Security digest — no-JavaScript view
152 advisories · 143 critical · 8 high · 1 medium · 0 low. Window 2026-06-10 → 2026-06-12. For filtering, use the interactive digest.
Supply chain (106 advisories)
Malware in npm package chai-web3-testkit
The npm package chai-web3-testkit was found to contain malware. Any system with this package installed should be considered fully compromised, and all secrets and keys stored on that system should be rotated immediately from a different, clean computer.
Sources: github.com
Malware in npm package vite-react-toolkit
The npm package vite-react-toolkit was published containing malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package "transportator"
The npm package "transportator" has been identified as malware. Any computer with this package installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different device.
Sources: github.com
Malware in npm package web-dotenv
The npm package web-dotenv has been identified as malware. Any system that installed or ran this package should be considered fully compromised, and all secrets and keys stored on it should be rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package ecto-flag-read-m7p2
The npm package ecto-flag-read-m7p2 has been identified as malware. Any system where it was installed should be considered fully compromised, and all secrets stored on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package ecto-spirit-win-k4n8
The npm package ecto-spirit-win-k4n8 has been identified as malware. Any machine where it was installed or run should be treated as fully compromised, and all secrets and keys on that machine should be rotated from a different, clean computer.
Sources: github.com
Malware in npm package @malwguy/ecto-corsair-whisper-3d2a7c
A malicious npm package, @malwguy/ecto-corsair-whisper-3d2a7c, was published containing malware. Any machine where it was installed should be treated as fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package ecto-corsair-flag-x9m4
A malicious version of the npm package ecto-corsair-flag-x9m4 was published. Any system with it installed should be considered fully compromised, and all secrets and keys on that system should be rotated from a different computer.
Sources: github.com
Malware in npm package "sea-bound-siren"
The npm package "sea-bound-siren" was found to contain malware. Any computer where it was installed or run should be treated as fully compromised, and all secrets and keys on that machine should be rotated immediately from a different, clean computer.
Sources: github.com
Malware in npm package "coral-wraith"
The npm package "coral-wraith" has been identified as malware. Any system with this package installed should be considered fully compromised, and all secrets and keys stored on that system should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package ecto-win-flag-q2m7
The npm package ecto-win-flag-q2m7 has been identified as containing malware. Any system where it was installed or run should be treated as fully compromised, and all secrets and keys on that system should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package ecto-corsair-whisper-6f3b9
The npm package ecto-corsair-whisper-6f3b9 has been identified as malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package ecto-nightly-spirit
The npm package ecto-nightly-spirit has been identified as malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different, clean computer.
Sources: github.com
Malware in npm package ecto-spectral-leak-8d4e2
The npm package ecto-spectral-leak-8d4e2 has been identified as malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package ecto-rust-read-f3a9c1
The npm package ecto-rust-read-f3a9c1 has been identified as malware. Any system where it was installed or run should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package @johntaohunter/forge-jsx
The npm package @johntaohunter/forge-jsx has been flagged as containing malware. Any machine where this package was installed or run should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package ioredis-orm
The npm package ioredis-orm was published containing malware. Any system with this package installed or running should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package ioredis-typed (GHSA-wvg2-6r77-9m78)
The npm package ioredis-typed has been flagged as containing malware. Any system with this package installed should be considered fully compromised, with all secrets and keys requiring immediate rotation from a separate, clean machine.
Sources: github.com
Malware in npm package forge-jsx2
The npm package forge-jsx2 has been identified as containing malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package forge-jsxy
The npm package forge-jsxy has been identified as containing malware. Any system with this package installed should be considered fully compromised, and all secrets and keys should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package "vqlxjmpr"
The npm package "vqlxjmpr" has been identified as malicious. Any system where it was installed should be considered fully compromised, and all secrets and keys stored on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package "zatzdbai"
The npm package "zatzdbai" has been identified as malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package "downlynpm"
The npm package "downlynpm" has been identified as containing malware. Any system where it was installed or run should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package "hex-type"
The npm package "hex-type" has been identified as malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package @ngt-frontend/widgets-core
The npm package @ngt-frontend/widgets-core has been identified as containing malware. Any system that installed or ran this package should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package @vivaux/telemetry
The npm package @vivaux/telemetry has been found to contain malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package @hatcha-captcha/core
The npm package @hatcha-captcha/core was found to contain malware. Any system with this package installed should be considered fully compromised, and all secrets and keys stored on that system should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in @serviceshub/x-web-core npm package
A malicious npm package, @serviceshub/x-web-core, contained malware that fully compromises any machine where it is installed. Affected systems should be treated as compromised and all secrets rotated from a clean device.
