Sign in Start free

00 // INTEL / SITEMAP

Index of all advisories

A-Z and chronological access to every BVA advisory we've published.

Apr 2026 Mar 2026 Feb 2026 Jan 2026 Dec 2025 Nov 2025 Oct 2025

Apr 2026

(5 advisories)

BVA-2026-0142AWS access key found in prod-tagged Docker imageCriticalDocker BVA-2026-0141Typosquat targeting @bleedwatch/scanner-cliHighNPM BVA-2026-0138Dependency confusion vector in @internal-packageHighNPM BVA-2026-0135Workflow injection via PR title in unsafe checkoutHighGitHub BVA-2026-0130Source map leak exposes API endpointsMediumWeb build

Mar 2026

(5 advisories)

BVA-2026-0127Cloudfront origin left reachable through stale DNSMediumDNS BVA-2026-0124Expired OAuth callback host reused by preview appHighGitHub BVA-2026-0119Forged package README links to credential harvesterHighPyPI BVA-2026-0116Image label reveals private registry namespaceMediumDocker BVA-2026-0110Browser bundle includes staging GraphQL tokenCriticalWeb build

Feb 2026

(5 advisories)

BVA-2026-0108Abandoned maintainer account publishes postinstall loaderCriticalNPM BVA-2026-0102Container layer retains Terraform backend credentialsCriticalDocker BVA-2026-0097Dark web listing matches production SSO invite tokenHighDark web BVA-2026-0093Unsafe Actions checkout exposes write-scoped tokenHighGitHub BVA-2026-0089Package provenance signature missing after owner transferMediumPyPI

Jan 2026

(5 advisories)

BVA-2026-0084Analytics endpoint discloses tenant identifiersMediumWeb build BVA-2026-0079Build artifact includes `.npmrc` registry tokenCriticalNPM BVA-2026-0075GitHub environment secret exposed by verbose deploy stepHighGitHub BVA-2026-0068DNS takeover risk on retired customer-success subdomainHighDNS BVA-2026-0061Credential dump contains active vendor API passwordCriticalDark web

Dec 2025

(5 advisories)

BVA-2025-0157NPM namespace squatter mirrors internal design-system nameHighNPM BVA-2025-0151PyPI wheel executes telemetry beacon during installHighPyPI BVA-2025-0144Docker image exposes CircleCI project slug and token hintMediumDocker BVA-2025-0139Archive artifact preserves `.env.production` fileCriticalGitHub BVA-2025-0134MX record drift points mail flow at abandoned tenantMediumDNS

Nov 2025

(5 advisories)

BVA-2025-0128S3-compatible endpoint revealed in frontend source mapMediumWeb build BVA-2025-0122Kubernetes image tag reuses vulnerable OpenSSL base layerMediumDocker BVA-2025-0117Lookalike PyPI package steals cloud metadata tokenCriticalPyPI BVA-2025-0110GitHub release attachment contains private package lockfileLowGitHub BVA-2025-0106Credential broker domain expires while callback remains trustedHighDNS

Oct 2025

(5 advisories)

BVA-2025-0099Open package mirror serves stale vulnerable CLI binaryMediumNPM BVA-2025-0094Public Docker namespace mimics internal billing workerHighDocker BVA-2025-0087Redacted paste still exposes hashed customer emailsMediumDark web BVA-2025-0081Workflow cache leaks private Maven repository URLLowGitHub BVA-2025-0074Package install hook downloads unsigned binary payloadCriticalPyPI

SUBSCRIBE

Subscribe to new advisories.

Receive public BVA records by email or feed as soon as redaction and publication review are complete.

Email alertsCritical and high BVA digest.RSS feedCrawler-friendly advisory stream.

Live records sync from app.bleedwatch.com on a continuous schedule. Static IDs preserved.

Open advisories