
167 matches found

vulnersOsv
added 2026/05/19 12:0 a.m., 11 views

@antv/li-sam-assets (>=0.1.1 <=0.1.4) potentially affected by unknown CVE via @antv/insight-component (=1.0.0)

@antv/insight-component NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/insight-component and may be impacted:
- @antv/li-sam-assets =0.1.1, =0.1.4
Source CVEs: unknown CVE
Source advisory: OSV:MAL-2026-4029...

5.8 AI score
Exploits: 0

vulnersOsv
added 2026/05/19 12:0 a.m., 11 views

@antv/li-analysis-assets (>=1.0.0 <=1.9.1), @antv/li-core-assets (>=1.0.0 <=1.3.7) +3 more potentially affected by unknown CVE via @antv/li-sdk (=1.5.1)

@antv/li-sdk NPM version =1.5.1 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/li-sdk and may be impacted:
- @antv/li-analysis-assets =1.0.0, =1.0.0, =1.0.0, =0.0.1, =0.0.2
Source CVEs: unknown CVE
Source advisory: OSV:MAL-2026-4065...

5.8 AI score
Exploits: 0

OSSF Malicious Packages
added 2026/05/19 12:0 a.m., 7 views

Malicious code in @antv/li-p2 (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8 AI score
Exploits: 0, References: 5

OSSF Malicious Packages
added 2026/05/19 12:0 a.m., 5 views

Malicious code in @antv/li-editor (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8 AI score
Exploits: 0, References: 4

CNNVD
added 2026/05/08 12:0 a.m., 4 views

Linux kernel security vulnerability

The Linux kernel is the core of the open-source operating system Linux, developed by the Linux Foundation in the United States. There is a security vulnerability in the Linux kernel, which stems from the xhci driver’s failure to properly handle cases where the port count exceeds the number of...

5.5 CVSS, 5.8 AI score, 0.00014 EPSS
Exploits: 0, References: 2

Cvelist
added 2026/04/05 3:30 p.m., 25 views

CVE-2026-5577 Song-Li cross_browser details Endpoint uniquemachine_app.py sql injection

A vulnerability has been found in Song-Li cross_browser up to ca690f0fe6954fd9bcda36d071b68ed8682a786a. This affects an unknown part of the file flask/uniquemachine_app.py of the component details Endpoint. Such manipulation of the argument ID leads to sql injection. The attack can be executed...

7.5 CVSS, 0.00055 EPSS
Exploits: 1, References: 4

Vulnrichment
added 2026/04/05 3:30 p.m., 3 views

CVE-2026-5577 Song-Li cross_browser details Endpoint uniquemachine_app.py sql injection

A vulnerability has been found in Song-Li cross_browser up to ca690f0fe6954fd9bcda36d071b68ed8682a786a. This affects an unknown part of the file flask/uniquemachine_app.py of the component details Endpoint. Such manipulation of the argument ID leads to sql injection. The attack can be executed...

7.5 CVSS, 6.7 AI score, 0.00055 EPSS
Exploits: 1, References: 4

CNNVD
added 2026/04/05 12:0 a.m., 3 views

Cross browser fingerprinting SQL injection vulnerability

Cross browser fingerprinting is a cross-browser user tracking fingerprint library developed by Song Li as an individual developer. Cross browser fingerprinting has a SQL injection vulnerability, which stems from incorrect handling of parameter IDs in the flask/uniquemachine_app.py file. This...

8.6 CVSS, 7.2 AI score, 0.00055 EPSS
Exploits: 1, References: 5

Positive Technologies
added 2026/04/05 12:0 a.m., 1 views

PT-2026-30446

Name of the Vulnerable Software and Affected Versions: Song-Li cross browser up to ca690f0fe6954fd9bcda36d071b68ed8682a786a
Description: A vulnerability exists in Song-Li cross browser, potentially allowing for SQL injection. The issue affects an unknown part of the flask/uniquemachine_app.py file...

8.6 CVSS, 6.7 AI score, 0.00055 EPSS
Exploits: 1, References: 9

RustSec
added 2026/02/19 12:0 p.m., 3 views

`rpc-check` was removed from crates.io for malicious code

It was attempting to steal credentials from the POLYMARKETPRIVATEKEY environment variable. The malicious crate had 3 versions published on 2026-02-15 and had been downloaded only 155 times. There were no crates depending on this crate on crates.io. Thanks to Sisong Li for finding and reporting th...

