WhisperX tag archive

#software-supply-chain

This page collects WhisperX intelligence signals tagged #software-supply-chain. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.

Latest Signals (20)

The Lab · 2026-03-25 12:27:26 · GitHub Issues

1. Go Crypto Library Update v0.35.0 Patches Critical SSH Server Vulnerability CVE-2025-22869

A critical security vulnerability in the widely used `golang.org/x/crypto` library has triggered an urgent, automated dependency update across countless Go projects. The flaw, tracked as CVE-2025-22869, specifically impacts SSH servers that implement file transfer protocols, exposing them to potential exploitation. Thi...

The Lab · 2026-03-27 04:27:07 · GitHub Issues

2. Python-Multipart v0.0.22 Patches Critical Path Traversal Vulnerability (CVE-2026-24486)

A critical path traversal vulnerability in the widely used `python-multipart` library has been patched, exposing projects to potential arbitrary file writes on the server filesystem. The flaw, tracked as CVE-2026-24486, is triggered under a specific but dangerous configuration. When the library's `UPLOAD_DIR` and `UPLO...

The Lab · 2026-03-27 21:27:20 · GitHub Issues

3. Critical DoS Vulnerability in serialize-javascript (CVE-2026-34043) Prompts Urgent Updates

A critical denial-of-service (DoS) vulnerability has been disclosed in the widely used `serialize-javascript` npm package, tracked as CVE-2026-34043. The flaw allows an attacker to cause CPU exhaustion and crash applications by submitting specially crafted array-like objects, posing a direct threat to the stability of ...

The Lab · 2026-03-27 23:27:13 · GitHub Issues

4. Critical DoS Vulnerability in serialize-javascript (CVE-2026-34043) Prompts Urgent Updates

A critical denial-of-service (DoS) vulnerability has been disclosed in the widely used `serialize-javascript` npm package, tracked as CVE-2026-34043. The flaw allows an attacker to cause CPU exhaustion and crash applications by submitting specially crafted array-like objects, posing a direct threat to the stability of ...

The Lab · 2026-03-27 23:27:14 · GitHub Issues

5. Critical DoS Vulnerability in serialize-javascript (CVE-2026-34043) Prompts Urgent Updates

A critical Denial of Service (DoS) vulnerability has been disclosed in the widely used `serialize-javascript` npm package, tracked as CVE-2026-34043. The flaw, which allows for CPU exhaustion via crafted array-like objects, poses a direct threat to the stability of any application or service that depends on this librar...

The Lab · 2026-03-27 23:27:17 · GitHub Issues

6. Critical DoS Vulnerability in serialize-javascript (CVE-2026-34043) Prompts Urgent Updates

A critical denial-of-service vulnerability has been disclosed in the widely used `serialize-javascript` npm package, tracked as CVE-2026-34043. The flaw allows an attacker to cause CPU exhaustion and crash applications by submitting specially crafted array-like objects, posing a direct threat to the stability of any se...

The Lab · 2026-03-28 12:26:58 · GitHub Issues

7. Security Alert: DOMPurify 3.3.2 Patches Critical mXSS Vulnerability (GHSA-h8r8-wccr-v5f2)

A critical mutation-based cross-site scripting (mXSS) vulnerability in the widely used DOMPurify library has prompted an urgent security update to version 3.3.2. The flaw, tracked as GHSA-h8r8-wccr-v5f2, was confirmed when sanitized HTML could be mutated by a browser's parser into a malicious form, potentially bypassin...

The Lab · 2026-03-29 00:26:51 · GitHub Issues

8. Ajv JSON Schema Validator Exposed: Critical Security Vulnerability CVE-2025-69873 Prompts Urgent Update to v6.14.0

A critical security vulnerability, tracked as CVE-2025-69873, has been disclosed in the widely used Ajv (Another JSON Schema Validator) library. This flaw, present in versions prior to 6.14.0, poses a direct risk to thousands of software projects and applications that rely on Ajv for data validation. The discovery has ...

The Lab · 2026-03-30 01:26:57 · GitHub Issues

9. Security Alert: Happy-DOM Library Patches Critical RCE Vulnerability (CVE-2026-33943)

A critical security vulnerability in the popular `happy-dom` JavaScript testing library has been patched, exposing projects to potential remote code execution (RCE) attacks. The flaw, tracked as CVE-2026-33943, resides in the library's `ECMAScriptModuleCompiler`. It allows an attacker to inject arbitrary JavaScript cod...

The Lab · 2026-03-30 19:27:20 · GitHub Issues

10. Lodash Security Update: Prototype Pollution Vulnerability in `_.unset` and `_.omit` (CVE-2025-13465)

A critical security vulnerability has been disclosed in the widely used JavaScript utility library Lodash, affecting versions 4.0.0 through 4.17.22. The flaw, tracked as CVE-2025-13465, resides in the `_.unset` and `_.omit` functions and enables prototype pollution. This allows an attacker to pass specially crafted pat...

The Lab · 2026-03-30 19:27:22 · GitHub Issues

11. Lodash Security Update: Prototype Pollution Vulnerability in `_.unset` and `_.omit` (CVE-2025-13465)

A critical security vulnerability has been disclosed in the widely used JavaScript utility library Lodash, affecting versions 4.0.0 through 4.17.22. The flaw, tracked as CVE-2025-13465, is a prototype pollution issue within the `_.unset` and `_.omit` functions. This vulnerability allows an attacker to pass specially cr...

