@antv/l7 (>=2.1.13 <=2.25.10), @antv/l7-draw (>=2.1.13 <=2.1.14) +5 more potentially affected by unknown CVE via @antv/l7-scene (>=2.10.0 <=2.25.9)

@antv/l7-scene NPM version =2.10.0, =2.1.13, =2.1.13, =2.10.0, =2.1.13, =2.10.0, =1.0.0, =1.0.17, =1.0.18 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVL7SCENE-16754481...

PT-2026-3623

IBM Application Gateway 23.10 through 25.09 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site...

CVE-2025-58449

CVE-2025-58449 affects Maho prior to 25.9.0. An authenticated staff user with Dashboard and Catalog\Manage Products permissions can create a custom option with a file input and, by whitelisting a ".php" extension, upload PHP files that are written to a predictable webroot path and can be executed...