MAL-2026-3887 Malicious code in @antv/f-vue (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

CVE-2026-42295

A flaw was found in Argo Workflows, an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. The workflow executor logs all artifact repository credentials, such as S3 Simple Storage Service access keys, GCS Google Cloud Storage service account keys, Azure...

CVE-2026-42183

A flaw was found in Argo Workflows. This flaw, a nil pointer dereference in the rbacAuthorization function, affects Single Sign-On SSO users. When SSODELEGATERBACTONAMESPACE is enabled, an authenticated SSO user whose claims match a namespace-level Role-Based Access Control RBAC rule but not an...

CLEANSTART-2026-OD47693 Security fixes for CVE-2025-0913, CVE-2025-15558, CVE-2025-4673, CVE-2025-47907, CVE-2025-47914, CVE-2025-58181, CVE-2025-62156, CVE-2025-62157, CVE-2026-24051, CVE-2026-25934, CVE-2026-26958, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-35469, ghsa-37cx-329c-33x3, ghsa-3xc5-wrhm-f963, ghsa-c2hv-4pfj-mm2r, ghsa-cfpf-hrx2-8rv6, ghsa-fw7p-63qq-7hpr, ghsa-p436-gjf2-799p, ghsa-p84v-gxvw-73pf applied in versions: 3.7.0-r0, 3.7.3-r0, 3.7.4-r0, 3.7.6-r0, 3.7.9-r0, 3.7.9-r1, 3.7.9-r2, 4.0.2-r0, 4.0.4-r0, 4.0.4-r1

Multiple security vulnerabilities affect the argo-workflows-fips package. These issues are resolved in later releases. See references for individual vulnerability details...

What Your Board Gets Wrong About AI Security

Editor's note: This article was originally published by Craig Riddell on LinkedIn. It has been republished here with the author's permission. Boards are giving AI security more airtime than ever. What they're not giving is the right framing. A year or two ago, AI was mostly a question of...

WordPress plugin My Calendar – Accessible Event Manager 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application that can be install...

agentcore-poc

Blueprint POC - Workflow Generation & Deployment A Proof of C...

ROOT-APP-GOBINARY-CVE-2026-42296 CVE-2026-42296 in rootio-github.com/argoproj/argo-workflows/v3 - Patched by Root

Root has patched CVE-2026-42296 in the rootio-github.com/argoproj/argo-workflows/v3 package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2026-28229 CVE-2026-28229 in rootio-github.com/argoproj/argo-workflows/v3 - Patched by Root

Root has patched CVE-2026-28229 in the rootio-github.com/argoproj/argo-workflows/v3 package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2024-53862 CVE-2024-53862 in rootio-github.com/argoproj/argo-workflows/v3 - Patched by Root

Root has patched CVE-2024-53862 in the rootio-github.com/argoproj/argo-workflows/v3 package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2025-62156 CVE-2025-62156 in rootio-github.com/argoproj/argo-workflows/v3 - Patched by Root

Root has patched CVE-2025-62156 in the rootio-github.com/argoproj/argo-workflows/v3 package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2026-31892 CVE-2026-31892 in rootio-github.com/argoproj/argo-workflows/v3 - Patched by Root

Root has patched CVE-2026-31892 in the rootio-github.com/argoproj/argo-workflows/v3 package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2026-42294 CVE-2026-42294 in rootio-github.com/argoproj/argo-workflows/v3 - Patched by Root

Root has patched CVE-2026-42294 in the rootio-github.com/argoproj/argo-workflows/v3 package for Root:Go. Multiple fixed versions available...

ROOT-APP-GOBINARY-CVE-2025-66626 CVE-2025-66626 in rootio-github.com/argoproj/argo-workflows/v3 - Patched by Root

Root has patched CVE-2025-66626 in the rootio-github.com/argoproj/argo-workflows/v3 package for Root:Go. Multiple fixed versions available...

security-skills

Security Skills Security Skills is a Hermes Agent skill pack...

EUVD-2026-29868

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds...

Analyzing TeamPCP’s Supply Chain Attacks: Checkmarx KICS and elementary-data in CI/CD Credential Theft

Our research examines the April 22 Checkmarx KICS and April 24 elementary-data incidents as part of a broader TeamPCP supply chain campaign. Across both cases, the actor abused trusted CI/CD and release workflows to steal credentials at scale...

CVE-2026-45226

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds...

CVE-2026-45226

CVE-2026-45226 affects Heym before 0.0.21 and describes an authorization bypass in workflow execution. Authenticated users can reference victim workflow UUIDs to load and execute those workflows via attacker‑controlled execution paths, potentially exposing victim outputs and triggering nodes with...

CVE-2026-45226

Heym before 0.0.21 contains an authorization bypass vulnerability in workflow execution that allows authenticated users to execute arbitrary workflows by referencing victim workflow UUIDs without proper access validation. Attackers can create workflows with execute nodes or agent subWorkflowIds...