Sources: github.com
Malware in npm package @marketplace-shared/components
The npm package @marketplace-shared/components has been identified as containing malware. Any system where it was installed or run should be considered fully compromised, and all secrets and keys stored on that system should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package @trackking/core
The npm package @trackking/core has been flagged as containing malware. Any system with this package installed or running should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package @ntnx/nx-react-components
A malicious version of the npm package @ntnx/nx-react-components was published containing malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package @coterie-baby/common
The npm package @coterie-baby/common has been identified as containing malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated from a different machine.
Sources: github.com
Malware in npm package @sazka/web
The npm package @sazka/web has been identified as malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package @web-3d-tool/sdk
The npm package @web-3d-tool/sdk has been identified as containing malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package @tenforce/toolbox-fontmap
The npm package @tenforce/toolbox-fontmap has been identified as containing malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package @snowsight/debug-tooling
The npm package @snowsight/debug-tooling has been identified as malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package @tribe-digital/shopify-starter-theme
The npm package @tribe-digital/shopify-starter-theme has been identified as containing malware. Any system where it was installed should be treated as fully compromised, and all secrets and keys on that system should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package @vtmn-play/react
The npm package @vtmn-play/react has been identified as containing malware. Any system with this package installed should be considered fully compromised, and all secrets stored on it should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package @iobeya/spa-auth
A malicious version of the npm package @iobeya/spa-auth was published containing malware. Any system that installed or ran this package should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package @visma-net-platform/module-navigator
A malicious npm package, @visma-net-platform/module-navigator, was published containing malware. Any system that installed or ran this package should be considered fully compromised, and all stored secrets and keys should be rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package @integrations-center/utils
The npm package @integrations-center/utils has been found to contain malware. Any system where it was installed should be considered fully compromised, and all secrets and keys stored on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package experian-analytics-components
The npm package experian-analytics-components has been identified as malicious. Any system where it was installed should be treated as fully compromised, and all secrets and keys on that system should be rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package sitecore-mm-component-style
The npm package "sitecore-mm-component-style" was found to contain malware. Any system with this package installed should be treated as fully compromised, and all secrets and keys on that system should be rotated immediately from a separate, clean device.
Sources: github.com
Malware in npm package "archetype-style"
The npm package "archetype-style" has been identified as malicious. Any system with this package installed should be considered fully compromised, and all secrets and keys stored on that system should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package mm-ts-utils-client
The npm package mm-ts-utils-client was found to contain malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package "pui-diagnostics"
The npm package "pui-diagnostics" has been identified as malware. Any system where it was installed or run should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package "fed-callnative"
The npm package "fed-callnative" was found to contain malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package ozonex-sdk (GHSA-v2hc-cmv5-999p)
The npm package ozonex-sdk was found to contain malware. Any system with this package installed should be considered fully compromised, and all secrets and keys stored on it should be rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package theta-sdk
The npm package theta-sdk has been identified as containing malware. Any system where this package was installed should be considered fully compromised, and all secrets and keys on that system must be rotated from a different machine.
Sources: github.com
Malware in npm package ozone-sdk (GHSA-3qc2-qc6w-c8xm)
The npm package ozone-sdk was found to contain malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package "sensivity" (GHSA-f4f4-69p9-w9f9)
The npm package "sensivity" has been identified as containing malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package "routing-controls"
The npm package "routing-controls" was published containing malware. Any system that installed or ran this package should be considered fully compromised, and all secrets and keys stored on that system should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package swagger-express-routes
The npm package swagger-express-routes was found to contain malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package react-photo-views
The npm package react-photo-views was published containing malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated from a separate, clean computer.
Sources: github.com
Malware in npm package tw-fluid-type (GHSA-53h7-3qgm-jr76)
The npm package tw-fluid-type was published with embedded malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system must be rotated immediately from a different machine.
Sources: github.com
Malware in npm package tailwindcss-animotion
A malicious version of the npm package tailwindcss-animotion was published containing malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package sass-formats
The npm package sass-formats has been identified as containing malware. Any system with this package installed should be considered fully compromised, and all secrets and keys stored on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package tailwindcss-merge
The npm package tailwindcss-merge has been identified as malware. Any system with this package installed should be considered fully compromised; secrets and keys must be rotated immediately from a different machine.
Sources: github.com
Malware in npm package typeorm-encrypt
The npm package typeorm-encrypt has been flagged as containing malware. Any system with this package installed should be treated as fully compromised, and all secrets and keys on it should be rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package "rate-limits-flexible"
A malicious npm package named "rate-limits-flexible" was published containing malware. Any system where it was installed should be considered fully compromised, and all secrets stored on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package rate-limit-flexible (GHSA-v7vx-48xw-jwm8)
The npm package rate-limit-flexible has been flagged as containing malware. Any system with this package installed or running should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package sass-format
The npm package sass-format was published containing malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package tailwindcss-animatics
The npm package tailwindcss-animatics has been identified as malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package clsx-tailwind
The npm package clsx-tailwind has been identified as malicious. Any system where it was installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package tailwindcss-animates-kit
The npm package tailwindcss-animates-kit was found to contain malware. Any system where it was installed should be treated as fully compromised, and all secrets stored on that machine should be rotated from a separate, trusted device.
