24 matches found
CVE-2025-68278 tinacms vulnerable to arbitrary code execution
Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cl...
PT-2025-52257
Name of the Vulnerable Software and Affected Versions: Tina versions prior to 3.1.1. Description: Tina is a headless content management system. Versions of Tina prior to 3.1.1 improperly utilize the gray-matter package, potentially allowing attackers who control the content of markdown files—such as...
EUVD-2025-179633
Malicious code in commitlint-config-angular-graphql-ursa-yakutsk (npm)...
EUVD-2025-123329
Malicious code in procyon-ganymede-foundation-graphql (npm)...
EUVD-2025-113098
Malicious code in graphql-webdriverio-husky-magellan (npm)...
EUVD-2025-114833
Malicious code in cross-env-yakutsk-octans-graphql (npm)...
EUVD-2025-113105
Malicious code in graphql-pegasus-yildun-reveal-md (npm)...
EUVD-2025-113101
Malicious code in graphql-umbriel-enceladus-umbriel (npm)...
Malicious code in graphql-umbriel-enceladus-umbriel (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 95df253aa63bcd8287944401dcbc32701f552deeffcf87cb251266f1c84051c3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in graphql-cordelia-flare-slidev (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2c569d1055906f1a8d85265083113aef012a036c83d606bdc7b82d327b4c349e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-113100
Malicious code in graphql-virgo-prettier-ursa (npm)...
EUVD-2025-115869
Malicious code in bulma-webdriver-mocha-chariklo-graphql (npm)...
EUVD-2025-121057
Malicious code in uglify-js-despina-quark-graphql (npm)...
Malicious code in registry-library-registry-graphql (npm)
The package registry-library-registry-graphql was found to contain malicious code...
Malicious code in @zalastax/nolb-graphql- (npm)
The package @zalastax/nolb-graphql- was found to contain malicious code...
MAL-2025-21888 Malicious code in graphql-shorthand-parser2 (npm)
The package graphql-shorthand-parser2 was found to contain malicious code...
Debian: Security Advisory (DLA-4263-1)
The remote host is missing an update for the Debian... SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
MAL-2025-5624 Malicious code in cmr-graphql (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b805bd73c447ee03b3330e1a1ce27c4b8edef17d58376cd0a35c151f7c1250a0 Any computer that has this package installed or running should be considered...
Incorrect Behavior Order
Overview: api-platform/graphql is an API Platform GraphQL component. Affected versions of this package are vulnerable to Incorrect Behavior Order due to the ItemNormalizer::isCacheKeySafe method. An attacker can access sensitive information by exploiting the improper cache key generation. Workarou...
CVE-2023-26144
A flaw was found in the graphql package. Affected versions of this package are vulnerable to Denial of Service (DoS) due to insufficient checks in the OverlappingFieldsCanBeMergedRule.ts file when parsing large queries. This issue may allow an attacker to degrade system performance...