CVE-2026-40090

Zarf is an Airgap Native Packager Manager for Kubernetes. Versions 0.23.0 through 0.74.1 contain an arbitrary file write vulnerability in the zarf package inspect sbom and zarf package inspect documentation subcommands. These subcommands output file paths are constructed by joining a...

CVE-2026-40090

Zarf is an Airgap Native Packager Manager for Kubernetes. Versions 0.23.0 through 0.74.1 contain an arbitrary file write vulnerability in the zarf package inspect sbom and zarf package inspect documentation subcommands. These subcommands output file paths are constructed by joining a...

CVE-2026-40090

Zarf (Airgap Native Packager Manager for Kubernetes) versions 0.23.0–0.74.1 contain an arbitrary file write vulnerability in the zarf package inspect sbom and zarf package inspect documentation commands. The vulnerability arises because output file paths are constructed by joining a user-controll...

Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write

Impact This vulnerability impacts users of zarf package inspect sbom or zarf package inspect documentation on untrusted packages. Patches 4793, now fixed in version v0.74.2 Workarounds Avoid inspecting unsigned packages Description The package inspect sbom and package inspect documentation...

GHSA-PJ97-4P9W-GX3Q Zarf has a Path Traversal via Malicious Package Metadata.Name — Arbitrary File Write

Impact This vulnerability impacts users of zarf package inspect sbom or zarf package inspect documentation on untrusted packages. Patches 4793, now fixed in version v0.74.2 Workarounds Avoid inspecting unsigned packages Description The package inspect sbom and package inspect documentation...

CVE-2026-34591 Poetry Has Wheel Path Traversal Which Can Lead to Arbitrary File Write

Poetry is a dependency manager for Python. From version 1.4.0 to before version 2.3.3, a crafted wheel can contain ../ paths that Poetry writes to disk without containment checks, allowing arbitrary file write with the privileges of the Poetry process. It is reachable from untrusted package...

EUVD-2025-135539

Malicious code in thambi-uyte-budi npm...

Malicious code in jaja-tempe96-sukiwir (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 68c9195f11d652ae4d4170687983fd5b4879e11cffafe9f1ee3f8ac68c88bac5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in jnakfnksnkankknknksngksgksnksgksgksk (npm)

--- -= Per source details. Do not edit below this line.=-...

Malicious code in yarrow_kz9d8_1a1uw_verdant (npm)

The package yarrowkz9d81a1uwverdant was found to contain malicious code...

Malicious code in @lain-test-org/test-package2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware a7991201b15a132a9776af677edbd7577a27377c5d04b274757790c4a5b47d40 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Malicious code in tricks_unlimited_fa_ke_bit_coin_trans_action_generator_freee_unlimited_eryfr69 (npm)

--- -= Per source details. Do not edit below this line.=-...

CVE-2019-12875

Alpine Linux abuild through 3.4.0 allows an unprivileged member of the abuild group to add an untrusted package via a --keys-dir option that causes acceptance of an untrusted signing key...

Design/Logic Flaw

Alpine Linux abuild through 3.4.0 allows an unprivileged member of the abuild group to add an untrusted package via a --keys-dir option that causes acceptance of an untrusted signing key...

CVE-2019-12875

Alpine Linux abuild through 3.4.0 allows an unprivileged member of the abuild group to add an untrusted package via a --keys-dir option that causes acceptance of an untrusted signing key...