5.5 AI score
Exploits: 0

OSV
added 2026/02/19 12:0 p.m., 3 views

RUSTSEC-2026-0014 `rpc-check` was removed from crates.io for malicious code

It was attempting to steal credentials from the POLYMARKETPRIVATEKEY environment variable. The malicious crate had 3 versions published on 2026-02-15 and had been downloaded only 155 times. There were no crates depending on this crate on crates.io. Thanks to Sisong Li for finding and reporting th...

5.5 AI score
Exploits: 0, References: 2

CNNVD
added 2026/01/24 12:0 a.m., 1 views

MyTube security vulnerability

MyTube is a self-hosted video downloader and player developed by Peifan Li. Versions of MyTube prior to 1.7.78 contained security vulnerabilities, which stemmed from insufficient input validation in the settings management function. These vulnerabilities could lead to large-scale distribution...

5.3 CVSS, 5.8 AI score, 0.0002 EPSS
Exploits: 1, References: 3

RedhatCVE
added 2025/11/28 9:10 a.m., 4 views

CVE-2025-66360

An issue was discovered in Logpoint before 7.7.0. An improperly configured access control policy exposes sensitive Logpoint internal service Redis information to li-admin users. This can lead to privilege escalation...

8.8 CVSS, 6.7 AI score, 0.00054 EPSS
Exploits: 0, References: 1

EUVD
added 2025/11/28 12:30 a.m., 2 views

EUVD-2025-199837

An issue was discovered in Logpoint before 7.7.0. An improperly configured access control policy exposes sensitive Logpoint internal service Redis information to li-admin users. This can lead to privilege escalation...

6.9 CVSS, 6.2 AI score, 0.00054 EPSS
Exploits: 0, References: 2

OSV
added 2025/11/28 12:15 a.m., 0 views

CVE-2025-66360

An issue was discovered in Logpoint before 7.7.0. An improperly configured access control policy exposes sensitive Logpoint internal service Redis information to li-admin users. This can lead to privilege escalation...

8.8 CVSS, 5.8 AI score
Exploits: 0, References: 1

Cvelist
added 2025/11/27 12:0 a.m., 5 views

CVE-2025-66360

An issue was discovered in Logpoint before 7.7.0. An improperly configured access control policy exposes sensitive Logpoint internal service Redis information to li-admin users. This can lead to privilege escalation...

6.9 CVSS, 0.00054 EPSS
Exploits: 0, References: 1

CVE
added 2025/11/27 12:0 a.m., 5 views

CVE-2025-66360

Logpoint before 7.7.0 is affected. The issue stems from an improperly configured access control policy that exposes sensitive internal Redis service information to li-admin users, enabling privilege escalation. Affected software: Logpoint SIEM prior to 7.7.0. Root cause: misconfigured access cont...

8.8 CVSS, 6.3 AI score, 0.00054 EPSS
Exploits: 0, References: 1, Affected Software: 1

Vulnrichment
added 2025/11/27 12:0 a.m., 1 views

CVE-2025-66360

An issue was discovered in Logpoint before 7.7.0. An improperly configured access control policy exposes sensitive Logpoint internal service Redis information to li-admin users. This can lead to privilege escalation...

6.9 CVSS, 6.3 AI score, 0.00054 EPSS
Exploits: 0, References: 1

Positive Technologies
added 2025/11/27 12:0 a.m., 1 views

PT-2025-48284

An issue was discovered in Logpoint before 7.7.0. An improperly configured access control policy exposes sensitive Logpoint internal service Redis information to li-admin users. This can lead to privilege escalation...

6.9 CVSS, 6.7 AI score, 0.00054 EPSS
Exploits: 0, References: 2

OSSF Malicious Packages
added 2025/11/12 4:47 p.m., 2 views

Malicious code in masako-males-li (npm)

Source: amazon-inspector fec5a98d268f64cb646ae0435e664e728379913010e3629993bd972d94fdce30
This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits: 0