37 matches found

RedhatCVE
added 2026/03/26 3:7 p.m. | 2 views

CVE-2026-4191

A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and m...

CVSS 7.5 | AI score 6.5 | EPSS 0.00018
Exploits: 0 | References: 1

RedhatCVE
added 2026/03/26 3:6 p.m. | 0 views

CVE-2026-4190

A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was...

CVSS 7.5 | AI score 6.9 | EPSS 0.00042
Exploits: 0 | References: 1

EUVD
added 2026/03/16 3:30 p.m. | 1 views

EUVD-2026-12253

A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and m...

CVSS 7.5 | AI score 5.3 | EPSS 0.00018
Exploits: 0 | References: 5

NVD
added 2026/03/16 2:20 p.m. | 2 views

CVE-2026-4190

A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was...

CVSS 7.5 | EPSS 0.00042
Exploits: 0 | References: 4

CVE
added 2026/03/15 8:2 p.m. | 6 views

CVE-2026-4191

CVE-2026-4191 affects JawherKl node-api-postgres (up to v2.5). The Profile Picture Handler’s index.js path.extname function is manipulated, causing unrestricted upload. Attack is remote and exploit has been published; vendor did not respond. No remediation details are provided in the supplied doc...

CVSS 7.5 | AI score 6.5 | EPSS 0.00018
Exploits: 0 | References: 4

ATTACKERKB
added 2026/03/15 8:2 p.m. | 1 views

CVE-2026-4191

A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and m...

CVSS 7.5 | AI score 5.3 | EPSS 0.00018
Exploits: 0 | References: 4 | Affected Software: 1

Cvelist
added 2026/03/15 8:2 p.m. | 29 views

CVE-2026-4191 JawherKl node-api-postgres Profile Picture index.js path.extname unrestricted upload

A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and m...

CVSS 7.5 | EPSS 0.00018
Exploits: 0 | References: 4

CVE
added 2026/03/15 7:32 p.m. | 8 views

CVE-2026-4190

JawherKl node-api-postgres (up to 2.5) is affected by a SQL injection in User.getAll (models/user.js) caused by unsafely manipulated sort argument. The vulnerability allows remote execution, and public exploit code is available. Vendor was contacted but no response. No remediation details are pro...

CVSS 7.5 | AI score 6.9 | EPSS 0.00042
Exploits: 0 | References: 4

Cvelist
added 2026/03/15 7:32 p.m. | 32 views

CVE-2026-4190 JawherKl node-api-postgres user.js User.getAll sql injection

A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was...

CVSS 7.5 | EPSS 0.00042
Exploits: 0 | References: 4

ATTACKERKB
added 2026/03/15 7:32 p.m. | 2 views

CVE-2026-4190

A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was...

CVSS 7.5 | AI score 5.7 | EPSS 0.00042
Exploits: 0 | References: 4 | Affected Software: 1

Positive Technologies
added 2026/03/15 12:0 a.m. | 3 views

PT-2026-25563

A vulnerability was detected in JawherKl node-api-postgres up to 2.5. This impacts the function User.getAll of the file models/user.js. The manipulation of the argument sort results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. The vendor was...

CVSS 7.5 | AI score 5.7 | EPSS 0.00042
Exploits: 0 | References: 6

Positive Technologies
added 2026/03/15 12:0 a.m. | 2 views

PT-2026-25565

A flaw has been found in JawherKl node-api-postgres up to 2.5. Affected is the function path.extname of the file index.js of the component Profile Picture Handler. This manipulation causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been published and m...

CVSS 7.5 | AI score 5.3 | EPSS 0.00018
Exploits: 0 | References: 5

EUVD
added 2025/10/07 12:30 a.m. | 1 views

EUVD-2021-1097

Malware in sbrugna...

CVSS 8.1 | AI score 8 | EPSS 0.00117
Exploits: 0 | References: 5

EUVD
added 2025/10/07 12:30 a.m. | 3 views

EUVD-2019-0276

Malware in sbrugna...

CVSS 9.3 | AI score 8 | EPSS 0.00735
Exploits: 0 | References: 6

OSSF Malicious Packages
added 2025/09/29 5:28 a.m. | 3 views

Malicious code in nodeapi-json (npm)

The package nodeapi-json was found to contain malicious code. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware adf38cc7ff9fedd8e0e5018c03c9141360823a8c5143181264185160ee040728 Any computer that has this package installed or running should be considered fully...

AI score 6.9
Exploits: 0 | References: 1

Snyk
added 2025/09/09 8:45 p.m. | 6 views

Embedded Malicious Code

Overview @duckdb/node-api is an API for using DuckDB in Node. Affected versions of this package are vulnerable to Embedded Malicious Code. This package version contains malicious code that monitors network traffic when run in a browser and targets crypto transactions. The injected malicious code...

CVSS 9.8 | AI score 6.8 | EPSS 0.00086
Exploits: 0 | References: 2

CVE
added 2025/09/09 8:26 p.m. | 35 views

CVE-2025-59037

CVE-2025-59037 covers DuckDB npm packages where four Node.js packages were briefly compromised with malware: @duckdb/[email protected], @duckdb/[email protected], [email protected], and @duckdb/[email protected]. The malicious versions attempted to interfere with cryptocurrency transactions. DuckDB de...

CVSS 8.6 | AI score 7.2 | EPSS 0.00086
Exploits: 0 | References: 3

Github Security Blog
added 2025/09/09 2:39 p.m. | 11 views

DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware

The DuckDB distribution for Node.js on npm was compromised with malware along with several other packages. An attacker published new versions of four of duckdb’s packages that included malicious code to interfere with cryptocoin transactions. The following packages and versions are affected: -...

CVSS 8.6 | AI score 7.3 | EPSS 0.00086
Exploits: 0 | References: 5 | Affected Software: 4

vulnersOsv
added 2025/09/09 10:30 a.m. | 3 views

@argilzar/cli-plugin-export-parquet (>=1.0.4 <=1.3.4), @chainbound/payflow-mcp (>=0.0.1 <=0.0.2) +37 more potentially affected by unknown CVE via @duckdb/node-api (>=1.1.3-alpha.12 <=1.3.2-alpha.26)

@duckdb/node-api NPM version =1.1.3-alpha.12, =1.0.4, =0.0.1, =1.0.2, =1.0.1, =1.6.0, =1.0.2, =0.0.1, =0.1.0, =1.2.1, =1.0.0, =0.2.0, =1.0.0, =1.0.7 and more Source cves: unknown CVE Source advisory: OSV:MAL-2025-46992...

AI score 5.8
Exploits: 0

OSSF Malicious Packages
added 2025/09/09 10:30 a.m. | 3 views

Malicious code in @duckdb/node-api (npm)

The DuckDB Node.js package @duckdb/node-api version 1.3.3 was compromised with malware through a sophisticated phishing attack targeting the DuckDB maintainers. An attacker created a pixel-perfect copy of the npmjs.com website at npmjs.help domain and tricked a maintainer into logging in and...

AI score 7.2
Exploits: 0 | References: 1