Overview
- @tanstack
- arktype-adapter
Published: 12 May 2026
Updated: 12 May 2026
CVSS v3.1: CRITICAL (9.6)
EPSS: 0.04%
KEV
Description
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/* packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself was not modified. The attacker chained three known vulnerability classes — a pull_request_target "Pwn Request" misconfiguration, GitHub Actions cache poisoning across the fork↔base trust boundary, and runtime memory extraction of the OIDC token from the Actions runner process — to publish credential-stealing malware under a trusted identity. Each affected package received exactly two malicious versions, published a few minutes apart.
Statistics
- 1 Post
Last activity: 8 hours ago
Overview
- Palo Alto Networks
- Prisma Access Agent
Published: 13 May 2026
Updated: 13 May 2026
CVSS v4.0: MEDIUM (4.3)
EPSS: Pending
KEV
Description
Multiple information disclosure vulnerabilities in Prisma Access Agent® allow a local user to access sensitive configuration data and credentials.
The Prisma Access Agent on Linux, ChromeOS, Android, and iOS is not affected.
Overview
Description
Exim before 4.99.3, in certain GnuTLS configurations, has a remotely reachable use-after-free in the BDAT body parsing path. It is triggered when a client sends a TLS close_notify mid-body during a CHUNKING transfer, followed by a final cleartext byte on the same TCP connection. This can lead to heap corruption. An unauthenticated network attacker exploiting this vulnerability could execute arbitrary code.
Overview
- Palo Alto Networks
- Chronosphere Chronocollector
Published: 13 May 2026
Updated: 13 May 2026
CVSS v4.0: MEDIUM (4.9)
EPSS: Pending
KEV
Description
An information disclosure vulnerability in the Chronosphere Chronocollector enables an unauthenticated attacker with network access to the collector service to retrieve sensitive information.
Overview
- Palo Alto Networks
- GlobalProtect App
Published: 13 May 2026
Updated: 13 May 2026
CVSS v4.0: MEDIUM (4.9)
EPSS: Pending
KEV
Description
Multiple improper certificate validation vulnerabilities in the Palo Alto Networks GlobalProtect™ app enable an attacker to intercept encrypted communications and potentially compromise the endpoint. This can enable a local non-administrative operating system user or an attacker on the same subnet to redirect traffic to an unauthorized server and facilitate the installation of malicious software.
The GlobalProtect app on Linux, Windows and iOS, and the GlobalProtect UWP app, are not affected.
Overview
- Palo Alto Networks
- Prisma Access Agent
Published: 13 May 2026
Updated: 13 May 2026
CVSS v4.0: MEDIUM (5.9)
EPSS: Pending
KEV
Description
Multiple authorization bypass vulnerabilities in the Endpoint DLP component of Prisma Access Agent® allow a local attacker to bypass authentication controls and execute privileged operations.
Overview
- Palo Alto Networks
- Cloud NGFW
Published: 13 May 2026
Updated: 13 May 2026
CVSS v4.0: MEDIUM (4.4)
EPSS: Pending
KEV
Description
A stored cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS® software enables a malicious authenticated administrator to store a JavaScript payload using the web interface.
This issue is applicable to PAN-OS software on PA-Series and VM-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma® Access are not impacted by this vulnerability.
Overview
- Palo Alto Networks
- Prisma SD-WAN ION
Published: 13 May 2026
Updated: 13 May 2026
CVSS v4.0: MEDIUM (4.9)
EPSS: Pending
KEV
Description
A denial of service (DoS) vulnerability in Palo Alto Networks Prisma SD-WAN ION devices enables an unauthenticated attacker in a network adjacent to a Prisma SD-WAN ION device to cause a system disruption by sending a specially crafted IPv6 packet.
Overview
Description
In the Linux kernel, the following vulnerability has been resolved:
xfrm: esp: avoid in-place decrypt on shared skb frags
MSG_SPLICE_PAGES can attach pages from a pipe directly to an skb. TCP
marks such skbs with SKBFL_SHARED_FRAG after skb_splice_from_iter(),
so later paths that may modify packet data can first make a private
copy. The IPv4/IPv6 datagram append paths did not set this flag when
splicing pages into UDP skbs.
That leaves an ESP-in-UDP packet made from shared pipe pages looking
like an ordinary uncloned nonlinear skb. ESP input then takes the no-COW
fast path for uncloned skbs without a frag_list and decrypts in place
over data that is not owned privately by the skb.
Mark IPv4/IPv6 datagram splice frags with SKBFL_SHARED_FRAG, matching
TCP. Also make ESP input fall back to skb_cow_data() when the flag is
present, so ESP does not decrypt externally backed frags in place.
Private nonlinear skb frags still use the existing fast path.
This intentionally does not change ESP output. In esp_output_head(),
the path that appends the ESP trailer to existing skb tailroom without
calling skb_cow_data() is not reachable for nonlinear skbs:
skb_tailroom() returns zero when skb->data_len is nonzero, while ESP
tailen is positive. Thus ESP output will either use the separate
destination-frag path or fall back to skb_cow_data().
Overview
- cubecart
- v6
Published: 13 May 2026
Updated: 13 May 2026
CVSS v3.1: CRITICAL (9.1)
EPSS: Pending
KEV
Description
CubeCart is an ecommerce software solution. Prior to 6.7.0, an Authenticated Server-Side Template Injection (SSTI) vulnerability exists in multiple modules of CubeCart (including Email Templates, Invoices, Documents, and Contact Forms). The application unsafely evaluates user-supplied input using the Smarty template engine without enabling Smarty Security Policies. This allows any authenticated user with administrative privileges to execute arbitrary operating system commands (RCE) on the server. This vulnerability is fixed in 6.7.0.