74 matches found
EUVD-2019-0259
Malware in sbrugna...
Unity Linux 20.1070e Security Update: nodejs (UTSA-2025-680629)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-680629 advisory. @npmcli/arborist, the library that calculates dependency trees and manages the nodemodules folder hierarchy for the npm command line interface, aims to guarantee tha...
CVE-2025-59528
Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided...
Multiple Node.js Modules compromised in supply chain attack to steal crypto (08/09/2025)
The remote host has a version of one or more Node.js modules installed known to be compromised in a supply chain attack. The following Node.js modules are known to be affected: 'backslash', 'chalk', 'debug', 'chalk-template', 'supports-hyperlinks', 'has-ansi', 'simple-swizzle', 'color-string',...
CVE-2025-59143
Summary (CVE-2025-59143) : The issue affects the npm package color ([email protected]). An account takeover via phishing allowed an attacker to publish a malicious patch that inserts a payload in the browser context to redirect cryptocurrency transactions to attacker-owned addresses (e.g., wallets like...
CVE-2025-59140 [email protected] contains malware after npm account takeover
backlash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after a phishing attack. Version 0.2.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect...
Linux Distros Unpatched Vulnerability : CVE-2019-16775
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of...
MAL-2025-3653 Malicious code in vite-plugin-node-modules-polyfills (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ba225e7480a310032d62d6de3db636b57a0bb3e2594bf99605df20b09352eab9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in vite-plugin-node-modules-polyfills (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware ba225e7480a310032d62d6de3db636b57a0bb3e2594bf99605df20b09352eab9 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in pb-node-modules (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 13f6ed4f1be7aaf5a813cae62ab02bae6da785284b44b4ec1ef18522f3c0f7a4 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2025-1755
MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\nodemodules\. This issue affects MongoDB Compass prior to 1.42.1...
CVE-2025-1755
MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\nodemodules. This issue affects MongoDB Compass prior to 1.42.1...
CVE-2025-1756
mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\nodemodules. This issue affects mongosh prior to 2.3.0...
CVE-2025-1756
mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\nodemodules. This issue affects mongosh prior to 2.3.0...
PT-2025-1290 · Adobe · Photoshop
Name of the Vulnerable Software and Affected Versions: Adobe Photoshop versions 25.12, 26.1 and earlier Description: The issue is related to an Uncontrolled Search Path Element vulnerability that could lead to arbitrary code execution. An attacker could manipulate the search path environment...
SUSE CVE-2023-33966
Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and denoruntime 0.114.0, outbound HTTP requests made using the built-in node:http or node:https modules are incorrectly not checked against the network permission allow list --allow-net. Dependencies relying on these built-in modules...
CVE-2023-33966 Deno missing "--allow-net" permission check for built-in Node modules
Deno is a runtime for JavaScript and TypeScript. In deno 1.34.0 and denoruntime 0.114.0, outbound HTTP requests made using the built-in node:http or node:https modules are incorrectly not checked against the network permission allow list --allow-net. Dependencies relying on these built-in modules...
vm2 注入漏洞
vm2 is an advanced virtual machine/sandbox for Node.js by individual developer Patrik Simek in the Czech Republic. to run untrusted code using whitelisted Node built-in modules. An injection vulnerability exists in vm2 3.9.17 and earlier versions, which stems from the ability to run untrusted cod...
CVE-2023-29017 vm2 Sandbox Escape vulnerability
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Prior to version 3.9.15, vm2 was not properly handling host objects passed to Error.prepareStackTrace in case of unhandled async errors. A threat actor could bypass the sandbox protections to gain remote code...
SUSE CVE-2017-18355
Installed packages are exposed by nodemodules in Rendertron 1.0.0, allowing remote attackers to read absolute paths on the server by examining the "where" attribute of package.json files...