Date: 2026-05-21
Updated: 2026-06-30
CRITICAL risk vulnerability: malicious packages were embedded into four release versions of OpenSearch. See [R 1] [R 2].
EGI SVG ID : EGI-SVG-2026-20
CVE ID : N/A
CVSSv3 Score:
Urgent action is required on hosts running OpenSearch software.
Please consult [R 1] [R 2] and take action on affected hosts, if any, as soon as possible!
Hosts that were running a version containing the malware must be considered compromised. In such cases, please follow up with your institute’s computer security team.
TLP:CLEAR information - Unlimited distribution
https://advisories.egi.eu/Advisory-EGI-SVG-2026-20
Minor updates may be made without re-distribution to the sites.
See [R 99] for further details, and other information on SVG.
[R 2] https://security.snyk.io/vuln/SNYK-JS-OPENSEARCHPROJECTOPENSEARCH-16640915
SVG was alerted to this vulnerability by the EGI CSIRT, among others.