4379 matches found
MAL-2026-5790 Malicious code in ldpbootstrap-jquery (npm)
Source: amazon-inspector bcab02ae44d1604b6fa9e80156a8c5882f7a4809470ff59eb6d14db4bf28f91f ldpbootstrap-jquery ships and executes an obfuscated Windows PowerShell payload as part of its documented usage. The package contains...
PT-2026-49580
Name of the Vulnerable Software and Affected Versions: Angular versions prior to 22.0.1; Angular versions prior to 21.2.17; Angular versions prior to 20.3.25. Description: An information disclosure issue exists in the @angular/service-worker package. When the Service Worker fetches assets, it preserve...
MAL-2026-5740 Malicious code in 2fa-exe (npm)
Source: amazon-inspector df3ad6044ca4d17d594aa3aa0d1a75d1dbf3ebf483d0dd1b04d502277674a8cc Package advertises itself as an SVG fetcher/sanitizer but ships an undocumented exported factory getPlugin in index.js that performs an HTTPS GET to...
Malicious code in vite-config-react (npm)
Source: amazon-inspector d1f9ee389e1023034a78a4c268db5d48e016565f37b7fb6c514bf095b2dec552 On require/import of the package, the entrypoint chain src/index.js → core/createConfig.js → features/plugins.js side-effect-imports...
MAL-2026-5728 Malicious code in vite-config-react (npm)
Source: amazon-inspector d1f9ee389e1023034a78a4c268db5d48e016565f37b7fb6c514bf095b2dec552 On require/import of the package, the entrypoint chain src/index.js → core/createConfig.js → features/plugins.js side-effect-imports...
MAL-2026-5727 Malicious code in vite-config-optimizer (npm)
Source: amazon-inspector f824c077d7d2705d17dc29eba9a24ea8b51b93785bcf83fdfe639fc8f9bc581f package.json declares a postinstall hook node -e "require('./loader.js')" that auto-executes on every npm install. loader.js spawns a detached child No...
MAL-2026-5722 Malicious code in textwrap-toolkit-stager (PyPI)
Source: amazon-inspector 9fc85924d5672f7c91c2dd5e97c46cc48e3ae48084f906b7b0ba9d606c433fa4 On import textwraptoolkitstager, the package's __init__.py unconditionally fetches Python source from...
CVE-2026-45012
Summary (CVE-2026-45012) ApostropheCMS (Node.js) versions up to and including 4.29.0 expose an authenticated SSRF in the rich-text widget import flow. An authenticated user who can submit or edit rich-text content can trigger the server to fetch attacker-controlled URLs during widget validation, ...
Malicious code in chalk-pro (npm)
Source: amazon-inspector ac66dfb6013c32d34c6ce83bdba4628b67539e81df27fe18dcf71d3de05ff8ce Package is published as 'chalk-pro' (homepage chalk-pro.com) but its main entry is a verbatim copy of nodemailer's API — a typosquat impersonating both...
Malicious code in chalk-plus-ts (npm)
Source: amazon-inspector 08276c56353501373a202d28f6af6ee2a7c0b20d28a07d99c4c16309df46269c package.json declares postinstall=node lib/utils/index.js, which spawns a detached child process running lib/utils/smtp-connection/index.js. That...
CVE-2026-54359
MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote...
CVE-2026-54359
The CVE-2026-54359 entries describe an insecure default in MISP where Security.check_sec_fetch_site_header is disabled, allowing CSRF-like abuse where a remote unauthenticated attacker could induce an authenticated user’s browser to issue state-changing requests (POST/PUT/AJAX) to MISP automation...
EUVD-2026-36551
MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote...
Malicious code in vite-svgr (npm)
Source: amazon-inspector a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5 Package name vite-svgr impersonates the popular vite-plugin-svgr, but the shipped code is a fork of tsconfig-paths package.json description: 'Load no...
MAL-2026-5708 Malicious code in vite-svgr (npm)
Source: amazon-inspector a22a309bc488d107fc2734705e05bb4032432bb9b54391e8ee2325d980b2cdf5 Package name vite-svgr impersonates the popular vite-plugin-svgr, but the shipped code is a fork of tsconfig-paths package.json description: 'Load no...
Malicious code in theta-kit (npm)
Source: amazon-inspector 09b0737ff5b0b0768e2314b014529b80609632a38dfdc3a9ad6cfd6ab1da9039 package.json declares postinstall: node dist/index.js, and dist/index.js executes Model.resetor at module top level — meaning both npm install...
MAL-2026-5706 Malicious code in theta-kit (npm)
Source: amazon-inspector 09b0737ff5b0b0768e2314b014529b80609632a38dfdc3a9ad6cfd6ab1da9039 package.json declares postinstall: node dist/index.js, and dist/index.js executes Model.resetor at module top level — meaning both npm install...
Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection
Summary: The OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts line 59 uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist exists in the same codebase and is used in every other outbound HTTP call automation steps, plugin downloads,...
EUVD-2026-32593
Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection...
GHSA-G6QX-G4PR-92V7 Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection
Summary: The OAuth2 token fetch function in packages/server/src/sdk/workspace/oauth2/utils.ts line 59 uses raw fetch(config.url) with no SSRF protection. The safe wrapper fetchWithBlacklist exists in the same codebase and is used in every other outbound HTTP call automation steps, plugin downloads,...