276 matches found
CVE-2026-45302
parse-nested-form-data is a tiny node module for parsing FormData by name into objects and arrays. Prior to version 1.0.1, parseFormData walks bracket and dot-notation FormData field names into nested objects without filtering reserved property keys. A single FormData field whose name begins with...
CVE-2026-45302
The CVE-2026-45302 entry concerns parse-nested-form-data, a Node.js module that parses FormData field names into nested objects. Before version 1.0.1, parseFormData() could traverse into Object.prototype when a field name begins with __proto__ or contains .__proto__. mid-path, enabling prototype polluti...
Malicious code in corelia (npm)
Source: amazon-inspector d2b637971f597ba9572b4cecfab0de4981d19620d585b1958b1bb37b004fae8f The package impersonates the popular pino logger README header 'corelia Pino', homepage https://getpino.io, main file pino.js, npm version badge...
MAL-2026-2367 Malicious code in json-mapping-fetch (npm)
Source: amazon-inspector 45649188d792a4c0d12add7ece8a5f8bd1f35ea2478d963b75238249cc788de3 The package json-mapping-fetch was found to contain malicious code...
Siemens APE1808 Improper Privilege Management (CVE-2025-22254)
An Improper Privilege Management vulnerability CWE-269 affecting Fortinet FortiOS version 7.6.0 through 7.6.1, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16 and before 6.4.15, FortiProxy version 7.6.0 through 7.6.1 and before 7.4.7 & FortiWeb version 7.6.0 through 7.6.1 and befo...
CVE-2026-24884
The CVE-2026-24884 vulnerability affects the npm package compressing (versions ≤ 1.10.3 and 2.0.0) where TAR extraction of symbolic links is performed without validating link targets. This can allow an attacker to cause subsequent archive entries to be written to arbitrary locations on the host f...
SUSE CVE-2018-3750
The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all object...
CVE-2009-4518
Cross-site scripting XSS vulnerability in the Insert Node module 5.x before 5.x-1.2 for Drupal allows remote attackers to inject arbitrary web script or HTML via an inserted node...
Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to multiple node modules (CVE-2025-64718, CVE-2025-64756, CVE-2025-13466 & CVE-2025-65945)
Summary IBM App Connect Enterprise Connector Discovery and OpenAPI Editor, IBM App Connect Enterprise Discovery Connectors and IBM App Connect Enterprise runtime are vulnerable to multiple vulnerabilities due to node modules js-yaml, glob, body-parser and jws. Vulnerability Details...
Meta React Server Components Remote Code Execution Vulnerability
React Server Components is a new component model in the React Framework that allows components to run and render on the server and not execute in the client browser. Meta React Server Components has a remote code execution vulnerability that stems from a lack of security checks when parsing...
MAL-2025-188097 Malicious code in module-barnard-ganymede-sociobiology (npm)
Source: amazon-inspector 318ce5e99a1844c93f91036e8137e440098fae0a90415e943e5bb1c3a0a191af This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-172198 Malicious code in augis-po9r-no (npm)
Source: amazon-inspector 4d555e6c337a9401f7cabb41887a8eca3a71e67557e16e25b13d92a574539c50 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in inufgi-gobali-janig (npm)
Source: amazon-inspector c47625452813df11c6a00eccf09a90277132607ae46cd2eb66a5868122722462 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-113230
Malicious code in geckodriver-redis-proxima-cache npm...
Malicious code in ida-miemee65-sluey (npm)
Source: amazon-inspector 13ad48233b389e5d717f608b0af942a4a62e80982ba998639cd623f44150569e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in putri-kue42-breki (npm)
Source: amazon-inspector 270b8de57037a7f76bbdba6df5836f8b0cde0b6cea6c587f63cba8d778e5e040 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2025-88634
Malicious code in supportingimpalaz3n npm...
MAL-2025-108506 Malicious code in selected_snake-appteadev (npm)
Source: amazon-inspector 402cd394cc93e05d67bada41f84a791f0f803368a1d653817bb971988367cfbf This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-107703 Malicious code in rainy_tortoise_z3n (npm)
Source: amazon-inspector be04aaa391c12bd6d586f92ad274b8260a23aafd81624ec66c3ae715bc2cd041 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...