18 matches found
Embedded Malicious Code
Overview: @fairwords/loopback-connector-es is a Basic Elasticsearch datasource connector for Loopback. Affected versions of this package are vulnerable to Embedded Malicious Code that mirrors the TeamPCP LiteLLM technique. What the postinstall payload does: - Harvests environment variables matchin...
Malicious code in @fairwords/loopback-connector-es (npm)
The @fairwords/loopback-connector-es package was compromised as part of the TeamPCP/CanisterWorm campaign. A postinstall hook executes `node scripts/check-env.js || true`, which performs multi-stage credential harvesting, encrypted exfiltration, and self-propagation. The payload harvests 40+...
Malicious code in loopback-connector-soap-elemetal (npm)
The package loopback-connector-soap-elemetal was found to contain malicious code...
MAL-2025-25593 Malicious code in loopback-connector-soap-elemetal (npm)
The package loopback-connector-soap-elemetal was found to contain malicious code...
Security Bulletin: IBM App Connect Enterprise Certified Container IntegrationServer operands that use the postgresql connector code may be vulnerable to SQL Injection due to [CVE-2022-35942]
Summary: The postgresql Loopback connector is available in the IntegrationServer image from IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container does not use this component directly but it is available for use by an application developed to run in an...
SQL Injection
loopback-connector-postgresql is vulnerable to SQL injection attacks. The vulnerability exists in the buildExpression function in postgresql.js because user-provided inputs for the `contains` LoopBack filter are not properly sanitized, which allows an attacker to inject and execute arbitrary SQL command...
@maksym.khudyakov/feature-signup (>=1.0.0-alpha <=1.0.6-alpha), @maksym.khudyakov/feature-todo (>=1.0.0-alpha <=1.0.25-alpha) +20 more potentially affected by CVE-2022-35942 via loopback-connector-postgresql (>=2.4.1 <=3.9.1)
loopback-connector-postgresql NPM version =2.4.1, =1.0.0-alpha, =1.0.0-alpha, =1.0.1, =1.0.0, =1.0.12, =1.0.12, =0.0.13, =0.0.17, =1.0.0, =0.0.2, =0.0.1, =1.0.0, =1.0.1 and more Source cves: CVE-2022-35942 Source advisory: OSV:GHSA-J259-6C58-9M58...
GHSA-J259-6C58-9M58 loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter
Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. Impact: When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of...
NoSQL Injection in loopback-connector-mongodb
Versions of loopback-connector-mongodb prior to 3.6.0 are vulnerable to NoSQL Injection. Filters passed to the database query are not properly sanitized, which leads to execution of code on the database driver and data leak. Recommendation: Upgrade to version 3.6.0 or later...
GHSA-HXWC-5VW9-2W4W NoSQL Injection in loopback-connector-mongodb
Versions of loopback-connector-mongodb prior to 3.6.0 are vulnerable to NoSQL Injection. Filters passed to the database query are not properly sanitized, which leads to execution of code on the database driver and data leak. Recommendation: Upgrade to version 3.6.0 or later...
GHSA-M734-R4G6-34F9 NoSQL Injection in loopback-connector-mongodb
Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection. MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where...
@colmena/api (=0.1.0), agneta-platform (>=0.13.0-beta.1 <=0.13.0-beta.9) +21 more potentially affected by unknown CVE via loopback-connector-mongodb (>=1.13.3 <=3.2.1)
loopback-connector-mongodb NPM version =1.13.3, =0.13.0-beta.1, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =0.0.4, =1.0.1, =0.1.1, =1.7.0, =1.7.61 and more Source cves: unknown CVE Source advisory: OSV:GHSA-M734-R4G6-34F9...
NoSQL Injection in loopback-connector-mongodb
Versions of loopback-connector-mongodb before 3.6.0 are vulnerable to NoSQL injection. MongoDB Connector for LoopBack fails to properly sanitize a filter passed to query the database by allowing the dangerous $where property to be passed to the MongoDB Driver. The Driver allows the special $where...
NoSQL Injection
Overview: Versions of loopback-connector-mongodb prior to 3.6.0 are vulnerable to NoSQL Injection. Filters passed to the database query are not properly sanitized, which leads to execution of code on the database driver and data leak. Recommendation: Upgrade to version 3.6.0 or later. References -...
NoSQL Injection
loopback-connector-mongodb is susceptible to NoSQL injection attacks. The buildWhere and buildSort functions fail to sanitize the filter passed to the database query, allowing the attacker to inject and execute arbitrary NoSQL queries...
SQL Injection
loopback-connector-mssql is vulnerable to SQL injection attacks. This is because user-supplied inputs are not properly sanitized before using them in SQL queries, allowing a remote attacker to inject or manipulate SQL queries in the back-end database...
SQL Injection
loopback-connector-postgresql is vulnerable to SQL injection attacks. This is because user-supplied inputs are not properly sanitized before using them in SQL queries, allowing a remote attacker to inject or manipulate SQL queries in the back-end database...
SQL Injection
loopback-connector-mysql is vulnerable to SQL injection attacks. This is because user-supplied inputs are not properly sanitized before using them in SQL queries, allowing a remote attacker to inject or manipulate SQL queries in the back-end database...