25 matches found
EUVD-2026-36273
KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull...
CVE-2026-48546
KanaDojo before 0.1.18 contains a sandbox-escape RCE in the issue-auto-respond.yml workflow. The root cause is explicit passing of the global require into a Node.js vm.runInNewContext() sandbox, allowing an attacker to modify messages.cjs to import arbitrary Node.js modules and achieve remote cod...
cjs-biginteger (=5.0.5) potentially affected by unknown CVE via ts-lint-builds (=1.0.5)
ts-lint-builds NPM version =1.0.5 is affected by a known vulnerability. The following packages have a transitive dependency on ts-lint-builds and may be impacted: - cjs-biginteger =5.0.5 Source cves: unknown CVE Source advisory: OSV:MAL-2026-2883...
MAL-2026-2882 Malicious code in cjs-biginteger (npm)
big.js typosquat campaign - SSH backdoor implantation, credential and crypto wallet theft. Source: amazon-inspector ad18a38aa59b5edbd05dbdf229f4d013446f970fe18b41e54ffc1c24a926d2bd The package cjs-biginteger was found to contain malicious...
MAL-2025-47696 Malicious code in node-ts-cjs-web (npm)
Malicious code in node-ts-cjs-auto (npm)
The package communicates with a domain associated with malicious activity...
MAL-2025-6107 Malicious code in node-ts-cjs-auto (npm)
The package communicates with a domain associated with malicious activity...
CVE-2021-29446
jose-node-cjs-runtime is an npm package which provides a number of cryptographic functions. In versions prior to 3.11.4 the AES_CBC_HMAC_SHA2 Algorithm (A128CBC-HS256, A192CBC-HS384, A256CBC-HS512) decryption would always execute both HMAC tag verification and CBC decryption, if either failed...
CVE-2024-53384
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components...
tsup DOM Clobbering vulnerability
A DOM Clobbering vulnerability in tsup v8.3.4 allows attackers to execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components...
CVE-2024-53384
CVE-2024-53384 affects tsup v8.3.4 with a DOM Clobbering vulnerability that lets an attacker execute arbitrary code via a crafted script in the import.meta.url to document.currentScript in cjs_shims.js components. The CVSS 3.1 vector shows a MEDIUM base score (5.1) with LOCAL attack vector, LOW a...
CVE-2024-47068
A flaw was found in the Rollup module bundler for JavaScript. Certain versions are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from import.meta such as import.meta.url in the cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting XS...
CVE-2024-47068 DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
Rollup is a module bundler for JavaScript. Versions prior to 2.79.2, 3.29.5, and 4.22.4 are susceptible to a DOM Clobbering vulnerability when bundling scripts with properties from import.meta (e.g., import.meta.url) in cjs/umd/iife format. The DOM Clobbering gadget can lead to cross-site scripting...
CVE-2024-45812
Vite is a frontend build tooling framework for JavaScript. Affected versions of Vite were discovered to contain a DOM Clobbering vulnerability when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptle...
PT-2024-31793 · Vite · Vite
Name of the Vulnerable Software and Affected Versions: Vite versions prior to 3.2.11; Vite versions prior to 4.5.5; Vite versions prior to 5.2.14; Vite versions prior to 5.3.6; Vite versions prior to 5.4.6. Description: A DOM Clobbering vulnerability was discovered in Vite when building scripts to...
Malicious code in query-string-cjs (npm)
ses-cjs (>=1.0.0 <=1.0.1) potentially affected by CVE-2023-39532 via ses (=0.13.1)
ses NPM version =0.13.1 is affected by a known vulnerability. The following packages have a transitive dependency on ses and may be impacted: - ses-cjs =1.0.0, =1.0.1 Source cves: CVE-2023-39532 Source advisory: OSV:GHSA-9C4H-3F7H-322R...
MAL-2023-168 Malicious code in chalk-animate-cjs (npm)
Source: ghsa-malware 516c8dd53eb3c24c892eed50063a6f315dc748a4d2f006d392d7ec6785802d0b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in chalk-animate-cjs (npm)
Source: ghsa-malware 516c8dd53eb3c24c892eed50063a6f315dc748a4d2f006d392d7ec6785802d0b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...