MAL-2026-2880 Malicious code in bjs-lint-builder (npm)

big.js typosquat campaign - SSH backdoor implantation, credential and crypto wallet theft --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de4578f36842f930e2a5e6a4129c10eb87bf1005fe8cbdf05ffb9fdc2fe43ad8 The package bjs-lint-builder was found to contain malicious...

Malicious Package

Overview use-form-builder-plugin is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this packa...

vulnswarm

VulnSwarm AI-powered vulnerability discovery using multi-agen...

CVE-2026-39703

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in wpbits WPBITS Addons For Elementor Page Builder wpbits-addons-for-elementor allows Stored XSS.This issue affects WPBITS Addons For Elementor Page Builder: from n/a through = 1.8.1...

CVE-2026-39977

A flaw was found in flatpak-builder. A specially crafted manifest or source can bypass path restrictions by using symbolic links within the license-files field, allowing the builder to follow paths outside the intended source directory, reading arbitrary files from the host system and including...

Arbitrary Code Injection

Overview google-adk is an Agent Development Kit Affected versions of this package are vulnerable to Arbitrary Code Injection via the the builder UI on Python OSS, Cloud Run, and GKEdue to missing authentication in the process. An attacker can execute arbitrary code on the server by uploading YAML...

SUSE CVE-2026-39977

flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using gfileresolverelativepath and...

@saltcorn/cli (>=1.5.0 <=1.5.0-rc.2), @saltcorn/mobile-builder (>=1.5.0 <=1.5.0-rc.2) potentially affected by unknown CVE via @saltcorn/server (>=1.5.0-beta.0 <=1.5.0)

@saltcorn/server NPM version =1.5.0-beta.0, =1.5.0, =1.5.0, =1.5.0-rc.2 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNSERVER-15991556...

@saltcorn/cli (>=1.6.0-alpha.0 <=1.6.0-alpha.17), @saltcorn/mobile-builder (>=1.6.0-alpha.0 <=1.6.0-alpha.17) potentially affected by unknown CVE via @saltcorn/server (>=1.6.0-alpha.0 <=1.6.0-alpha.9)

@saltcorn/server NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.17 Source cves: unknown CVE Source advisory: SNYK:JS-SALTCORNSERVER-15991556...

@christianhugo/mobile-builder (>=0.7.3-beta.3 <=0.7.4-beta.9), @christianhugoch/cli (>=0.7.2-beta.12 <=0.7.2-beta.13) +4 more potentially affected by CVE-2026-40163 via @saltcorn/server (>=0.0.2 <=1.4.4)

@saltcorn/server NPM version =0.0.2, =0.7.3-beta.3, =0.7.2-beta.12, =0.0.2, =0.7.2, =0.0.2, =0.2.3-beta.2 Source cves: CVE-2026-40163 Source advisory: OSV:GHSA-32PV-MPQG-H292...

@saltcorn/cli (>=1.0.0 <=1.4.4), @saltcorn/mobile-builder (>=1.0.0 <=1.4.4) potentially affected by CVE-2026-40163 via @saltcorn/server (>=1.0.0-beta.1 <=1.4.4)

@saltcorn/server NPM version =1.0.0-beta.1, =1.0.0, =1.0.0, =1.4.4 Source cves: CVE-2026-40163 Source advisory: SNYK:JS-SALTCORNSERVER-15990855...

@saltcorn/cli (>=1.6.0-alpha.0 <=1.6.0-beta.12), @saltcorn/mobile-builder (>=1.6.0-alpha.0 <=1.6.0-beta.12) potentially affected by CVE-2026-40163 via @saltcorn/server (>=1.6.0-alpha.0 <=1.6.0-beta.3)

@saltcorn/server NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-beta.12 Source cves: CVE-2026-40163 Source advisory: OSV:GHSA-32PV-MPQG-H292...

@saltcorn/cli (>=1.6.0-alpha.0 <=1.6.0-beta.12), @saltcorn/mobile-builder (>=1.6.0-alpha.0 <=1.6.0-beta.12) potentially affected by CVE-2026-40163 via @saltcorn/server (>=1.6.0-alpha.0 <=1.6.0-beta.3)

@saltcorn/server NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-beta.12 Source cves: CVE-2026-40163 Source advisory: SNYK:JS-SALTCORNSERVER-15990855...

@saltcorn/cli (>=1.5.0 <=1.5.5-beta.0), @saltcorn/mobile-builder (>=1.5.0 <=1.5.5-beta.0) potentially affected by CVE-2026-40163 via @saltcorn/server (>=1.5.0-beta.0 <=1.5.5-beta.0)

@saltcorn/server NPM version =1.5.0-beta.0, =1.5.0, =1.5.0, =1.5.5-beta.0 Source cves: CVE-2026-40163 Source advisory: OSV:GHSA-32PV-MPQG-H292...

@saltcorn/cli (>=1.5.0 <=1.5.2), @saltcorn/mobile-builder (>=1.5.0 <=1.5.2) potentially affected by CVE-2026-40163 via @saltcorn/server (>=1.5.0-beta.0 <=1.5.2)

@saltcorn/server NPM version =1.5.0-beta.0, =1.5.0, =1.5.0, =1.5.2 Source cves: CVE-2026-40163 Source advisory: SNYK:JS-SALTCORNSERVER-15990855...

CVE-2026-39977

flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using gfileresolverelativepath and...

DEBIAN-CVE-2026-39977

flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using gfileresolverelativepath and...

CVE-2026-39977

flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using gfileresolverelativepath and...

UBUNTU-CVE-2026-39977

flatpak-builder is a tool to build flatpaks from source. From 1.4.5 to before 1.4.8, the license-files manifest key takes an array of paths to user defined licence files relative to the source directory of the module. The paths from that array are resolved using gfileresolverelativepath and...

CVE-2026-39977

The CVE concerns flatpak-builder (versions 1.4.5–1.4.7) where the license-files manifest key accepts an array of paths relative to the module source. Paths are validated using two checks, but the final path component and symlink handling can allow path traversal. The copy operation runs on the ho...