6592 matches found
Malicious code in chai-as-polished (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b2ea0d46e0bb4382e8d684d025cb72b7f99e37874c571e9946ae1268b70be6cf Package name is a one-edit typosquat of the widely-used chai-as-promised, but the shipped code is unrelated to chai. The exported middleware spawns a...
MAL-2026-5901 Malicious code in chai-as-polished (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b2ea0d46e0bb4382e8d684d025cb72b7f99e37874c571e9946ae1268b70be6cf Package name is a one-edit typosquat of the widely-used chai-as-promised, but the shipped code is unrelated to chai. The exported middleware spawns a...
MAL-2026-5902 Malicious code in chai-as-tokenized (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55c10da182a0c79ca5eb0f85c6b2e334b7ee4e90946dfcc34feb44e80afa4485 Package name impersonates chai-as-promised, and the README is a copy of pino's documentation, but the actual code is a remote-code-execution dropper...
Malicious code in chai-as-decrypted (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3ed93b06c95c42e3183b89e5fb1d9dea3f711bb20d766861c8d16b8d17f17cc9 Package name chai-as-decrypted mimics the popular chai-as-promised, and the README impersonates pino uses pino's npm badges and links to...
CVE-2026-5497
A flaw was found in vLLM. An attacker can exploit this vulnerability by sending a specially crafted API request containing an excessive number of base64-encoded JPEG frames within a data URL. This unbounded processing of frames in the VideoMediaIO.loadbase64 method leads to an Out-of-Memory OOM...
MAL-2026-5791 Malicious code in mddriver (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5a5b264d05ffaf76e8be2d7a46cb2277211a045fa15e8c510ab60cdd5c5bae56 On require'mddriver', an IIFE in index.js invokes loadTokenData, which fetches https://www.jsonkeeper.com/b/C4H0M stored base64-encoded as...
Malicious code in ing-feat-itsme-oidc-authentication (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 175d0dba1f70bc84bcd4e29b57e0f7831248582614cd146af7d1ea6d1d057cd5 On npm install, package.json's preinstall hook executes poc.js, which collects os.hostname, os.userInfo.username, process.cwd, and process.platform,...
CVE-2016-20077
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoin...
CVE-2016-20077 WordPress Plugin Photocart Link 1.6 Local File Inclusion via decode.php
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoin...
CVE-2016-20077 WordPress Plugin Photocart Link 1.6 Local File Inclusion via decode.php
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoin...
CVE-2016-20077
CVE-2016-20077 affects the WordPress plugin Photocart Link 1.6. It describes a Local File Inclusion vulnerability in decode.php: unauthenticated attackers can trigger LFI by supplying base64-encoded file paths via the id parameter to decode.php, enabling access to sensitive files (e.g., wp-config...
EUVD-2016-10889
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoin...
PT-2026-49215
WordPress Plugin Photocart Link 1.6 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in decode.php. Attackers can supply base64-encoded file paths in the 'id' parameter to the decode.php endpoin...
Malicious code in environment-gate (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 80dc74c6c5240e9c146e476300b44582cc114cf1827319ba81d2bcae2d64c2cf index.js contains a commented-out line that, if uncommented, would base64-decode the URL https://www.jsonkeeper.com/b/VKUNI, fetch its contents via...
MAL-2026-5743 Malicious code in environment-gate (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 48e4ad756dbae70bb38049d363961eb27239c7cf18c6a92612579aeb818da7b1 The package's only export, gate, performs an HTTP GET to a base64-obfuscated URL https://www.jsonkeeper.com/b/VKUNI and passes the response body...
Malicious code in class-synth (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1aa63407d7400b4819d0739dedad0a32d9ae29b18509693c2e8763cf30275271 class-synth is advertised as a small class/style/date utility library, but its main entry dist/index.js contains a hidden top-level async IIFE init...
Malicious code in jextic-eclib (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 13a6476409b9cb9296b7f778be375081c8ad12b030658351092e9fef90f4b707 On npm install, the package's postinstall hook postinstall.js requires index.js, whose top-level scanAndExfiltrate call walks the installer's working...
Malicious code in theta-connector (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ac14206b12d7cb0c180c49e65d91b99aa2f013c33147d7f1eff396da2c48a2 The package advertises itself as a MySQL connector but index.js around line 236 contains a method queryDBConnect on the exported...
CVE-2026-46489
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into eve...
CVE-2026-46489 SolidInvoice: Unrestricted file upload with no MIME validation allows stored XSS via malicious SVG logo
SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can upload an SVG file containing embedded JavaScript. This script is base64-encoded and injected unescaped into eve...