CVE-2026-41646
Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file acce...
hackage-server cross-site scripting vulnerability
hackage-server is a Haskell open-source package repository server. hackage-server has a cross-site scripting vulnerability, which stems from serving HTML and JavaScript files directly. This vulnerability could allow malicious package maintainers to hijack user sessions...
Access Control Bypass
Overview: Affected versions of this package are vulnerable to Access Control Bypass in the require process. An attacker can access sensitive local .js and .json files by supplying malicious JavaScript templates that exploit the module loader to bypass file access restrictions. This is only...
InvisibleJS Detection and Analysis Scanner
InvisibleJS is an obfuscation technique that hides JavaScript source code using zero-width Unicode characters, making files appear empty while still executing at runtime via eval or dynamic import with data: URIs. Although visually deceptive, this method provides no real cryptographic protection...
JS Secret Hunter 2
JS Secret Hunter is an advanced Python tool designed for security researchers to automate the detection of hardcoded secrets in client-side JavaScript. Unlike simple scanners, V2 includes a dynamic crawler that parses the HTML of the target website to extract all loaded JavaScript files...
Malicious code in joko-rojak57-sukiwir (npm)
Source: amazon-inspector fc44b6dfd1d4e95f071bd56189d3ab13823b9d34f3d54a0e9393a6c595032699. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
What AI Reveals About Web Applications — and Why It Matters
Before an attacker ever sends a payload, they've already done the work of understanding how your environment is built. They look at your login flows, your JavaScript files, your error messages, your API documentation, your GitHub repos. These are all clues that help them understand how your syste...
EUVD-2020-6225
Malware in sbrugna...
EUVD-2017-6244
Malware in sbrugna...
EUVD-2021-2210
Malware in sbrugna...
EUVD-2025-5488
Malicious code in bioql PyPI...
EUVD-2022-5295
Malicious code in bioql PyPI...
EUVD-2023-36976
Malicious code in bioql PyPI...
EUVD-2025-31658
Malicious code in bioql PyPI...
CVE-2024-23659
SPIP before 4.1.14 and 4.2.x before 4.2.8 allows XSS via the name of an uploaded file. This is related to javascript/bigup.js and javascript/bigup.utils.js...
CVE-2020-14066
IceWarp Email Server 12.3.0.1 allows remote attackers to upload JavaScript files that are dangerous for clients to access...
CVE-2017-1000192
Cygnux sysPass version 2.1.7 and older is vulnerable to Local File Inclusion in its JavaScript file inclusion functionality. The attacker can read the configuration files, which contain the database login and password, the private encryption key, and other sensitive information...
PT-2025-18373 · Ladybird · Ladybird
Name of the Vulnerable Software and Affected Versions: Ladybird versions prior to f5a6704
Description: The issue is related to a use-after-free vulnerability in LibJS, which is part of the Ladybird browser engine. This vulnerability allows remote attackers to execute arbitrary code via a crafted...
CVE-2025-25477
A host header injection vulnerability in SysPass 3.2x allows an attacker to load malicious JS files from an arbitrary domain which would be executed in the victim's browser...
WordPress Cardealer theme <= 1.6.4 - Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files vulnerability
Missing Authorization to Authenticated (Subscriber+) Change and Delete JS and CSS Files vulnerability, discovered by István Márton in the WordPress Car Dealer theme, versions <= 1.6.4...