43 matches found
CVE-2026-12866
All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function. Because user-controlled expressions are transformed directly into...
CVE-2026-12866
The CVE-2026-12866 entry concerns the npm package expr-eval. Affected versions are vulnerable to Code Execution via the toJSFunction() API, where user-supplied expressions are transformed into executable JavaScript with new Function(), allowing an attacker to escape the sandbox and run arbitrary ...
CVE-2026-12866
All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function. Because user-controlled expressions are transformed directly into...
MAL-2026-5607 Malicious code in chai-net-test (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cd5f4bb3d7abae3be57c7521b84016b6484d4c21bd2898fcde043d376513cf1e chai-net-test ships a remote-code-execution dropper behind its public chain API. When a consumer calls chain... the documented entry point,...
CVE-2026-47099
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...
CVE-2026-47099
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...
CVE-2026-47099 TeleJSON < 6.0.0 DOM-based XSS via parse() Function
TeleJSON prior to 6.0.0 contains a DOM-based cross-site scripting vulnerability in the parse function that allows attackers to execute arbitrary JavaScript by delivering a crafted JSON payload containing a malicious constructor-name property value. The custom reviver passes the constructor name...
EUVD-2026-30556
Cockpit CMS through version 2.14.0, patched in commit 72a83fc, contains a stored cross-site scripting vulnerability in the Set field type's Display template option, where the template string is processed by the $interpolate function using new Function and rendered via Vue's v-html directive witho...
Cockpit CMS 跨站脚本漏洞
Cockpit CMS is an open-source headless content management system developed by Cockpit. Versions of Cockpit CMS 2.14.0 and earlier had a cross-site scripting vulnerability. This vulnerability stemmed from the use of the $interpolate function in template strings within the Display template options,...
Cross-site Scripting (XSS)
Overview telejson is an A library for teleporting rich data to another place. Affected versions of this package are vulnerable to Cross-site Scripting XSS in the parse function. An attacker can execute arbitrary JavaScript code in the new Function context by supplying a crafted JSON payload...
GHSA-CCGF-5RWJ-J3HV TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
Summary telejson versions prior to 6.0.0 released 2022 are vulnerable to DOM-based Cross-Site Scripting XSS through unsafe deserialisation. Attacker-controlled input from the constructor-name property in parsed JSON is passed directly to new Function without sanitisation, allowing arbitrary...
TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`
Summary telejson versions prior to 6.0.0 released 2022 are vulnerable to DOM-based Cross-Site Scripting XSS through unsafe deserialisation. Attacker-controlled input from the constructor-name property in parsed JSON is passed directly to new Function without sanitisation, allowing arbitrary...
EUVD-2026-11718
Locutus vulnerable to RCE via unsanitized input in createfunction...
Locutus vulnerable to RCE via unsanitized input in create_function()
Summary The createfunctionargs, code function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 GHSA-fp25-p6mj-qqg6 which was calluserfuncarray using eval in v2.x. This finding affects...
GHSA-VH9H-29PQ-R5M8 Locutus vulnerable to RCE via unsanitized input in create_function()
Summary The createfunctionargs, code function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 GHSA-fp25-p6mj-qqg6 which was calluserfuncarray using eval in v2.x. This finding affects...
CVE-2026-32304 Locutus: RCE via unsanitized input in create_function()
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the createfunctionargs, code function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from...
CVE-2026-32304 Locutus: RCE via unsanitized input in create_function()
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the createfunctionargs, code function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from...
CVE-2026-32304
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the createfunctionargs, code function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from...
PT-2026-25084
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create functionargs, code function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from...
Lightning Flow Scanner Vulnerable to Code Injection via Unsafe Use of `new Function()` in APIVersion Rule
Impact The APIVersion rule uses new Function to evaluate expression strings. A malicious crafted flow metadata file can cause arbitrary JavaScript execution during scanning. An attacker could execute arbitrary JavaScript during a scan by supplying a malicious expression within rule configuration ...