Sources: github.com
Malware in npm package crypto-javascript
The npm package crypto-javascript has been identified as malware. Any system with this package installed should be treated as fully compromised, and all secrets and keys on that system should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package tailwind-dark-mode-kit
The npm package tailwind-dark-mode-kit was found to contain malware. Any system where it was installed should be considered fully compromised, and all secrets stored on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package polymarket-clob-api
The npm package polymarket-clob-api has been identified as malware. Any computer with this package installed or running should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package emittery_styled
The npm package emittery_styled has been identified as malicious. Any system where it was installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package paypal-payouts-bridge
The npm package paypal-payouts-bridge has been flagged as malware. Any system where it was installed or run should be considered fully compromised, and all secrets and keys stored on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package apple-mycelium-fix
The npm package "apple-mycelium-fix" has been identified as malware. Any system that installed or ran this package should be considered fully compromised, and all secrets and keys on that system should be rotated from a different, clean machine.
Sources: github.com
Malware in npm package google-cloud-secret-manager-config-poc
The npm package google-cloud-secret-manager-config-poc has been flagged as malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package rsflows-pexml
The npm package rsflows-pexml has been identified as malware. Any system where it was installed should be considered fully compromised, and all secrets and keys stored on that machine should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package "justgetit"
The npm package "justgetit" has been identified as containing malware. Any system that installed or ran this package should be treated as fully compromised, with all secrets and keys rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package @common-stack/generate-plugin
The npm package @common-stack/generate-plugin was found to contain malware. Any computer with this package installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Baileys (WhatsApp library) message spoofing and app state corruption via malicious protocolMessage payload
The Baileys npm library (a WhatsApp Web API client) is vulnerable to message spoofing, history sync spoofing, and app state sync corruption when sent a maliciously crafted protocolMessage payload. Anyone can spoof messages.upsert events with fake keys and payloads. Fixed in 7.0.0-rc12 and 6.7.22.
Sources: github.com · github.com · github.com
Malware in npm package tailwind-animator
The npm package tailwind-animator was found to contain malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package crypto-hash-sdk
The npm package crypto-hash-sdk has been identified as containing malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package prettier-sdk
The npm package "prettier-sdk" has been identified as malware. Any computer with this package installed should be considered fully compromised, and all secrets and keys stored on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package crypto-promise-js
The npm package crypto-promise-js was found to contain malware. Any system where it was installed or run should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different, clean computer.
Sources: github.com
Malware in npm package "devkitx"
The npm package "devkitx" has been identified as malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package "anaylze-json" (typosquat)
A malicious npm package named "anaylze-json" — a typosquat of "analyze-json" — was published and flagged by GitHub Advisory. Any system that installed or ran it should be treated as fully compromised, with all secrets and keys rotated immediately from a different machine.
Sources: github.com
Malware in npm package security-env-loader (GHSA-rv4w-rvp6-p6rg)
The npm package security-env-loader has been identified as malicious. Any machine where it was installed or run should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package nw-demo-utils
The npm package nw-demo-utils has been identified as malicious. Any system where it was installed or run should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package auth0-templates-scripts-utils
The npm package auth0-templates-scripts-utils has been identified as malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package "nw-demo"
The npm package "nw-demo" has been identified as containing malware. Any system that installed or ran this package should be considered fully compromised, and all secrets stored on it should be rotated immediately from a different machine.
Sources: github.com
Malware in npm package auth0-templates-scripts
The npm package auth0-templates-scripts has been found to contain malware. Any system where this package was installed should be considered fully compromised, and all secrets and keys on that system should be rotated from a clean machine.
Sources: github.com
Malware in npm package @easytipsportal/node-helper
The npm package @easytipsportal/node-helper has been identified as containing malware. Any system where it was installed or run should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different, clean computer.
Sources: github.com
Malware in npm package @easytipsportal/pos-adapters
The npm package @easytipsportal/pos-adapters has been flagged as containing malware. Any system where it was installed should be treated as fully compromised, with all secrets and keys rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package get-deps-path
The npm package get-deps-path was published containing malware. Any system where it was installed should be treated as fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package "argoncrypt"
The npm package "argoncrypt" was published containing malware. Any computer with this package installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package "python-utils" (GHSA-3c8h-wfcm-wpw5)
The npm package "python-utils" was published with malware. Any machine where it was installed should be treated as fully compromised, and all secrets and keys stored on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package react-tracked-tony
The npm package react-tracked-tony has been identified as malicious. Any system where it was installed or run should be treated as fully compromised, and all secrets and keys on that system should be rotated from a different machine.
