WhatsApp MCP Server path traversal vulnerability
WhatsApp MCP Server is a WhatsApp messaging search and sending tool developed by Luke Harries. Version 0.0.1 of WhatsApp MCP Server has a path traversal vulnerability. This vulnerability stems from incorrect handling of the mediaPath parameter in the SendAPIEndpoint component’s SendMessageRequest...
Malicious code in 24712-pl5004 (npm)
Source: amazon-inspector 3d79bb37b62b8d47ca459db0858a93ffb3c35e3791423c11a0853fb4ab17388e The package 24712-pl5004 was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-3350 Malicious code in @rivianlabs/dt-lib-lumberjack (npm)
Source: amazon-inspector 7cf3a31f76f8c2e22a2792aee30736347d17fe5872cb69c7edaecc7728aa6190 The package @rivianlabs/dt-lib-lumberjack was found to contain malicious code. Source: ossf-package-analysis...
CVE-2026-5748
The Text Snippets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's ts shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers,...
ca.uhn.hapi.fhir:hapi-fhir-base-test-jaxrsserver-kotlin (>=5.6.5 <=6.8.0), ca.uhn.hapi.fhir:hapi-fhir-base-test-mindeps-client (>=5.6.5 <=7.4.5) +277 more potentially affected by CVE-2026-33180 via ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 (>=0.0.1 <=6.8.2)
ca.uhn.hapi.fhir:org.hl7.fhir.dstu3 MAVEN version =0.0.1, =5.6.5, =5.6.5, =5.6.5, =4.0.0, =5.6.5, =4.1.0, =4.0.3, =4.1.0, =4.0.0, =4.0.0, =5.0.0, =4.0.0, =5.3.0, =6.2.0, =5.1.0, =5.2.1 and more Source cves: CVE-2026-33180 Source advisory: OSV:GHSA-P7M9-V2CM-2H7M...
vantuz (>=3.3.2 <=3.3.7) potentially affected by unknown CVE via openclaw (=0.0.1)
openclaw NPM version =0.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on openclaw and may be impacted: - vantuz =3.3.2, =3.3.7 Source cves: unknown CVE Source advisory: OSV:GHSA-9VVH-2768-C8VP...
vantuz (>=3.3.2 <=3.3.7) potentially affected by CVE-2026-32018 via openclaw (=0.0.1)
openclaw NPM version =0.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on openclaw and may be impacted: - vantuz =3.3.2, =3.3.7 Source cves: CVE-2026-32018 Source advisory: OSV:GHSA-GQ83-8Q7Q-9HFX...
@goldenqueen/bai (>=1.0.0 <=1.0.3), @khineeyouu/baileys (>=0.2.1 <=0.2.24) +10 more potentially affected by unknown CVE via @yaoii-bails/libsignall-node (=0.0.1-security)
@yaoii-bails/libsignall-node NPM version =0.0.1-security is affected by a known vulnerability. The following packages have a transitive dependency on @yaoii-bails/libsignall-node and may be impacted: - @goldenqueen/bai =1.0.0, =0.2.1, =2.0.16, =17.1.12, =1.0.13, =1.0.23, =1.0.24 - nopedorex =1.0....
CVE-2026-1915 Simple Plyr <= 0.0.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'poster' Shortcode Attribute
The Simple Plyr plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'poster' parameter in the 'plyr' shortcode in all versions up to, and including, 0.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...
CVE-2026-23831
Rekor is a software supply chain transparency log. In versions 1.4.3 and below, the entry implementation can panic on attacker-controlled input when canonicalizing a proposed entry with an empty spec.message, causing a nil pointer dereference. Function validate returns nil success when message is...
@daffaadev/baileys (=1.0.1), @daffaadev/baileyss (=1.0.0) potentially affected by unknown CVE via @daffadeveloper/signal-node (=0.0.1-security)
@daffadeveloper/signal-node NPM version =0.0.1-security is affected by a known vulnerability. The following packages have a transitive dependency on @daffadeveloper/signal-node and may be impacted: - @daffaadev/baileys =1.0.1 - @daffaadev/baileyss =1.0.0 Source cves: unknown CVE Source advisory:...
Marky security vulnerabilities
Marky is a Markdown editor developed by Alessandro Arnodo of Switzerland. Version 0.0.1 of Marky contains a security vulnerability; this vulnerability stems from allowing malicious scripts to be injected into Markdown files, potentially leading to remote code execution...
MAL-2026-190 Malicious code in conmiyagi-map (npm)
Source: amazon-inspector c2e125bb096a79fe5c600e1826a5926312c29943a9f33edb1f2efbb0e0416203 The package conmiyagi-map was found to contain malicious code. Source: ghsa-malware fc52bddaac2d657d1e598f3b111f1195c1841882824da63324fac949f6f341ab...
CVE-2023-4899
SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1...
MAL-2026-192 Malicious code in @testfeii/hallo-word (npm)
Source: amazon-inspector 6df29a7d1af34a39e40a4928590c45f4d6544245d86b34e3a8f1266398bd2b17 The package @testfeii/hallo-word was found to contain malicious code. Source: ghsa-malware...
muaddib-scanner (>=1.1.0 <=1.1.1) potentially affected by unknown CVE via @vietmoney/react-big-calendar (=0.0.1-security)
@vietmoney/react-big-calendar NPM version =0.0.1-security is affected by a known vulnerability. The following packages have a transitive dependency on @vietmoney/react-big-calendar and may be impacted: - muaddib-scanner =1.1.0, =1.1.1 Source cves: unknown CVE Source advisory: OSV:MAL-2025-192994...
WordPress The Wound theme <= 0.0.1 - Unauthenticated LFI vulnerability
Unauthenticated LFI vulnerability discovered by Aly Khaled in WordPress Theme The Wound versions = 0.0.1...
MAL-2025-49308 Malicious code in u8ymp15aglfp7y (npm)
Source: amazon-inspector d3d0583d85e1bebaa0c44fe4ef6e449c155b034a7146cf881a9bf27d5e8b7b7b The package u8ymp15aglfp7y was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in ect-987654 (npm)
Source: amazon-inspector 8a68c6b83a7ec9d7f6380f88303941790b4e5f889138f4c4045f7bb7e5a180f7 The package ect-987654 was found to contain malicious code. Source: ossf-package-analysis...
EUVD-2023-54738
Malicious code in bioql PyPI...