126 matches found
CVE-2025-59434 Critical Multi-Tenant Variable Disclosure in Flowise Cloud via Custom JavaScript Function
Flowise is a drag & drop user interface to build a customized large language model flow. Prior to August 2025 Cloud-Hosted Flowise, an authenticated vulnerability in Flowise Cloud allows any user on the free tier to access sensitive environment variables from other tenants via the Custom JavaScri...
CVE-2025-59434
Flowise Cloud prior to August 2025 was vulnerable to a cross-tenant data exposure through the Custom JavaScript Function node, allowing authenticated users on the free tier to access environment variables from other tenants (e.g., OpenAI keys, cloud credentials, and tokens). The issue has been pa...
PT-2025-39070
Name of the Vulnerable Software and Affected Versions Flowise versions prior to August 2025 Cloud-Hosted Flowise Description Flowise is a drag & drop user interface used to build customized large language model flows. A vulnerability in Flowise Cloud, prior to the August 2025 release, allows...
GHSA-7944-7C6R-55VV FlowiseAI Pre-Auth Arbitrary Code Execution
Summary An authenticated admin user of FlowiseAI can exploit the Supabase RPC Filter component to execute arbitrary server-side code without restriction. By injecting a malicious payload into the filter expression field, the attacker can directly trigger JavaScript's execSync to launch reverse...
FlowiseAI Pre-Auth Arbitrary Code Execution
Summary An authenticated admin user of FlowiseAI can exploit the Supabase RPC Filter component to execute arbitrary server-side code without restriction. By injecting a malicious payload into the filter expression field, the attacker can directly trigger JavaScript's execSync to launch reverse...
Malicious code in tailwind-supabase (npm)
The package tailwind-supabase was found to contain malicious code...
MAL-2025-42094 Malicious code in tailwind-supabase (npm)
The package tailwind-supabase was found to contain malicious code...
CVE-2025-57754
eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could...
CVE-2025-57754
eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could...
CVE-2025-57754 eslint-ban-moment exposed a sensitive Supabase URI in .env (Credential leak)
eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could...
CVE-2025-57754
CVE-2025-57754 affects eslint-ban-moment (plugin for ESLint) with versions 3.0.0 and earlier. The root cause is exposure of a sensitive Supabase URI in the .env file, which, if valid and contains embedded credentials, can grant an attacker complete unauthorized access and control over the databas...
CVE-2025-57754 eslint-ban-moment exposed a sensitive Supabase URI in .env (Credential leak)
eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could...
CVE-2025-57754 eslint-ban-moment exposed a sensitive Supabase URI in .env (Credential leak)
eslint-ban-moment is an Eslint plugin for final assignment in VIHU. In 3.0.0 and earlier, a sensitive Supabase URI is exposed in .env. A valid Supabase URI with embedded username and password will allow an attacker complete unauthorized access and control over database and user data. This could...
PT-2025-34243 · WordPress · Eslint-Ban-Moment
Name of the Vulnerable Software and Affected Versions: eslint-ban-moment versions 3.0.0 and earlier Description: The eslint-ban-moment plugin exposes a sensitive Supabase URI in the .env file. A valid Supabase URI containing a username and password grants an attacker complete unauthorized access...
eslint-ban-moment 安全漏洞
eslint-ban-moment is an application by the individual developer Kristófer Fannar Björnsson. A security vulnerability exists in eslint-ban-moment 3.0.0 and earlier versions, which originates from the exposure of sensitive Supabase URIs in .env files, which could lead to data exfiltration,...
Malicious code in supabase-react (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d99002d0e83f91ca297ecb91950c973f76ba284c9b63eba89946e9bfac2672de Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-5797 Malicious code in supabase-react (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d99002d0e83f91ca297ecb91950c973f76ba284c9b63eba89946e9bfac2672de Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Path Traversal
@supabase/auth-js is vulnerable to Path Traversal . The vulnerability is due to missing UUID validation on user-supplied inputs, which allows an attacker to manipulate URL paths and invoke unintended API functions...
CVE-2025-48370
auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the...
CVE-2025-48370 auth-js Vulnerable to Insecure Path Routing from Malformed User Input
auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the...