Sources: github.com
Malware in npm package use-context-selector-tony
A malicious npm package named "use-context-selector-tony" was published and flagged by GitHub. Any machine where it was installed should be treated as fully compromised, with all secrets and keys rotated from a different computer.
Sources: github.com
Malware in npm package martinez-polygon-clipping-simul-dalton
The npm package martinez-polygon-clipping-simul-dalton has been identified as malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package martinez-polygon-clipping-tony
A malicious npm package named "martinez-polygon-clipping-tony" was published and flagged by GitHub Security Advisories. Any system that installed or ran this package should be considered fully compromised, and all secrets and keys stored on it should be rotated immediately from a clean computer.
Sources: github.com
Malware in npm package web3-common
The npm package web3-common has been identified as malicious. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system must be rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package truffle-helper (GHSA-6qhx-9853-hxm6)
The npm package "truffle-helper" has been flagged as containing malware. Any system where this package was installed should be considered fully compromised, and all secrets and keys on that system should be rotated from a separate, clean machine.
Sources: github.com
Malware in npm package web3-util (GHSA-qjvc-v9v6-xh96)
The npm package web3-util has been flagged as containing malware. Any system with this package installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different, clean computer.
Sources: github.com
Malware in npm package solc-compiler
The npm package solc-compiler was found to contain malware. Any system with this package installed should be considered fully compromised, and all secrets and keys stored on that machine should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package solc-abi
The npm package solc-abi has been flagged as containing malware. Any system that installed or ran this package should be treated as fully compromised, with all secrets and keys rotated immediately from a separate, clean machine.
Sources: github.com
Malware in npm package solidity-abi
The npm package solidity-abi has been flagged as containing malware. Any system where it was installed should be considered fully compromised, and all secrets and keys on that system should be rotated immediately from a different, clean computer.
Sources: github.com
Malware in npm package ethers-wordlist (GHSA-jrxm-h3fx-2p68)
A malicious version of the npm package "ethers-wordlist" was published. Any system where this package was installed or run should be treated as fully compromised, and all secrets and keys stored on that system should be rotated immediately from a separate, clean computer.
Sources: github.com
Malware in npm package solc-helper
The npm package "solc-helper" was found to contain malware. Any machine that installed or ran this package should be considered fully compromised, and all secrets and keys stored on it should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package hardhat-common
The npm package hardhat-common has been flagged as containing malware. Any computer with this package installed should be considered fully compromised, and all secrets and keys on that machine should be rotated immediately from a different computer.
Sources: github.com
Malware in npm package "ethers-common"
The npm package "ethers-common" has been identified as malware. Any system where it was installed should be treated as fully compromised, and all secrets and keys stored on that machine should be rotated immediately from a separate, clean computer.
Sources: github.com
Infrastructure & runtime (7 advisories)
Naxclow Devices Use Hard-Coded Platform-Wide Salt Enabling Request Forgery (CVE-2026-28742)
Naxclow IoT devices sign requests using a single hard-coded salt embedded in every firmware image, with no per-device keys, server-side nonce tracking, or replay protection. Once the salt is recovered from any device, an attacker can forge valid signatures for arbitrary device or account operations — and because control-plane traffic uses plain HTTP, this enables broad request forgery and impersonation across the platform.
Sources: github.com·github.com·nvd.nist.gov·cisa.gov
UniFi OS Improper Input Validation Privilege Escalation (CVE-2026-47369)
A low-privileged attacker with network access can exploit an improper input validation flaw in certain UniFi OS devices to escalate privileges. The issue is tracked as CVE-2026-47369 / GHSA-h6vq-x5fv-h7q3 and addressed in Ubiquiti Security Advisory Bulletin 065.
Sources: community.ui.com·github.com·nvd.nist.gov
UniFi OS Command Injection via Improper Input Validation (CVE-2026-47370)
A vulnerability in certain UniFi OS devices allows a network-adjacent attacker with low privileges to inject and execute commands due to improper input validation. The issue is tracked as CVE-2026-47370 and rated critical.
Sources: community.ui.com·github.com·nvd.nist.gov
Unrestricted File Upload in Limatek System LimRAD NAC (CVE-2026-7852)
A critical unrestricted file upload vulnerability in Limatek System Inc. LimRAD NAC allows attackers to upload dangerous file types, leading to remote code inclusion. All versions before 5.5.7.3.9 are affected.
