The Lab · 2026-03-25 07:52:35 · GitHub Issues
A routine dependency update for the widely-used DOMPurify library masks a critical security response. The update to version 3.3.2 patches two significant vulnerabilities that could enable mutation cross-site scripting (mXSS) attacks, a stealthy and dangerous form of web exploitation. This is not a minor chore; it's a m...
The Lab · 2026-03-25 09:27:15 · GitHub Issues
A critical security report reveals two high-severity vulnerabilities in the widely used `flatted` npm package, versions 3.4.1 and below. The flaws expose countless development projects to potential Denial of Service (DoS) attacks and prototype pollution, posing a direct risk to application stability and security.
The ...
The Lab · 2026-03-25 12:27:21 · GitHub Issues
A critical supply chain vulnerability has been verified as exploitable within the official `slashben/kubescape` GitHub repository, a key security tool for Kubernetes. The finding, escalated from HIGH to CRITICAL severity, reveals that every single one of the repository's 24 GitHub Action references uses mutable tags, c...
The Lab · 2026-03-25 16:27:10 · GitHub Issues
A critical remote code execution (RCE) vulnerability has triggered an urgent, automated remediation effort within Databricks' internal Platform team. The flaw, tracked as CVE-2025-54782 and rated Critical, resides in the `@nestjs/devtools-integration` component (version <=0.2.0) used by the `databricks-plan-optimizer`....
The Lab · 2026-03-25 21:27:25 · GitHub Issues
A critical security scan has exposed five vulnerabilities within the `graphql-rails_logger-1.2.5.gem` library, a dependency used by the open-source project Intercode. The most severe flaw, tracked as CVE-2026-33176, carries a CVSS score of 7.5, indicating a high risk of exploitation. This vulnerable library was identif...
The Lab · 2026-03-25 23:27:26 · GitHub Issues
A widely used Rust library for parsing TOML configuration files has patched a security flaw that could allow an attacker to crash applications. The vulnerability, tracked as GHSA-v3rj-xjv7-4jmq, exists in smol-toml versions prior to 1.6.1. The issue stems from unrestricted recursion when processing a maliciously crafte...
The Lab · 2026-03-26 00:27:24 · GitHub Issues
A critical security update for the widely-used `tar` library patches multiple high-severity vulnerabilities that allow attackers to bypass directory protections and write to arbitrary files on a system. The flaws, centered in the library's handling of hardlinks and symlinks, create a direct path for malicious archives ...
The Lab · 2026-03-26 02:26:57 · GitHub Issues
A confirmed, reachable vulnerability in the OpenBao Secrets Operator's main branch risks leaking sensitive HTTP basic authentication credentials directly into log files. The flaw, tracked as GO-2024-2947, stems from a failure to sanitize URLs before they are written to logs, potentially exposing usernames and passwords...
The Lab · 2026-03-26 02:27:06 · GitHub Issues
A critical security alert has been triggered for the widely used `commitizen` tool, version 4.3.1. The npm package, a staple for standardizing commit messages, contains eight distinct vulnerabilities, with the highest severity rated at 7.5. This exposes any project relying on this specific version to potential exploita...
The Lab · 2026-03-26 07:27:08 · GitHub Issues
A critical security scan has flagged the widely-used Python package `langchain-0.1.9-py3-none-any.whl` as containing 13 distinct vulnerabilities, with the highest severity rated a critical 9.8 out of 10. The vulnerabilities are classified as 'reachable,' meaning they are exploitable within the application's codebase. T...
The Lab · 2026-03-26 11:27:18 · GitHub Issues
The Vite development server contains six distinct filesystem bypass vulnerabilities, allowing unauthorized access to sensitive files on a developer's machine. These CVEs, including CVE-2025-32395 and CVE-2025-31125, all circumvent the `server.fs.deny` protection mechanism. The risk is specific to the development enviro...
