110 matches found

vulnersOsv
added 2026/05/19 12:00 a.m., 9 views

@antv/gi-assets-advance (>=1.0.0 <=2.5.22), @antv/gi-assets-algorithm (>=2.0.1 <=2.3.19) +12 more potentially affected by unknown CVE via @antv/gi-common-components (>=1.1.1 <=1.3.9)

@antv/gi-common-components NPM version =1.1.1, =1.0.0, =2.0.1, =1.0.0, =1.1.1, =2.0.5, =1.0.1, =1.0.1, =2.0.1, =2.0.1, =2.0.2, =0.1.0, =0.1.0, =2.0.1, =0.6.30, =0.6.43 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4012...

AI score: 5.8
Exploits: 0
OSV
added 2026/05/19 12:00 a.m., 1 view

MAL-2026-4016 Malicious code in @antv/gi-sdk-app (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 4
vulnersOsv
added 2026/05/19 12:00 a.m., 5 views

@antv/gi-assets-xlab (>=0.1.0 <=0.1.30) potentially affected by unknown CVE via @antv/gi-assets-basic (=2.4.40)

@antv/gi-assets-basic NPM version =2.4.40 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/gi-assets-basic and may be impacted: - @antv/gi-assets-xlab =0.1.0, =0.1.30 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4001...

AI score: 5.8
Exploits: 0
OSV
added 2026/05/19 12:00 a.m., 7 views

MAL-2026-4015 Malicious code in @antv/gi-sdk (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 4
OSV
added 2026/05/19 12:00 a.m., 3 views

MAL-2026-4011 Malicious code in @antv/gi-cli (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 4
OSSF Malicious Packages
added 2026/05/19 12:00 a.m., 6 views

Malicious code in @antv/gi-assets-advance (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 5
OSSF Malicious Packages
added 2026/05/19 12:00 a.m., 6 views

Malicious code in @antv/gi-assets-basic (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 4
OSSF Malicious Packages
added 2026/05/19 12:00 a.m., 7 views

Malicious code in @antv/gi-cli (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score: 5.8
Exploits: 0, References: 4
vulnersOsv
added 2026/05/19 12:00 a.m., 5 views

@antv/gi-assets-xlab (>=0.1.0 <=0.1.30) potentially affected by unknown CVE via @antv/gi-theme-antd (=0.6.11)

@antv/gi-theme-antd NPM version =0.6.11 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/gi-theme-antd and may be impacted: - @antv/gi-assets-xlab =0.1.0, =0.1.30 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4017...

AI score: 5.8
Exploits: 0
vulnersOsv
added 2026/05/19 12:00 a.m., 5 views

@antv/gi-assets-xlab (>=0.1.0 <=0.1.30) potentially affected by unknown CVE via @antv/gi-assets-neo4j (=2.1.15)

@antv/gi-assets-neo4j NPM version =2.1.15 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/gi-assets-neo4j and may be impacted: - @antv/gi-assets-xlab =0.1.0, =0.1.30 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4006...

AI score: 5.8
Exploits: 0
OPENSUSE Linux
added 2026/04/21 12:00 a.m., 2 views

Security update for python-gi-docgen (moderate)

openSUSE security update: security update for python-gi-docgen. Announcement ID: openSUSE-SU-2026:20497-1. Rating: moderate. References: bsc1251961. Cross-References: CVE-2025-11687. CVSS scores: CVE-2025-11687 SUSE : 5.8...

CVSS: 5.8, AI score: 5.7, EPSS: 0.00007
Exploits: 0, References: 1
OSV
added 2026/04/09 2:47 p.m., 1 view

OPENSUSE-SU-2026:20497-1 Security update for python-gi-docgen

This update for python-gi-docgen fixes the following issues: - CVE-2025-11687: Fixed reflected DOM XSS bsc1251961...

CVSS: 6.1, AI score: 5.8, EPSS: 0.00007
Exploits: 0, References: 2
OSV
added 2026/04/09 2:40 p.m., 2 views

SUSE-SU-2026:21159-1 Security update for python-gi-docgen

This update for python-gi-docgen fixes the following issues: - CVE-2025-11687: Fixed reflected DOM XSS bsc1251961...

CVSS: 6.1, AI score: 5.7, EPSS: 0.00007
Exploits: 0, References: 3
OSV
added 2026/01/26 9:30 p.m., 3 views

GHSA-6P6H-RQR6-62MV GI-DocGen vulnerable to Reflected XSS via unescaped query strings

A flaw was found in GI-DocGen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter reflected DOM XSS...

CVSS: 6.1, AI score: 6, EPSS: 0.00007
Exploits: 0, References: 6
Snyk
added 2026/01/26 9:30 p.m., 2 views

Cross-site Scripting (XSS)

Overview gi-docgen is a Documentation tool for GObject-based libraries Affected versions of this package are vulnerable to Cross-site Scripting XSS via the q GET parameter. An attacker can execute arbitrary JavaScript in the context of the page by crafting a malicious URL that injects code into t...

CVSS: 6.1, AI score: 6, EPSS: 0.00007
Exploits: 0, References: 2
Github Security Blog
added 2026/01/26 9:30 p.m., 7 views

GI-DocGen vulnerable to Reflected XSS via unescaped query strings

A flaw was found in GI-DocGen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter reflected DOM XSS...

CVSS: 6.1, AI score: 6, EPSS: 0.00007
Exploits: 0, References: 6, Affected Software: 1
NVD
added 2026/01/26 8:16 p.m., 2 views

CVE-2025-11687

A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter reflected DOM XSS...

CVSS: 6.1, EPSS: 0.00007
Exploits: 0, References: 3
OSV
added 2026/01/26 8:16 p.m., 2 views

UBUNTU-CVE-2025-11687

A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter reflected DOM XSS...

CVSS: 6.1, AI score: 6, EPSS: 0.00007
Exploits: 0, References: 4
ATTACKERKB
added 2026/01/26 7:36 p.m., 3 views

CVE-2025-11687

A flaw was found in the gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page — enabling DOM access, session cookie theft and other client-side attacks — via a crafted URL that supplies a malicious value to the q GET parameter reflected DOM XSS...

CVSS: 6.1, AI score: 6, EPSS: 0.00007
Exploits: 0, References: 4
CVE
added 2026/01/26 7:36 p.m., 17 views

CVE-2025-11687

The CVE-2025-11687 issue affects the gi-docgen library and is confirmed by multiple sources (GHSA advisory, NVD/Red Hat entry, Debian/Amazon Linux advisories). It is a reflected DOM XSS vulnerability where an unescaped q query parameter allows arbitrary JavaScript execution in the page context, e...

CVSS: 6.1, AI score: 6, EPSS: 0.00007
Exploits: 0, References: 3