Sources: github.com·nvd.nist.gov·siberguvenlik.gov.tr
assisted-migration-agent Hardcodes Insecure TLS to vCenter, Exposing Admin Credentials to MITM (CVE-2026-53475)
The assisted-migration-agent uses hardcoded insecure TLS settings when connecting to VMware vCenter, allowing a man-in-the-middle attacker to intercept and harvest vCenter administrator credentials. This can lead to unauthorized access to vCenter.
Sources: access.redhat.com·bugzilla.redhat.com·github.com·github.com·nvd.nist.gov
Path Traversal in assisted-migration-agent Allows LAN Attacker to Write Arbitrary Files (CVE-2026-53476)
A critical path traversal flaw in assisted-migration-agent lets an unauthenticated attacker on the same local network craft a malicious gzipped tarball that bypasses security checks and writes arbitrary files to the system, potentially leading to code execution on the appliance.
Sources: access.redhat.com·bugzilla.redhat.com·github.com·github.com·nvd.nist.gov
Naxclow Devices Use Non-Rotating, Non-Revocable Per-Device Relay Credential (CVE-2026-50101)
Naxclow devices rely on a server-side relay credential that is unique per device but never rotates and cannot be reset or revoked by the owner. Anyone who obtains this credential can maintain persistent access to the device's relay channel — enabling long-term impersonation or interception even after factory resets or re-onboarding.
Sources: github.com·github.com·nvd.nist.gov·cisa.gov
Vendor & SaaS (15 advisories)
SimpleHelp OIDC Authentication Bypass (CVE-2026-48558)
SimpleHelp remote support software versions 5.5.15 and prior (and 6.0 pre-release versions) contain an authentication bypass in the OIDC login flow that does not verify identity token signatures. A remote, unauthenticated attacker can forge a token to gain a fully authenticated technician session, and in some cases bypass MFA, with no user interaction required.
Sources: github.com·horizon3.ai·nvd.nist.gov·simple-help.com·simple-help.com
Aqara Cloud OAuth Authorization Endpoint Redirect Validation Bypass (CVE-2026-50090)
Aqara's Cloud OAuth authorization endpoint (open-cn.aqara.com/oauth/authorize) improperly validates redirect URIs, allowing an attacker to bypass domain matching and redirect the OAuth flow to an attacker-controlled destination. This can be abused to steal authorization codes/tokens and hijack user smart-home accounts.
Sources: github.com·github.com·nvd.nist.gov·runzero.com
Aqara IAM/SSO Gateway Uses Hardcoded OAuth Client Credential (CVE-2026-50083)
The Aqara IAM/SSO Gateway (gw-builder.aqara.com) shipped with a hardcoded OAuth client credential (CWE-798), rated critical (CVSS 9.1). When chained with related Aqara vulnerabilities, it can enable a fully unauthenticated, remote takeover of affected smart-home devices.
Sources: github.com·github.com·nvd.nist.gov·runzero.com
Aqara Cloud Production API Missing Authorization Allows Cross-Account Access (CVE-2026-50084)
The Aqara Cloud Production API would authorize any valid developer token to access any account, a missing-authorization flaw (CVE-2026-50084, CVSS 9.6). When chained with related vulnerabilities, it can enable fully unauthenticated, remote takeover of affected Aqara smart-home devices.
Sources: github.com·github.com·nvd.nist.gov·runzero.com
Hardcoded Credentials in IEI iRM-IEI Remote Management (CVE-2026-11849)
The iRM-IEI Remote Management product from IEI Integration Corp contains hardcoded credentials that let unauthenticated remote attackers gain administrative privileges on the backing database. Tracked as CVE-2026-11849 / GHSA-ccm4-vchx-9cmq.
Sources: github.com·nvd.nist.gov·twcert.org.tw·twcert.org.tw
Command Injection in UID Enterprise Agent (CVE-2026-47367)
A critical improper input validation flaw in the UID Enterprise Agent allows a low-privileged attacker with network access to inject and execute commands on the host device. Apply the vendor's fixed release as described in Ubiquiti's security bulletin.
Sources: community.ui.com·github.com·nvd.nist.gov
Argument Injection in WordPress Toolkit before 6.11.0 in cPanel & WHM (CVE-2026-47365)
An argument injection flaw in WordPress Toolkit before 6.11.0, as used in cPanel & WHM, lets remote authenticated users bypass cross-tenant authorization and run arbitrary wp-toolkit CLI commands as another account. Update WordPress Toolkit to 6.11.0 or later.
Sources: github.com·nvd.nist.gov·support.cpanel.net
Idira Secrets Manager SaaS Edge < 1.8: Authentication Bypass via Improper Access Control (CVE-2026-45177)
Idira Secrets Manager SaaS Edge versions before 1.8 contain an improper access control flaw in its internal authentication components. A remote, unauthenticated attacker can send a specially crafted request to bypass identity verification and obtain an access token. Upgrade to version 1.8 or later.
