378 matches found
EUVD-2026-30360
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, POST /api/tag/getTag is registered with model.CheckAuth only, omitting both model.CheckAdminRole and model.CheckReadonly, despite the handler performing a configuration write that is normally guarded by both. Any...
CVE-2026-45371 SiYuan: SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST /api/storage/updateRecentDocViewTime, POST...
SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs
Summary: SiYuan publish-mode Reader can mutate Conf and SQL index via 8 ungated APIs. POST /api/graph/getGraph, POST /api/graph/getLocalGraph, POST /api/sync/setSyncInterval, POST /api/storage/updateRecentDocViewTime, POST /api/storage/updateRecentDocCloseTime, POST...
PT-2026-35031
Name of the Vulnerable Software and Affected Versions: Dgraph versions prior to 25.3.3. Description: An issue exists in Dgraph that allows an unauthenticated attacker to gain full read access to all data in the database. This occurs in the default configuration where Access Control Lists (ACL) are...
CVE-2026-35620 OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands
OpenClaw before 2026.3.24 contains missing authorization vulnerabilities in the /send and /allowlist chat command handlers. The /send command allows non-owner command-authorized senders to change owner-only session delivery policy settings, and the /allowlist mutating commands fail to enforce...
CVE-2021-28860
In Node.js mixme, prior to v0.5.1, an attacker can add or alter properties of an object via '__proto__' through the mutate and merge functions. The polluted attribute will be directly assigned to every object in the program. This will put the availability of the program at risk causing a potential...
Malicious code in cosmochemistry-lacerta-magnetosphere-reveal-md (npm)
Source: amazon-inspector 08d0d5db9b30a391c486f37cb6ced3a4f296a525efa9c588f34a6a3845fe226e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-187065 Malicious code in fusion-inflation-dactyl-webpack (npm)
Source: amazon-inspector afd7df62b134bcc7afb6138cd72c0148fe9828de23d7012fa0e5c0c2047e9063 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-187855 Malicious code in long-boolean-table-compress-tree (npm)
Source: amazon-inspector d6ce61b95ca11c80fb5abda226276f953078eb8f6cfe963270f6034d758b6b22 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-188454 Malicious code in optimize-double-nu-cluster-function (npm)
Source: amazon-inspector b9b98723aa7741d128b3d9fe5fff42be8f635f757b1c6bf032d86eed998a8200 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-189516 Malicious code in sirius-lynx-antares-server (npm)
Source: amazon-inspector fe1b1189742e5aae02454df7ad46c469deecbe1d18ea01b1feb3d6b00b7c548d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-187604 Malicious code in jekyll-resolvers-quark-epimetheus (npm)
Source: amazon-inspector a7dc947279fc7b4978324c611197f7ba4d99cc1748bf2d4d42d7484d8dfe30bf This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in bad-transpile-xml-signal-cache (npm)
Source: amazon-inspector 98b31e71ed2a6d4bf88c6076c957111d72558e44d36bf8a63e906f6074f9624f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-189918 Malicious code in thread-compile-parse-decrypt-air (npm)
Source: amazon-inspector 6a7146ef933c1aa178443b1e6366208057596a2447d96deb31dc0f893f501187 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-186495 Malicious code in debug-char-code-double-encode (npm)
Source: amazon-inspector cf04c663a92261e5204471a60b4f4195cd06203bbc747e721e88d638e35efbb3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in archaeogenetics-csrf-aquarius-perturbation (npm)
Source: amazon-inspector f3bf298157c040760bce94b452e888389305beacf18b29f6f82b92ab32890e45 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in meta-code-debug-key-old (npm)
Source: amazon-inspector 8c44349ff42d4f48dca55e6eede52c18fd580f1050b7cfe7ef57d36b8602a3fc This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-187787 Malicious code in link-astrometry-gulp-transhumanism (npm)
Source: amazon-inspector f4329a95dcfa0e1622818152248a41d94a3ba730de57357e0fa2c4f82e5e2950 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-182634 Malicious code in imugiay-ajvog-dnieamnfaiyugpa (npm)
Source: amazon-inspector f4fa6fe12bf45d08c1a825d80d1c1c4d52076a0f8e8e34d998efaf752555eba4 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in mitaukailok-don-olasia (npm)
Source: amazon-inspector af9d31b6b44cd7a6ce31d19da5a708e1969b15df3b09ebc18d3e2096591188cd This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...