GHSA-X6VR-Q3VF-VQGQ REDAXO CMS is vulnerable to Reflected XSS in Mediapool Info Banner via args[types]
Summary: A reflected Cross-Site Scripting (XSS) vulnerability exists in the Mediapool view where the request parameter args[types] is rendered into an info banner without HTML-escaping. This allows arbitrary JavaScript execution in the backend context when an authenticated user visits a crafted link...
EUVD-2025-199596
Grype is a vulnerability scanner for container images and filesystems. A credential disclosure vulnerability was found in Grype, affecting versions 0.68.0 through 0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json= option, the registr...
GO-2025-4139 esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript in github.com/esm-dev/esm.sh
esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript in github.com/esm-dev/esm.sh...
Cross-site Scripting
form-to-database is vulnerable to Cross-Site Scripting. The vulnerability is due to improper handling of form values, where non-string inputs were not sanitized or safely normalized, and attackers can exploit this by injecting malicious JavaScript that executes when the data is rendered...
CVE-2025-65944
Sentry-Javascript is an official Sentry SDK for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true, it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers...
CVE-2025-65944 Sentry-Javascript deals with leaked sensitive headers when `sendDefaultPii` is set to `true`
Sentry-Javascript is an official Sentry SDK for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true, it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers...
EUVD-2025-199360
Malicious code in posthog-js npm...
EUVD-2025-199476
Malicious code in @oku-ui/popper npm...
EUVD-2025-199393
Malicious code in @voiceflow/runtime-client-js npm...
MAL-2025-191212 Malicious code in @dev-blinq/cucumber-js (npm)
Source: amazon-inspector (d1132d88ae30e1bec8fa386e5fcc5d015e82a253136ad4122d98d8ab816e1d38): The package @dev-blinq/cucumber-js was found to contain malicious code. Source: ghsa-malware...
PT-2025-47977
Sentry-Javascript is an official Sentry SDK for JavaScript. From version 10.11.0 to before 10.27.0, when a Node.js application using the Sentry SDK has sendDefaultPii: true, it is possible to inadvertently send certain sensitive HTTP headers, including the Cookie header, to Sentry. Those headers...
AlmaLinux 10 : firefox (ALSA-2025:21281)
The remote AlmaLinux 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the ALSA-2025:21281 advisory. firefox: Mitigation bypass in the DOM: Security component CVE-2025-13018 firefox: Use-after-free in the Audio/Video component CVE-2025-13014 firefox:...
AlmaLinux 9 : firefox (ALSA-2025:21280)
The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2025:21280 advisory. firefox: Mitigation bypass in the DOM: Security component CVE-2025-13018 firefox: Use-after-free in the Audio/Video component CVE-2025-13014 firefox:...
Malicious code in @trefox/sleekshop-js (npm)
Source: amazon-inspector (e5279bf872e21373d0b77ad0fdd98d44c8c59208f43a699e2517e6a5afb899c5): The package @trefox/sleekshop-js was found to contain malicious code. Source: ghsa-malware...
MAL-2025-190991 Malicious code in react-jam-icons (npm)
Source: amazon-inspector (369fe7c56e5f271a31e023cbe36323fc11043fc4747d0309c5c48aaa1eedf822): The package react-jam-icons was found to contain malicious code. Source: ghsa-malware 1c50426946a6dd92cf360d347aa3ed8f15988f3655c7721aff8dd0b8ff8e946...
EUVD-2025-199049
Malicious code in react-micromodal.js npm...
Embedded Malicious Code
Overview: posthog-js allows you to automatically capture usage and send events to PostHog. Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was remov...
Malicious code in @ensdomains/renewal (npm)
Source: amazon-inspector (9a66dd3b7f22e60f2047119e09a00f2034cd8c4d1844cad51f9a1c87515274c6): The package @ensdomains/renewal was found to contain malicious code. Source: ghsa-malware...
SUSE-SU-2025:4195-1 Security update for MozillaThunderbird
This update for MozillaThunderbird fixes the following issues: - Update Mozilla Thunderbird to version 140.5 bsc1253188 - CVE-2025-13012: Race condition in the Graphics component. - CVE-2025-13016: Incorrect boundary conditions in the JavaScript: WebAssembly component. - CVE-2025-13017: Same-orig...