UBUNTU-CVE-2025-59840

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...

EUVD-2025-26604

This CVE ID was assigned in error to a vulnerability that was both introduced and fixed before the code landed in the Stable channel of Chrome, and has been withdrawn...

Prototype Pollution

Overview org.webjars.bowergithub.nodeca:js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Prototype Pollution via the merge function. An attacker can alter object prototypes by supplying specially crafted YAML documents containing proto...

Prototype Pollution

Overview org.webjars:js-yaml is a human-friendly data serialization language. Affected versions of this package are vulnerable to Prototype Pollution via the merge function. An attacker can alter object prototypes by supplying specially crafted YAML documents containing proto properties. This can...

org.webjars.bowergithub.lostinbrittany:granite-yaml (=1.1.0) potentially affected by CVE-2025-64718 via org.webjars.bowergithub.nodeca:js-yaml (=3.14.1)

org.webjars.bowergithub.nodeca:js-yaml MAVEN version =3.14.1 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.bowergithub.nodeca:js-yaml and may be impacted: - org.webjars.bowergithub.lostinbrittany:granite-yaml =1.1.0 Source cves:...

CVE-2025-64718

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution proto. All users who parse untrusted yaml documents may be impacted. The problem is patched in...

CVE-2025-64718 js-yaml has prototype pollution in merge (<<)

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution proto. All users who parse untrusted yaml documents may be impacted. The problem is patched in...

firefox: thunderbird: Incorrect boundary conditions in the JavaScript: WebAssembly component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Incorrect boundary conditions in the JavaScript: WebAssembly component...

firefox: thunderbird: Incorrect boundary conditions in the JavaScript: WebAssembly component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Incorrect boundary conditions in the JavaScript: WebAssembly component...

EUVD-2025-180127

Malicious code in baryon-perturbation-javascript-pyxis npm...

EUVD-2025-178284

Malicious code in javascript-hyperion-quantumfoam-rate-limiter npm...

EUVD-2025-176745

Malicious code in registry-readable-nucleosynthesis-jsonp npm...

EUVD-2025-178850

Malicious code in fornax-library-eslint-javascript npm...

EUVD-2025-178281

Malicious code in jekyll-deneb-uglify-js-paleobotany npm...

MAL-2025-185464 Malicious code in antares-cluster-ursa-javascript (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0d84a4b00a7033fc3fa3800a11c657e0a534a6b461ccf0deda2a4f531f6b3468 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-178769

Malicious code in ganymede-style-loader-xanthus-javascript npm...

Malicious code in postcss-loader-prosthetics-loopback-javascript (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 51f9f63b6e2e1816f62d699a65d1f5b8c88dc6d76c09ded78c5dca4dcc42d958 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in sagitta-javascript-process-telesto (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 192f71261f706f28676541bb8ebc25a651c6bcd39f95de4ed5e6634af129bbed This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

EUVD-2025-176165

Malicious code in subduction-middleware-javascript-supernova npm...

EUVD-2025-176994

Malicious code in prosthetics-outercore-javascript-taphonomy npm...