103 matches found
Malicious code in twilio-sdk (npm)
Source: amazon-inspector 737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1 Package name twilio-sdk impersonates the official Twilio Node SDK twilio but ships an empty API module.exports = . The only real behavior runs in...
CVE-2026-40931
Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...
@3onedata/alsatian (>=0.1.8-fix.3 <=0.1.8-fix.5), @agimon-ai/browse-tool (>=0.2.0 <=0.11.1) +310 more potentially affected by CVE-2026-47673 via hono (>=4.0.0 <=4.12.2)
hono NPM version =4.0.0, =0.1.8-fix.3, =0.2.0, =0.2.0, =0.4.0, =0.2.0, =0.1.4, =2026.4.4, =1.0.2, =0.0.1, =1.7.2, =1.7.1, =0.2.1, =0.6.1, =0.5.2, =0.5.4 - @babylen/legion =0.1.7 and more Source cves: CVE-2026-47673 Source advisory: SNYK:JS-HONO-17055751...
CVE-2026-44232
The CVE-2026-44232 entry concerns the Node.js library dssrf. The vulnerability, described across the CVE and related records, is that prior to version 1.3.0 every IPv6 category bypasses the is_url_safe check, enabling potential SSRF bypasses. The issue affects the dssrf functionality that guards...
DEBIAN-CVE-2026-40895
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...
CVE-2026-40895
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...
EUVD-2026-5368
Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...
CVE-2026-24884 Compressing Vulnerable to Arbitrary File Write via Symlink Extraction
Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...
UBUNTU-CVE-2025-59437
The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection...
MAL-2025-16744 Malicious code in cgeqtowidauyhsjp (npm)
The package cgeqtowidauyhsjp was found to contain malicious code...
MAL-2025-10506 Malicious code in @zalastax/nolb-_tog (npm)
The package @zalastax/nolb-tog was found to contain malicious code...
MAL-2025-12602 Malicious code in @zalastax/nolb-node-ce (npm)
The package @zalastax/nolb-node-ce was found to contain malicious code...
MAL-2025-20505 Malicious code in fig-tqy-project (npm)
The package fig-tqy-project was found to contain malicious code...
MAL-2025-12682 Malicious code in @zalastax/nolb-node-sh (npm)
The package @zalastax/nolb-node-sh was found to contain malicious code...
MAL-2025-16152 Malicious code in bre44 (npm)
The package bre44 was found to contain malicious code...
MAL-2025-18205 Malicious code in delta-asteroid-nly184-project (npm)
The package delta-asteroid-nly184-project was found to contain malicious code...
MAL-2025-25931 Malicious code in maquinita (npm)
The package maquinita was found to contain malicious code...
MAL-2025-14880 Malicious code in artschool (npm)
The package artschool was found to contain malicious code...
MAL-2025-12598 Malicious code in @zalastax/nolb-node-ca (npm)
The package @zalastax/nolb-node-ca was found to contain malicious code...