34 matches found
MAL-2026-4683 Malicious code in tax4all-components (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 411707aa243c516b714830da4805c4abacaa4d5f7e2e8959773cd93468dd78aa The exported ContactForm Vue component in deploy/dist/index.js hardcodes form submissions to https://formsubmit.co/ajax/[email protected] — the...
Malicious code in gator-client (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1925735d02fb91f74a11718c3402ad0b10f551eecb8c6d88f02d475b3e0a799f On npm install via scripts.install: node index.js and on every require'gator-client', lib/core.js collects os.userInfo.username, os.hostname, and the...
CVE-2026-7385
The Decent Comments WordPress plugin (prior to version 3.0.2) exposes comment author and post author email addresses via its REST API without access restrictions, enabling unauthenticated users to enumerate registered email addresses. Root cause: insufficient access controls on the REST endpoint....
CVE-2026-7385
The Decent Comments WordPress plugin before 3.0.2 does not restrict access to comment author email addresses and post author email addresses via its REST API endpoint, allowing unauthenticated attackers to enumerate registered user email addresses...
Malicious code in qr-code-styling-temp (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 004a5cc51cc0e38448c56189fb4437ad113eec163f7ae1a7692b88d6aed71182 The package's install lifecycle script node index.js and its main entry both load lib/core.js, which reads os.userInfo.username, os.hostname, and the...
EUVD-2026-27225
The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that...
CVE-2026-3454
The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that...
CVE-2026-3454
CVE-2026-3454 affects the WordPress plugin GenerateBlocks (versions <= 2.2.0). The vulnerability is an Insecure Direct Object Reference in the REST endpoint /wp-json/generateblocks/v1/dynamic-tag-replacements . The endpoint only checks user capability (edit_posts) and does not verify that the ...
CVE-2026-3454 GenerateBlocks <= 2.2.0 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Exposure via Dynamic Tag Replacements
The GenerateBlocks plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.2.0. This is due to missing object-level authorization checks in the /wp-json/generateblocks/v1/dynamic-tag-replacements REST endpoint. The endpoint only verifies that...
CVE-2026-22204
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...
MAL-2026-2414 Malicious code in ftapi-core (npm)
Multiple suspicious behaviors: hex obfuscation, code execution via constructor, process access, install script, and suspicious author email. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1a78a31e9e0e51a5531ac61b714695aa1af1ac1379233e78623ac3ed63285f6c The...
Malicious code in ftapi-core (npm)
Multiple suspicious behaviors: hex obfuscation, code execution via constructor, process access, install script, and suspicious author email. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1a78a31e9e0e51a5531ac61b714695aa1af1ac1379233e78623ac3ed63285f6c The...
Malicious code in @ceeferenderer/itg-renderer-sdk (npm)
Malicious package due to code obfuscation, dynamic module loading, process exposure, suspicious install script, and untrustworthy author email. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 51b9fa22264e38705c3a7ba319515ee66036e72ab14c32d08b01a5695aa191b8 This...
MAL-2026-2407 Malicious code in @ceeferenderer/itg-renderer-sdk (npm)
Malicious package due to code obfuscation, dynamic module loading, process exposure, suspicious install script, and untrustworthy author email. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 51b9fa22264e38705c3a7ba319515ee66036e72ab14c32d08b01a5695aa191b8 This...
EUVD-2026-11749
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...
CVE-2026-22204
wpDiscuz prior to 7.6.47 has an email header injection due to unsanitized comment_author_email cookie. An attacker can craft a cookie value that, after urldecode() is processed by wp_mail(), injects headers or alters recipients. The exact impact and exploit status are not elaborated beyond the de...
CVE-2026-22204 wpDiscuz before 7.6.47 - Unsanitized Cookie Email Used as wp_mail() Recipient
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...
CVE-2026-22204
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...
PT-2026-25144
wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the comment author email cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wp mail...
CVE-2026-26323
CVE-2026-26323 overview : OpenClaw’s maintainer/updater script in source checkouts (versions 2026.1.8–2026.2.13) is vulnerable to OS command injection. The script update-clawcontributors.ts builds a shell command from git author metadata (via execSync) and interpolates a GitHub login, which can b...