253 matches found
Malicious code in node-red-contrib-request (npm)
MAL-2024-9242 Malicious code in node-red-contrib-lowwercase (npm)
Source: ghsa-malware (577092139d0eab16ce212c5f1857a5bd55b8632d4d93358b21d74e379dbf7f60). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in node-red-contrib-lowwercase (npm)
Source: ghsa-malware (577092139d0eab16ce212c5f1857a5bd55b8632d4d93358b21d74e379dbf7f60). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
D-Link G416 nodered tar file command injection vulnerability
D-Link G416 is the AX1500 4G+ Smart Router launched by AUO in June 2025, which supports Wi-Fi 6, AI Smart Optimization and 4G LTE Cat 6 network with up to 300Mbps internet speed. The D-Link G416 suffers from a command injection vulnerability that stems from a nodered tar file handling command...
D-Link G416 nodered gz file command injection vulnerability
D-Link G416 is the AX1500 4G+ Smart Router launched by AUO in June 2025, which supports Wi-Fi 6, AI Smart Optimization and 4G LTE Cat 6 network with up to 300Mbps internet speed. The D-Link G416 suffers from a command injection vulnerability that stems from a nodered gz file handling command...
D-Link G416 security vulnerability
D-Link G416 is the AX1500 4G+ Smart Router launched by AUO in June 2025, which supports Wi-Fi 6, AI Smart Optimization and 4G LTE Cat 6 network with up to 300Mbps internet speed. The D-Link G416 suffers from a command injection vulnerability that stems from a nodered gz file handling command...
@3c-node-red/runtime (=3.1.6), @adeunis/node-red-contrib-adeunis-codecs (=1.0.0) +244 more potentially affected by CVE-2024-27307 via jsonata (>=1.5.0 <=1.8.6)
jsonata NPM version =1.5.0, =20.2.3, =5.0.0, =0.8.0, =0.0.1, =1.0.0, =1.0.1, =2.0.0, =2.0.4 - @elastic.io/batching-library =2.0.1-dev.4 and more Source cves: CVE-2024-27307 Source advisory: OSV:GHSA-FQG8-VFV7-8FJ8...
Malicious code in node-red-contrib-object-to-array (npm)
Source: ghsa-malware (dc617e826788805ca870b385151ace964f43893d9560c8b2d9615276520929a2). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2024-1030 Malicious code in node-red-contrib-object-to-array (npm)
Source: ghsa-malware (dc617e826788805ca870b385151ace964f43893d9560c8b2d9615276520929a2). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
VulnCheck KEV: CVE-2021-25864
node-red-contrib-huemagic 3.0.0 is affected by hue/assets/..%2F Directory Traversal in the res.sendFile API, used in file hue-magic.js, to fetch an arbitrary file...
VulnCheck KEV: CVE-2021-3223
Node-RED-Dashboard before 2.26.2 allows uibase/js/..%2f directory traversal to read files...
CVE-2021-26504
Directory Traversal vulnerability in Foddy node-red-contrib-huemagic version 3.0.0, allows remote attackers to gain sensitive information via crafted request in res.sendFile API in hue-magic.js...
Directory traversal
Directory Traversal vulnerability in Foddy node-red-contrib-huemagic version 3.0.0, allows remote attackers to gain sensitive information via crafted request in res.sendFile API in hue-magic.js...
node-red-contrib-huemagic path traversal vulnerability
node-red-contrib-huemagic is a solution from Foddy, an individual developer. A security vulnerability exists in Foddy node-red-contrib-huemagic version 3.0.0, which stems from a directory traversal vulnerability. An attacker can exploit this vulnerability to obtain sensitive information by sending a...
CVE-2021-26504
CVE-2021-26504 affects Foddy’s node-red-contrib-huemagic (v3.0.0). The vulnerability is a directory traversal in the hue-magic.js res.sendFile API, enabling remote attackers to read sensitive information. CVSS v3.1 base score 7.5 (HIGH) with NETWORK attack vector, LOW attack complexity, and no pr...
Malicious code in node-red-contrib-tfjs-object-detection (npm)
Source: ghsa-malware (5ae6d965935a10741f1389a09905356a09e9d7358dc5e8d1e3b56fac4602c78d). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2023-633 Malicious code in node-red-contrib-tfjs-object-detection (npm)
Source: ghsa-malware (5ae6d965935a10741f1389a09905356a09e9d7358dc5e8d1e3b56fac4602c78d). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
@automatacontrols/automata-thermostat (>=1.0.7 <=1.0.12), @clysema/node-red-contrib-ui-week-schedule (>=0.1.0 <=0.1.4) +30 more potentially affected by CVE-2022-3783 via node-red-dashboard (>=2.13.2 <=3.1.7)
node-red-dashboard NPM version =2.13.2, =1.0.7, =0.1.0, =0.0.1, =1.0.0, =2.0.0, =0.3.0, =0.0.5, =1.0.5-alpha.11, =2.5.0, =0.0.3, =1.2.0, =0.5.1, =0.8.0 - mtr-dashboard =0.0.1 and more Source cves: CVE-2022-3783 Source advisory: OSV:GHSA-VRV9-3X3W-FFXW...
GHSA-VRV9-3X3W-FFXW node-red-dashboard vulnerable to Cross-site Scripting
node-red-dashboard contains a cross-site scripting vulnerability. This issue affects some unknown processing of the file components/ui-component/ui-component-ctrl.js of the component uitext Format Handler. The attack may be initiated remotely. The issue is patched in version 3.2.0...
node-red-dashboard vulnerable to Cross-site Scripting
node-red-dashboard contains a cross-site scripting vulnerability. This issue affects some unknown processing of the file components/ui-component/ui-component-ctrl.js of the component uitext Format Handler. The attack may be initiated remotely. The issue is patched in version 3.2.0...