MAL-2025-141310 Malicious code in css-loader-phenomic-phoebe-node-config (npm)
Source: amazon-inspector 07cd1ff25e1d1dab0ec49a40130c27cf086276094946c1578b49eb29788edac9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-140484 Malicious code in castor-fetch-webdriver-manager-mini-css-extract-plugin (npm)
Source: amazon-inspector 51232fa12f2d0aa1acb5f8f227042e036d7eab4c9faf1918109f2c1b887da57f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-144607 Malicious code in lyra-eleventy-phenomic-css-loader (npm)
Source: amazon-inspector 781feae0250f509d58698804ac377422ae24d83a75e63818a4dd45c7520a7fa5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-146349 Malicious code in polaris-jabbah-hermes-css-minimizer-webpack-plugin (npm)
Source: amazon-inspector e89da1dae41a7ae32c18eca5e6979e685dd654c9c55d76cee9c556388ceaa2cf This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-146162 Malicious code in phoebe-metalsmith-css-minimizer-webpack-plugin-umbra (npm)
Source: amazon-inspector 1c7758742d6ce3f84c41f899059c9fa2f6d10ec4d81abe2446f4316493355a77 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-141335 Malicious code in css-minimizer-webpack-plugin-ursa-hexo-antares (npm)
Source: amazon-inspector 638e5940c3692e0184723af4b60b6ab2fc2f47716e729018664d180a463eb807 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-148591 Malicious code in testcafe-css-loader-uglify-js-tailwindcss (npm)
Source: amazon-inspector b040a662f7e8b05e1b6d1cf3784fc142e5ab38537763c5ba7fe1b304a1f7eaaa This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-111133
Malicious code in mini-css-extract-plugin-nightwatch-ignite-capella npm...
EUVD-2025-38227
Malicious code in tailwindcss-aerowind npm...
CVE-2025-11162
The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2.19.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
CVE-2025-11162
CVE-2025-11162 affects Spectra Gutenberg Blocks – Website Builder for the Block Editor (WordPress plugin family). A stored cross-site scripting vulnerability exists via Custom CSS in all versions up to 2.19.14 (authenticated attacker with Contributor+ privileges can inject scripts executed on pag...
CVE-2025-11162 Spectra <= 2.19.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom CSS
The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Custom CSS in all versions up to, and including, 2.19.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticat...
WordPress Qi Blocks plugin missing authorization vulnerability
WordPress Qi Blocks plugin is a WordPress plugin developed by QodeInteractive, providing 81 customized Gutenberg blocks including 48 free modules and 33 premium modules, supporting WooCommerce, SEO and other 9 categories of functionality, creating complex layouts and integrating 550+ templates. A...
Unity Linux 20.1070a Security Update: kernel (UTSA-2025-989827)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-989827 advisory. In the Linux kernel, the following vulnerability has been resolved: cgroup: Use separate src/dst nodes when preloading css_sets for migration Each cset (css_set) is pinn...
CVE-2025-12180
The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the qi-blocks/v1/update-styles REST API endpoint without proper sanitization in the updateglobalstylescallbac...
CVE-2025-11928
The CSS & JavaScript Toolbox plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 12.0.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...
CVE-2025-12180 Qi Blocks <= 1.4.3 - Missing Authorization to Authenticated (Contributor+) Plugin Settings Update
The Qi Blocks plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.4.3. This is due to the plugin storing arbitrary CSS styles submitted via the qi-blocks/v1/update-styles REST API endpoint without proper sanitization in the updateglobalstylescallbac...