
HashiCorp

Dev Platforms & CI/CD

Open CVEs: 18
Exploited: 1
KEV: 1
Unpatched: 10
No Workaround: 6
Internet-facing: 13

Why this provider is risky now

This provider has 18 open CVE(s) in the last 30 days. 1 listed in CISA KEV (known exploited). 10 have no vendor patch. 13 affect internet-facing services. 7 impact the management/identity plane.

1 KEV | 1 Exploited | 10 Unpatched | 7 Mgmt / Admin Plane | 1 Public PoC | 6 No Workaround | 13 Internet-facing

Top Risky CVEs

CVE-2026-45321
Act Now
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actions exploitation. Attackers combined pull_request_target misconfiguration, Actions cache poisoning, and OIDC token memory extraction to publish malicious code under the legitimate TanStack identity. Installing any affected version executes a 2.3 MB obfuscated payload that exfiltrates AWS/GCP/Kubernetes credentials, npm tokens, GitHub secrets, SSH keys, and HashiCorp Vault tokens over encrypted Session/Oxen messenger infrastructure. The payload propagates by republishing victim-maintained packages with identical injection. Socket.dev and the TanStack team confirmed the incident via GHSA-g7cv-rxg3-hmpx. No EPSS or CISA KEV data available for this recent supply-chain attack. CVSS 9.6 reflects the cross-scope credential theft impact (S:C/C:H/I:H), though exploitation requires user-initiated package installation (UI:R).
**Within 24 hours:** Identify all internal and CI/CD usage of TanStack packages (query package-lock.json, yarn.lock, and pnpm-lock.yaml across all repos); audit npm/GitHub/AWS/Vault access logs for anomalous activity from 2026-05-11 forward; revoke and rotate all developer AWS keys, GCP service accounts, Kubernetes tokens, npm tokens, GitHub personal access tokens, and SSH keys accessed from affected machines. **Within 7 days:** Re-scan all development and production systems for presence of TanStack compromised versions using GHSA-g7cv-rxg3-hmpx advisory artifact signatures; conduct forensic analysis of any affected workstations for lateral movement indicators; purge node_modules and lock files, then reinstall from uncompromised upstream sources or verified commit hashes. **Within 30 days:** Implement npm package verification (checksums, provenance attestation via sigstore); enforce pull_request_target->pull_request migration in internal GitHub Actions; deploy software composition analysis (SCA) tooling with real-time KEV/GHSA matching in CI/CD pipeline.
ICT dependency Active exploitation KEV PoC Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: HashiCorp
  • Exploited in the wild (CISA KEV)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • Known exploited vulnerability (KEV)
CVSS: 9.6
EPSS: 0.0%
Priority: 118
CVE-2026-9152
Monitor
Unpatched
A missing authentication vulnerability exists in the Altium 365 SearchService. A legacy SOAP endpoint exposes search index operations without requiring authentication, session tokens, or any form of i
Edge exposure ICT dependency No patch available Management plane
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-306: Missing Authentication for Critical Function)
  • Third-party ICT: HashiCorp
  • No patch available
  • Management plane (Missing Authentication for Critical Function)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
  • Authentication / access control weakness
CVSS: 10.0
EPSS: 0.1%
Priority: 50
CVE-2026-46412
Act Now
Unpatched
Supply-chain compromise of the npm package @beproduct/nestjs-auth (versions 0.1.2 through 0.1.19) delivered the Mini Shai-Hulud worm payload via a malicious postinstall script, harvesting npm, GitHub, AWS, and HashiCorp Vault credentials from any developer or CI host that ran npm install during a 2h37m publication window on 2026-05-11. Confirmed actively exploited during that window via an attacker-controlled npm publish token; clean version 0.1.20 republishes the original 0.1.1 source tree. CVSS 10.0 reflects the unauthenticated, network-driven supply-chain delivery and scope change into the install environment.
