449654 matches found
Malicious code in new-mjs-eslint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b4ae24b182a00059424b8ea4800927bbbf662f0e6bf20264af611d37203a3f2e Package is published under the unrelated name 'new-mjs-eslint' but ships a verbatim copy of the big.js decimal-arithmetic library original...
MAL-2026-6226 Malicious code in new-mjs-eslint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b4ae24b182a00059424b8ea4800927bbbf662f0e6bf20264af611d37203a3f2e Package is published under the unrelated name 'new-mjs-eslint' but ships a verbatim copy of the big.js decimal-arithmetic library original...
Malicious code in mjs-eslint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 51c6776509c718cebce5fe0ef0f5be73ede28f3be69888bfadff198f25ac2df6 The package is published as 'mjs-eslint' but its description, file layout big.js, big.mjs, and source are a verbatim copy of the legitimate big.js...
MAL-2026-6223 Malicious code in mjs-eslint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 51c6776509c718cebce5fe0ef0f5be73ede28f3be69888bfadff198f25ac2df6 The package is published as 'mjs-eslint' but its description, file layout big.js, big.mjs, and source are a verbatim copy of the legitimate big.js...
Malicious code in new-eslint-1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7752e7f074edbf8521da2ee0b7c68c28a2f76d86576138df8f18e08aaa3a5c38 Package is published as 'new-eslint-1' but its package.json description, README, repository URL MikeMcl/big.js, and source are a verbatim copy of...
MAL-2026-6225 Malicious code in new-eslint-1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7752e7f074edbf8521da2ee0b7c68c28a2f76d86576138df8f18e08aaa3a5c38 Package is published as 'new-eslint-1' but its package.json description, README, repository URL MikeMcl/big.js, and source are a verbatim copy of...
Malicious code in new-eslint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f068a5c7ad1a53c60d794a3b4585418956c176c42b8d5d90855e2ac60962b25 Package is published as 'new-eslint' but ships a verbatim copy of MikeMcl/big.js, with a hidden loader injected mid-file between P.minus and P.mod in...
MAL-2026-6224 Malicious code in new-eslint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6f068a5c7ad1a53c60d794a3b4585418956c176c42b8d5d90855e2ac60962b25 Package is published as 'new-eslint' but ships a verbatim copy of MikeMcl/big.js, with a hidden loader injected mid-file between P.minus and P.mod in...
NL Portal Backend Libraries: Unauthenticated form resolver forwards the privileged Objecten-API token to a caller-supplied URL (SSRF)
Summary The public GraphQL resolvers getFormDefinitionByObjectenApiUrlurl and the deprecated getFormDefinitionByIdid fetch a caller-supplied URL using the privileged Objecten-API token. Because the /graphql endpoint is permitAll and these resolvers do not declare a CommonGroundAuthentication...
GHSA-XM3X-9CFW-JHX4 NL Portal Backend Libraries: Unauthenticated form resolver forwards the privileged Objecten-API token to a caller-supplied URL (SSRF)
Summary The public GraphQL resolvers getFormDefinitionByObjectenApiUrlurl and the deprecated getFormDefinitionByIdid fetch a caller-supplied URL using the privileged Objecten-API token. Because the /graphql endpoint is permitAll and these resolvers do not declare a CommonGroundAuthentication...
CVE-2026-49357
Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. line-desktop-mcp supports a --http-mode Streamable HTTP transport for use with clients such as n8n. In this mode t...
Eval Injection
Overview Affected versions of this package are vulnerable to Eval Injection via unsanitized YAML parameters in the cluster import endpoint /v3/import/tokenclusterId.yaml. An attacker can execute arbitrary commands on the server by supplying crafted input to the endpoint, potentially breaking out ...
Network-AI: Improper Neutralization of Special Elements used in an OS Command
Summary The agent sandbox gates shell commands behind an allowlist SandboxPolicy.isCommandAllowed, which THREATMODEL.md calls the main control against a compromised agent Adversary 3.2. The allowlist glob-matches the whole command string, but ShellExecutor runs that string through /bin/sh -c. So...
GHSA-QW6V-5FCF-5666 Network-AI: Improper Neutralization of Special Elements used in an OS Command
Summary The agent sandbox gates shell commands behind an allowlist SandboxPolicy.isCommandAllowed, which THREATMODEL.md calls the main control against a compromised agent Adversary 3.2. The allowlist glob-matches the whole command string, but ShellExecutor runs that string through /bin/sh -c. So...
CVE-2026-49357 Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication
Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. line-desktop-mcp supports a --http-mode Streamable HTTP transport for use with clients such as n8n. In this mode t...
CVE-2026-49357
CVE-2026-49357 affects line-desktop-mcp (LINE Desktop MCP). In --http-mode, the MCP server binds to 0.0.0.0 and exposes the /mcp endpoint without MCP authentication, enabling any network client on the port to initialize a session, list tools, and call tools that read LINE Desktop chat history or ...
EUVD-2026-38016
Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. line-desktop-mcp supports a --http-mode Streamable HTTP transport for use with clients such as n8n. In this mode t...
CVE-2026-49357 Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication
Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. line-desktop-mcp supports a --http-mode Streamable HTTP transport for use with clients such as n8n. In this mode t...
CVE-2026-49357
Line Desktop MCP is a project that, while unaffiliated with the official line-bot-mcp-server, allows users to directly operate the LINE Desktop application on Windows or Mac via MCP. line-desktop-mcp supports a --http-mode Streamable HTTP transport for use with clients such as n8n. In this mode t...
Information Disclosure
Keycloak is vulnerable to Information Disclosure. The vulnerability is due to insufficient enforcement of user profile permissions in the group members endpoint, allowing an administrator with delegated access to read group memberships and users to view user attributes that are explicitly...