{"vulnerability": "cve-2026-4250", "sightings": [{"uuid": "bd404a01-dd86-464d-a955-012340d39e63", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42509", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3ml5n4hflr42s", "content": "CVE-2026-42509: Apache Wicket: crafted strings can break out of the JavaScript sequence", "creation_timestamp": "2026-05-06T02:17:44.490192Z"}, {"uuid": "4b327f2e-b0b9-458c-93ad-220583484d47", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42503", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3ml77ltfzn42n", "content": "\ud83d\udfe0 CVE-2026-42503 - High (8.8)\n\ngopls by default communicates via pipe. However, -port and -listen flags are supported as means o...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42503/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-06T17:21:07.732545Z"}, {"uuid": "97d53f8d-23a7-4e36-8e39-e1b52e7b6796", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42501", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlc5lyf2ry2c", "content": "CVE-2026-42501 - Malicious module proxy can bypass checksum database in cmd/go\nCVE ID : CVE-2026-42501\n \n Published : May 7, 2026, 7:41 p.m. | 44\u00a0minutes ago\n \n Description : A malicious module proxy can exploit a flaw in the go command's validation of module checksums to bypa...", "creation_timestamp": "2026-05-07T21:23:24.122618Z"}, {"uuid": "35649702-7ea7-4153-902f-e6fdc312a66c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42508", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmgdgzxl4w2i", "content": "CVE-2026-42508 - Invoking auth bypass via unenforced @revoked status in golang.org/x/crypto/ssh/knownhosts\nCVE ID : CVE-2026-42508\n \n Published : May 22, 2026, 4:16 a.m. | 1\u00a0hour, 34\u00a0minutes ago\n \n Description : Previously, a revoked 'SignatureKey' belonging to a CA was not co...", "creation_timestamp": "2026-05-22T06:43:50.971854Z"}, {"uuid": "5fa5691b-3e46-4c21-baa4-be6c84e35709", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42506", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmhej6i35b2c", "content": "CVE-2026-42506 - Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html\nCVE ID : CVE-2026-42506\n \n Published : 22 mai 2026 15:01 | 49\u00a0minutes ago\n \n Description : Parsing arbitrary HTML which is then rendered using Render can result in a...", "creation_timestamp": "2026-05-22T16:35:36.456427Z"}, {"uuid": "1f65e14c-6534-41e1-894e-8522e11d6b3a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42502", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mmheoytrrm2r", "content": "CVE-2026-42502 - Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html\nCVE ID : CVE-2026-42502\n \n Published : 22 mai 2026 15:01 | 49\u00a0minutes ago\n \n Description : Parsing arbitrary HTML which is then rendered using Render can result in an unex...", "creation_timestamp": "2026-05-22T16:38:51.822309Z"}, {"uuid": "20d6c0eb-ffcf-498e-b3f0-84077883b2d7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42502", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mnafjazque2y", "content": "\ud83d\udd17 CVE : CVE-2026-25680, CVE-2026-25681, CVE-2026-39827, CVE-2026-39828, CVE-2026-39835, CVE-2026-41401, CVE-2026-42502, CVE-2026-46598, CVE-2026-8466, CVE-2026-25680, CVE-2026-25681, CVE-2026-39827, CVE-2026-39828, CVE-2026-39835, CVE-2026-41401, CVE-2026-42502, CVE-2026-46598, CVE-2026-8466", "creation_timestamp": "2026-06-01T15:38:41.349290Z"}, {"uuid": "d53b3d3d-4b46-4fb4-b786-045ac6c07f86", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42504", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mne3ga4eue23", "content": "CVE-2026-42504 - Quadratic complexity in WordDecoder.DecodeHeader in mime\nCVE ID : CVE-2026-42504\n \n Published : June 2, 2026, 11:16 p.m. | 3\u00a0hours, 16\u00a0minutes ago\n \n Description : Decoding a maliciously-crafted MIME header containing many invalid encoded-words can consume exc...", "creation_timestamp": "2026-06-03T02:40:06.818766Z"}, {"uuid": "ddb6fdbb-a0fe-4d3f-b65c-d9512808781d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42507", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mne3iwbcgy25", "content": "CVE-2026-42507 - Arbitrary inputs are included in errors without any escaping in net/textproto\nCVE ID : CVE-2026-42507\n \n Published : June 2, 2026, 11:16 p.m. | 3\u00a0hours, 16\u00a0minutes ago\n \n Description : When returning errors, functions in the net/textproto package would include...", "creation_timestamp": "2026-06-03T02:41:36.702296Z"}, {"uuid": "0e1af7bb-8dd8-44cd-8595-29850223cc1e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42504", "type": "seen", "source": "https://bsky.app/profile/lambdawatchdog.bsky.social/post/3mnf2rgkfkm2f", "content": "\n\ud83d\udea8 New UNKNOWN CVE detected in AWS Lambda \ud83d\udea8\nCVE-2026-42504 impacts stdlib in 26 Lambda base images.\n\nDetails: https://github.com/aws/aws-lambda-base-images/issues/544\nMore: https://lambdawatchdog.com/\n\n#AWS #Lambda #CVE #CloudSecurity #Serverless", "creation_timestamp": "2026-06-03T12:01:07.923514Z"}, {"uuid": "8f5d3102-1463-4dd3-a1ac-1c286a5e1c56", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42507", "type": "seen", "source": "https://bsky.app/profile/lambdawatchdog.bsky.social/post/3mnf2rtqtu32f", "content": "\n\ud83d\udea8 New UNKNOWN CVE detected in AWS Lambda \ud83d\udea8\nCVE-2026-42507 impacts stdlib in 26 Lambda base images.\n\nDetails: https://github.com/aws/aws-lambda-base-images/issues/545\nMore: https://lambdawatchdog.com/\n\n#AWS #Lambda #CVE #CloudSecurity #Serverless", "creation_timestamp": "2026-06-03T12:01:22.342155Z"}, {"uuid": "7ba05050-e489-4578-a04d-c5793c895f3f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42504", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mngx35ltr62l", "content": "\ud83d\udfe0 CVE-2026-42504 - High (7.5)\n\nDecoding a maliciously-crafted MIME header containing many invalid encoded-words can consume exce...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42504/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-06-04T06:00:20.152680Z"}, {"uuid": "b8b4e732-4cde-44f8-ab33-afc30793a7bb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42504", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mnrrjo3cdf2d", "content": "\ud83d\udd17 CVE : CVE-2026-42504, CVE-2026-42507, CVE-2026-42504, CVE-2026-42507", "creation_timestamp": "2026-06-08T13:20:20.329890Z"}, {"uuid": "4a7ecb5b-e7d9-4004-ba6b-34f96e3b82b7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42507", "type": "seen", "source": "https://bsky.app/profile/o2cloud.bsky.social/post/3mnrrjo3cdf2d", "content": "\ud83d\udd17 CVE : CVE-2026-42504, CVE-2026-42507, CVE-2026-42504, CVE-2026-42507", "creation_timestamp": "2026-06-08T13:20:20.481798Z"}, {"uuid": "d9b0e497-1e0e-4d69-ba09-f124eaf482d1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42504", "type": "seen", "source": "https://bsky.app/profile/lambdawatchdog.bsky.social/post/3mnu5kolpvk2r", "content": "\ud83d\udd0d Lambda Watchdog detected that CVE-2026-42504 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/544 #AWS #Lambda #Security #CVE #DevOps #SecOps", "creation_timestamp": "2026-06-09T12:01:00.024847Z"}, {"uuid": "7b8dbbcd-09e9-482d-b702-f2079e78bd56", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42507", "type": "seen", "source": "https://bsky.app/profile/lambdawatchdog.bsky.social/post/3mnu5kzbt4b2p", "content": "\ud83d\udd0d Lambda Watchdog detected that CVE-2026-42507 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/545 #AWS #Lambda #Security #CVE #DevOps #SecOps", "creation_timestamp": "2026-06-09T12:01:10.038119Z"}, {"uuid": "27445fd5-8c30-44f2-ad08-0059ff5c8164", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42506", "type": "seen", "source": "https://gist.github.com/illoyd/2131d93f5933897a469738feaf75a3e9", "content": "#!/usr/bin/env bash\n#\n# Bulk-triage GitHub code-scanning alerts by rule/CVE id.\n#\n# Dismiss (or reopen) EVERY open alert matching a CVE in one shot, recording a\n# reason + comment. Dismissing keeps the alert tracked \u2014 it leaves the active\n# list but is retained under `is:dismissed`, and when a later scan no longer\n# finds the CVE (e.g. upstream ships the fix and we bump the package) GitHub\n# auto-closes it as \"fixed\". This is preferable to a scan-time `.trivyignore`\n# for upstream / won't-fix CVEs, which would hide the finding entirely and never\n# signal resolution.\n#\n# Matching is by `rule.id`, which for Trivy/Dependabot is the CVE (e.g.\n# CVE-2026-42506) \u2014 so a single run also covers a CVE that fans out across\n# several sibling packages.\n#\n# Usage:\n#   bin/code-scanning-triage   [comment]\n#\n#   action:  wontfix | falsepositive | usedintest | reopen\n#   comment: required when dismissing; recorded on each alert (audited).\n#            Quote it \u2014 it is a single argument.\n#\n# Examples:\n#   bin/code-scanning-triage CVE-2026-42506 wontfix \\\n#     \"Upstream: thruster must bump golang.org/x/net; x/net/html not linked.\"\n#   bin/code-scanning-triage CVE-2026-42506 reopen\n#\n# Env:\n#   DRY_RUN=1   print the alerts that would change, without modifying anything.\n#\n# Requires: gh (authenticated, with security-events/repo write scope) + jq.\nset -euo pipefail\n\ndie() { echo \"error: $*\" &gt;&amp;2; exit 1; }\n\ncve=\"${1:-}\"\naction_raw=\"${2:-}\"\ncomment=\"${3:-}\"\n\n[ -n \"$cve\" ]        || die \"missing CVE/rule id (arg 1), e.g. CVE-2026-42506\"\n[ -n \"$action_raw\" ] || die \"missing action (arg 2): wontfix | falsepositive | usedintest | reopen\"\n[[ \"$cve\" =~ ^[A-Za-z0-9._-]+$ ]] || die \"invalid rule/CVE id: '$cve'\"\n\ncommand -v gh &gt;/dev/null || die \"gh CLI not found\"\ncommand -v jq &gt;/dev/null || die \"jq not found\"\n\n# Normalise the action (lower-case, strip punctuation/spaces) -&gt; GitHub state.\nnorm=\"$(printf '%s' \"$action_raw\" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z')\"\ncase \"$norm\" in\n  wontfix|wont)          state=dismissed; reason=\"won't fix\";      list_state=open ;;\n  falsepositive|fp)      state=dismissed; reason=\"false positive\"; list_state=open ;;\n  usedintest|test|tests) state=dismissed; reason=\"used in test\";   list_state=open ;;\n  reopen|open)           state=open;      reason=\"\";               list_state=dismissed ;;\n  *) die \"unknown action '$action_raw' (use: wontfix | falsepositive | usedintest | reopen)\" ;;\nesac\n\nif [ \"$state\" = dismissed ] &amp;&amp; [ -z \"$comment\" ]; then\n  die \"a comment is required when dismissing (arg 3) \u2014 quote it\"\nfi\n\nrepo=\"$(gh repo view --json nameWithOwner -q .nameWithOwner)\" || die \"not in a GitHub repo (or gh not authenticated)\"\n\necho \"repo:    $repo\"\necho \"rule:    $cve\"\necho \"action:  $action_raw  -&gt;  state=$state${reason:+, reason=\\\"$reason\\\"}\"\n[ -n \"$comment\" ] &amp;&amp; echo \"comment: $comment\"\necho\n\n# Collect matching alert numbers (filter by rule id client-side).