
252573 matches found

NVD
added 2026/05/04 5:16 p.m., 13 views

CVE-2026-24118

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.0...

9.8 CVSS, 0.00886 EPSS
Exploits 1, References 4

OSSF Malicious Packages
added 2026/05/04 4:46 p.m., 8 views

Malicious code in api-typings (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a549cfdf0cbbfa203632d6fe432f69fa60578b8d81b03b75c2bece912aa0c588 The package api-typings was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0

OSV
added 2026/05/04 4:46 p.m., 4 views

MAL-2026-3329 Malicious code in api-typings (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a549cfdf0cbbfa203632d6fe432f69fa60578b8d81b03b75c2bece912aa0c588 The package api-typings was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0

Vulnrichment
added 2026/05/04 4:37 p.m., 6 views

CVE-2026-26956 vm2: WASM Sandbox Escape (Node 25 only)

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5...

9.8 CVSS, 6 AI score, 0.00745 EPSS
Exploits 1, References 2

Cvelist
added 2026/05/04 4:37 p.m., 33 views

CVE-2026-26956 vm2: WASM Sandbox Escape (Node 25 only)

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5...

9.8 CVSS, 0.00745 EPSS
Exploits 1, References 2

OSSF Malicious Packages
added 2026/05/04 4:36 p.m., 11 views

Malicious code in pocpoc2626 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a43e5357592b2bbbe0c68be3960ac829ab988a15b57d63df5ab954c9d0b5b09 The package pocpoc2626 was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0

OSV
added 2026/05/04 4:36 p.m., 6 views

MAL-2026-3328 Malicious code in pocpoc2626 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a43e5357592b2bbbe0c68be3960ac829ab988a15b57d63df5ab954c9d0b5b09 The package pocpoc2626 was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0

Snyk
added 2026/05/04 4:29 p.m., 9 views

Arbitrary Code Injection

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Arbitrary Code Injection through the lookupGetter method and improper context isolation. An attacker can execute arbitrary commands o...

9.8 CVSS, 6.3 AI score, 0.00886 EPSS
Exploits 1, References 2

OSSF Malicious Packages
added 2026/05/04 4:15 p.m., 6 views

Malicious code in capacitor-plugin-service-worker (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 36f1958d8bc44724a00d45b291983ad836dc2f28370c27f83c76f7bf1780bd4b The package capacitor-plugin-service-worker was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0

RedHat Linux
added 2026/05/04 2:31 p.m., 5 views

svgo: SVGO: Denial of Service via XML entity expansion

A flaw was found in SVGO, an SVG (Scalable Vector Graphics) Optimizer. This vulnerability allows a remote attacker to cause a Denial of Service (DoS) by submitting a specially crafted XML file. The application's failure to properly guard against XML entity expansion or recursion can lead to the Node....

7.5 CVSS, 7.2 AI score, 0.00339 EPSS
Exploits 1, References 5

IBM Security Bulletins
added 2026/05/04 2:27 p.m., 8 views

Security Bulletin: Vulnerability in node-tar affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary Potential vulnerability in node-tar has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. The vulnerability has been addressed. Refer to details for additional information...

8.2 CVSS, 6.5 AI score, 0.00308 EPSS
Exploits 2, Affected Software 2

IBM Security Bulletins
added 2026/05/04 2:26 p.m., 6 views

Security Bulletin: Vulnerability in auth0/node-jws affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary Potential vulnerability in auth0/node-jws has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. The vulnerability has been addressed. Refer to details for additional information...

7.5 CVSS, 6 AI score, 0.00193 EPSS
Exploits 1, Affected Software 2

IBM Security Bulletins
added 2026/05/04 2:25 p.m., 6 views

Security Bulletin: Vulnerability in node-tar affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary Potential vulnerability in node-tar has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. The vulnerability has been addressed. Refer to details for additional information...

8.2 CVSS, 6.8 AI score, 0.00519 EPSS
Exploits 1, Affected Software 2

IBM Security Bulletins
added 2026/05/04 2:25 p.m., 8 views

Security Bulletin: Vulnerability in node-tar affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge.

Summary Potential vulnerability in node-tar has been identified that affects IBM watsonx Assistant Cartridge and IBM watsonx Orchestrate with watsonx Assistant Cartridge - Assistant Builder Component. The vulnerability has been addressed. Refer to details for additional information...

8.8 CVSS, 6.2 AI score, 0.00153 EPSS
Exploits 1, Affected Software 2

OSV
added 2026/05/04 1:20 p.m., 8 views

MAL-2026-3326 Malicious code in paychex-common-vendor-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 77d8076c0caa289734b5a30b904f9a075ae0d55ea3fc74f665806d913efe7d28 The package paychex-common-vendor-lib was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits 0, References 1

OSV
added 2026/05/04 9:30 a.m., 7 views

MAL-2026-3335 Malicious code in @bank-widgets/whats-new (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 83244f927bab36b8e6f6493e932fea1ed017f30aaf286c82a81990f509589934 The package @bank-widgets/whats-new was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0

Snyk
added 2026/05/04 3:2 a.m., 6 views

Malicious Package

Overview @tw-marionette/clipboard is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8 CVSS, 5.8 AI score
Exploits 0, References 2

Snyk
added 2026/05/04 3:2 a.m., 4 views

Malicious Package

Overview @google-pay-trust/cancelled is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this...

9.8 CVSS, 5.8 AI score
Exploits 0, References 2

Snyk
added 2026/05/04 3:2 a.m., 6 views

Malicious Package

Overview @tw-marionette/input is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8 CVSS, 5.8 AI score
Exploits 0, References 2

OSV
added 2026/05/04 3:2 a.m., 10 views

MAL-2026-3318 Malicious code in @b2b_blocker/hide_activation_error (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7cbbf4ca3aa2fddd7145289bbf2f3ee83ef30e0fb6aa1163f465c4175cd22aec The package @b2b_blocker/hide_activation_error was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits 0, References 1