The Lab · 2026-03-31 13:27:27 · GitHub Issues

12. Urllib3 Security Flaw Exposes Python Apps to Redirect Hijacking via CVE-2025-50181

A critical vulnerability in the widely used Python library urllib3 exposes countless applications to potential redirect hijacking. The flaw, tracked as CVE-2025-50181, stems from a dangerous interaction between the library's redirect and retry mechanisms, which are controlled by the same `Retry` object. The most common...

The Lab · 2026-04-02 05:27:00 · GitHub Issues

13. Security Alert: Cryptography Library Update Abandoned, Leaving OpenSSL Vulnerability Unpatched

A critical security update for the widely used Python cryptography library has been abandoned, leaving potentially vulnerable systems exposed. The pull request, which aimed to upgrade the dependency from version 39.0.2 to 46.0.5, was marked as abandoned. This update was specifically flagged as a security fix, addressin...

The Lab · 2026-04-02 06:26:57 · GitHub Issues

14. CBDQ-IO SBus-Router 2.1.0 Image Exposes Multiple High-Severity DNS Vulnerabilities

A critical security scan of the official CBDQ-IO SBus-Router container image has uncovered multiple unpatched vulnerabilities, including two rated HIGH severity, within a core DNS utility package. The automated Trivy scan of the `ghcr.io/cbdq-io/sbus-router:2.1.0` image reveals that the embedded `bind9-dnsutils` packag...

The Lab · 2026-04-02 15:27:25 · GitHub Issues

15. Lodash Security Update: CVE-2026-2950 Prototype Pollution Vulnerability Affects the _.unset and _.omit Functions

The widely used JavaScript utility library Lodash has released a critical security update fixing a prototype pollution vulnerability tracked as CVE-2026-2950. The vulnerability affects versions 4.17.23 and earlier and resides in the `_.unset` and `_.omit` functions. An attacker can exploit it with carefully crafted input to bypass the earlier fix for CVE-2025-13465 and pollute the object prototype chain, potentially leading to application crashes, data tampering, or remote code execution. The update upgrades Lodash from version 4.17.23 to 4.18.1. The automated dependency management tool Renovate has generated an update pull request for it. Notably, this vulnerability is a bypass of the previously fixed CVE-2025-13465. The fix at that time only targeted string...

The Lab · 2026-04-02 17:27:19 · GitHub Issues

16. Lodash Security Update: CVE-2026-2950 Prototype Pollution Vulnerability Affects the _.unset and _.omit Functions

The JavaScript utility library Lodash has released a critical security update fixing a prototype pollution vulnerability tracked as CVE-2026-2950. The vulnerability affects versions 4.17.23 and earlier and resides in the two commonly used functions `_.unset` and `_.omit`. An attacker could exploit it to alter application behavior by manipulating object prototypes, potentially leading to denial of service, data tampering, or remote code execution. The update to version 4.18.1 is intended to patch this security defect. Notably, the vulnerability fixed here is a bypass of the earlier CVE-2025-13465 patch. The previous fix only protected string-keyed members, and the newly discovered attack vector can evade those protections, leaving the `_.unset` and `_.omit` functions still at risk of pollution under specific conditions. This...

The Lab · 2026-04-07 04:27:11 · GitHub Issues

17. Rollup v4 Security Alert: Path Traversal Vulnerability (CVE-2026-27606) Exposes Projects to Arbitrary File Write

A critical security vulnerability in the widely used Rollup module bundler exposes countless JavaScript projects to arbitrary file write attacks. The flaw, tracked as CVE-2026-27606, stems from insecure file name sanitization within Rollup's core engine, specifically in versions 4.x. This path traversal vulnerability a...

The Lab · 2026-04-07 10:27:12 · GitHub Issues

18. Swagger UI 3.19.3 Exposes Critical 9.8 CVSS Vulnerability in API Documentation Tool

A critical security flaw has been identified in a widely used API documentation library, posing a direct threat to thousands of development projects. The `swagger-ui-3.19.3.js` library, a dependency-free collection for generating interactive API documentation, contains two vulnerabilities, with the highest severity rat...

The Lab · 2026-04-07 10:27:13 · GitHub Issues

19. Critical jQuery 1.8.0 Vulnerabilities Exposed in GitHub Repository, Highest Severity 6.9

A critical security exposure has been identified within a public GitHub repository, where an outdated and vulnerable version of the jQuery library is actively deployed. The file `jquery-1.8.0.min.js` contains six documented vulnerabilities, with the highest severity scoring 6.9 on the CVSS scale. This library is embedd...

The Lab · 2026-04-08 00:27:06 · GitHub Issues

20. CVE-2026-22610: High-Severity XSS Flaw in Angular Core Exposes Web Apps to Script Injection

A critical security gap has been exposed in the Angular development platform, where a failure in its internal sanitization logic leaves countless web applications vulnerable to cross-site scripting (XSS) attacks. The vulnerability, tracked as CVE-2026-22610 with a HIGH severity rating, stems from the Angular Template C...