Sources: docs.cyberark.com·github.com·nvd.nist.gov
Cloud Foundry UAA SAML Authentication Bypass via Encrypted-but-Unsigned Assertions (CVE-2026-41005)
Cloud Foundry UAA accepted SAML assertions that were encrypted but not signed, treating encryption as a substitute for an IdP signature. Because encryption uses the Service Provider's public key from published metadata, any party can craft ciphertext UAA will decrypt and accept, allowing an authentication bypass in affected SAML flows.
Sources: github.com·nvd.nist.gov·cloudfoundry.org
Meta Ads MCP: Unauthenticated HTTP MCP Tool Execution Leaks Operator Meta Access Token
The pipeboard-co/meta-ads-mcp server forwards unauthenticated HTTP MCP requests to tool handlers without returning a 401, letting any network-reachable caller invoke MCP tools as the operator. On a Graph API error, the operator's META_ACCESS_TOKEN is returned verbatim in the response, allowing full credential exfiltration.
Sources: github.com·github.com·github.com
Privilege Escalation via Playbook Import in Dialogflow CX (Google Cloud Platform)
A missing authorization flaw in the playbook import functionality of Dialogflow CX on Google Cloud Platform allowed an authenticated user with certain roles to escalate privileges and potentially take over a GCP project using a maliciously crafted playbook import. Google patched the issue server-side on 15 March 2026; no customer action is required.
Sources: docs.cloud.google.com·github.com·nvd.nist.gov
Critical Unauthenticated RCE in Oracle PeopleSoft Enterprise PeopleTools (CVE-2026-35273)
A critical vulnerability (CVSS 9.8) in Oracle PeopleSoft Enterprise PeopleTools allows an unauthenticated remote attacker with HTTP network access to fully take over the system. Supported versions 8.61 and 8.62 are affected.
Sources: github.com·nvd.nist.gov·cisa.gov·oracle.com
Unauthenticated arbitrary file create/truncate in Splunk Enterprise and Splunk Cloud Platform PostgreSQL sidecar (CVE-2026-20253)
A critical vulnerability in Splunk Enterprise and Splunk Cloud Platform lets an unauthenticated, network-reachable attacker create or truncate arbitrary files via a PostgreSQL sidecar service endpoint that lacks authentication controls. Affected deployments should upgrade to fixed versions immediately.
Sources: advisory.splunk.com·github.com·nvd.nist.gov
Aqara IAM/SSO Gateway Exposes Unauthenticated AES Encryption Oracle (CVE-2026-50086)
The Aqara IAM/SSO gateway (gw-builder.aqara.com) allows anyone, without authentication, to perform bidirectional AES encryption and decryption using the platform's signing key. This unauthenticated cryptographic oracle could let attackers forge or decrypt signed data tied to the platform.
Sources: github.com·github.com·nvd.nist.gov·runzero.com
Privilege Escalation / RCE in Idira (CyberArk) Privileged Session Manager, PSM (CVE-2026-45171)
A flaw in Idira/CyberArk Privileged Session Manager (PSM) — caused by incomplete input validation and improperly configured folder permissions — could let an authenticated, low-privileged user execute arbitrary code. Affected versions should be upgraded to the fixed releases (15.0.3, 14.6.3, 14.2.5, or 14.0.5).
Sources: docs.cyberark.com·docs.cyberark.com·docs.cyberark.com·docs.cyberark.com·github.com·nvd.nist.gov
Application & web (20 advisories)
ChromaDB Python: Code Injection via trust_remote_code in Collection Update API (CVE-2026-45833)
A code injection flaw in ChromaDB (Python) version 0.4.17 and later lets an authenticated attacker with the UPDATE_COLLECTION permission run arbitrary code on the server by sending a malicious model repository with trust_remote_code set to true. This is rated critical due to remote code execution.
Sources: github.com·nvd.nist.gov·hiddenlayer.com
Budibase: Workspace-Scoped Builder Escalates to Global Admin via Public API Role Assignment
A privilege-escalation flaw in Budibase lets any workspace-scoped (app-level) builder with an API key promote themselves or any user to global tenant administrator with a single POST to `/api/public/v1/roles/assign`. Global admin grants unrestricted access to every app, user, datasource credential, automation, and identity config in the tenant. The issue affects Enterprise tenants with the EXPANDED_PUBLIC_API feature enabled.
Sources: github.com·github.com·nvd.nist.gov
Amasty Order Attributes for Magento 2 Unauthenticated Arbitrary File Upload (CVE-2026-53787)
Amasty Order Attributes for Magento 2 before version 4.0.0 has an unauthenticated arbitrary file upload flaw that lets attackers write any file to the store's media directory. This can lead to remote code execution (e.g. uploading PHP files), malware hosting, stored XSS, and path traversal.
