234568 matches found
NPM: Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
NPM: Hono: bodyLimit can be bypassed for chunked / unknown-length requests vulnerability discovered by ? in WordPress Npm hono versions 4.12.16...
MAL-2026-3361 Malicious code in 24712-pl5004 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d79bb37b62b8d47ca459db0858a93ffb3c35e3791423c11a0853fb4ab17388e The package 24712-pl5004 was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in @paysafe-tracking/error-monitoring (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9c2acf9c4e0793663b7ca39f1c5c5a4646e8cecb488863494d904cdce97e01df The package @paysafe-tracking/error-monitoring was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-3360 Malicious code in @paysafe-tracking/error-monitoring (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9c2acf9c4e0793663b7ca39f1c5c5a4646e8cecb488863494d904cdce97e01df The package @paysafe-tracking/error-monitoring was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in 24712-pl4712 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4c8947855d76def29ae6497648e1355d55d891c01d5eea51f475ef033c0eda29 The package 24712-pl4712 was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-3357 Malicious code in 24712-plv2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2611781f2d1097ad72abff46b985c85ced20dc7e9f5f8883adbd3e5f394397ee The package 24712-plv2 was found to contain malicious code. Source: ossf-package-analysis...
NPM: basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
NPM: basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering vulnerability discovered by ? in WordPress Npm basic-ftp versions = 5.3.0...
NPM: Auth.js SDK has Improper Permission Checking
NPM: Auth.js SDK has Improper Permission Checking vulnerability discovered by ? in WordPress Npm auth0-js versions = 8.11.0, = 9.32.0...
NPM: Flowise: Bcrypt Password Hash Exposure
NPM: Flowise: Bcrypt Password Hash Exposure vulnerability discovered by ? in WordPress Npm flowise versions = 3.0.12...
MAL-2026-3353 Malicious code in money-badger-open-rpc (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8a9d70a5231934ee14ab33334a3de0db40d5520fb4ef092a5a24cbdffff9751e The package money-badger-open-rpc was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-3352 Malicious code in carbonite-internal (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4fec002c13bf1ef1b49658e5dc490ca30515cf414294154827adadab04cbc234 The package carbonite-internal was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in carbonite-internal (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4fec002c13bf1ef1b49658e5dc490ca30515cf414294154827adadab04cbc234 The package carbonite-internal was found to contain malicious code. Source: ossf-package-analysis...
GHSA-JXH8-JH77-XH6G @evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts
Summary The validator-mode sandbox executor src/gep/validator/sandboxExecutor.js places npm and npx in its hard executable allowlist. Because npm install and npx -y -p execute arbitrary code by design preinstall/install/postinstall lifecycle scripts and remote-package bin entries, and because...
@evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts
Summary The validator-mode sandbox executor src/gep/validator/sandboxExecutor.js places npm and npx in its hard executable allowlist. Because npm install and npx -y -p execute arbitrary code by design preinstall/install/postinstall lifecycle scripts and remote-package bin entries, and because...
Malicious code in @rivianlabs/bedrock (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7d12061e491ebc9109496b77ffd62384bba9a781ac9f0579343a61c5742df351 The package @rivianlabs/bedrock was found to contain malicious code. Source: ossf-package-analysis...
NPM: OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes
NPM: OpenClaw's gateway config mutation guard allowed unsafe model-driven config writes vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.23...
NPM: OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution
NPM: OpenClaw vulnerable to arbitrary code execution via attacker-controlled setup-api.js loaded from cwd during env-key resolution vulnerability discovered by ? in WordPress Npm openclaw versions 2026.4.23...
MAL-2026-3345 Malicious code in deployment-core (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7a1345a90cd18e2bfa245f91057cca34707e7d325f4318263176d9fbcef25c1a The package deployment-core was found to contain malicious code. Source: ghsa-malware eca5b6ddf4f0df1086d272518f3383c140b5641ecf506100d93a352e2135441...
MAL-2026-3343 Malicious code in @atlan/connectors (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 22a96e40cb459d89624b2ce0705942ad4d54d8279e780c66fe2d2fa3f727cef1 The package @atlan/connectors was found to contain malicious code. Source: ghsa-malware...
@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.0-beta.7) +12 more potentially affected by CVE-2026-42439 via openclaw (>=2026.3.22 <=2026.4.1)
openclaw NPM version =2026.3.22, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.15.0 - tokaroo-openclaw-provider =0.1.1 Source cves: CVE-2026-42439 Source advisory: SNYK:JS-OPENCLAW-16420273...