360 matches found
Fedora 43 : openqa / os-autoinst (2026-abd2d2d60c)
The remote Fedora 43 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-abd2d2d60c advisory. This update provides new upstream snapshots of openQA and os-autoinst, with various fixes and enhancements. Please see upstream changelogs for details. They...
CVE-2026-24040 jsPDF has a Shared State Race Condition in addJS Plugin
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable, text, to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. ...
Cross-site Scripting (XSS)
Overview: @typebot.io/js is a JavaScript library to display typebots on your website. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the imported bot preview. An attacker can access sensitive credentials belonging to other users by tricking a victim into previewing...
CVE-2026-22775
A flaw was found in devalue, a JavaScript library used for serializing values. A remote attacker could exploit this vulnerability by providing specially crafted input to the devalue.parse function. This improper input validation, specifically during the ArrayBuffer hydration process, can cause th...
168wangxiao-ui (>=0.3.6 <=0.3.70), 3achatlibrary (>=1.0.0 <=1.0.9) +5392 more potentially affected by CVE-2025-15056 via quill (>=0.19.14 <=2.0.3)
quill NPM version =0.19.14, =0.3.6, =1.0.0, =19.0.0, =1.0.1, =1.0.0, =1.0.10, =3.1.1-0, =2.10.1, =0.1.6, =1.0.7, =19.0.0, =19.1.0 and more Source cves: CVE-2025-15056 Source advisory: SNYK:JS-QUILL-14927397...
WordPress NextGEN Gallery plugin <= 3.59.11 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library vulnerability
Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin NextGEN Gallery versions <= 3.59.11...
MAL-2025-192844 Malicious code in node-calculator-f483 (npm)
Source: amazon-inspector 84a5e8d3f7bc17fcc1c20611e0b98235c4015291f1fe1af1f31497d604654663 The package node-calculator-f483 was found to contain malicious code...
CVE-2025-63700
Clerk-js 5.88.0 contains a security issue where an attacker can bypass the OAuth authentication flow by manipulating the OTP verification request. The publicly documented evidence across sources (Red Hat CVE notes, EUVD, GHSA advisory, and OSV/GHSA mirrors) consistently reference the OTP verifica...
MAL-2025-185505 Malicious code in apollo-nodejs-helmet-loglevel (npm)
Source: amazon-inspector 03f8efa0ddd24ff187a77bfbf2653e94f12a622525a7c6ac90cd8bb470c36f55 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-70613 Malicious code in sick-yellow-lynx (npm)
Source: amazon-inspector bc33917aaa28ae9034322a9f94e68c8b5fa17ba84578b0099d28982c8dcfac63 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
CVE-2025-12735
Summary: CVE-2025-12735 affects the expr-eval JavaScript expression parser/evaluator. Insufficient input validation lets an attacker pass a crafted context object or leverage MEMBER of the context in evaluate(), enabling arbitrary code execution. This is a client-side JavaScript library vulnerabi...
@aangeles/jefeui (>=1.10.0 <=1.11.6), @adamjoelfraser/auth-drizzle (>=1.0.0 <=1.0.2) +251 more potentially affected by unknown CVE via @auth/core (>=0.0.0-manual.fdbc96ab <=0.41.0)
@auth/core NPM version =0.0.0-manual.fdbc96ab, =1.10.0, =1.0.0, =0.1.0, =0.0.1, =1.0.0, =0.2.0, =0.1.0, =0.1.0, =0.1.0, =1.11.0 and more Source cves: unknown CVE Source advisory: SNYK:JS-AUTHCORE-13744119...
OPENSUSE-SU-2025:15679-1 libmozjs-128-0-128.14.0-2.1 on GA media
These are all security issues fixed in the libmozjs-128-0-128.14.0-2.1 package on the GA media of openSUSE Tumbleweed...
EUVD-2020-1476
Malware in sbrugna...
EUVD-2021-2148
Malware in sbrugna...
EUVD-2015-7877
Malware in sbrugna...
EUVD-2017-1246
Malware in sbrugna...
EUVD-2014-1632
Malware in sbrugna...
EUVD-2025-5079
Malicious code in bioql PyPI...