Within 24 hours: Identify all systems (developers, CI/CD pipelines, build servers) that installed affected versions via package-lock.json, yarn.lock, or CI logs; immediately rotate all AWS access keys, GitHub personal access tokens, npm publish tokens, and HashiCorp Vault credentials; quarantine affected systems for forensic analysis. Within 7 days: Upgrade all projects to @beproduct/nestjs-auth version 0.1.20 or remove dependency entirely; run npm audit across entire dependency tree; audit AWS CloudTrail, GitHub audit logs, and Vault access logs for post-2026-05-11 unauthorized activity. Within 30 days: Implement Software Composition Analysis (SCA) tooling for continuous package monitoring; mandate pre-install signature verification for npm packages; complete forensic investigation and incident report; evaluate replacing @beproduct/nestjs-auth with alternative packages.
ICT dependency No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: HashiCorp
  • No patch available
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
CVSS: 10.0
Priority: 50
CVE-2026-7428
Act Now
Prior to 2025-11-03, well-intended users of Terraform or REST API for Google Cloud AlloyDB for PostgreSQL could have created clusters with an insecure default password which could have been exploited
ICT dependency Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Third-party ICT: HashiCorp, PostgreSQL
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • ICT provider: PostgreSQL (Databases & Data Platforms)
CVSS: 9.2
EPSS: 0.0%
Priority: 46
CVE-2026-47358
Act Now
Unpatched
Server-Side Request Forgery in Tenable Terrascan v1.18.3 and prior allows unauthenticated remote attackers to coerce the server into fetching arbitrary URLs, including file:// URIs that enable local file disclosure. The flaw is triggered when Terrascan runs in server mode and parses uploaded ARM or CloudFormation templates whose templateLink.uri, parametersLink.uri, or AWS::CloudFormation::Stack TemplateURL fields point to attacker-controlled destinations. No public exploit identified at time of analysis, and because Terrascan was archived in August 2023, no patch will ever be released.
Within 24 hours: Identify all Terrascan deployments (v1.18.3 and earlier) running in server mode and assess network exposure. Within 7 days: Implement network access controls restricting inbound connections to Terrascan servers; disable server mode if operationally feasible; validate all uploaded template URIs to reject file:// schemes. Within 30 days: Migrate to an actively maintained infrastructure-as-code scanning solution (alternatives include Tenable Nessus, Qualys, or community-maintained forks); plan decommissioning of Terrascan.
Edge exposure ICT dependency No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • Third-party ICT: HashiCorp
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
CVSS: 9.2
EPSS: 0.0%
Priority: 46
CVE-2026-47357
Act Now
Unpatched
Server-Side Request Forgery in Tenable's Terrascan IaC scanner (versions 1.18.3 and prior) lets unauthenticated remote attackers read arbitrary local files and exfiltrate ~/.netrc credentials when the tool runs in server mode. Because Terrascan was archived in August 2023, no vendor patch will ever be released, and the daemon binds to 0.0.0.0 with no authentication by default. No public exploit identified at time of analysis, but the CVSS 4.0 score of 9.2 reflects trivial network-reachable abuse paired with significant confidentiality scope change.
Within 24 hours: Inventory all systems running Terrascan versions 1.18.3 and prior, prioritizing those with network exposure. Within 7 days: Disable Terrascan server mode on all affected systems and implement network isolation for any remaining instances. Within 30 days: Decommission Terrascan entirely and migrate to actively maintained Infrastructure-as-Code scanning tools such as Checkov, TFLint, or Snyk.
Edge exposure ICT dependency No patch available
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing (CWE-918: Server-Side Request Forgery (SSRF))
  • Third-party ICT: HashiCorp
  • No patch available
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • CRITICAL severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
CVSS: 9.2
EPSS: 0.0%
Priority: 46
CVE-2026-46354
Act Now
Unauthenticated agent token theft in Coder v2 (self-hosted developer workspace platform) stems from azureidentity.Validate() verifying the PKCS#7 signer's certificate chain but skipping signature verification of the signed content itself. Remote attackers who know a target VM's vmId (a UUIDv4) can forge a PKCS#7 envelope containing a legitimate Azure certificate alongside attacker-controlled content and POST it to the unauthenticated /api/v2/workspaceagents/azure-instance-identity endpoint to receive the victim workspace agent's session token, which then unlocks Git SSH keys, OAuth tokens for GitHub/GitLab/Bitbucket, and workspace secrets. No public exploit identified at time of analysis, but the vulnerability is vendor-confirmed via GHSA-6x44-w3xg-hqqf and a detailed root-cause analysis with attack-path diagram is published.