Sources: amasty.com·github.com·nvd.nist.gov·sansec.io·vulncheck.com
Apache CXF JCA Integration Module JNDI Injection (CVE-2026-50633)
A JNDI injection flaw in Apache CXF's JCA integration module can lead to code execution if an attacker can manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Users should upgrade to Apache CXF 4.2.2 or 4.1.7.
Sources: openwall.com·github.com·lists.apache.org·nvd.nist.gov
Apache CXF: Incomplete Fix for JMS Configuration RCE (CVE-2026-50632)
Apache CXF has a critical remote code execution flaw stemming from an incomplete fix for the earlier CVE-2026-44417. If untrusted users are allowed to configure JMS for Apache CXF, they can achieve code execution. Upgrade to version 4.2.2 or 4.1.7 to remediate.
Sources: github.com·lists.apache.org·nvd.nist.gov
Improper OAuth authentication checks in phpBB allow account hijacking (CVE-2026-48611)
A critical flaw in phpBB's OAuth implementation allows attackers to hijack accounts even on default installations where OAuth is not configured or enabled, leading to unauthorized access.
Sources: github.com·nvd.nist.gov·phpbb.com
Privilege Escalation in Hippoo Mobile App for WooCommerce (≤ 1.9.4)
A critical privilege escalation vulnerability (CVE-2026-49060) affects the Hippoo Mobile App for WooCommerce WordPress plugin in all versions up to and including 1.9.4. Due to incorrect privilege assignment, an attacker may be able to gain elevated privileges on affected sites.
Sources: github.com·nvd.nist.gov·patchstack.com
SQL Injection in WordPress "Product Filter by WBW" Plugin (CVE-2026-39494)
A blind SQL injection vulnerability affects the WordPress "Product Filter by WBW" plugin in all versions up to and including 3.1.2. Attackers could exploit it to query or manipulate the site's database.
Sources: github.com·nvd.nist.gov·patchstack.com
Hermes WebUI Unauthenticated Setup Takeover via Settings API (CVE-2026-49973)
Hermes WebUI before 0.51.358 has an improper access control flaw that lets unauthenticated remote attackers hijack first-run setup by submitting the _set_password parameter to the settings API endpoint. An attacker can set an arbitrary password, obtain a valid session, and lock the legitimate operator out of their own instance.
Sources: github.com·github.com·github.com·github.com·github.com·nvd.nist.gov·vulncheck.com
Unrestricted File Upload (Web Shell) in Başarsoft Rotaban (CVE-2026-11839)
A critical unrestricted file upload vulnerability in Başarsoft Information Technologies' Rotaban allows an attacker to upload a web shell to the web server, leading to remote code execution. The issue affects Rotaban from V2026.06.002 before V2026.06.003.
Sources: github.com·nvd.nist.gov·siberguvenlik.gov.tr
crypton-x509-validation Haskell library fails to enforce X.509 NameConstraints (CVE-2026-9648)
The crypton-x509-validation Haskell library does not enforce X.509 NameConstraints, so TLS clients may accept certificates whose Subject Alternative Names fall outside an issuing CA's permitted subtrees. An attacker who compromises a name-constrained sub-CA could exploit this to impersonate domains beyond that CA's intended scope.
Sources: github.com·github.com·github.com·github.com·hackage.haskell.org·nvd.nist.gov·kb.cert.org
Missing Authorization in migration-planner Allows Authenticated User to Delete All Customer Data (CVE-2026-53469)
A broken authorization flaw in migration-planner lets any authenticated user delete all customer data by sending a DELETE request to the /api/v1/sources endpoint. Because the route lacks proper authorization and filtering, exploitation can wipe sources, agents, and assessments across the entire SaaS platform.
Sources: access.redhat.com·bugzilla.redhat.com·github.com·github.com·nvd.nist.gov
SQL Injection in migration-planner via crafted RVTools .xlsx upload (CVE-2026-53474)
A SQL injection flaw in migration-planner lets a remote authenticated attacker upload a specially crafted RVTools .xlsx file whose embedded SQL is executed when cluster names are processed. This enables arbitrary file reading that can expose Kubernetes service account tokens and credentials, potentially leading to full compromise of the SaaS environment.
Sources: access.redhat.com·bugzilla.redhat.com·github.com·github.com·nvd.nist.gov
Broken Tenant Isolation in migration-planner agent-API (CVE-2026-53471)
A flaw in the migration-planner agent-API lets an authenticated attacker with a valid agent token act across tenant boundaries because the UpdateSourceInventory and UpdateAgentStatus handlers do not validate the JWT source_id claim against the requested source ID. This breaks tenant isolation and can allow overwriting another tenant's inventory, planting malicious credential URLs, or corrupting migration assessments.
