PT-2026-25547

Name of the Vulnerable Software and Affected Versions mlflow versions prior to 3.7.0 Description A command injection issue exists due to the direct interpolation of user-supplied container image names into shell commands without proper sanitization. These commands are then executed using the...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: python-urllib3 (UTSA-2026-006157)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-006157 advisory. urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression chain was unbounded...

Malicious Package

Overview @aifabrix/miso-client is a malicious package. This package was affected by the 'GlassWorm' supply chain attack. It includes a hidden malicious payload embedded with invisible Unicode characters. These characters hide a decoder that retrieves and executes a concealed payload through eval...

Improper Certificate Validation

Overview Affected versions of this package are vulnerable to Improper Certificate Validation due to the handling of HTTPS redirects when a proxy is configured and setfollowlocation is enabled. An attacker can intercept sensitive information by presenting a forged, expired, or self-signed...

GHSA-PHC3-FGPG-7M6H Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS

Impact This is an uncontrolled resource consumption vulnerability CWE-400 that can lead to Denial of Service DoS. In vulnerable Undici versions, when interceptors.deduplicate is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An...

Server-side Request Forgery (SSRF)

Overview Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchKey function. An attacker can cause the server to make arbitrary HTTP requests to attacker-controlled destinations by crafting a JWT with malicious claim values that are interpolated into th...

Malicious code in project47 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a3f77d5ebfcf087b4f055d7ce552ee0165eadf99d8cc6dcd0f3c767393099d27 Facebook hacking tool that also forces the user to follow specific accounts --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

MAL-2026-1412 Malicious code in project47 (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a3f77d5ebfcf087b4f055d7ce552ee0165eadf99d8cc6dcd0f3c767393099d27 Facebook hacking tool that also forces the user to follow specific accounts --- Category: MALICIOUS - The campaign has clearly malicious intent, like...

Malicious Package

Overview hardhat2-config is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview brlc-base is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

Malicious Package

Overview solana-pumpfun-sdk is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

Malicious Package

Overview dell-internal-auth-drzak is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

Malicious Package

Overview tradepmr-fusion-core-drzak is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

Malicious Package

Overview 8x8-developer-docs is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVE-2026-32304 Locutus: RCE via unsanitized input in create_function()

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the createfunctionargs, code function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from...

CVE-2026-2581

This is an uncontrolled resource consumption vulnerability CWE-400 that can lead to Denial of Service DoS. In vulnerable Undici versions, when interceptors.deduplicate is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlle...

CVE-2026-2581 undici is vulnerable to Unbounded Memory Consumption in in Undici's DeduplicationHandler via Response Buffering leads to DoS

This is an uncontrolled resource consumption vulnerability CWE-400 that can lead to Denial of Service DoS. In vulnerable Undici versions, when interceptors.deduplicate is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlle...

CLSA-2026-1773309522 osbuild-composer: Fix of 4 CVEs

rebuild with newer golang version 1.22.9-1.el92.tuxcare.els6 to fix the following CVEs - CVE-2025-61729: fix excessive resource consumption when constructing hostname error messages for certificates with many SANs - CVE-2025-61728: reduce CPU usage in index construction - CVE-2025-61726: limit...

USN-8090-2: OpenSSH vulnerabilities

USN-8090-1 fixed vulnerabilities in OpenSSH. This update provides the corresponding updates for Ubuntu 20.04 LTS. Original advisory details: Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly handled disconnecting clients. In non-default configurations where the...

USN-8090-1: OpenSSH vulnerabilities

Jeremy Brown discovered that the OpenSSH GSSAPI Key Exchange incorrectly handled disconnecting clients. In non-default configurations where the GSSAPIKeyExchange setting is enabled, a remote attacker could use this issue to cause OpenSSH to crash, resulting in a denial of service, or possibly...