The Lab · 2026-03-26 12:27:30 · GitHub Issues
A high-severity security vulnerability has been identified in the official Bun installer script, exposing systems to a PATH injection attack. The flaw allows an attacker who has compromised a user's PATH environment variable to trick the installer into symlinking a malicious binary to a privileged system location, gran...
The Lab · 2026-03-26 14:27:35 · GitHub Issues
A critical security vulnerability in the widely-used UltraJSON (ujson) Python library forces an urgent dependency update. The flaw, tracked as CVE-2026-32875, can cause a Python interpreter crash (segmentation fault) or trap it in an infinite loop. The issue originates in the `ujson.dumps()` function, which suffers fro...
The Lab · 2026-03-26 14:27:38 · GitHub Issues
A high-severity Remote Code Execution (RCE) vulnerability has been identified in the `serialize-javascript` package, a transitive dependency for projects using `copy-webpack-plugin`. The vulnerability, tracked as GHSA-5c6j-r48x-rmvq, affects `serialize-javascript` versions 7.0.2 and earlier. While classified as a build...
The Lab · 2026-03-26 16:27:11 · TechCrunch
A critical security breach has hit LiteLLM, a widely used open-source AI project, exposing its user base to credential-harvesting malware. The incident directly impacts millions of developers and organizations that rely on the tool for managing large language model APIs, raising immediate concerns about supply chain se...
The Lab · 2026-03-26 16:27:15 · GitHub Issues
A critical path traversal vulnerability in the widely used Rollup JavaScript module bundler exposes build systems to arbitrary file writes. The flaw, tracked as CVE-2026-27606, stems from insecure filename sanitization within Rollup's core engine, allowing an attacker to control output filenames and potentially overwri...
The Lab · 2026-03-26 19:27:36 · GitHub Issues
A critical security vulnerability has been disclosed in the widely-used Rollup module bundler, exposing countless JavaScript projects to arbitrary file overwrite attacks. The flaw, tracked as CVE-2026-27606, stems from insecure filename sanitization within Rollup's core engine. This allows an attacker to inject path tr...
The Lab · 2026-03-26 20:27:27 · GitHub Issues
A high-severity authorization bypass vulnerability (CVE-2026-33186) has been found in the core server component of Google's gRPC-Go framework, stemming from improper input validation of the HTTP/2 `:path` pseudo-header. The flaw allows an attacker to bypass server-side routing logic by crafting a specific request path, potentially leading to unauthorized data access or service invocation. This security update urgently bumps the module version from v1.61.0 to v1.79.3 to fix the critical defect.
The root cause is that the gRPC-Go server's routing logic is overly permissive, wrongly accepting `:path` pseudo-headers in certain formats. This design flaw lets an attacker exploit the path-validation weakness to achieve authorization bypass. All gRPC-Go servers running affected versions (v1.61.0 and earlier) are potentially at risk, especially those that rely on the path for service...
The Lab · 2026-03-26 22:27:26 · GitHub Issues
A high-severity security vulnerability has been discovered in the widely used JavaScript cryptography library `node-forge`, affecting versions 1.3.1 and earlier; an attacker can exploit it by constructing malicious ASN.1 data structures, causing downstream cryptographic verification and security decisions to fail. The vulnerability is rated "High" severity, tracked as CVE-2025-12816, and was reported by researcher Hunter Wodzenski. At its core it is an interpretation conflict: a carefully crafted ASN.1 structure causes the schema validation process to "desynchronize", potentially bypassing critical cryptographic checks.
`node-forge` is a core library in the Node.js ecosystem used to implement TLS and various cryptographic tools, so its security directly affects the large number of applications and services that depend on it. The discovery of this vulnerability prompted the maintainer, Digital Bazaar, ...
The Lab · 2026-03-26 22:27:27 · GitHub Issues
A critical security flaw in the widely-used `node-forge` cryptography library has been patched, addressing a HIGH-severity vulnerability that could allow attackers to bypass downstream cryptographic verifications. The vulnerability, tracked as CVE-2025-12816, is an ASN.1 validator desynchronization issue. It enables re...