This site offers a simple way to search for advisories in the GitLab Advisory Database (GLAD). The database contains information about security issues in software dependencies that you might be using in your projects.
GitLab’s Dependency Scanning feature also utilizes this database to scan your application’s dependencies for known vulnerabilities.
Multiple versions of the npm package @shadanai/openclaw contain vendored malicious code related to the axios supply chain attack of March 31, 2026. These versions were published with embedded malware that deploys a cross-platform remote access trojan. The package should be considered entirely malicious and removed from any system where it was installed.
Version 0.0.130 of the npm package @qqbrowser/openclaw-qbot contains vendored malicious code related to the axios supply chain attack of March 31, 2026. This version was published with embedded malware that deploys a cross-platform remote access trojan. The package should be considered entirely malicious and removed from any system where it was installed.
Two malicious versions of the axios npm package (1.14.1 and 0.30.4) were published on March 31, 2026 using a compromised maintainer account. Both versions inject a hidden dependency (plain-crypto-js@4.2.1) that deploys a cross-platform remote access trojan targeting macOS, Windows, and Linux. The malicious postinstall script contacts a command-and-control server and downloads a platform-specific second-stage payload. Any system that ran npm install while either version was available should be treated as …
The npm package plain-crypto-js version 4.2.1 is a malicious package published as part of the axios supply chain attack on March 31, 2026. It was injected as a hidden dependency into compromised axios versions (1.14.1 and 0.30.4). The package is never imported in axios source code and exists solely to execute a malicious postinstall script that contacts a C2 server at sfrclak[.]com and downloads a platform-specific RAT payload. On macOS …
A logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. To be clear, this would not allow invalid transactions to be accepted but could result in a …
A logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providing invalid authorization data, a miner could cause vulnerable Zebra nodes to accept an invalid block, leading to a consensus split from the rest of the Zcash network. To be clear, this would not allow invalid transactions to be accepted but could result in a …
On March 27, 2026, a threat actor used compromised PyPI credentials to publish malicious versions 4.87.1 and 4.87.2 of the telnyx Python package directly to PyPI. These versions contain credential-stealing malware and were not published through the legitimate GitHub release pipeline.
A user which has permission for the Sulu Admin via atleast one role could have access to the subentities of contacts via the admin API without even have permission for contacts.
Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected.
Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected.
Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the output buffer is reused without being cleared, this may lead to disclosure of sensitive data. JNI-based implementations are not affected.
This advisory has been marked as a false positive.
This advisory has been marked as a false positive.
This advisory has been marked as a false positive.
This advisory has been marked as False Positive and has been removed.
After an API Token exposure from an exploited trivy dependency, two new releases of litellm were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API. Anyone who has installed and run the project should assume any credentials available to litellm environment may have been exposed, and revoke/rotate thema ccordingly.