887941 matches found
MAL-2026-6275 Malicious code in @ts-apis/ts-utils (npm)
Source: amazon-inspector eccf08a9ba188be941f42f0b088d51fc5b1e84802fe9bd1d1218a6b71a6e2c11. The published tarball's dist/index.js contains an obfuscated payload that runs at require time inside a setTimeout-wrapped IIFE, completely unrelated...
ECHO-145E-CEA4-F440
Bulletin has no description...
GHSA-WV27-2VQP-J7G5 Gogs has the ability to import local repositories via Mirror Settings
Summary The Gogs Mirror Settings functionality provides an alternative to the well-protected New Migration functionality that lets any authenticated user import local repositories. This issue stems from a lack of validation in the SaveAddress function. Details Here is the function implementation o...
GHSA-PWX3-QCGW-VH7H Gogs Vulnerable to CSRF Leading to Organization Owner Takeover
Summary In Gogs 0.14.1, organization team member management can be performed via GET requests without CSRF protection. If a victim who is an organization owner is logged in and is tricked into visiting a crafted link, an attacker-controlled user can be added to the Owners team. As a result, the...
GHSA-P9F5-H3RX-J5QW Gogs Missing Authorization in Attachment Download
Summary In Gogs 0.14.1, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRE_SIGNIN_VIEW = false, we confirmed that an unauthenticated user ca...
GHSA-JQ8V-RMF6-65JW Gogs has Stored XSS in `.ipynb` Preview
Summary Although .ipynb previews are sanitized on the server side via /-/api/sanitizeipynb, the inserted content is re-rendered on the client side without sanitization using marked on elements with the .nb-markdown-cell class. During this process, links containing schemes such as javascript: can ...
GHSA-4J89-2C4F-44C6 Gogs has DoS in rendering issue index pattern
Summary A specially crafted issue index pattern template may cause a panic. Details In internal/markup/markup.go: `link = fmt.Sprintf(%s, com.Expand(metas["format"], metas, m))`. The issue index pattern is rendered to a link with com.Expand. However, com.Expand is not safe: `i = strings.Index(template, "")` `if s, ok :=`...
GHSA-XQJM-27PC-RVWM @actual-app/web has CSV Formula Injection in Transaction Export via Imported Payee/Notes Fields
Summary exportToCSV and exportQueryToCSV in packages/loot-core/src/server/transactions/export/export-to-csv.ts pass user-controlled Payee, Notes, Account, and Category strings to csv-stringify with no cast callback and no formula-prefix neutralization. Strings that begin with =, +, -, @, tab, or...
GHSA-GFQ7-5X4G-3XHF @budibase/backend-core has potential SSRF DNS rebinding bypass in outbound fetch validation
Summary Authenticated users with automation permissions can bypass Budibase's SSRF blacklist through DNS rebinding. The outbound fetch flow validates a hostname against the blacklist before the request is sent, but the actual socket connection later performs a separate DNS lookup through...
GHSA-W7MQ-R738-X278 Budibase has arbitrary file read by workspace-builder via PWA-zip symlink upload
Summary POST /api/pwa/process-zip at packages/server/src/api/routes/static.ts:24 accepts a builder-uploaded .zip, extracts it with [email protected] into a temp directory, then for each entry listed in icons.json validates the icon path, opens it, and streams the bytes into MinIO. The resulting...
GHSA-RGVG-3WPC-H44P Budibase: Mass Assignment in Webhook Trigger Allows Cross-Workspace Automation Execution via appId Override
Summary The webhook trigger endpoint in Budibase is publicly accessible and passes the full HTTP request body into automation execution parameters. A mass assignment vulnerability in externalTrigger allows an attacker to overwrite the internal appId property by including it in the webhook POST...
GHSA-CQ9C-6W48-QMFG @actual-app/sync-server: Disabled OpenID users keep access through existing session tokens
Summary In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the account. Details The...
GHSA-35C4-RVC8-FRHM Budibase: POST /api/attachments/:datasourceId/url is unauthenticated and lets anonymous callers mint S3 PUT pre-signed URLs using stored datasource IAM credentials
Summary The Budibase server route POST /api/attachments/:datasourceId/url (packages/server/src/api/routes/static.ts) is registered with only the recaptcha middleware. There is no authorized... middleware in the chain. The controller...
GHSA-JJ36-R9W3-3PFH Budibase: Unauthenticated S3 signed upload URL generation allows arbitrary writes with stored datasource credentials
The application server exposes an unauthenticated endpoint that generates S3 PutObject presigned URLs using credentials stored in a workspace datasource. The route is protected only by the recaptcha middleware and does not require authentication, table permission, datasource permission, or builde...
GHSA-V7J5-VC4M-723W Budibase has an Account Impersonation Issue — Chat Identity Link Hijacking via Missing Consent & CSRF
Title Chat Identity Link Hijacking — Attacker Can Silently Map Their Slack/Discord Identity to Any Authenticated Budibase User's Account. Severity High — CVSS 3.1: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N = 7.3. Affected Product - Product: Budibase - Version: 3.37.2 (introduced in this version) - Componen...
