252587 matches found

OSSF Malicious Packages
added 2026/04/25 9:45 a.m., 11 views

Malicious code in axis-abc-portal-menu (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 84dbd03fbc7970d1f3fc987743f698a9ea6a0af44ea2b89d0f2c1cbaa397f933 The package axis-abc-portal-menu was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0
OSV
added 2026/04/25 9:45 a.m., 4 views

MAL-2026-3074 Malicious code in axis-abc-portal-menu (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 84dbd03fbc7970d1f3fc987743f698a9ea6a0af44ea2b89d0f2c1cbaa397f933 The package axis-abc-portal-menu was found to contain malicious code. Source: ossf-package-analysis...

5.8 AI score
Exploits 0
OSSF Malicious Packages
added 2026/04/25 9:45 a.m., 5 views

Malicious code in axis-notification (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 341ed22195f4a5533e72c654980bb1eecb5d0fb91c70a5132ca728978d68de54 The package axis-notification was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits 0, References 1
OSSF Malicious Packages
added 2026/04/25 8:43 a.m., 10 views

Malicious code in js-component-explorer (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 42b874b4949845eda88ec207be1ff9bedde0eb14b4f8cc12b4f46fd32bd32391 The package js-component-explorer was found to contain malicious code. Source: ossf-package-analysis...

5.3 AI score
Exploits 0
RedhatCVE
added 2026/04/25 7:22 a.m., 6 views

CVE-2026-41270

Flowise is a drag & drop user interface to build a customized large language model flow. Prior to 3.1.0, a Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and...

8.3 CVSS, 5.3 AI score, 0.00234 EPSS
Exploits 1, References 1
Patchstack
added 2026/04/25 6:30 a.m., 7 views

NPM: simple-git is vulnerable to Remote Code Execution

NPM: simple-git is vulnerable to Remote Code Execution vulnerability discovered by ? in WordPress Npm simple-git versions 3.36.0...

9.8 CVSS, 5.8 AI score, 0.01098 EPSS
Exploits 1, References 5, Affected Software 1
SUSE CVE
added 2026/04/25 1:39 a.m., 2 views

SUSE CVE-2026-31542

In the Linux kernel, the following vulnerability has been resolved: x86/platform/uv: Handle deconfigured sockets. When a socket is deconfigured, it's mapped to SOCK_EMPTY (0xffff). This causes a panic while allocating UV hub info structures. Fix this by using NUMA_NO_NODE, allowing UV hub info structur...

5.5 AI score, 0.00122 EPSS
Exploits 0, References 3
OSV
added 2026/04/24 10:55 p.m., 5 views

MAL-2026-3069 Malicious code in @tochka-ui/foundation (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9575f5fa03036022a473218e67ec437c95aa1e3c0768e1006762695c772705c8 The package @tochka-ui/foundation was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits 0, References 1
OSSF Malicious Packages
added 2026/04/24 10:43 p.m., 6 views

Malicious code in @frengki0707/google-cloud-clone (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a278202a1e4a54c185b707e1eeed0b0df0438168bcec4a2a5b5741bcbd8a5e5c The package @frengki0707/google-cloud-clone was found to contain malicious code. Source: ossf-package-analysis...

5.3 AI score
Exploits 0
Snyk
added 2026/04/24 7:20 p.m., 4 views

HTTP Response Splitting

Overview org.webjars.npm:axios is a promise-based HTTP client for the browser and Node.js. Affected versions of this package are vulnerable to HTTP Response Splitting via the isFormData and getHeaders handling in the HTTP request path. An attacker can inject arbitrary request headers by supplying...

9.1 CVSS, 5.7 AI score, 0.00394 EPSS
Exploits 1, References 2
NVD
added 2026/04/24 7:17 p.m., 5 views

CVE-2026-41421

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the backend broadcast...

8.8 CVSS, 0.00134 EPSS
Exploits 0, References 1
Vulnrichment
added 2026/04/24 6:53 p.m., 3 views

CVE-2026-41421 SiYuan Desktop Notification XSS Leads to Electron RCE

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the backend broadcast...

8.8 CVSS, 5.5 AI score, 0.00134 EPSS
Exploits 0, References 1
EUVD
added 2026/04/24 6:53 p.m., 6 views

EUVD-2026-25614

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the backend broadcast...

8.8 CVSS, 5.6 AI score, 0.00134 EPSS
Exploits 0, References 1
ATTACKERKB
added 2026/04/24 6:53 p.m., 4 views

CVE-2026-41421

SiYuan is an open-source personal knowledge management system. Prior to 3.6.5, SiYuan desktop renders notification messages as raw HTML inside an Electron renderer. The notification route POST /api/notification/pushMsg accepts a user-controlled msg value, forwards it through the backend broadcast...

8.8 CVSS, 5.6 AI score, 0.00134 EPSS
Exploits 0, References 2, Affected Software 1
NVD
added 2026/04/24 6:16 p.m., 4 views

CVE-2026-41322

@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting static js/css resources from astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the effect that all...

5.3 CVSS, 0.00238 EPSS
Exploits 0, References 1
UbuntuCve
added 2026/04/24 6:16 p.m., 2 views

CVE-2026-42042

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy...

5.4 CVSS, 5.8 AI score, 0.00228 EPSS
Exploits 1, References 2
UbuntuCve
added 2026/04/24 6:16 p.m., 4 views

CVE-2026-42034

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, for stream request bodies, maxBodyLength is bypassed when maxRedirects is set to 0 (native http/https transport path). Oversized streamed uploads are sent fully even when the caller sets strict body limits...

5.3 CVSS, 5.8 AI score, 0.00327 EPSS
Exploits 1, References 2
UbuntuCve
added 2026/04/24 6:16 p.m., 6 views

CVE-2026-42039

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and...

7.5 CVSS, 5.8 AI score, 0.00413 EPSS
Exploits 1, References 2
OSV
added 2026/04/24 6:16 p.m., 5 views

UBUNTU-CVE-2026-42044

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.2, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution in the application's dependency tree to be escalated into surgical, invisible...

9.1 CVSS, 5.8 AI score, 0.00269 EPSS
Exploits 1, References 3
UbuntuCve
added 2026/04/24 6:16 p.m., 5 views

CVE-2026-42037

Axios is a promise based HTTP client for the browser and Node.js. From 1.0.0 to before 1.15.1, the FormDataPart constructor in lib/helpers/formDataToStream.js interpolates value.type directly into the Content-Type header of each multipart part without sanitizing CRLF (\r\n) sequences. An attacker w...

5.3 CVSS, 5.9 AI score, 0.0024 EPSS
Exploits 1, References 2