Monthly
Missing integrity verification in pnpm's GitHub codeload dependency resolution (versions prior to 10.33.4 and 11.0.7) enables a compromised or man-in-the-middle `codeload.github.com` server to deliver arbitrary malicious tarballs that pnpm installs without hash validation. Any developer project that sources dependencies from GitHub via pnpm is exposed when running `pnpm install` on affected versions, with potential for arbitrary code execution during the install lifecycle. No public exploit code exists and there is no CISA KEV listing, but the theoretical impact includes full developer workstation compromise and downstream supply chain contamination.
Persistent local code execution affects Anthropic Claude Desktop Cowork on macOS (v1.1348.0 through v1.2278.0) because the Cowork VM bootstrap validates only the presence of rootfs.img and a version marker string without verifying image content integrity at time-of-use. A local attacker with unprivileged code execution as the victim user can swap or modify the root filesystem image so subsequent Cowork VM boots trust the tampered image, yielding persistent arbitrary code execution inside the VM and access to host-mounted directories. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.
PowerDNS Recursor versions 5.2.x, 5.3.x, and 5.4.0 are vulnerable to denial of service when processing a zone transition from NSEC to NSEC3 DNSSEC record types, causing internal inconsistency and resolver unavailability. The vulnerability requires network access but elevated attack complexity, affecting recursive DNS resolvers in production environments. Vendor patches are available for all affected branches.
CVE-2026-3856 is a security vulnerability (CVSS 5.3) that allows an attacker. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Cryptopro Secure Disk contains a vulnerability that allows attackers to execute arbitrary code in the context of the root user and enables an attacker t (CVSS 6.8).
Download Manager (WordPress plugin) versions up to 3.3.40. contains a security vulnerability (CVSS 7.3).
Eopkg package manager versions before 4.4.0 fail to track files included in malicious packages, allowing undetected file installation when users install from compromised sources. An attacker can distribute packages containing hidden files that evade detection by package management tools like lseopkg. Users installing exclusively from official Solus repositories are unaffected.
Diebold Nixdorf Vynamic Security Suite through 4.3.0 SR01 does not validate file attributes or the contents of /root during integrity validation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A missing file integrity check vulnerability exists on MacOS F5 VPN browser client installer that may allow a local, authenticated attacker with access to the local file system to replace it with a. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.
Missing integrity verification in pnpm's GitHub codeload dependency resolution (versions prior to 10.33.4 and 11.0.7) enables a compromised or man-in-the-middle `codeload.github.com` server to deliver arbitrary malicious tarballs that pnpm installs without hash validation. Any developer project that sources dependencies from GitHub via pnpm is exposed when running `pnpm install` on affected versions, with potential for arbitrary code execution during the install lifecycle. No public exploit code exists and there is no CISA KEV listing, but the theoretical impact includes full developer workstation compromise and downstream supply chain contamination.
Persistent local code execution affects Anthropic Claude Desktop Cowork on macOS (v1.1348.0 through v1.2278.0) because the Cowork VM bootstrap validates only the presence of rootfs.img and a version marker string without verifying image content integrity at time-of-use. A local attacker with unprivileged code execution as the victim user can swap or modify the root filesystem image so subsequent Cowork VM boots trust the tampered image, yielding persistent arbitrary code execution inside the VM and access to host-mounted directories. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.
OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the local assistant environment.
PowerDNS Recursor versions 5.2.x, 5.3.x, and 5.4.0 are vulnerable to denial of service when processing a zone transition from NSEC to NSEC3 DNSSEC record types, causing internal inconsistency and resolver unavailability. The vulnerability requires network access but elevated attack complexity, affecting recursive DNS resolvers in production environments. Vendor patches are available for all affected branches.
CVE-2026-3856 is a security vulnerability (CVSS 5.3) that allows an attacker. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
Cryptopro Secure Disk contains a vulnerability that allows attackers to execute arbitrary code in the context of the root user and enables an attacker t (CVSS 6.8).
Download Manager (WordPress plugin) versions up to 3.3.40. contains a security vulnerability (CVSS 7.3).
Eopkg package manager versions before 4.4.0 fail to track files included in malicious packages, allowing undetected file installation when users install from compromised sources. An attacker can distribute packages containing hidden files that evade detection by package management tools like lseopkg. Users installing exclusively from official Solus repositories are unaffected.
Diebold Nixdorf Vynamic Security Suite through 4.3.0 SR01 does not validate file attributes or the contents of /root during integrity validation. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.
A missing file integrity check vulnerability exists on MacOS F5 VPN browser client installer that may allow a local, authenticated attacker with access to the local file system to replace it with a. Rated high severity (CVSS 7.0), this vulnerability is low attack complexity. No vendor patch available.