GHSA-QC2X-6F54-M6H9 zeroconf: Unvalidated rdlength in record payload readers allows LAN-local cache corruption via crafted mDNS packet
Impact _read_character_string and _read_string in src/zeroconf/protocol/incoming.py sliced `self.data[self.offset : self.offset + length]` and advanced self.offset by the declared length without checking it against self._data_len. Python's slice silently returns fewer bytes when the end index runs past the...
GHSA-HVQH-JW65-WCPQ devbridge-autocomplete has XSS in its default formatters: formatGroup and formatResult fail to escape HTML in untrusted inputs
Summary The default formatGroup and formatResult functions in devbridge-autocomplete concatenate values into HTML without escaping, allowing XSS when an attacker controls or can taint the suggestion data source. Details 1. formatGroup — category is interpolated raw. src/format.ts: ts function...
GHSA-9M6G-WC8R-Q59C scimPatch vulnerable to prototype pollution via unfiltered keys in patch
Summary scim-patch performs prototype pollution when applying a SCIM PATCH operation whose value object contains a key like "__proto__.someProp". After one such patch, Object.prototype.someProp is set process-wide, affecting every plain object in the Node process. Any service that calls scimPatch on...
GHSA-GHMH-JHMJ-WCMF nebula-mesh's stores enrollment tokens unhashed in SQLite
internal/store/sqlite.go:1177,1192,1221,1245 — the enrollment_tokens.token column holds the raw UUID token. ConsumeToken does `WHERE token = ?` against the raw string. Compare with operator_api_keys.key_hash, which is a SHA-256 hex digest constructed in internal/api/middleware.go:51-53. Affected All released...
DEBIAN-CVE-2026-54277
Bulletin has no description...
DEBIAN-CVE-2026-54280
Bulletin has no description...
DEBIAN-CVE-2026-54275
Bulletin has no description...
DEBIAN-CVE-2026-54278
Bulletin has no description...
DEBIAN-CVE-2026-50269
Bulletin has no description...
DEBIAN-CVE-2026-54274
Bulletin has no description...
DEBIAN-CVE-2026-54273
Bulletin has no description...
DEBIAN-CVE-2026-54279
Bulletin has no description...
DEBIAN-CVE-2026-54276
Bulletin has no description...
GHSA-4Q6H-8P4V-67VQ Budibase: SSRF via OAuth2 token endpoint URL reaches internal hosts and cloud metadata
Summary fetchToken in the OAuth2 SDK makes a POST to a builder-supplied URL with plain node-fetch, skipping the blacklist.isBlacklisted check that every other outbound fetch path in the codebase uses. The Joi schema for the OAuth2 URL has no scheme or host restriction. Alice, a builder, points an...
GHSA-74P7-6H78-GW8P skillctl: argument injection, path traversal in --dest, FIFO/device DoS, hardlink exfiltration, and commit-trailer forgery
Impact Following the path-safety patches in GHSA-wx3m-whqv-xv47 (v0.1.2), a comprehensive multi-angle audit surfaced five further vulnerabilities, now patched in v0.1.3: 1. sourcesha argument injection in `git ls-tree` (CRITICAL). InstalledSkill.sourcesha, deserialized from the committed .skills.toml,...
GHSA-C4V7-XG93-QF8G Gogs has SSRF in webhook deliveries
Summary The fix for CVE-2022-1285 prevents adding webhooks or running webhooks with URLs whose hostname resolves into localCIDRs. However, webhooks still follow redirects, allowing access to hostnames inside localCIDRs. This was already communicated in the initial report, but it looks like there...
MINI-HJW5-2J77-9GRP
Bulletin has no description...
MINI-P8QM-XQ4C-3RJM
Bulletin has no description...
MINI-WRMM-84VH-W5RH
Bulletin has no description...
MINI-JVRX-FCWP-P2HX
Bulletin has no description...
MINI-J9XQ-6347-P35G
Bulletin has no description...
MINI-2X22-577H-C7G4
Bulletin has no description...
MINI-6CPQ-QHQ3-CR26
Bulletin has no description...
MINI-P47W-QR3J-Q76F
Bulletin has no description...
MINI-MJJ7-5GJJ-VQ8C
Bulletin has no description...
MINI-23MC-26M6-QJHX
Bulletin has no description...
MINI-MM5Q-35P7-2VH7
Bulletin has no description...
MINI-94JP-86QR-555M
Bulletin has no description...
MINI-X4WF-P79W-PHX9
Bulletin has no description...
MINI-MHRH-J5CF-MF86
Bulletin has no description...
MINI-G89X-HXPF-6VPH
Bulletin has no description...
MINI-2FCW-J62J-3V66
Bulletin has no description...
MINI-V945-2FFP-R95V
Bulletin has no description...
MINI-VWC5-R4JM-GRP9
Bulletin has no description...
MINI-27F6-PP6F-9JWJ
Bulletin has no description...