Lucene search
K

37745 matches found

EUVD
EUVD
added 2026/06/26 12:32 a.m.7 views

EUVD-2025-210343

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like...

10CVSS6.7AI score0.00639EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/06/25 9:41 p.m.7 views

CVE-2025-71338

Flowise contains a path traversal vulnerability in the /api/v1/document-store/loader/process endpoint that allows unauthenticated attackers to write arbitrary files to the filesystem. Attackers can exploit unsanitized fileName parameters with ../ sequences to overwrite critical files like...

10CVSS6.7AI score0.00639EPSS
Exploits1References3
OSV
OSV
added 2026/06/16 7:11 p.m.4 views

GHSA-968W-XFQW-VP9Q Deno: BYONM module resolution allows `package.json` main path traversal to bypass `--allow-read` restrictions

Summary When Deno was run in BYONM mode nodeModulesDir: "manual", the module resolver did not validate that a package's resolved entrypoint stayed within its nodemodules// directory. A malicious package.json whose main field contained .. segments was able to resolve to an arbitrary path on disk,...

5.5CVSS5.9AI score0.00135EPSS
Exploits1References2
RedhatCVE
RedhatCVE
added 2026/06/10 3:0 p.m.11 views

CVE-2026-47900

Logseq is vulnerable to a stored cross-site scripting XSS. A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context...

4.6CVSS5.7AI score0.00139EPSS
Exploits0References1
NVD
NVD
added 2026/06/09 2:16 p.m.15 views

CVE-2026-47900

Logseq is vulnerable to a stored cross-site scripting XSS. A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context...

4.6CVSS0.00139EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/09 1:23 p.m.29 views

CVE-2026-47900 Stored XSS via Unsanitized Plugin Metadata in Logseq

Logseq is vulnerable to a stored cross-site scripting XSS. A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context...

4.6CVSS0.00139EPSS
Exploits0References2
CVE
CVE
added 2026/06/09 1:23 p.m.21 views

CVE-2026-47900

Affected software: Logseq. Vulnerability: Stored XSS in which a malicious plugin can place a JavaScript payload in the name field of its package.json, rendered via innerHTML without sanitization, allowing code execution in privileged host context. Versions/impact: Only v0.10.15 was tested and con...

4.6CVSS5.7AI score0.00139EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/09 1:23 p.m.9 views

CVE-2026-47900 Stored XSS via Unsanitized Plugin Metadata in Logseq

Logseq is vulnerable to a stored cross-site scripting XSS. A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context...

4.6CVSS5.7AI score0.00139EPSS
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/25 2:15 p.m.17 views

Malicious code in platform-tempo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6d1c69e098c3ebeb2876b746523bea0220034b429f58e0a55683f0ee2c8776cd [email protected] declares a preinstall hook that runs poc.js on every npm install. The script collects host identity os.hostname, whoami /all /...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/25 10:36 a.m.13 views

Malicious code in muaddib-scanner (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c8eea5d3ed390c4c82b5bfa89ac220f1d424fcaebe70fe71bbbe3bce66f0f48f package.json declares "loadash": "^1.0.0" as a runtime dependency. loadash is a well-known typosquat of lodash and is never required or imported...

5.8AI score
Exploits0References1
OSV
OSV
added 2026/05/22 4:27 p.m.8 views

MAL-2026-4508 Malicious code in cdk-insights (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fa41acb776dbedfe93c37899783a5e54b78017ac31576c798a27eae6b9e9ec89 The package contains code in dist/entry.js and dist/index.js that invokes npm publish programmatically combined with writeFileSync operations — the...

5.9AI score
Exploits0References2
OSV
OSV
added 2026/05/12 10:22 p.m.5 views

GHSA-RG65-45M7-HQ57 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files

Summary A Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process. Details The vulnerable...

7.5CVSS6AI score0.00321EPSS
Exploits0References4
Snyk
Snyk
added 2026/05/12 10:22 p.m.4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the browser field in package.json during the build process. An attacker can access arbitrary files on the server filesystem by publishing a specially crafted npm package that remaps module paths to locations...

8.7CVSS6.5AI score0.00321EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.12 views

PT-2026-40543

Name of the Vulnerable Software and Affected Versions esm.sh versions 137 and earlier Description A Local File Inclusion LFI issue exists in the esbuild plugin's handling of the browser field within the package.json file. An attacker can publish a malicious npm package that leverages ../ sequence...

7.5CVSS5.9AI score0.00321EPSS
Exploits0References6
OSV
OSV
added 2026/01/02 3:11 p.m.3 views

GHSA-W3X5-7C4C-66P9 Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)

Summary An unauthenticated attacker can pollute the internal state restoreFilePath of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files e.g., security.json,...

9.6CVSS8.9AI score0.17934EPSS
Exploits3References5
OSV
OSV
added 2026/01/01 6:0 p.m.5 views

CVE-2025-66398 Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state restoreFilePath of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restor...

9.6CVSS7.6AI score0.17934EPSS
Exploits3References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/13 3:23 a.m.7 views

Malicious code in taurus-mutation-izar-node-sass (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c256602c1f7c8b93be5ed695597c57a40839d4299f5b8b8cbe4a4f17d74ed56c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/13 3:23 a.m.5 views

Malicious code in chi-route-good-integer-grep (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fdf3808047bfb574e402fb26150085e65281d4b7fcfa053f879b3931c17b6b39 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/13 3:23 a.m.5 views

Malicious code in husky-despina-readable-oscillation (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5adef6936078e914f40a91db6e76efafdf970222f3620390210150ef16c332cf This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/13 3:23 a.m.7 views

Malicious code in prompts-terser-webpack-plugin-enceladus-graviton (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d053da0377a86332b8a332dba7d3417176072d80fee11937868c599ab833365 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
Rows per page
Query Builder