56 matches found
PT-2026-50155
Name of the Vulnerable Software and Affected Versions Deno versions prior to 2.8.1 Description Environment access is managed by the env permission, which can be restricted via --deny-env or an allowlist using --allow-env=FOO,BAR. The process.loadEnvFile function, a Node-compatible API for loading...
CVE-2026-53609 Apostrophe has Server-Side Prototype Pollution in apos.util.set via patch operators that leads to process-wide authorization bypass
ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, apos.util.set traverses dot-notation paths without sanitizing proto, allowing an authenticated editor to write arbitrary values to Object.prototype via the $pullAll patch operator. A confirm...
Malicious code in theta-connector (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f9ac14206b12d7cb0c180c49e65d91b99aa2f013c33147d7f1eff396da2c48a2 The package advertises itself as a MySQL connector but index.js around line 236 contains a method queryDBConnect on the exported...
PT-2026-49006
Name of the Vulnerable Software and Affected Versions ApostropheCMS versions prior to 4.30.1 Description A prototype pollution issue exists in the apos.util.set function, which traverses dot-notation paths without sanitizing the proto property. This allows an authenticated editor to write arbitra...
Malicious code in @cloudplatform-single-spa/monaas-ui (npm)
Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...
Malicious code in @fb-deposit/form-deposit-auth (npm)
Part of a dependency confusion attack campaign targeting the @car-loans, @fb-deposit, and @debit-ib npm scopes. The attacker npm user pik-libs published 25 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version resolution,...
Malicious code in @cloudplatform-single-spa/profile (npm)
Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...
MAL-2026-4963 Malicious code in @cloudplatform-single-spa/redirect (npm)
Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...
MAL-2026-5022 Malicious code in @mlspace/inference-deploy (npm)
Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...
MAL-2026-4941 Malicious code in @cloudplatform-single-spa/ml-finetuning (npm)
Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...
Malicious code in clsx-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 23e4e85f63d161234d84c774fdff696827934a27282be2ce9ff362a756246ee6 On npm install, dist/postinstall.js base64-decodes the URL https://api.npoint.io/984b75c022a70cf00c39, fetches JSON from this anonymous mutable...
MAL-2026-4531 Malicious code in clsx-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 23e4e85f63d161234d84c774fdff696827934a27282be2ce9ff362a756246ee6 On npm install, dist/postinstall.js base64-decodes the URL https://api.npoint.io/984b75c022a70cf00c39, fetches JSON from this anonymous mutable...
GHSA-Q7RR-3CGH-J5R3 Prometheus exporter process crash via malformed HTTP request
Summary A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process. You...
CVE-2026-40190 LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK langsmith contains an incomplete prototype pollution fix in its internally vendored lodash set utility. The baseAssignValue function only guards against the...
CVE-2026-30887 OneUptime Affected by Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By...
CVE-2026-26280
A flaw was found in systeminformation. An attacker can exploit a command injection vulnerability in the wifiNetworks function by providing a specially crafted network interface parameter. This occurs because the parameter is not properly sanitized in a retry mechanism, allowing for the execution ...
@isaacs/brace-expansion has Uncontrolled Resource Consumption
Summary @isaacs/brace-expansion is vulnerable to a Denial of Service DoS issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the...
MAL-2025-146311 Malicious code in pm2-run-script-eslint-plugin-leda (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a817f06ae0a4d8dc0d41ca305b9e56576f1bd8664d47548dc7532d0c54975083 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
EUVD-2020-1096
Malware in sbrugna...
EUVD-2022-7366
Malicious code in bioql PyPI...