Malicious Package
Overview: app-config-utility is a malicious package. This package contains malicious code, and its content has been removed from the official package manager. While this package typosquats well-known libraries to impersonate valid open-source ecosystems, there is no connection between those...
CVE-2026-3643 Accessibly <= 3.0.3 - Missing Authorization to Unauthenticated Stored Cross-Site Scripting via Widget Source Injection via REST API
The Accessibly plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the REST API in all versions up to, and including, 3.0.3. The plugin registers REST API endpoints at /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config with the permission_callback set to __return_true...
CVE-2026-3643
The Accessibly WordPress plugin (versions ≤ 3.0.3) is vulnerable to an unauthenticated Stored XSS via REST API endpoints /otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config. These endpoints have permission_callback set to __return_true, so no auth checks occur. updateWidgetOptions()...
Dinky Access Control Error Vulnerability
Dinky is an open-source real-time computing platform developed by DataLinkDC. Versions of Dinky 1.2.5 and earlier contained a security vulnerability related to access control. This vulnerability stemmed from a missing authentication check in the addInterceptors function of the OpenAPI endpoint...
Malicious code in yandex-app-config (npm)
The package yandex-app-config was found to contain malicious code...
MAL-2025-40211 Malicious code in yandex-app-config (npm)
The package yandex-app-config was found to contain malicious code...
CVE-2024-47160
In JetBrains YouTrack before 2024.3.44799 access to global app config data without appropriate permissions was possible...
PT-2024-32800 · Unknown · @Backstage/Plugin-App-Backend
Name of the Vulnerable Software and Affected Versions: @backstage/plugin-app-backend versions prior to 0.3.75. Description: The issue concerns the configuration supplied through APP_CONFIG_* environment variables, where the visibility defined in the configuration schema is unexpectedly ignored. This...
JetBrains YouTrack < 2024.3.44799 Multiple Vulnerabilities
The version of JetBrains YouTrack installed on the remote host is prior to 2024.3.44799. It is, therefore, affected by multiple vulnerabilities as referenced in the vendor advisory. - In JetBrains YouTrack before 2024.3.44799 user without appropriate permissions could restore workflows attached t...
CVE-2024-47160
JetBrains YouTrack before 2024.3.44799 is vulnerable to an issue where access to global application config data is possible without proper permissions. This CVE (CVE-2024-47160) is corroborated by multiple connected sources: Red Hat advisory, a Nessus plugin for JetBrains YouTrack
MAL-2022-745 Malicious code in @xvideos/app-config (npm)
Source: ghsa-malware (a290ede58fb80e2b89f5ecbce9b539c5c5de67e3d8a2ab54c2a6feb09e67973f). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Unable to load settings with Global App Config Service on Citrix Workspace app Chrome OS/HTML5
If the administrator has rolled out any settings via Global App Config Service and a user launches the Citrix Workspace app, the settings previously rolled out by the administrator may not be applied. If the administrator now tries to roll out any new settings via Global App...
ckb-analyzer (>=0.37.0 <=0.39.2), ckb-app-config (>=0.37.0 <=0.100.0-rc2) +60 more potentially affected by CVE-2021-45697 via molecule (>=0.2.5 <=0.7.1)
molecule CARGO version =0.2.5, =0.37.0, =0.37.0, =0.4.0, =0.37.0, =0.37.0, =0.37.0, =0.40.0, =0.40.0, =0.37.0, =0.37.0, =0.37.0, =0.37.0, =0.1.0, =0.37.0, =0.39.1 and more Source cves: CVE-2021-45697 Source advisory: OSV:GHSA-6P3C-V8VC-C244...
ckb-analyzer (>=0.37.0 <=0.39.2), ckb-app-config (>=0.37.0 <=0.100.0-rc2) +60 more potentially affected by CVE-2021-45697 via molecule (>=0.2.5 <=0.7.1)
molecule CARGO version =0.2.5, =0.37.0, =0.37.0, =0.4.0, =0.37.0, =0.37.0, =0.37.0, =0.40.0, =0.40.0, =0.37.0, =0.37.0, =0.37.0, =0.37.0, =0.1.0, =0.37.0, =0.39.1 and more Source cves: CVE-2021-45697 Source advisory: OSV:GHSA-82HM-VH7G-HRH9...
@app-config/cli (>=2.0.2 <=3.0.0-alpha.6), @app-config/config (>=2.1.0 <=2.9.0-beta.3) +196 more potentially affected by CVE-2019-9155 via openpgp (>=0.11.1 <=4.10.9)
openpgp NPM version =0.11.1, =2.0.2, =2.1.0, =2.1.0, =2.7.0, =2.1.0, =2.8.0, =2.1.0, =2.1.0, =2.1.0, =2.1.0, =2.6.0, =2.6.0, =2.8.0, =1.1.0, =1.6.4-rds-3.0 and more Source cves: CVE-2019-9155 Source advisory: OSV:GHSA-77JF-FJJF-XCWW...
Fiyo CMS Arbitrary File Deletion Vulnerability
FiyoCMS is a content management system (CMS) for creating CMS templates. An arbitrary file deletion vulnerability exists in the dapur/apps/appconfig/controller/backuper.php file in FiyoCMS version 2.0.7. An attacker can exploit this vulnerability to delete arbitrary files...