2179 matches found
MAL-2025-80847 Malicious code in puzzled_hamster_z3n (npm)
Source: amazon-inspector (105e2386982424f99d89e9ea91c27ed1b81cbb442b5c0e0231198322d38c80dc). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-79741 Malicious code in loose_gazelle_z3n (npm)
Source: amazon-inspector (05f6e2263383273bf7af0002016aa232964ac2f68abe4cc338f4a2523ecacd9a). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-73142 Malicious code in gita-keripik17-breki (npm)
Source: amazon-inspector (d66b05604743b14b2e5d06fd4e15a3bf2a441561e47647c7180325ff138ddaec). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in afraid-teal-jackal (npm)
Source: amazon-inspector (6401924ea443c6644a7c949331a70a1037cd4db5434c734b92849a7ce1b3891a). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-69485 Malicious code in motionless-coffee-centipede (npm)
Source: amazon-inspector (a979306220e6542b0c8d69f78472cedcdee4b67e7748a5a3a7af813a4e085dfc). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
PT-2025-46338
A security issue exists within DataMosaix™ Private Cloud allowing for Persistent XSS. This vulnerability can result in the execution of malicious JavaScript, allowing for account takeover, credential theft, or redirection to a malicious website...
MAL-2025-59135 Malicious code in umi-tek10-sukiwir (npm)
Source: amazon-inspector (51d8f32eca74de0e2fb5b12d86d5e6f421b51067d01ebc704a1965bfa4a26ab4). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in riana-tempe79-riris (npm)
Source: amazon-inspector (e579f3a7b3e732d89f1a88237eabbf4ddad094a009b8671752264faec0e48595). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
CVE-2025-64112
Statamic is a Laravel and Git powered content management system (CMS). Stored XSS vulnerabilities in Collections and Taxonomies allow authenticated users with content creation permissions to inject malicious JavaScript that executes when viewed by higher-privileged users. This vulnerability is fix...
CVE-2025-41384 Reflected Cross-Site Scripting (XSS) in SuiteCRM
Reflected Cross-Site Scripting (XSS) vulnerability in SuiteCRM v7.14.1. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript code at the end. The server will attempt to block the arbitrary doma...
EUVD-2025-36178
Reflected Cross-Site Scripting (XSS) vulnerability in SuiteCRM v7.14.1. This vulnerability allows an attacker to execute JavaScript code by modifying the HTTP Referer header to include an arbitrary domain with malicious JavaScript code at the end. The server will attempt to block the arbitrary doma...
Exploit for CVE-2025-63307
CVE-2025-63307 – Authenticated Stored Cross-site Scripting XS...
EUVD-2025-35851
Emoncms 11.7.3 is vulnerable to Cross Site in the input handling mechanism. This vulnerability allows authenticated attackers with API access to inject malicious JavaScript code that executes when administrators view the application logs...
EUVD-2025-34907
ThingsBoard versions 4.2.1 contain a stored cross-site scripting (XSS) vulnerability in the dashboard's Image Upload Gallery feature. An attacker can upload an SVG file containing malicious JavaScript, which may be executed when the file is rendered in the UI. This issue results from insufficient...
CVE-2025-34281
ThingsBoard vulnerability CVE-2025-34281 affects pre-4.2.1 releases. An authenticated user can upload malicious SVGs via the Image Gallery, enabling Stored XSS when the image is loaded by a browser (e.g., through public API access or iframe embedding during widget creation/deployment on dashboard...
PT-2025-41836
Name of the Vulnerable Software and Affected Versions: SAP Application Server for ABAP (affected versions not specified). Description: An authenticated attacker can store malicious JavaScript payloads. These payloads could be executed in a victim user's browser when accessing the affected functionalit...
PT-2025-41968
Name of the Vulnerable Software and Affected Versions: Home Assistant versions 2025.1.0 through 2025.10.1. Description: Home Assistant is home automation software that prioritizes local control and privacy. The energy dashboard is susceptible to stored cross-site scripting. An authenticated user can...
CVE-2025-60308
code-projects Simple Online Hotel Reservation System 1.0 has a Cross Site Scripting (XSS) vulnerability in the Add Room function of the online hotel reservation system. Malicious JavaScript code is entered in the Description field, which can leak the administrator's cookie information when browsing...
CVE-2025-60302
code-projects Client Details System 1.0 is vulnerable to Cross Site Scripting (XSS). When adding customer information, the client details system fills in malicious JavaScript code in the username field...
CVE-2025-60880
An authenticated stored XSS vulnerability exists in the Bagisto 2.3.6 admin panel's product creation path, allowing an attacker to upload a crafted SVG file containing malicious JavaScript code. This vulnerability can be exploited by an authenticated admin user to execute arbitrary JavaScript in...