Lucene search
K

178 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/26 1:42 a.m.11 views

Malicious code in animatecss-postcss-plugin (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6be12cec08d0999c157774b746c3e431825ae61635bb8ddddf36061d4602cec7 [email protected] ships a tiny PostCSS plugin factory whose body contains an obfuscator.io-style string-array + RC4 decoder functions...

5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/06/15 8:13 p.m.7 views

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the pbjs static code generation. An attacker can execute arbitrary code by providing crafted schema names that are incorporated into generated JavaScript output, which is then executed or imported by the...

8.2CVSS6.2AI score0.00228EPSS
Exploits0References2
NVD
NVD
added 2026/05/28 4:16 p.m.18 views

CVE-2026-44594

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, a Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

7.5CVSS0.00321EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/28 2:45 p.m.35 views

CVE-2026-44594 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files

esm.sh is a no-build content delivery network CDN for web development. In 137 and earlier, a Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

7.5CVSS0.00321EPSS
Exploits0References1
CVE
CVE
added 2026/05/28 2:45 p.m.21 views

CVE-2026-44594

CVE-2026-44594 describes a Local File Inclusion (LFI) in esm.sh’s esbuild plugin handling of the browser field in package.json. The vulnerability allows an attacker to publish a crafted npm package that, during the build, causes the server to read and return arbitrary files from the host filesyst...

7.5CVSS6AI score0.00321EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/22 6:41 p.m.18 views

Malicious code in tailwind-style-typography (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0818530f40672586168012538662486135f040526d0e4377f362b6bfe2f61bd2 The package name impersonates the official @tailwindcss/typography plugin and replicates its README and source verbatim including links to...

6AI score
Exploits0References2
RedHat Linux
RedHat Linux
added 2026/05/13 2:21 a.m.10 views

cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names

A flaw was found in the Go programming language golang and its command-line tool cmd/go. A remote attacker could exploit this during the build process by crafting malicious SWIG Simplified Wrapper and Interface Generator file names that contain "cgo" and specific payloads. This could lead to code...

9CVSS6AI score0.00658EPSS
Exploits0References8
Github Security Blog
Github Security Blog
added 2026/05/12 10:22 p.m.10 views

esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files

Summary A Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process. Details The vulnerable...

7.5CVSS6AI score0.00321EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/05/12 10:22 p.m.4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the browser field in package.json during the build process. An attacker can access arbitrary files on the server filesystem by publishing a specially crafted npm package that remaps module paths to locations...

8.7CVSS6.5AI score0.00321EPSS
Exploits0References2
OSV
OSV
added 2026/05/12 10:22 p.m.5 views

GHSA-RG65-45M7-HQ57 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files

Summary A Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process. Details The vulnerable...

7.5CVSS6AI score0.00321EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.12 views

PT-2026-40543

Name of the Vulnerable Software and Affected Versions esm.sh versions 137 and earlier Description A Local File Inclusion LFI issue exists in the esbuild plugin's handling of the browser field within the package.json file. An attacker can publish a malicious npm package that leverages ../ sequence...

7.5CVSS5.9AI score0.00321EPSS
Exploits0References6
RedHat Linux
RedHat Linux
added 2026/05/11 6:39 p.m.12 views

cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names

A flaw was found in the Go programming language golang and its command-line tool cmd/go. A remote attacker could exploit this during the build process by crafting malicious SWIG Simplified Wrapper and Interface Generator file names that contain "cgo" and specific payloads. This could lead to code...

9CVSS6AI score0.00658EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 2026/05/11 4:23 p.m.7 views

cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names

A flaw was found in the Go programming language golang and its command-line tool cmd/go. A remote attacker could exploit this during the build process by crafting malicious SWIG Simplified Wrapper and Interface Generator file names that contain "cgo" and specific payloads. This could lead to code...

9CVSS6AI score0.00658EPSS
Exploits0References8
RedHat Linux
RedHat Linux
added 2026/05/04 2:10 p.m.22 views

rollup: Rollup: Remote Code Execution via Path Traversal Vulnerability

A flaw was found in Rollup, a JavaScript module bundler. Insecure file name sanitization in the core engine allows an attacker to control output filenames, potentially through command-line interface CLI inputs, manual chunk aliases, or malicious plugins. By using directory traversal sequences ../...

9.8CVSS7.7AI score0.01402EPSS
Exploits1References11
NVD
NVD
added 2026/04/28 7:37 p.m.9 views

CVE-2026-41373

OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restrict compiler binary environment variables, allowing untrusted models to substitute CC, CXX, CARGOBUILDRUSTC, and CMAKECCOMPILER via environment overrides. Attackers with approved host-exec requests c...

6.1CVSS0.0013EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/28 6:9 p.m.5 views

CVE-2026-41373

OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restrict compiler binary environment variables, allowing untrusted models to substitute CC, CXX, CARGOBUILDRUSTC, and CMAKECCOMPILER via environment overrides. Attackers with approved host-exec requests c...

6.1CVSS5.8AI score0.0013EPSS
Exploits0References4
EUVD
EUVD
added 2026/04/28 6:9 p.m.6 views

EUVD-2026-26082

OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restrict compiler binary environment variables, allowing untrusted models to substitute CC, CXX, CARGOBUILDRUSTC, and CMAKECCOMPILER via environment overrides. Attackers with approved host-exec requests c...

6.1CVSS5.8AI score0.0013EPSS
Exploits0References3
CVE
CVE
added 2026/04/28 6:9 p.m.27 views

CVE-2026-41373

OpenClaw vulnerable before 2026.3.31 due to an incomplete host-env-security-policy.json that does not restrict compiler environment variables. This allows untrusted models to substitute compiler binaries (CC, CXX, CARGO_BUILD_RUSTC, CMAKE_C_COMPILER) via environment overrides when an approved hos...

6.1CVSS5.8AI score0.0013EPSS
Exploits0References3Affected Software1
RedHat Linux
RedHat Linux
added 2026/04/27 2:21 a.m.5 views

cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names

A flaw was found in the Go programming language golang and its command-line tool cmd/go. A remote attacker could exploit this during the build process by crafting malicious SWIG Simplified Wrapper and Interface Generator file names that contain "cgo" and specific payloads. This could lead to code...

9CVSS6AI score0.00658EPSS
Exploits0References8
Snyk
Snyk
added 2026/04/24 2:41 a.m.4 views

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the compilePipeline process. An attacker can execute arbitrary shell commands during the build process by supplying a crafted configuration file that sets pipeline.uses to a value containing directory traversal...

6.9CVSS6.4AI score0.0014EPSS
Exploits0References2
Rows per page
Query Builder