
116 matches found

Positive Technologies
added 2026/05/10 12:0 a.m., 4 views

PT-2026-39521

Projectsend r1295 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting crafted input in the 'name' parameter of files-edit.php. Attackers can inject JavaScript payloads through the file name field that execute in the...

6.4 CVSS, 5.7 AI score, 0.00034 EPSS
Exploits: 0, References: 5

CNNVD
added 2026/04/27 12:0 a.m., 3 views

itsourcecode Courier Management System Injection Vulnerability

itsourcecode Courier Management System is an open-source courier management system developed by itsourcecode. Version 1.0 of the itsourcecode Courier Management System has a vulnerability related to parameter handling in the file/editbranch.php, which may lead to SQL injection attacks...

7.5 CVSS, 7.2 AI score, 0.00043 EPSS
Exploits: 0, References: 1

Github Security Blog
added 2026/04/06 11:9 p.m., 2 views

PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator

The Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the target path, malicious actions can overwrite sensitive...

10 CVSS, 6.2 AI score, 0.00076 EPSS
Exploits: 1, References: 4, Affected Software: 1

OSV
added 2026/04/06 11:9 p.m., 2 views

GHSA-JFXC-V5G9-38XR PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator

The Action Orchestrator feature contains a Path Traversal vulnerability that allows an attacker or compromised agent to write to arbitrary files outside of the configured workspace directory. By supplying relative path segments ../ in the target path, malicious actions can overwrite sensitive...

9 CVSS, 6.2 AI score, 0.00076 EPSS
Exploits: 1, References: 4

Positive Technologies
added 2026/04/06 12:0 a.m., 1 view

PT-2026-30764

Name of the Vulnerable Software and Affected Versions: PraisonAI versions prior to 1.5.113. Description: PraisonAI, a multi-agent teams system, contains a Path Traversal vulnerability in the Action Orchestrator feature. An attacker, or a compromised agent, can write to arbitrary files outside of the...

9 CVSS, 6.2 AI score, 0.00076 EPSS
Exploits: 1, References: 10

RedhatCVE
added 2026/03/26 3:1 p.m., 2 views

CVE-2026-33517

Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, when deleting a Tag tagdelete.php, improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Versi...

8.6 CVSS, 6 AI score, 0.00049 EPSS
Exploits: 0, References: 1

ATTACKERKB
added 2026/03/23 7:13 p.m., 1 view

CVE-2026-33517

Mantis Bug Tracker MantisBT is an open source issue tracker. In version 2.28.0, when deleting a Tag tagdelete.php, improper escaping of its name when displaying the confirmation message allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript. Versi...

8.6 CVSS, 6 AI score, 0.00049 EPSS
Exploits: 0, References: 4

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 2 views

Malicious code in cors-zenobia-dagda-lint (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4774c26a7e13e3aed6382b1e29215111ee924a655f6e4f8b58e9d34e7329f447 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 2 views

Malicious code in view-visualize-nu-shell-small (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e87b26929fbb1f75d8efa9ab61151f6081a056a832e1c145064abd8cb24e66e6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0

OSV
added 2025/11/13 3:23 a.m., 1 view

MAL-2025-186832 Malicious code in eslint-config-antares-deneb-scorpius (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 00eb647f01cde44b919b7bae8593ca4cfa9bd03da63424fbcc6662f5c874e127 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8 AI score
Exploits: 0

OSV
added 2025/11/13 3:23 a.m., 1 view

MAL-2025-188491 Malicious code in package-eventhoriz-gammarayburst-parsec (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be04f1c66dbc50675b3c662cb03f969dce4e3ba82f68939b2b1971c8c1fd86ed This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8 AI score
Exploits: 0

OSV
added 2025/11/12 10:25 p.m., 1 view

MAL-2025-181892 Malicious code in avarag-obios-bimaaogi (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fa859dba0320e214b64becb496c2d76474138c84ea0c45735c72f5765159418 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8 AI score
Exploits: 0

OSSF Malicious Packages
added 2025/11/12 10:25 p.m., 2 views

Malicious code in indea-fodioj-agaafba (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8ffa415c0e94f44db41fb74a51cd7d2414bbc6a4ec9868b2d2bd1ed899aac6fe This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0

OSSF Malicious Packages
added 2025/11/12 7:18 p.m., 2 views

Malicious code in kapvino-soafadi-vnnds (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 920d25ce683ea4811a23d44f5f9554e3ca21085c5ca5ab6dc722d2b7b415518d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0

OSSF Malicious Packages
added 2025/11/12 7:18 p.m., 2 views

Malicious code in buta-fs0boina-ifa (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d3bc94b7cbc11cab9cc9d34e9654b28f148429de99f92624de3b070923e20456 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0

OSV
added 2025/11/12 7:18 p.m., 1 view

MAL-2025-173366 Malicious code in buta-fasag-fnda (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1d20cd3d844516ec18869c472e7f8cad7750125a7e796041190a1c9c23419afa This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8 AI score
Exploits: 0

OSSF Malicious Packages
added 2025/11/12 4:47 p.m., 2 views

Malicious code in piluka-kama-bicuibai (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 58dc45a45626d26b29aa6b7a9cea250cc2660c07a5a4bf62d6015cdcf565ddf2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0

OSV
added 2025/11/12 4:47 p.m., 1 view

MAL-2025-162175 Malicious code in nokire-abimanyu6 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a2ba1ae16c5bccb4d75eecf47bf53d0d8218adf7e66806c54518908a06797dd5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8 AI score
Exploits: 0

OSV
added 2025/11/12 4:47 p.m., 1 view

MAL-2025-160282 Malicious code in messi-aa-sffs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea49bb468710a43ee3c59ac041576feca7a9bd7b5c6029a0dfb33be1138d6b87 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.8 AI score
Exploits: 0

OSSF Malicious Packages
added 2025/11/12 4:47 p.m., 2 views

Malicious code in air-poke26 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aea84b6125c44ae5d5724d3889af4630d3aa284d07a815d13596fe0a7c82d5bc This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0