27 matches found
Malicious code in node-path-utils (npm)
Source: amazon-inspector 180db640dc8207694eb4629834f74b740d7efc9febf26067d190e10656fe04e9 Package name node-path-utils and its README/description claim it is 'an exact copy of the NodeJS path module', impersonating the Node.js core path...
MAL-2026-5743 Malicious code in environment-gate (npm)
Source: amazon-inspector 48e4ad756dbae70bb38049d363961eb27239c7cf18c6a92612579aeb818da7b1 The package's only export, gate, performs an HTTP GET to a base64-obfuscated URL https://www.jsonkeeper.com/b/VKUNI and passes the response body...
MAL-2026-5566 Malicious code in fastify-addon (npm)
Source: amazon-inspector 3cb91c825be697244f8ff069bb56e79aff3b90de7b9947019095b6d0fa2fd270 fastify-addon is a typosquat of the legitimate fastify-plugin package. Its package.json sets repository, bugs, and homepage to...
PYSEC-2026-178
PyJWT is a JSON Web Token implementation in Python. From 2.8.0 to 2.12.1, when verifying detached JWS tokens using the unencoded-payload option ("b64": false, RFC 7797), PyJWT performs Base64URL decoding of the compact-serialization payload segment before enforcing the detached-payload rules. For...
MAL-2026-4728 Malicious code in web-dotenv (npm)
Source: amazon-inspector edd19476eeb1c31707abe6fac6f52dbd1950a0dc25f4854ea5269d6400f8ea37 web-dotenv impersonates the widely-used dotenv package: its package.json copies dotenv's repository git://github.com/motdotla/dotenv.git and homepage...
MAL-2026-4491 Malicious code in authcascade (npm)
Source: amazon-inspector 8fece3d89e066c6c3452fda608e77747b7d4fa4cbbf6498fd41e5a5a765d57d9 On require('authcascade'), the package's main entry pino.js loads lib/writer.js, which builds a data object containing the full process.env, OS...
CVE-2026-33024
AVideo is a video-sharing platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an...
CVE-2026-33024 AVideo-Encoder has Unauthenticated Blind Server-Side Request Forgery via Public Thumbnail Generator
AVideo is a video-sharing platform. Versions prior to 8.0 contain a Server-Side Request Forgery vulnerability (CWE-918) in the public thumbnail endpoints getImage.php and getImageMP4.php. Both endpoints accept a base64Url GET parameter, base64-decode it, and pass the resulting URL to ffmpeg as an...
AVideo getImage.php Unauthenticated Command Injection
This Metasploit module exploits an unauthenticated OS command injection vulnerability in the AVideo encoder getImage.php endpoint. This affects versions prior to 7.0. The base64Url GET parameter is base64-decoded and injected directly into an ffmpeg shell command within double quotes, without any...
Out-of-bounds Read
Overview: Affected versions of this package are vulnerable to Out-of-bounds Read when decoding malformed Base64Url input. An attacker can cause a disruption of service. Remediation: Upgrade Microsoft.NETCore.App.Runtime.win-x86 to version 9.0.14, 10.0.4 or higher. References: - GitHub Commit - GitHu...
Out-of-bounds Read
Overview: Affected versions of this package are vulnerable to Out-of-bounds Read when decoding malformed Base64Url input. An attacker can cause a disruption of service. Remediation: Upgrade Microsoft.NETCore.App.Runtime.linux-arm64 to version 9.0.14, 10.0.4 or higher. References: - GitHub Commit -...
Out-of-bounds Read
Overview: Affected versions of this package are vulnerable to Out-of-bounds Read when decoding malformed Base64Url input. An attacker can cause a disruption of service. Remediation: Upgrade Microsoft.NETCore.App.Runtime.linux-musl-x64 to version 9.0.14, 10.0.4 or higher. References: - GitHub Commit ...
CVE-2026-29058
AVideo is video-sharing platform software. Prior to version 7.0, an unauthenticated attacker can execute arbitrary OS commands on the server by injecting shell command substitution into the base64Url GET parameter. This can lead to full server compromise, data exfiltration e.g., configuration...
EUVD-2015-8475
Malware in sbrugna...
EUVD-2005-0457
Malware in sbrugna...
Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink
Summary: The lack of sanitization of URL protocols in the createLink.openLink function enables the execution of arbitrary JavaScript code within the context of the parent page. Details...
CVE-2024-21728
An Open Redirect vulnerability was found in osTicky2 below 2.2.8. osTicky (osTicket Bridge) by SmartCalc is a Joomla 3.x extension that provides Joomla frontend integration with osTicket, a popular support ticket system. The Open Redirect vulnerability allows attackers to control the return paramete...
192.168.0.172 (=4.6.1), 20231122-npm (=1.0.0) +3343 more potentially affected by unknown CVE via base64-url (>=1.0.0 <=1.3.3)
base64-url NPM version =1.0.0, =0.0.1, =0.0.0, =0.20.0, =0.0.1, =0.0.1, =0.0.1, =1.0.1, =0.0.1, =0.0.3 and more Source cves: unknown CVE Source advisory: OSV:GHSA-J4MR-9XW3-C9JX...
GHSA-J4MR-9XW3-C9JX Out-of-bounds Read in base64-url
Versions of base64-url before 2.0.0 are vulnerable to an out-of-bounds read because the package allocates uninitialized Buffers when a number is passed as input. Recommendation: Update to version 2.0.0 or later...