117 matches found
PT-2026-39521
Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the...
itsourcecode Courier Management System 注入漏洞
itsourcecode Courier Management System is an open-source courier management system developed by itsourcecode. Version 1.0 of the itsourcecode Courier Management System has a vulnerability related to parameter handling in the file/editbranch.php, which may lead to SQL injection attacks...
GHSA-JFXC-V5G9-38XR PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator
The Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the target path, malicious actions can overwrite sensitive...
PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator
The Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the target path, malicious actions can overwrite sensitive...
PT-2026-30764
Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 1.5.113 Description PraisonAI, a multi-agent teams system, contains a Path Traversal vulnerability in the Action Orchestrator feature. An attacker, or a compromised agent, can write to arbitrary files outside of the...
CVE-2026-33517
Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, when deleting a Tag tagdelete.php, improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Versi...
CVE-2026-33517
Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, when deleting a Tag tagdelete.php, improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Versi...
MAL-2025-186832 Malicious code in eslint-config-antares-deneb-scorpius (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 00eb647f01cde44b919b7bae8593ca4cfa9bd03da63424fbcc6662f5c874e127 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in view-visualize-nu-shell-small (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e87b26929fbb1f75d8efa9ab61151f6081a056a832e1c145064abd8cb24e66e6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-188491 Malicious code in package-eventhoriz-gammarayburst-parsec (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be04f1c66dbc50675b3c662cb03f969dce4e3ba82f68939b2b1971c8c1fd86ed This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in cors-zenobia-dagda-lint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4774c26a7e13e3aed6382b1e29215111ee924a655f6e4f8b58e9d34e7329f447 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in indea-fodioj-agaafba (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ffa415c0e94f44db41fb74a51cd7d2414bbc6a4ec9868b2d2bd1ed899aac6fe This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-181892 Malicious code in avarag-obios-bimaaogi (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fa859dba0320e214b64becb496c2d76474138c84ea0c45735c72f5765159418 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in kapvino-soafadi-vnnds (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 920d25ce683ea4811a23d44f5f9554e3ca21085c5ca5ab6dc722d2b7b415518d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-173366 Malicious code in buta-fasag-fnda (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d20cd3d844516ec18869c472e7f8cad7750125a7e796041190a1c9c23419afa This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in buta-fs0boina-ifa (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d3bc94b7cbc11cab9cc9d34e9654b28f148429de99f92624de3b070923e20456 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in air-poke26 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aea84b6125c44ae5d5724d3889af4630d3aa284d07a815d13596fe0a7c82d5bc This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-162175 Malicious code in nokire-abimanyu6 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a2ba1ae16c5bccb4d75eecf47bf53d0d8218adf7e66806c54518908a06797dd5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in diago-kamoi-liumakuakoimo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 82d947b20a4c111111334a2d235e96c7c0724d69ebec310099acd3006a4858fa This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in piluka-kama-bicuibai (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58dc45a45626d26b29aa6b7a9cea250cc2660c07a5a4bf62d6015cdcf565ddf2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...