28 matches found
com.databricks:automatedml_2.11 (=0.7.2), com.github.aishfenton:vegas-flink_2.11 (=0.3.4) +11 more potentially affected by CVE-2025-59840 via org.webjars.bower:vega (>=1.5.4 <=3.0.0-rc4)
org.webjars.bower:vega MAVEN version =1.5.4, =0.3.6, =0.3.6, =0.3.6, =1.1.0, =2.1.0, =1.0.10, =2.0.1 Source cves: CVE-2025-59840 Source advisory: SNYK:JAVA-ORGWEBJARSBOWER-13961288...
EUVD-2019-0674
Malware in sbrugna...
moment-timezone
This repository is an add-on for Moment.js, a JavaScript library for working with dates and times. It provides support for timezones, allowing users to easily work with dates and times in different timezones. The repository contains a variety of files, including a Gruntfile.js, which is used to...
org.webjars.bower:jspdf-autotable (>=2.0.2 <=2.1.0) potentially affected by CVE-2025-57810 via org.webjars.bower:jspdf (>=1.0.272 <=1.4.1)
org.webjars.bower:jspdf MAVEN version =1.0.272, =2.0.2, =2.1.0 Source cves: CVE-2025-57810 Source advisory: SNYK:JAVA-ORGWEBJARSBOWER-12205534...
MAL-2025-18840 Malicious code in drupal-bower-install (npm)
The package drupal-bower-install was found to contain malicious code...
CVE-2019-5484
Bower before 1.8.8 has a path traversal vulnerability permitting file write in arbitrary locations via install command, which allows attackers to write arbitrary files when a malicious package is extracted...
cn.jbone:jbone-ui (=1.0.0), io.springlets:springlets-boot-starter-web (>=1.2.0.RC2 <=1.2.0.RELEASE) +56 more potentially affected by CVE-2025-1647 via org.webjars.bower:bootstrap (>=3.4.1 <=4.0.0-beta.3)
org.webjars.bower:bootstrap MAVEN version =3.4.1, =1.2.0.RC2, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.0, =0.5.1 and more Source cves: CVE-2025-1647 Source advisory: SNYK:JAVA-ORGWEBJARSBOWER-10176070...
Cross-site Scripting (XSS)
Overview org.webjars.bower:trix is a Rich Text Editor. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) through the copy and paste functionality. An attacker can execute arbitrary JavaScript code within the user's session by tricking a user into pasting malicious...
com.databricks:automatedml_2.11 (=0.7.2), com.github.aishfenton:vegas-flink_2.11 (=0.3.4) +11 more potentially affected by CVE-2025-25304 via org.webjars.bower:vega (>=1.5.4 <=3.0.0-rc4)
org.webjars.bower:vega MAVEN version =1.5.4, =0.3.6, =0.3.6, =0.3.6, =1.1.0, =2.1.0, =1.0.10, =2.0.1 Source cves: CVE-2025-25304 Source advisory: SNYK:JAVA-ORGWEBJARSBOWER-8730845...
Malicious code in grunt-bowerspawn (npm)
Source: ghsa-malware 3f19c7ffe5b8c7e758f111d8a269b08c66ef7dd51229dae215a6b7ecd967b3db Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
@garment/plugin-runner-publish (>=0.13.7 <=0.18.0), bower-npm-resolver (=0.11.0) +4 more potentially affected by CVE-2022-0355 via simple-get (=3.0.3)
simple-get NPM version =3.0.3 is affected by a known vulnerability. The following packages have a transitive dependency on simple-get and may be impacted: - @garment/plugin-runner-publish =0.13.7, =3.2.4, =2.0.3, =2.0.5 Source cves: CVE-2022-0355 Source advisory: OSV:GHSA-WPG7-2C88-R8XV...
bower-cache (=0.5.0), cacahuate (>=3.9.0 <=4.0.0a6) +58 more potentially affected by CVE-2021-23727 via celery (>=3.1.11 <=5.2.1)
celery PYPI version =3.1.11, =3.9.0, =0.0.2, =1.0.1, =0.19.0, =2.0.0a0, =1.0.0, =1.0.24, =0.0.5, =0.0.13, =1.0.18, =1.2.7 and more Source cves: CVE-2021-23727 Source advisory: OSV:GHSA-Q4XR-RC97-M4XX...
6pm (=0.1.0), @absolunet/nwayo-cli (>=1.0.0 <=3.6.1) +1378 more potentially affected by CVE-2019-5484 via bower (>=0.10.0 <=1.8.4)
bower NPM version =0.10.0, =1.0.0, =3.3.0, =0.1.20, =0.16.9, =0.0.4, =0.102.0, =2.0.0-beta.1, =0.0.1, =1.0.4, =1.0.2, =0.1.16, =1.0.0-alpha.0, =1.0.0-alpha.0, =1.0.0, =1.2.3 and more Source cves: CVE-2019-5484 Source advisory: OSV:GHSA-P6MR-PXG4-68HX...
Symlink Arbitrary File Overwrite in bower
Versions of bower prior to 1.8.8 are affected by an arbitrary file write vulnerability. The vulnerability occurs because bower does not verify that extracted symbolic links do not resolve to targets outside of the extraction root directory. Recommendation Update to version 1.8.8 or later...
Path traversal
Bower before 1.8.8 has a path traversal vulnerability permitting file write in arbitrary locations via install command, which allows attackers to write arbitrary files when a malicious package is extracted...
CVE-2019-5484
CVE-2019-5484 – Bower path traversal. Affects Bower up to version 1.8.7; older releases permit writing files to arbitrary locations during extraction of a malicious package via the install command. Root cause is improper validation of extracted paths, enabling directory traversal and arbitrary f...