
290 matches found

OSV
added 2025/10/07 4:38 a.m., 3 views

MAL-2025-48012 Malicious code in webpack-dev-serve-middleware (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware fb201f67e4df2c2951dcebb70620a58ed8d7c1862d4697b4e14b2e95b6673d84 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9 AI score
Exploits: 0, References: 1
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2020-0573

Malware in sbrugna...

7.5 CVSS, 7.6 AI score, 0.01768 EPSS
Exploits: 1, References: 3
EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2019-0183

Malware in sbrugna...

7.5 CVSS, 7.4 AI score, 0.02434 EPSS
Exploits: 1, References: 9
EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2025-16764

Malicious code in bioql PyPI...

7.5 CVSS, 7.5 AI score, 0.00287 EPSS
Exploits: 1, References: 6
EUVD
added 2025/10/03 8:7 p.m., 4 views

EUVD-2025-16767

Malicious code in bioql PyPI...

5.9 CVSS, 7.4 AI score, 0.00427 EPSS
Exploits: 1, References: 4
EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2022-7270

Malicious code in bioql PyPI...

7.5 CVSS, 7.5 AI score, 0.00959 EPSS
Exploits: 1, References: 4
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2022-7708

Malicious code in bioql PyPI...

7.5 CVSS, 7.5 AI score, 0.01343 EPSS
Exploits: 1, References: 6
EUVD
added 2025/10/03 8:7 p.m., 5 views

EUVD-2025-27181

Malicious code in bioql PyPI...

5.3 CVSS, 6.3 AI score, 0.0118 EPSS
Exploits: 1, References: 6
EUVD
added 2025/10/03 8:7 p.m., 5 views

EUVD-2025-27180

Malicious code in bioql PyPI...

5.3 CVSS, 6.3 AI score, 0.00586 EPSS
Exploits: 1, References: 5
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2025-25476

Malicious code in bioql PyPI...

6 CVSS, 6.4 AI score, 0.00394 EPSS
Exploits: 0, References: 6
Cvelist
added 2025/09/19 3:30 p.m., 8 views

CVE-2025-59427 Cloudflare vite plugin exposes secrets over the built-in dev server

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as...

6.3 CVSS, 0.00358 EPSS
Exploits: 0, References: 4
CVE
added 2025/09/19 3:30 p.m., 17 views

CVE-2025-59427

The Cloudflare Vite plugin is vulnerable when used in its default configuration, exposing all files on the local dev server (including root files like .env and .dev.vars) via the Workers runtime integration. Affected: Cloudflare Vite plugin within the Cloudflare Workers SDK. Root cause: default d...

6.3 CVSS, 6 AI score, 0.00358 EPSS
Exploits: 0, References: 4
OSV
added 2025/09/19 3:30 p.m., 4 views

CVE-2025-59427 Cloudflare vite plugin exposes secrets over the built-in dev server

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as...

6.3 CVSS, 6.2 AI score, 0.00358 EPSS
Exploits: 0, References: 6
RedhatCVE
added 2025/09/19 12:29 a.m., 16 views

CVE-2025-56648

npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them. Mitigation: Mitigation for this issue is either not available o...

6.5 CVSS, 6.5 AI score, 0.00222 EPSS
Exploits: 1, References: 6
vulnersOsv
added 2025/09/17 9:30 p.m., 5 views

@adobe/aio-cli (>=7.0.0 <=8.3.0), @adobe/aio-cli-plugin-app (>=7.0.0 <=8.6.1) +31 more potentially affected by CVE-2025-56648 via @parcel/reporter-dev-server (>=2.0.0-beta.1 <=2.16.3)

@parcel/reporter-dev-server NPM version =2.0.0-beta.1, =7.0.0, =7.0.0, =1.0.0, =5.0.0, =2.3.0, =3.3.6, =2.1.0, =1.0.0-alpha.27, =2.0.0, =2.0.0, =0.0.2, =0.0.2, =2.0.0-beta.1, =2.13.4-canary.3389, =2.13.4-canary.3403 and more Source cves: CVE-2025-56648 Source advisory: OSV:GHSA-QM9P-F9J5-W83W...

6.5 CVSS, 5.4 AI score, 0.00222 EPSS
Exploits: 1
vulnersOsv
added 2025/09/17 7:43 p.m., 6 views

@58860ed6ffd9e897/gold-finger-extension (=1.0.2), @ableaura/ableui (=0.1.0) +1498 more potentially affected by CVE-2025-56648 via @parcel/reporter-dev-server (>=2.0.0-beta.1 <=2.9.3)

@parcel/reporter-dev-server NPM version =2.0.0-beta.1, =5.1.9, =7.0.0, =8.3.0-pre.2022-06-22.sha-42703caf, =7.0.0, =0.1.0, =1.0.0, =5.0.0, =0.0.9, =0.0.1, =5.1.0, =5.2.5 and more Source cves: CVE-2025-56648 Source advisory: SNYK:JS-PARCELREPORTERDEVSERVER-12878606...

6.5 CVSS, 5.4 AI score, 0.00222 EPSS
Exploits: 1
Snyk
added 2025/09/17 7:43 p.m., 3 views

Origin Validation Error

Overview: @parcel/reporter-dev-server is a Blazing fast, zero configuration web application bundler. Affected versions of this package are vulnerable to Origin Validation Error via improper origin validation in the development server. An attacker can access source code by tricking a developer into...

6.5 CVSS, 6.5 AI score, 0.00222 EPSS
Exploits: 1, References: 2
Veracode
added 2025/09/17 6:51 a.m., 4 views

Directory Traversal

vite-plugin-static-copy is vulnerable to Directory Traversal. The vulnerability is due to improper access control because apps exposing the Vite dev server to the network --host or server.host config option allow attackers to retrieve arbitrary files by which an attacker can access arbitrary file...

6 CVSS, 6.9 AI score, 0.00394 EPSS
Exploits: 0, References: 3, Affected Software: 1
Tenable Nessus
added 2025/09/14 12:0 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2025-30360

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source...

7.5 CVSS, 7.2 AI score, 0.02434 EPSS
Exploits: 2, References: 2
Tenable Nessus
added 2025/09/14 12:0 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2025-30359

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source...

5.9 CVSS, 7.3 AI score, 0.00427 EPSS
Exploits: 1, References: 2