The Lab · 2026-03-25 07:52:17 · GitHub Issues
A critical security flaw has been identified in the legacy TUF client within the widely-used Sigstore software supply chain security project. The vulnerability, tracked as CVE-2026-24137, allows for arbitrary file writes via a path traversal attack. The core failure is in the client's file caching mechanism, which cons...
The Lab · 2026-03-25 09:27:09 · GitHub Issues
A critical security vulnerability has been identified in libcurl, the widely-used data transfer library, affecting versions from 7.17.0 up to and including 8.17.0. This exposure, detailed in a Tenable Nessus plugin advisory, necessitates an immediate upgrade to version 8.18.0 or later to mitigate the risk. The flaw's p...
The Lab · 2026-03-27 00:27:20 · GitHub Issues
A critical security vulnerability has been flagged as reachable within the GitHub repository 'V-Achilles,' stemming from its dependency on a vulnerable version of the eslint-plugin-flowtype package. The vulnerability, identified as CVE-2025-13465, carries a high CVSS severity score of 7.2, indicating a significant ris...
The Lab · 2026-03-27 08:27:04 · GitHub Issues
A weekly security audit of the popular `tgrall-kleber/spring-petclinic` repository has flagged a high-severity risk: a deprecated, end-of-life (EOL) dependency that is no longer receiving security patches. The audit, dated March 27, 2026, identified the `libsass-maven-plugin` (version 0.3.4) as the primary concern. Thi...
The Lab · 2026-03-28 22:26:56 · GitHub Issues
A critical security vulnerability has been patched in the widely used Java testing library, AssertJ Core. The library's latest version, 3.27.7, addresses a dangerous XML External Entity (XXE) flaw present in the previous release, 3.27.6. This type of vulnerability allows attackers to potentially read sensitive files fr...
The Lab · 2026-03-29 12:27:06 · GitHub Issues
A major security infrastructure shift is underway in a GitHub repository, replacing placeholder workflows with a hardened, automated vulnerability scanning pipeline. The core change replaces the existing security-dependency-review workflow with a Docker-based OSV-Scanner audit, powered by the `py-lintro` image. This mo...
The Lab · 2026-03-29 23:26:58 · GitHub Issues
A critical weakness in open-source development workflows is being exposed: manual daily checks on project dependencies are no longer sufficient to guard against emerging threats. The window between automated updates can leave codebases exposed to newly disclosed critical CVEs, creating a dangerous gap tha...
The Lab · 2026-03-30 22:27:10 · GitHub Issues
A critical security update for the JavaScript bundler Rollup is being pushed to fix a DOM Clobbering vulnerability tracked as CVE-2024-47068. Under certain conditions the flaw can be exploited, affecting code that uses `import.meta.url` or that generates and references asset files through plugins, especially when bundling to the `cjs`, `umd` or `iife` formats. The alert is tied directly to an update pull request created automatically by the dependency-management bot Renovate, which aims to upgrade the project's dependency from the at-risk 1.29.0 to the patched 2.80.0.
The update touches the core build toolchain and highlights how fragile supply-chain security is in modern front-end development. DOM Clobbering is an attack technique in which an attacker may...
The Lab · 2026-04-01 05:27:02 · GitHub Issues
A critical security vulnerability has been disclosed in the widely-used Rollup JavaScript module bundler. The flaw, tracked as CVE-2026-27606, is an arbitrary file write vulnerability stemming from insecure file name sanitization within Rollup's core engine. This path traversal weakness allows an attacker to control ou...
The Lab · 2026-04-01 20:27:23 · GitHub Issues
A critical security vulnerability in a widely used Go library has prompted an urgent update. The `github.com/ulikunitz/xz` library, a core component for handling XZ compression in countless Go applications, contains a flaw that can be exploited to trigger excessive memory consumption. The issue, tracked as CVE-2025-580...
The Lab · 2026-04-03 12:27:09 · GitHub Issues
A high-severity security vulnerability has been automatically detected within the `minimatch` dependency used by the PipelineDeals/pipeline-js-api-client repository on GitHub. The alert, raised by GitHub's Dependabot service, indicates a potentially exploitable weakness in a core package that could compromise the secur...
The Lab · 2026-04-03 15:27:07 · GitHub Issues
A critical GitHub user story details a 'nuclear option' security protocol designed to immediately block all access to recalled firmware. The story, part of a larger epic for secure one-time firmware distribution, mandates that when an administrator recalls a firmware version due to a security incident or IP leak risk, ...
The Lab · 2026-04-04 06:26:51 · GitHub Issues
An automated dependency update for the Splat project has patched a critical security vulnerability in the widely-used Python `requests` library. The flaw, tracked in version 2.32.4, allowed a local attacker to hijack file extraction processes, potentially loading malicious code in place of legitimate files. The update ...
The Lab · 2026-04-06 02:27:02 · GitHub Issues
A critical path traversal vulnerability in Sigstore's legacy TUF client has been disclosed, enabling attackers to perform arbitrary file writes on affected systems. The flaw, tracked as CVE-2026-24137 (GHSA-fcv2-xgw5-pqxf), resides within the `github.com/sigstore/sigstore` package and stems from improper handling of ta...
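Both this Sigstore TUF entry and the Rollup CVE-2026-27606 entry above describe the same bug class: a name taken from untrusted metadata (a TUF target name, a bundler output file name) is joined onto a directory without checking that the result stays inside it. The block below is an added example, not code from sigstore or Rollup; it is a pure-string join that normalises separators, resolves `.` and `..`, and refuses absolute names, NUL bytes and any name that climbs above the output directory. The directory and file names it uses are constructed for illustration.

```javascript
// Added illustration, not Rollup's or sigstore's code: a pure-string join
// that resolves a caller-supplied file name against an output directory and
// refuses anything that would land outside it. Names below are constructed.

// Posix root, backslash/UNC root, or a Windows drive letter.
const ABSOLUTE = /^(?:[\\/]|[A-Za-z]:)/;

// Returns the joined path, or throws when the name is absolute, contains a
// NUL byte, or climbs above outDir. "a/../../b" is caught by counting the
// segments actually kept, which a naive startsWith("..") check would miss.
function safeJoin(outDir, fileName) {
  if (typeof fileName !== "string" || fileName.length === 0) {
    throw new Error("empty file name");
  }
  if (fileName.includes("\0")) throw new Error("NUL byte in file name");
  if (ABSOLUTE.test(fileName)) throw new Error("absolute file name: " + fileName);

  const kept = [];
  for (const seg of fileName.split(/[\\/]+/)) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (kept.length === 0) throw new Error("path escapes output dir: " + fileName);
      kept.pop();
      continue;
    }
    kept.push(seg);
  }
  if (kept.length === 0) throw new Error("file name resolves to the output dir itself");
  return outDir.replace(/[\\/]+$/, "") + "/" + kept.join("/");
}

// Convenience wrapper for callers that prefer null over an exception.
function tryJoin(outDir, fileName) {
  try {
    return safeJoin(outDir, fileName);
  } catch {
    return null;
  }
}
```

This check is lexical only. If an attacker can already place a symlink inside the output directory, a lexically clean path can still be followed out of it, so the write itself should additionally be done against a resolved real path or with the platform's no-follow open flags.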
The Lab · 2026-04-07 02:26:59 · GitHub Issues
A critical vulnerability (CVE-2026-25896) has been disclosed in the widely used JavaScript XML parsing library `fast-xml-parser`. It lets an attacker use a crafted DOCTYPE entity name to perform regular-expression injection that bypasses entity encoding, potentially enabling XML External Entity (XXE) attacks or server-side request forgery (SSRF).
The root cause is a logic flaw in how the library handles entity names in DOCTYPE declarations. When an entity name contains a dot (`.`), the internal regular-expression match treats the character as a wildcard rather than a literal. An attacker can therefore inject regex patterns that match and replace unintended text, ultimately bypassing the safeguard meant to encode dangerous entities. All versions before 5.5.7 are affected. Maintainer Natural...
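To make the wildcard problem concrete, here is an added example, not fast-xml-parser's code: a toy DOCTYPE entity expander that splices the entity name straight into a `RegExp`, beside a version that validates and escapes it. With an entity literally named `l.` whose value is `<`, the unescaped pattern `/&l.;/` matches the application's own `&lt;` encoding and undoes it. The DOCTYPE, body and allow-list regex are constructed for the illustration.

```javascript
// Added illustration, not fast-xml-parser's code: a toy DOCTYPE entity
// expander that splices the entity name into a RegExp unescaped, next to
// the escaped form. Entity names, body and values below are constructed.

// Pull <!ENTITY name "value"> declarations out of a DOCTYPE string.
function parseEntities(doctype) {
  const decl = /<!ENTITY\s+([^\s"']+)\s+"([^"]*)"\s*>/g;
  const entities = [];
  let m;
  while ((m = decl.exec(doctype)) !== null) {
    entities.push({ name: m[1], value: m[2] });
  }
  return entities;
}

// Vulnerable: "&" + name + ";" is compiled as a pattern, so a name such as
// "l." yields /&l.;/ and the "." matches any character, including the "t"
// of the encoded "&lt;" the application relied on for safety.
function expandEntitiesVulnerable(body, entities) {
  let out = body;
  for (const { name, value } of entities) {
    out = out.replace(new RegExp("&" + name + ";", "g"), value);
  }
  return out;
}

// Hardened: validate the name against an XML-style Name shape (dots are
// legal in XML names, so they cannot simply be banned) and escape every
// regex metacharacter before building the pattern.
const XML_NAME = /^[A-Za-z_:][A-Za-z0-9_:.-]*$/; // assumed allow-list, simplified

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

function expandEntitiesSafe(body, entities) {
  let out = body;
  for (const { name, value } of entities) {
    if (!XML_NAME.test(name)) throw new Error("rejected entity name: " + name);
    out = out.replace(new RegExp("&" + escapeRegExp(name) + ";", "g"), value);
  }
  return out;
}

// Constructed document: the attacker declares an entity named "l." whose
// value is "<"; the body contains markup the application had encoded.
const DOCTYPE = '<!DOCTYPE r [<!ENTITY l. "<"><!ENTITY co "Acme">]>';
const BODY = "&co; says &lt;script&gt;alert(1)&lt;/script&gt;";

// Runs both expanders over the constructed document and returns the results.
function demo() {
  const entities = parseEntities(DOCTYPE);
  return {
    vulnerable: expandEntitiesVulnerable(BODY, entities),
    safe: expandEntitiesSafe(BODY, entities),
  };
}
```

The escaping step is the actual fix; the allow-list is defence in depth, and is why the check cannot be reduced to "reject names containing a dot": `.` is a valid XML name character, so a library that banned it would break legitimate documents.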
The Lab · 2026-04-07 03:27:08 · GitHub Issues
A critical vulnerability in the OpenSSL library has been identified within a publicly available container image from CBDQ-IO, exposing downstream software supply chains to potential compromise. The automated security scan of the `ghcr.io/cbdq-io/gitchangelog:0.1.2` Docker image flagged CVE-2025-15467 as CRITICAL, stemm...
The Lab · 2026-04-07 09:26:57 · GitHub Issues
Lodash has released a critical security update fixing a prototype pollution vulnerability tracked as CVE-2026-2950. The flaw affects versions 4.17.23 and earlier and lives in the `_.unset` and `_.omit` functions; an attacker can use it to bypass the earlier fix for CVE-2025-13465. The update bumps the dependency from 4.17.23 to 4.18.1 to close the gap.
The root cause is that the earlier fix for CVE-2025-13465 only guarded string-keyed path members, leaving an exploitable bypass. Under specific conditions an attacker could manipulate an object's prototype chain to inject malicious properties into the application or alter existing behaviour, potentially leading to remote code execution, data tampering or denial of service. Lodash, as JavaScrip...
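The phrase "only guarded string-keyed path members" is worth seeing in code. The block below is an added example, not lodash's implementation or its patch: a toy path-based `unset` whose guard checks forbidden names only when the path member is a `string`, so a non-string member whose `toString()` returns `__proto__` slips past and is coerced to that key when used as a property name. Beside it is a hardened walker that coerces every member first and only follows own properties. The object shapes, paths and the `planted` probe property are constructed for the illustration.

```javascript
// Added illustration, not lodash's code: a toy path-based unset showing why
// guarding only string-typed path members is bypassable, next to a hardened
// version. Object shapes, paths and the "planted" property are constructed.

const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);

function toPath(path) {
  return Array.isArray(path) ? path : String(path).split(".");
}

// Incomplete fix: rejects forbidden names only when the member is a string.
// A non-string member (any object with a toString) passes the check and is
// coerced to "__proto__" the moment it is used as a property key.
function unsetVulnerable(obj, path) {
  const parts = toPath(path);
  if (parts.some((p) => typeof p === "string" && FORBIDDEN.has(p))) return false;
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    cur = cur == null ? undefined : cur[parts[i]];
    if (cur == null) return false;
  }
  return delete cur[parts[parts.length - 1]];
}

// Hardened: coerce every member to the string key it will become before
// checking it, and walk own properties of plain objects only, so inherited
// links such as "constructor" can never be followed up to a shared prototype.
function unsetSafe(obj, path) {
  const keys = toPath(path).map((p) => String(p));
  if (keys.some((k) => FORBIDDEN.has(k))) return false;
  const own = (o, k) =>
    o !== null && typeof o === "object" && Object.prototype.hasOwnProperty.call(o, k);
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (!own(cur, keys[i])) return false;
    cur = cur[keys[i]];
  }
  const last = keys[keys.length - 1];
  if (!own(cur, last)) return false;
  return delete cur[last];
}

// Plant a configurable property on Object.prototype, run the given unset
// with a bypass path, and report whether the shared prototype was touched.
// The planted property is always removed afterwards.
function probe(unsetFn) {
  Object.defineProperty(Object.prototype, "planted", {
    value: 1,
    configurable: true,
    writable: true,
  });
  try {
    const bypass = [{ toString: () => "__proto__" }, "planted"];
    unsetFn({}, bypass);
    return ({}).planted === 1 ? "intact" : "polluted";
  } finally {
    delete Object.prototype.planted;
  }
}
```

The probe deletes rather than adds a property, which is exactly what an `unset`-shaped sink can do: removing something like `hasOwnProperty` from `Object.prototype` is a denial-of-service primitive even when nothing is written.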
The Lab · 2026-04-07 13:27:16 · GitHub Issues
A critical flaw in the OSV vulnerability scanning system leaves it vulnerable to indefinite hangs. The scanner makes external HTTP requests to the `api.osv.dev` service without configuring any timeout parameters. This omission means that if the external API becomes slow or unresponsive, the worker processes executing t...
The Lab · 2026-04-11 02:22:33 · GitHub Issues
A critical security scan has flagged the `config-0.0.0.tgz` package with three high-severity vulnerabilities, including one rated 8.1 on the CVSS scale. The findings originate from a transitive dependency on `lodash-4.17.21.tgz`, a widely used JavaScript utility library. The most alarming aspect is that all three vulne...
The Lab · 2026-04-11 02:22:34 · GitHub Issues
A critical security scan has flagged eight vulnerabilities within the `common-0.0.0.tgz` package, with the highest severity scoring a CVSS 8.1. The findings, reported via a GitHub issue, indicate a deeply embedded and potentially unaddressed risk in a foundational project dependency. All identified vulnerabilities are ...