5719 matches found
MAL-2025-141304 Malicious code in css-loader-gridsome-postcss-loader-yaml (npm)
Source: amazon-inspector b76708fe5d0a2195e1d55421d5eb35a7bfcffe8ce7ea160c4bdd464e0fe4702b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-140579 Malicious code in ceres-telesto-bootstrap-optimize-css-assets-webpack-plugin (npm)
Source: amazon-inspector 1963d409fb2d23eef932cebebd3c943bfc90713c7057abbfab42485f32f74887 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-141310 Malicious code in css-loader-phenomic-phoebe-node-config (npm)
Source: amazon-inspector 07cd1ff25e1d1dab0ec49a40130c27cf086276094946c1578b49eb29788edac9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-141335 Malicious code in css-minimizer-webpack-plugin-ursa-hexo-antares (npm)
Source: amazon-inspector 638e5940c3692e0184723af4b60b6ab2fc2f47716e729018664d180a463eb807 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-149228 Malicious code in vulcan-css-loader-command-nconf (npm)
Source: amazon-inspector d0c75a1ddeac8182be8aefa40e93e61225edfd8a7eed0d9cebe0d2517f924b11 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in gridsome-css-minimizer-webpack-plugin-graphql-cors (npm)
Source: amazon-inspector ae26c88c181d9c55babee3d7420ebd9761f1cc23f179a381d9b81d8f747c8c1c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-120645
Malicious code in wasat-css-minimizer-webpack-plugin-grus-cli npm...
EUVD-2025-38227
Malicious code in tailwindcss-aerowind npm...
CVE-2025-11162
The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2.19.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
CVE-2025-11162 Spectra <= 2.19.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom CSS
The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2.19.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
CVE-2025-11162
CVE-2025-11162 affects Spectra Gutenberg Blocks – Website Builder for the Block Editor (WordPress plugin family). A stored cross-site scripting vulnerability exists via Custom CSS in all versions up to 2.19.14 (authenticated attacker with Contributor+ privileges can inject scripts executed on pag...
Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989827)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-989827 advisory. In the Linux kernel, the following vulnerability has been resolved: cgroup: Use separate src/dst nodes when preloading css_sets for migration. Each cset (css_set) is pinn...
WordPress Qi Blocks plugin missing authorization vulnerability
WordPress Qi Blocks plugin is a WordPress plugin developed by QodeInteractive, providing 81 customized Gutenberg blocks including 48 free modules and 33 premium modules, supporting WooCommerce, SEO and other 9 categories of functionality, creating complex layouts and integrating 550+ templates. A...
CVE-2025-12180
The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the qi-blocks/v1/update-styles REST API endpoint without proper sanitization in the updateglobalstylescallbac...
CVE-2025-11928
The CSS & JavaScript Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 12.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVE-2025-12180
CVE-2025-12180 – Qi Blocks (WordPress) | Normal mode. Affected software: Qi Blocks plugin for WordPress (versions up to 1.4.3). Root cause: Missing authorization due to improper sanitization in the qi-blocks/v1/update-styles REST endpoint, handled in update_global_styles_callback(). Impact: Authenti...
CVE-2025-12180 Qi Blocks <= 1.4.3 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update
The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the qi-blocks/v1/update-styles REST API endpoint without proper sanitization in the updateglobalstylescallbac...