This page collects WhisperX intelligence signals tagged #open-source-security. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A critical, reachable vulnerability has been confirmed in the core codebase of OpenBao's official plugin repository. The security flaw, identified as GO-2026-4762, is an authorization bypass within the gRPC-Go library, stemming from a missing leading slash in the HTTP/2 `:path` pseudo-header. Automated analysis by `gov...
A critical security flaw has been exposed in the widely-used Handlebars.js templating engine, enabling remote code execution through JavaScript injection. The vulnerability, tracked with a CVSS score of 9.8, stems from an AST (Abstract Syntax Tree) type confusion issue. This allows an attacker to potentially execute ar...
A critical, reachable security vulnerability has been identified in the `release/2.4.x` branch of the OpenBao project. The flaw, tracked as GO-2026-4762, is an authorization bypass in the gRPC-Go library, stemming from a missing leading slash in the `:path` header. Govulncheck analysis confirms the vulnerability is not...
A critical, reachable security vulnerability has been identified in the `release/2.4.x` branch of the OpenBao project. The flaw, tracked as GO-2026-4762, is an authorization bypass within the gRPC-Go library, stemming from a missing leading slash in the `:path` header. Govulncheck analysis confirms the vulnerable code ...
A sophisticated supply chain attack has compromised the official GitHub Actions for Trivy, a critical open-source security scanner used by millions of repositories. Threat actors, using stolen credentials, successfully published malicious releases and force-pushed nearly all version tags for the `aquasecurity/trivy-act...
A critical supply chain attack has compromised the widely-used `axios` HTTP client library. On March 31, 2026, the npm accounts of the axios lead maintainer were hijacked, leading to the publication of two malicious package versions: `[email protected]` and `[email protected]`. These tainted releases contained a hidden dependenc...
A critical supply chain attack has compromised the widely-used Axios HTTP client library on the npm registry. Malicious versions 1.14.1 and 0.30.4 have been published, containing a remote access trojan (RAT) designed to steal sensitive environment variables from infected systems. This is not a typical dependency confus...
A GitHub security scan has flagged the npm package `ejs-2.7.4.tgz` with three vulnerabilities, including two rated with a critical CVSS score of 9.8. The findings, which were automatically closed, highlight a severe and persistent risk for any project still dependent on this outdated version of the popular Embedded Jav...
A critical security flaw in the popular software composition analysis tool cdxgen has been exposed, revealing a pathway for attackers to exfiltrate sensitive keys and data. The vulnerability, which centers on the tool's handling of YAML and JSON configuration files, allows maliciously crafted scripts to leverage the `s...
A critical security update has been deployed for the widely-used Rust programming language crate, `rand`. The update patches a vulnerability, prompting an immediate minor version bump from `0.8.4` to `0.9.0` for core dependencies and a patch update from `0.10.0` to `0.10.1` for workspace dependencies. The presence of t...
A critical path traversal vulnerability has been disclosed in the widely-used Mako templating engine for Python, tracked as GHSA-v92g-xgxw-vvmm. The flaw resides in the `TemplateLookup.get_template()` function, which fails to properly sanitize user-supplied template URIs. Specifically, an attacker can exploit an incons...
A sophisticated supply chain attack has compromised the core release infrastructure of Aqua Security's Trivy, a widely used open-source vulnerability scanner. On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release and executed a destructive force-push operation, over...
A critical SQL injection vulnerability (CWE-89) in the drizzle-orm library went unpatched for an extended period before being addressed in version 0.45.2, raising questions about exposure in production systems that have not yet updated. The flaw resided in the `sql.identifier()` and `sql.as()` functions, where input va...
A critical CSS injection vulnerability has been identified in Mermaid, the widely-used open-source diagram and charting library. Tracked as CVE-2026-41159 (GHSA-87f9-hvmw-gh4p), the flaw stems from improper sanitization of user-supplied configuration options, allowing injected styles to apply beyond the boundaries of r...
A threat actor identified as TeamPCP has launched a sophisticated supply chain attack campaign, dubbed "Mini Shai-Hulud," targeting npm and PyPI packages from TanStack, UiPath, Mistral AI, OpenSearch, and Guardrails AI. The campaign represents a significant escalation in the actor's ongoing campaign against software de...
Linux maintainers have issued emergency patches for a second severe vulnerability within weeks, raising fresh concerns about the security of one of the world's most widely deployed operating systems. The development signals mounting pressure on system administrators to accelerate patch deployment cycles amid an unusual...
RubyGems has suspended new account registrations after hundreds of malicious packages infiltrated the official registry in what security researchers are characterizing as a coordinated supply chain attack. The move represents an extraordinary step for one of the open-source community's most critical package infrastruct...
Security researchers at Wiz.io have identified a new wave of supply chain attacks targeting the Tanstack ecosystem, with the threat actor tracked as "mini-shai-hulud" injecting malicious code into multiple NPM packages. The attack follows a pattern consistent with sophisticated open-source supply chain intrusions, wher...