Within 24 hours: Identify all Coder v2 instances and assess integration with Git systems (GitHub/GitLab/Bitbucket) and OAuth providers; isolate critical instances if necessary. Within 7 days: Apply vendor-released patch to all Coder v2 instances. Within 30 days: Audit workspace agent token usage logs for anomalies and proactively rotate all Git SSH keys and OAuth tokens.
Edge exposure ICT dependency Patched
Why flagged?
NIS2 Relevant
  • CRITICAL severity
  • Internet-facing technique: rce
  • Third-party ICT: GitLab, HashiCorp
  • Moderate evidence (PoC / elevated EPSS)
DORA Relevant
  • CRITICAL severity
  • ICT provider: GitLab (Dev Platforms & CI/CD)
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
CVSS: 9.1
Priority: 46
CVE-2026-42278
This Week
Unpatched
Authentication bypass in UltraDAG Core blockchain allows remote unauthenticated attackers to drain all pocket-derived sub-addresses on smart accounts, completely bypassing vault delays and daily spending limits. The StateEngine fails to resolve pocket addresses to their parent account during policy enforcement, treating virtual pocket addresses as unrestricted accounts. Confirmed actively exploited (CISA KEV). Vendor-released patch: commit fb6ef59 resolves pocket-to-parent mapping before all policy checks. EPSS data unavailable but attack vector is network-accessible with no complexity (CVSS 4.0 AV:N/AC:L/PR:N), making this a critical priority for any UltraDAG deployment using smart account pockets.
Within 24 hours: Identify all production UltraDAG Core deployments using smart account pocket functionality and isolate affected systems from public network access pending patch deployment. Within 7 days: Apply vendor-released patch commit fb6ef59 to all affected UltraDAG Core instances; validate pocket-to-parent address mapping is enforced before policy checks in StateEngine. Within 30 days: Conduct forensic review of all smart account transactions since deployment to detect unauthorized pocket drains; implement network segmentation to restrict UltraDAG Core exposure; enable enhanced transaction logging for pocket address activity.
Edge exposure ICT dependency No patch available Management plane
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: HashiCorp
  • No patch available
  • Management plane (Improper Access Control)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • No remediation available
  • Authentication / access control weakness
CVSS: 8.8
EPSS: 0.0%
Priority: 44
CVE-2026-7474
This Week
HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This vulnerability (CVE-2026-7474) is fixed in Nomad 2.0.1, 1.1
Edge exposure ICT dependency Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing (CWE-22: Path Traversal)
  • Third-party ICT: HashiCorp
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
CVSS: 8.8
EPSS: 0.0%
Priority: 44
CVE-2026-43912
This Week
Vaultwarden is a Bitwarden-compatible server written in Rust. Prior to 1.35.5, Vaultwarden does not enforce that a groups_users.users_organizations_uuid entry belongs to the same organization as group
Edge exposure ICT dependency Management plane Patched
Why flagged?
NIS2 Relevant
  • HIGH severity
  • Internet-facing technique: authentication-bypass
  • Third-party ICT: HashiCorp
  • Management plane (Improper Authorization)
  • Strong evidence (KEV / high EPSS / multi-source)
DORA Relevant
  • HIGH severity
  • ICT provider: HashiCorp (Dev Platforms & CI/CD)
  • Authentication / access control weakness
CVSS: 8.7
EPSS: 0.0%
Priority: 44

By Exposure

Internet-facing: 13
Mgmt / Admin Plane: 7
Identity / Auth: 5
Internal only: 5

By Exploitability

Known exploited: 1
Public PoC: 1
High EPSS (>30%): 0
Remote unauthenticated: 9
Local only: 2

By Remediation

Patch available: 8
No patch: 10
Workaround available: 5
No workaround: 6

Affected Services / Product Families

HashiCorp
18 CVE(s)
CVE-2026-42602 HIGH Unpatched
CVE-2026-42278 HIGH Unpatched
CVE-2026-43912 HIGH Patched
CVE-2026-43913 HIGH Patched
CVE-2026-45321 CRITICAL KEV PoC Patched
CVE-2026-7428 CRITICAL Patched
CVE-2026-6959 MEDIUM Patched
CVE-2026-7474 HIGH Patched
CVE-2026-8052 MEDIUM Patched
CVE-2026-47357 CRITICAL Unpatched
+ 8 more

Recommended Actions
