Weekly CVE Digest — April 10, 2026
Angular SSR CRITICAL SSRF (CVSS 9.2), multer DoS, cryptography buffer overflow, and a North Korea-linked supply chain campaign targeting 1,700+ packages across four ecosystems. Paste your manifest into PackageFix to check if you are affected.
CVE-2026-39892 — cryptography LOW
Ecosystem: PyPI · Affected: 45.0.0–46.0.6 · Fix: 46.0.7
Buffer overflow when non-contiguous buffers are passed to APIs like Hash.update() on Python 3.11+. Update to 46.0.7. Affects only the specific buffer usage pattern — most apps are not vulnerable but update as a precaution.
CVE-2026-27739 — @angular/ssr CRITICAL
Ecosystem: npm · Affected: below 19.2.21 / 20.3.17 / 21.1.5 · Fix: 19.2.21 / 20.3.17 / 21.1.5
SSRF via unvalidated Host and X-Forwarded-Host headers in createRequestUrl(). Angular SSR server becomes an open proxy. Cloud metadata endpoints (169.254.169.254) accessible. Angular 18 and below: no patch, use middleware workaround.
CVE-2026-3520 — multer HIGH
Ecosystem: npm · Affected: below 2.1.1 · Fix: 2.1.1
DoS via uncontrolled recursion in multipart request parsing. Affects all multer versions below 2.1.1 including 2.0.x. No workaround — upgrade to 2.1.1 immediately.
Contagious Interview — 1,700+ packages CRITICAL
Ecosystem: npm/PyPI/Go/Rust · Affected: various · Fix: Remove immediately
North Korea-linked threat group published 1,700+ malicious packages across npm, PyPI, Go, and Rust. Packages impersonate legitimate tools and steal credentials from CI/CD pipelines. Check your dependencies against the CISA KEV catalog and OSV database.
CVE-2025-55182 — Next.js HIGH
Ecosystem: npm · Affected: various · Fix: Latest stable
React2Shell vulnerability exploited in large-scale credential harvesting. Attackers are stealing database credentials, SSH keys, AWS secrets, and GitHub tokens. Update Next.js to latest stable immediately.
Full breakdown — April 10, 2026 CVEs
CVE-2026-27739 — @angular/ssr SSRF (CVSS 9.2)
Angular SSR's createRequestUrl() reads Host and X-Forwarded-Host headers without validation, allowing attackers to redirect SSR requests to arbitrary domains. Affected: all @angular/ssr below 19.2.21, 20.3.17, 21.1.5. Angular 18 and below: no patch — use header validation middleware.
npm install @angular/ssr@19.2.21 # Angular 19
npm install @angular/ssr@20.3.17 # Angular 20
npm install @angular/ssr@21.1.5 # Angular 21
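For deployments that cannot take the patch (Angular 18 and below), the workaround the digest refers to is header validation in front of the SSR handler. The following is an added example, not code from the digest or the Angular project: an allowlist check for Host and X-Forwarded-Host packaged as an Express-style (req, res, next) middleware, which is the shape Angular's default server.ts is assumed to use. The allowlist contents, the hostnames in the comments, and all function names are constructed for this example.

```javascript
// Added example, not code from the digest or the Angular project. A header
// allowlist check for Host / X-Forwarded-Host, packaged as an Express-style
// (req, res, next) middleware to run before the SSR handler. The allowlist
// contents and all function names are constructed for this example.

// Hostnames (with port when non-default) this deployment is actually served as.
const ALLOWED_HOSTS = new Set(['app.example.com', 'localhost:4000']);

function normalizeHost(value) {
  return String(value).trim().toLowerCase();
}

// Returns null when both headers are acceptable, otherwise a reason string.
// Duplicate headers arrive joined with ", " in Node, and proxies may append
// to X-Forwarded-Host with commas, so every listed value must be allowed.
function checkHostHeaders(headers, allowlist = ALLOWED_HOSTS) {
  const host = headers['host'];
  if (typeof host !== 'string' || host.trim() === '') return 'missing Host header';
  if (host.includes(',') || !allowlist.has(normalizeHost(host))) {
    return `Host not allowed: ${host.trim()}`;
  }
  const forwarded = headers['x-forwarded-host'];
  if (forwarded === undefined) return null;
  const values = (Array.isArray(forwarded) ? forwarded : [forwarded])
    .flatMap((v) => String(v).split(','));
  for (const v of values) {
    if (!allowlist.has(normalizeHost(v))) {
      return `X-Forwarded-Host not allowed: ${v.trim()}`;
    }
  }
  return null;
}

// Middleware: reject with 400 before createRequestUrl() can see the headers.
// Uses only the plain Node response API so it works with Express or http.
function hostAllowlistMiddleware(allowlist = ALLOWED_HOSTS) {
  return function (req, res, next) {
    const reason = checkHostHeaders(req.headers, allowlist);
    if (reason !== null) {
      res.statusCode = 400;
      res.end('Bad Request');
      return;
    }
    next();
  };
}

// When no trusted reverse proxy sets X-Forwarded-Host, removing it is simpler
// than validating it: the SSR layer then only ever sees the checked Host.
function stripForwardedHost(req, res, next) {
  delete req.headers['x-forwarded-host'];
  next();
}

// Usage in an Express-based server.ts (assumed), registered before the SSR route:
//   app.use(stripForwardedHost);           // or, behind a trusted proxy:
//   app.use(hostAllowlistMiddleware());
```

Keep the allowlist to the exact host:port strings the application is reached through; a wildcard or suffix match would let a crafted header such as the cloud metadata address mentioned above slip through in a different form.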
CVE-2026-3520 — multer DoS (HIGH)
Uncontrolled recursion in multer's multipart parser. Affects all multer versions including 2.0.x. Only safe version: multer 2.1.1.
npm install multer@2.1.1
CVE-2026-39892 — cryptography buffer overflow
Buffer overflow when non-contiguous buffers are passed to Hash.update() on Python 3.11+. Affects cryptography 45.0.0 through 46.0.6. Safe version: 46.0.7.
pip install cryptography --upgrade
Contagious Interview — 1,700 malicious packages
North Korea-linked threat group published over 1,700 malicious packages across npm, PyPI, Go, and Rust. Packages exfiltrate credentials from CI/CD environments. Check your dependencies against the CISA KEV catalog.
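Checking a dependency list against a digest like this one is mostly version-range arithmetic, and the @angular/ssr entry shows why that is easy to get wrong: "below 19.2.21 / 20.3.17 / 21.1.5" means one fixed release per major, so 20.0.0 is affected even though it is above 19.2.21. The following is an added example and not PackageFix's code: it encodes the ranges stated in this digest, checks a list of exact installed versions against them per major branch, and builds the request body for OSV's batch query API (POST https://api.osv.dev/v1/querybatch) so the same list can be checked against the full database. The installed list and the function names are constructed; versions are compared as plain major.minor.patch, and pre-release tags are deliberately not handled.

```javascript
// Added example, not PackageFix's code. Ranges are transcribed from this digest;
// the installed list and all function names are constructed for the example.
// Versions are compared as plain major.minor.patch (pre-release tags ignored).

const DIGEST_ADVISORIES = [
  {
    id: 'CVE-2026-27739', ecosystem: 'npm', name: '@angular/ssr',
    // One fixed release per supported major; majors below 19 have no patch.
    fixedByMajor: { 19: '19.2.21', 20: '20.3.17', 21: '21.1.5' },
    noFixBelowMajor: 19,
  },
  { id: 'CVE-2026-3520', ecosystem: 'npm', name: 'multer', fixed: '2.1.1' },
  { id: 'CVE-2026-39892', ecosystem: 'PyPI', name: 'cryptography',
    introduced: '45.0.0', fixed: '46.0.7' },
];

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// -1, 0 or 1, comparing major, then minor, then patch numerically.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Advisories with several maintained branches are checked per major.
function isAffected(advisory, version) {
  if (advisory.fixedByMajor) {
    const major = parseVersion(version)[0];
    if (major < advisory.noFixBelowMajor) return true;
    const fixed = advisory.fixedByMajor[major];
    if (fixed === undefined) return false; // major not covered by the advisory
    return compareVersions(version, fixed) < 0;
  }
  const pastIntroduced = advisory.introduced === undefined
    || compareVersions(version, advisory.introduced) >= 0;
  return pastIntroduced && compareVersions(version, advisory.fixed) < 0;
}

// Returns one hit per (installed package, matching advisory) pair.
function findAffected(installed, advisories = DIGEST_ADVISORIES) {
  const hits = [];
  for (const dep of installed) {
    for (const adv of advisories) {
      if (adv.ecosystem !== dep.ecosystem || adv.name !== dep.name) continue;
      if (!isAffected(adv, dep.version)) continue;
      const fixed = adv.fixed
        ?? adv.fixedByMajor[parseVersion(dep.version)[0]]
        ?? 'no fix; see workaround';
      hits.push({ id: adv.id, name: dep.name, version: dep.version, fixed });
    }
  }
  return hits;
}

// OSV ecosystem names: 'npm', 'PyPI', 'Go', 'crates.io' (what the digest calls Rust).
function buildOsvBatchQuery(installed) {
  return {
    queries: installed.map((d) => ({
      package: { name: d.name, ecosystem: d.ecosystem },
      version: d.version,
    })),
  };
}

// Constructed sample of installed packages (exact versions, as from a lockfile).
const INSTALLED = [
  { ecosystem: 'npm', name: '@angular/ssr', version: '19.2.20' },
  { ecosystem: 'npm', name: 'multer', version: '2.0.2' },
  { ecosystem: 'PyPI', name: 'cryptography', version: '46.0.7' },
  { ecosystem: 'npm', name: 'express', version: '4.21.2' },
];

console.log(JSON.stringify(findAffected(INSTALLED), null, 2));
```

Feed the real list from a lockfile or `npm ls --json` rather than from the ranges in package.json: a caret range tells you what could be installed, while the advisory applies to what actually is. The local table only covers what this digest lists, which is why the OSV query body is built from the same input.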
CVE-2025-55182 — Next.js credential harvesting (HIGH)
Actively exploited to steal database credentials, SSH keys, AWS secrets, and GitHub tokens. Update to latest stable Next.js immediately.
npm install next@latest
Paste your manifest — PackageFix checks every dependency against OSV and CISA KEV instantly.