11 matches found

OSV
added 2026/05/20 8:40 p.m. | 6 views

MAL-2026-4705 Malicious code in vite-json-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a7c9683fed8b8696938eb7ad88e158f70a075851b0dd511af991ecd69a4d0fd The package presents itself as a vite/tsconfig path helper and clones the public API of tsconfig-paths createMatchPath, matchFromAbsolutePaths,...

6.3 AI score
Exploits: 0 | References: 1
OSSF Malicious Packages
added 2026/05/20 8:40 p.m. | 8 views

Malicious code in vite-json-config (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a7c9683fed8b8696938eb7ad88e158f70a075851b0dd511af991ecd69a4d0fd The package presents itself as a vite/tsconfig path helper and clones the public API of tsconfig-paths createMatchPath, matchFromAbsolutePaths,...

6.3 AI score
Exploits: 0 | References: 1
OSV
added 2026/02/24 4:30 p.m. | 1 views

CVE-2026-27589 Caddy vulnerable to cross-origin config application via local admin API /load (caddy)

Caddy is an extensible server platform that uses TLS by default. Prior to version 2.11.1, the local caddy admin API (default listen 127.0.0.1:2019) exposes a state-changing POST /load endpoint that replaces the entire running configuration. When origin enforcement is not enabled (enforce_origin not...

8.2 CVSS | 5.5 AI score | 0.00027 EPSS
Exploits: 1 | References: 6
OSV
added 2026/02/19 8:44 p.m. | 2 views

GHSA-8423-W5WX-H2R6 Pannellum has a XSS vulnerability in hot spot attributes

Impact The hot spot attributes configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for potential XSS attacks. This affects websites hosting the standalone viewer HTML file and any other use of untrusted JSON config files bypassing the...

5.3 CVSS | 6.2 AI score | 0.00028 EPSS
Exploits: 0 | References: 4
EUVD
added 2025/10/03 8:7 p.m. | 1 views

EUVD-2021-9680

Malicious code in bioql PyPI...

8.2 CVSS | 7.6 AI score | 0.00063 EPSS
Exploits: 0 | References: 2
Packet Storm
added 2025/07/30 12:0 a.m. | 257 views

Caddy 2.10.0 Server-Side Request Forgery

Caddy version 2.10.0 suffers from a server-side request forgery vulnerability via a JSON configuration injection. Exploit Title: Caddy 2.10.0 - Admin API SSRF via JSON Config Injection Date: 2025-07-10 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://caddyserver.com/ Software Link:...

7.7 AI score
Exploits: 0
NVD
added 2021/04/16 11:15 a.m. | 10 views

CVE-2021-22539

An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint .bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recomme...

8.2 CVSS | 0.00063 EPSS
Exploits: 0 | References: 2
Prion
added 2021/04/16 11:15 a.m. | 6 views

Path traversal

An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint .bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recomme...

6.8 CVSS | 7.6 AI score | 0.00063 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
Cvelist
added 2021/04/16 10:15 a.m. | 15 views

CVE-2021-22539 Code execution in VSCode-bazel via malicious Bazel config files

An attacker can place a crafted JSON config file into the project folder pointing to a custom executable. VScode-bazel allows the workspace path to lint .bzl files to be set via this config file. As such the attacker is able to execute any executable on the system through vscode-bazel. We recomme...

8.2 CVSS | 8.4 AI score | 0.00063 EPSS
Exploits: 0 | References: 2
CVE
added 2021/04/16 10:15 a.m. | 45 views

CVE-2021-22539

CVE-2021-22539 affects vscode-bazel. A crafted JSON config file in the project folder can point to a custom executable, because vscode-bazel allows the workspace path to lint *.bzl files to be set via this config. This enables execution of any executable on the system through vscode-bazel. The re...

8.2 CVSS | 7.8 AI score | 0.00063 EPSS
Exploits: 0 | References: 2 | Affected Software: 1
OSV
added 2017/10/27 4:29 p.m. | 1 views

DEBIAN-CVE-2017-15924

In manager.c in ss-manager in shadowsocks-libev 3.1.0, improper parsing allows command injection via shell metacharacters in a JSON configuration request received via 127.0.0.1 UDP traffic, related to the add_server, build_config, and construct_command_line functions...

7.8 CVSS | 7.6 AI score | 0.00451 EPSS
Exploits: 1 | References: 1