This site offers a simple way to search for advisories in the GitLab Advisory Database (GLAD). The database contains information about security issues in software dependencies that you might be using in your projects.
GitLab’s Dependency Scanning feature also utilizes this database to scan your application’s dependencies for known vulnerabilities.
Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root and creates the file outside Alice's selected directory.
Alice runs zrok2 copy from a WebDAV or zrok drive controlled by Bob into a local filesystem target. Bob returns a DAV href such as /../outside.txt. The sync pipeline stores that path in the source inventory and passes it to FilesystemTarget.WriteStream, which joins it with the target root and creates the file outside Alice's selected directory.
On May 19th 2026, a new supply chain attack linked to the Mini Shai-Hulud campaign was identified. This package contains malicious code published through a compromised npm maintainer account. The malicious software is part of a coordinated high-volume publish wave targeting popular data visualization and charting ecosystems. It is recommended that all credentials be rotated, npm cache is cleared, the node_modules directory is removed, and all dependencies be rolled back …
On May 19th 2026, a new supply chain attack linked to the Mini Shai-Hulud campaign was identified. This package contains malicious code published through a compromised npm maintainer account. The malicious software is part of a coordinated high-volume publish wave targeting popular data visualization and charting ecosystems. It is recommended that all credentials be rotated, npm cache is cleared, the node_modules directory is removed, and all dependencies be rolled back …
On May 19th 2026, a new supply chain attack linked to the Mini Shai-Hulud campaign was identified. This package contains malicious code published through a compromised npm maintainer account. The malicious software is part of a coordinated high-volume publish wave targeting popular data visualization and charting ecosystems. It is recommended that all credentials be rotated, npm cache is cleared, the node_modules directory is removed, and all dependencies be rolled back …
Wire's protobuf group-skipping logic did not reject negative lengths before skipping a length-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an unchecked runtime exception during decoding instead of the documented IOException / ProtocolException failure path. This can crash services that decode untrusted protobuf payloads and only handle Wire's documented checked decoding failures.
Wire's protobuf group-skipping logic did not reject negative lengths before skipping a length-delimited field inside a group. A crafted protobuf payload could cause Wire to throw an unchecked runtime exception during decoding instead of the documented IOException / ProtocolException failure path. This can crash services that decode untrusted protobuf payloads and only handle Wire's documented checked decoding failures.
On May 19th 2026, a new supply chain attack linked to the Mini Shai-Hulud campaign was identified. This package contains malicious code published through a compromised npm maintainer account. The malicious software is part of a coordinated high-volume publish wave targeting popular data visualization and charting ecosystems. It is recommended that all credentials be rotated, npm cache is cleared, the node_modules directory is removed, and all dependencies be rolled back …
Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected.
Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected.
Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected.
This advisory has been marked as a false positive.
This advisory has been marked as a false positive.
This advisory has been marked as a false positive.
This advisory has been marked as False Positive and has been removed.
After an API Token exposure from an exploited trivy dependency, two new releases of litellm were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API. Anyone who has installed and run the project should assume any credentials available to litellm environment may have been exposed, and revoke/rotate thema ccordingly.