26 matches found
CVE-2026-41211
Summary of CVE-2026-41211 (vite-plus/binding): The vulnerability affects Vite+ before version 0.1.17, where downloadPackageManager() uses an untrusted version string directly in filesystem paths. An attacker can supply traversal segments (e.g., ../) or absolute paths to escape VP_HOME/package_ma...
CVE-2026-41211 `vite-plus/binding` has a path traversal in `downloadPackageManager()` that leads to writes outside of `VP_HOME`
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VP_HOME/package_manager// cache root and...
PT-2026-34601
Vite+ is a unified toolchain and entry point for web development. Prior to version 0.1.17, downloadPackageManager accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments or an absolute path to escape the VP_HOME/package_manager// cache root a...
Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME
Summary: downloadPackageManager in vite-plus/binding accepts an untrusted version string and uses it directly in filesystem paths. A caller can supply ../ segments to escape the VP_HOME/package_manager// cache root and cause Vite+ to delete, replace, and populate directories outside the intended cac...
pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
Summary: PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive...
GHSA-M74M-F7CR-432X pyLoad: Server-Side Request Forgery via Download Link Submission Enables Cloud Metadata Exfiltration
Summary: PyLoad's download engine accepts arbitrary URLs without validation, enabling Server-Side Request Forgery (SSRF) attacks. An authenticated attacker can exploit this to access internal network services and exfiltrate cloud provider metadata. On DigitalOcean droplets, this exposes sensitive...
Release Information for Veeam Plug-in for Proxmox VE v12.1.5.17
Requirements: This update to the Veeam Plug-in for Proxmox VE requires: Veeam Backup & Replication build 12.3.2.3617. You can check the build number in the Veeam Backup & Replication Console's Main Menu ≡ under Help About. Veeam Plug-in for Proxmox VE build 12.1.3.217. You can check the current buil...
Malicious code in mp3-file-zip-d-ownload-109598-were-not-talking-thl8a-vosqbj (npm)
The package mp3-file-zip-d-ownload-109598-were-not-talking-thl8a-vosqbj was found to contain malicious code...
Malicious code in zip-mp3-a-lbum-do-wnload-new-10692-xxxx-kh2rm-pfurnp (npm)
The package zip-mp3-a-lbum-do-wnload-new-10692-xxxx-kh2rm-pfurnp was found to contain malicious code...
Malicious code in mp3-do-wnload-file-to-day-30879-fight-less-win-more-xgv8l-jeyujj (npm)
The package mp3-do-wnload-file-to-day-30879-fight-less-win-more-xgv8l-jeyujj was found to contain malicious code...
MAL-2025-26798 Malicious code in mp3-do-wnload-file-to-day-i-can-hear-the-heart-beating-as-one-sdcg3-rzkefk (npm)
The package mp3-do-wnload-file-to-day-i-can-hear-the-heart-beating-as-one-sdcg3-rzkefk was found to contain malicious code...
Malicious code in now-download (npm)
The package now-download was found to contain malicious code...
Malicious code in ava-ilable-down-load-mp3-today-2015-33446-joshua-redman-the-bad-plus-7xzw7-debkeo (npm)
The package ava-ilable-down-load-mp3-today-2015-33446-joshua-redman-the-bad-plus-7xzw7-debkeo was found to contain malicious code...
Malicious code in avail-able-albu-m-down-load-43854-home-plate-cfjtj-akqpps (npm)
The package avail-able-albu-m-down-load-43854-home-plate-cfjtj-akqpps was found to contain malicious code...
Malicious code in a-lbum-do-wnload-avai-lable-file-2015-35030-woman-oeh1w-xjgwws (npm)
The package a-lbum-do-wnload-avai-lable-file-2015-35030-woman-oeh1w-xjgwws was found to contain malicious code...
Malicious code in zip-mp3-a-lbum-do-wnload-new-31841-my-melody-4etja-ihiwfy (npm)
The package zip-mp3-a-lbum-do-wnload-new-31841-my-melody-4etja-ihiwfy was found to contain malicious code...
Malicious code in zip-mp3-a-lbum-do-wnload-new-30064-parable-of-arable-land-qdx68-yqscwl (npm)
The package zip-mp3-a-lbum-do-wnload-new-30064-parable-of-arable-land-qdx68-yqscwl was found to contain malicious code...
MAL-2025-41003 Malicious code in zip-mp3-a-lbum-do-wnload-new-24431-scorpio-rising-n2jox-rfxhqe (npm)
The package zip-mp3-a-lbum-do-wnload-new-24431-scorpio-rising-n2jox-rfxhqe was found to contain malicious code...
MAL-2025-18552 Malicious code in do-wnload-available-61376-domestic-blues-d3hzx-yovkzp (npm)
The package do-wnload-available-61376-domestic-blues-d3hzx-yovkzp was found to contain malicious code...
MAL-2025-37880 Malicious code in unsplash-it-download (npm)
The package unsplash-it-download was found to contain malicious code...