css-dedoupe (>=0.1.0 <=0.1.1) potentially affected by unknown CVE via obj-to-css (=1.0.1)

obj-to-css NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on obj-to-css and may be impacted: - css-dedoupe =0.1.0, =0.1.1 Source cves: unknown CVE Source advisory: OSV:MAL-2025-191136...

Malicious code in obj-to-css (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 16c28013383e05a71d5da9d3d7c0d685a6355e42251a9527e769061e13ce54bb The package obj-to-css was found to contain malicious code. Source: ghsa-malware ada9fa1c509e4ac91c240ba95d3953b53291943071c42aa967d243bd17682078 Any...

MAL-2025-190953 Malicious code in css-dedoupe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7708f95527bfb987e5bf71ee911acffc550f40aff1b046d3249c9504c14fd52f The package css-dedoupe was found to contain malicious code. Source: ghsa-malware 9bad835f3386b87b3ce781849db6a96394982d6a092ee635c731d854493dd197 An...

EUVD-2025-199090

Malicious code in css-dedoupe npm...

Malicious code in css-dedoupe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7708f95527bfb987e5bf71ee911acffc550f40aff1b046d3249c9504c14fd52f The package css-dedoupe was found to contain malicious code. Source: ghsa-malware 9bad835f3386b87b3ce781849db6a96394982d6a092ee635c731d854493dd197 An...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

css-dedoupe (>=0.1.0 <=0.1.1) potentially affected by unknown CVE via obj-to-css (=1.0.1)

obj-to-css NPM version =1.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on obj-to-css and may be impacted: - css-dedoupe =0.1.0, =0.1.1 Source cves: unknown CVE Source advisory: SNYK:JS-OBJTOCSS-14103674...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...

@actbase/react-native-less-transformer (>=1.0.0 <=1.0.5) potentially affected by unknown CVE via @actbase/css-to-react-native-transform (=1.0.2)

@actbase/css-to-react-native-transform NPM version =1.0.2 is affected by a known vulnerability. The following packages have a transitive dependency on @actbase/css-to-react-native-transform and may be impacted: - @actbase/react-native-less-transformer =1.0.0, =1.0.5 Source cves: unknown CVE Sourc...

EUVD-2025-198721

Malicious code in @actbase/css-to-react-native-transform npm...

EUVD-2025-198660

Malicious code in @trigo/pathfinder-ui-css npm...

CVE-2025-12135

The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csscode' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the savecustomecode function. This makes it possible for unauthenticated attackers to inject arbitrary web...

CVE-2025-12135

The WPBookit plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csscode' parameter in all versions up to, and including, 1.0.6 due to a missing capability check on the savecustomecode function. This makes it possible for unauthenticated attackers to inject arbitrary web...

PT-2025-47691

Name of the Vulnerable Software and Affected Versions WPBookit versions up to and including 1.0.6 Description The WPBookit plugin for WordPress is susceptible to Stored Cross-Site Scripting. This is due to a missing capability check on the save custome code function, allowing unauthenticated...

esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript

Summary The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a...

Arbitrary Code Injection

Overview Affected versions of this package are vulnerable to Arbitrary Code Injection in the CSS-to-JavaScript module conversion feature. An attacker can execute arbitrary JavaScript code by injecting $... expressions into CSS files, which are then evaluated when the resulting JavaScript module i...

GHSA-HCPF-QV9M-VFGP esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript

Summary The esm.sh CDN service contains a Template Literal Injection vulnerability CWE-94 in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, esm.sh converts it to a JavaScript module by embedding the CSS content directly into a...