Sources: access.redhat.com·bugzilla.redhat.com·github.com·github.com·nvd.nist.gov
Go Restful API Boilerplate (dhax/go-base): Hardcoded JWT Secret "random" Allows Token Forgery and Auth Bypass
The dhax/go-base Go REST API boilerplate ships with a hardcoded JWT signing secret ("random") in both its template env file and a code-level default. Because the secret is public, an attacker can forge JWT tokens for any user — including admin roles — completely bypassing authentication on all protected endpoints. A fix was merged in PR #31 (May 17, 2026).
Sources: github.com·github.com·github.com
Blind SQL Injection in Beardev JoomSport WordPress Plugin (≤ 5.7.7)
A blind SQL injection vulnerability affects the Beardev JoomSport WordPress plugin in all versions up to and including 5.7.7, tracked as CVE-2026-42647. Attackers may be able to manipulate database queries, potentially exposing or altering site data.
Sources: github.com·nvd.nist.gov·patchstack.com
CodeIgniter4 `ext_in` Upload Validation Bypass Can Lead to Arbitrary Code Execution (GHSA-2gr4-ppc7-7mhx)
CodeIgniter4's `ext_in` file-upload validation rule checked the MIME-derived guessed extension instead of the actual client-provided filename extension, allowing a file like `shell.php` containing GIF-like content to pass validation. Apps that save uploads under their original filename in a web-accessible directory could be tricked into storing and executing malicious files. Fixed in v4.7.3.
Sources: codeigniter.com·codeigniter.com·github.com·github.com·github.com·github.com
SQL Injection in damasac thaipalliative_lte through version 3.0 (CVE-2026-38581)
A SQL injection vulnerability in the thaipalliative_lte application (through version 3.0) lets remote attackers run arbitrary SQL commands via unsanitized parameters in /substudy/ezform.php. User input is concatenated directly into SQL queries without parameterization.
Sources: github.com·github.com·github.com·nvd.nist.gov
Improper Access Control in migration-planner Exposes Other Users' OVA Images via Presigned S3 URLs (CVE-2026-53470)
A flaw in migration-planner lets an authenticated attacker bypass an ownership check on the `/api/v1/sources/{id}/image-url` endpoint to obtain presigned S3 URLs for other users' OVA images. Those images can contain sensitive data such as long-lived agent JWTs and source configurations, potentially enabling unauthorized access to and modification of a victim's source.
Sources: access.redhat.com·bugzilla.redhat.com·github.com·github.com·nvd.nist.gov
Metric injection in Metrics::Any::Adapter::DogStatsd (Perl) before 0.04 (CVE-2026-50638)
The Perl module Metrics::Any::Adapter::DogStatsd before version 0.04 does not protect against metric injection. Because the statsd/dogstatsd protocol uses newlines to separate metrics in a packet, unsanitized metric names and tags (the _tags function does not check for newlines or statsd control characters) can be abused to inject additional, attacker-controlled metrics.
Sources: github.com·metacpan.org·nvd.nist.gov·cve.org·cve.org
Client & endpoint (4 advisories)
Aqara Home Android App Uses Hard-Coded Cryptographic Keys (CVE-2026-50091)
The Aqara Home Android app (com.lumiunited.aqarahome) version 6.0.0, and white-label clients that embed the same liblumidevsdk.so library, ship hard-coded cryptographic keys. This flaw (CVE-2026-50091, CWE-321) could let attackers compromise the confidentiality and integrity of protected data, and is rated critical (CVSS 9.1).
Sources: github.com·github.com·nvd.nist.gov·runzero.com
Hard-coded MQTT broker credentials in Yarbo robot apps expose global fleet to remote control (CVE-2026-10557)
The Yarbo Android and iOS apps embed hard-coded MQTT broker credentials that are identical for every user and device and can be extracted by decompiling the app. With these credentials anyone can subscribe to all robot telemetry and send commands to any robot in the global fleet using only its serial number.
Sources: github.com·github.com·nvd.nist.gov·cisa.gov
Authentication Bypass in Pause+ Mobile App (CVE-2026-6853)
The Pause+ Mobile App fails to limit excessive authentication attempts, allowing attackers to bypass authentication. Versions from v1.0.6 up to (but not including) v1.5 are affected.
Sources: github.com·nvd.nist.gov·siberguvenlik.gov.tr
Google Chrome Headless Sandbox Escape (CVE-2026-12027)
A vulnerability in the Headless component of Google Chrome before version 149.0.7827.115 could allow a remote attacker who has already compromised the renderer process to escape the browser sandbox via a crafted HTML page. Users should update Chrome to the latest stable release.
Sources: chromereleases.googleblog.com·github.com·issues.chromium.org·nvd.nist.gov