\nraw=\"$(gh api --paginate -X GET \"repos/$repo/code-scanning/alerts\" \\\n        -f state=\"$list_state\" -f per_page=100 \\\n        --jq \".[] | select(.rule.id == \\\"$cve\\\") | .number\")\" \\\n  || die \"failed to query code-scanning alerts (token scope? security-events:write)\"\n\n# shellcheck disable=SC2206  # alert numbers are integers \u2014 word-splitting is safe\nnumbers=( $raw )\ncount=${#numbers[@]}\n\nif [ \"$count\" -eq 0 ]; then\n  echo \"no $list_state alert(s) found for $cve \u2014 nothing to do.\"\n  exit 0\nfi\necho \"matched $count $list_state alert(s): ${numbers[*]}\"\n\nif [ \"${DRY_RUN:-}\" = \"1\" ]; then\n  echo \"DRY_RUN=1 \u2014 no changes made.\"\n  exit 0\nfi\n\nfor n in \"${numbers[@]}\"; do\n  if [ \"$state\" = dismissed ]; then\n    gh api -X PATCH \"repos/$repo/code-scanning/alerts/$n\" \\\n      -f state=dismissed -f dismissed_reason=\"$reason\" -f dismissed_comment=\"$comment\" \\\n      --jq '\"  #\\(.number) -&gt; \\(.state) (\\(.dismissed_reason))\"'\n  else\n    gh api -X PATCH \"repos/$repo/code-scanning/alerts/$n\" \\\n      -f state=open \\\n      --jq '\"  #\\(.number) -&gt; \\(.state)\"'\n  fi\ndone\n\necho \"done: $count alert(s) updated.\"\n\n# Bulk-triage code-scanning alerts by CVE. Dismissing keeps them tracked\n# (filter `is:dismissed`) and auto-resolves to \"fixed\" once a later scan no\n# longer finds the CVE. action: wontfix | falsepositive | usedintest | reopen.\n#   mise run cve-triage CVE-2026-42506 wontfix \"Depends on upstream thruster bump\"\n#   DRY_RUN=1 mise run cve-triage CVE-2026-42506 wontfix \"preview only\"\n[tasks.cve-triage]\ndescription = \"Dismiss/reopen all open code-scanning alerts for a CVE, with a comment\"\nrun = \"bin/code-scanning-triage {{arg(name='cve')}} {{arg(name='action')}} {{arg(name='comment', required=false)}}\"\n", "creation_timestamp": "2026-06-30T01:29:32.450597Z"}, {"uuid": "922b6de6-af06-4b7b-a103-f2e3ebaa8160", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42505", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3mq5mx4lmyo2y", "content": "Go 1.26.5 and Go 1.25.12 fix CVE-2026-39822 &amp; CVE-2026-42505", "creation_timestamp": "2026-07-08T17:20:43.663126Z"}, {"uuid": "01bdbdeb-327a-4614-af6a-6671adc5240f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42505", "type": "seen", "source": "https://bsky.app/profile/lambdawatchdog.bsky.social/post/3mq7lkaehpi2d", "content": "\n\ud83d\udea8 New UNKNOWN CVE detected in AWS Lambda \ud83d\udea8\nCVE-2026-42505 impacts stdlib in 26 Lambda base images.\n\nDetails: https://github.com/aws/aws-lambda-base-images/issues/594\nMore: https://lambdawatchdog.com/\n\n#AWS #Lambda #CVE #CloudSecurity #Serverless", "creation_timestamp": "2026-07-09T12:00:57.013707Z"}, {"uuid": "844fb511-b2e8-44ca-97dc-d22ad095fb46", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42505", "type": "seen", "source": "https://bsky.app/profile/lambdawatchdog.bsky.social/post/3mqh4wydl6w2f", "content": "\ud83d\udd0d Lambda Watchdog detected that CVE-2026-42505 is no longer present in latest AWS Lambda base image scans. https://github.com/aws/aws-lambda-base-images/issues/594 #AWS #Lambda #Security #CVE #DevOps #SecOps", "creation_timestamp": "2026-07-12T12:00:56.395110Z"}]}