29 matches found
Malicious code in @zalastax/nolb-_hyper_fun_fluentui-icon-i (npm)
The package @zalastax/nolb-_hyper_fun_fluentui-icon-i was found to contain malicious code...
MAL-2025-10099 Malicious code in @zalastax/nolb-_hyper_fun_fluentui-icon-h (npm)
The package @zalastax/nolb-_hyper_fun_fluentui-icon-h was found to contain malicious code...
Cross-site Scripting (XSS)
Overview: @fluentui/react-charting is a set of React web charting controls for the Microsoft fluentui system. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the unsecured SVG attribute spreading in the CartesianChart, Legend Shape renderer, and LineChart event annotation...
MAL-2025-1556 Malicious code in fluentui-repo (npm)
Source: ghsa-malware (a946d5d0851f29bedadf8857d3b954ecf93da7aaa8b01cc198063141c739169d). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in fluentui-repo (npm)
Source: ghsa-malware (a946d5d0851f29bedadf8857d3b954ecf93da7aaa8b01cc198063141c739169d). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
@fluentui/bundle-size (>=1.1.3 <=1.1.6), @georgs/beachball (=2.22.0) +17 more potentially affected by CVE-2022-25865 via workspace-tools (>=0.10.3 <=0.16.2)
workspace-tools NPM version =0.10.3, =1.1.3, =0.0.2, =0.0.2, =1.3.0, =0.1.1, =1.2.0, =1.0.3, =0.1.2, =6.1.2, =1.48.2, =0.3.0, =1.0.0, =0.13.0, =1.0.1 and more Source cves: CVE-2022-25865 Source advisory: OSV:GHSA-5875-M6JQ-VF78...
@fluentui/bundle-size (>=1.1.3 <=1.1.6), @georgs/beachball (=2.22.0) +17 more potentially affected by CVE-2022-25865 via workspace-tools (>=0.10.3 <=0.16.2)
workspace-tools NPM version =0.10.3, =1.1.3, =0.0.2, =0.0.2, =1.3.0, =0.1.1, =1.2.0, =1.0.3, =0.1.2, =6.1.2, =1.48.2, =0.3.0, =1.0.0, =0.13.0, =1.0.1 and more Source cves: CVE-2022-25865 Source advisory: SNYK:JS-WORKSPACETOOLS-2421201...
@fluentui/token-pipeline (>=0.3.3 <=0.22.0), @inmotionnow/momentum-components (>=91.0.0 <=102.34.1) +5 more potentially affected by unknown CVE via style-dictionary (>=2.10.0 <=2.10.2)
style-dictionary NPM version =2.10.0, =0.3.3, =91.0.0, =1.0.2, =0.1.0, =0.0.2, =1.0.0, =1.6.7 - digix-ui =3.0.0 Source cves: unknown CVE Source advisory: SNYK:JS-STYLEDICTIONARY-1080632...
Prototype Pollution
Overview: @fluentui/styles is a set of styling utilities for CSS-in-JS. Affected versions of this package are vulnerable to Prototype Pollution. The deepmerge function available within the styles package of FluentUI allows one object to merge with another recursively. Given a value such as __proto__,...