CVE-2018-6598
The CVE-2018-6598 entry concerns Orbic Wonder devices (Orbic/RC555L/RC555L:7.1.2/N2G47H/329100b:user/release-keys). A local-privilege-level issue exists where any app co-located on the device can send an intent to trigger a factory reset through com.android.server.MasterClearReceiver, without use...