Lucene search
K

49 matches found

ATTACKERKB
ATTACKERKB
added 2026/07/06 3:18 p.m.5 views

CVE-2026-59196

pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fix...

7.1CVSS5.9AI score0.00262EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/07/06 3:18 p.m.17 views

CVE-2026-59196

pnpm is vulnerable prior to versions 10.34.4 and 11.7.0 due to a crafted lockfile alias that can be joined under a hoisted node_modules directory, enabling traversal aliases to escape the directory and reserved aliases like .bin or .pnpm to overwrite pnpm-owned layout. The fixed versions are 10.3...

7.1CVSS5.9AI score0.00262EPSS
Exploits1References1Affected Software1
Cvelist
Cvelist
added 2026/07/06 3:18 p.m.34 views

CVE-2026-59196 pnpm: hoisted install imports lockfile alias outside node_modules

pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fix...

7.1CVSS0.00262EPSS
Exploits1References1
OSV
OSV
added 2026/07/06 3:18 p.m.4 views

CVE-2026-59196 pnpm: hoisted install imports lockfile alias outside node_modules

pnpm is a package manager. Prior to 10.34.4 and 11.7.0, a crafted lockfile alias could be joined directly under a hoisted nodemodules directory. Traversal aliases could escape that directory, while reserved aliases such as .bin or .pnpm could overwrite pnpm-owned layout. This vulnerability is fix...

7.1CVSS5.9AI score0.00262EPSS
Exploits1References3
OSV
OSV
added 2026/06/23 9:53 p.m.6 views

MAL-2026-6357 Malicious code in theme-color-picker (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7a4ba7e8664b9e1d99c4018963a4731d591653d7f2a9b879ba090e7a7f6e7bd Although the package presents itself as a 'theme color picker', package.json identifies the publisher as analysis-chart.io with repository...

5.9AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/23 9:53 p.m.8 views

Malicious code in theme-color-picker (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f7a4ba7e8664b9e1d99c4018963a4731d591653d7f2a9b879ba090e7a7f6e7bd Although the package presents itself as a 'theme color picker', package.json identifies the publisher as analysis-chart.io with repository...

5.9AI score
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/01/26 9:53 p.m.1 views

CVE-2026-23890 pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of nodemodules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal...

6.5CVSS5.9AI score0.00438EPSS
Exploits1References3
Github Security Blog
Github Security Blog
added 2026/01/26 9:2 p.m.8 views

pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin

Summary A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of nodemodules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal sequences like ../../ remain intact. Details Th...

6.5CVSS5.9AI score0.00438EPSS
Exploits1References5Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2025/11/25 12:0 a.m.9 views

@actbase/node-server contains malware after npm account takeover

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...

7.1AI score
Exploits0References3Affected Software1
GitLab Advisory Database
GitLab Advisory Database
added 2025/11/25 12:0 a.m.11 views

@actbase/react-absolute contains malware after npm account takeover

On November 24th 2025, a new supply chain attack called Shai-Hulud 2.0 was launched. This package contains the malicious code that attempts to harvest credentials and infect GitHub and npm repositories. The malicious software executes during the pre-install phase and attempts to harvest credentia...

7.1AI score
Exploits0References3Affected Software1
OSV
OSV
added 2025/11/20 6:31 p.m.2 views

GHSA-W87R-VG9Q-CRQM zx Uses Incorrectly-Resolved Name or Reference

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

8.3CVSS5.9AI score0.0008EPSS
Exploits0References7
NVD
NVD
added 2025/11/20 5:15 p.m.8 views

CVE-2025-13437

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

8.3CVSS0.0008EPSS
Exploits0References1
EUVD
EUVD
added 2025/11/20 4:25 p.m.7 views

EUVD-2025-198297

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

8.3CVSS6.3AI score0.0008EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/11/20 4:25 p.m.14 views

CVE-2025-13437 Arbitrary node_modules Directory Deletion in Google zx

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

8.3CVSS0.0008EPSS
Exploits0References1
CVE
CVE
added 2025/11/20 4:25 p.m.19 views

CVE-2025-13437

ZX contains a vulnerability (CVE-2025-13437) where, when invoked with --prefer-local=, the CLI creates a symlink ./node_modules to the specified path and a logic error in src/cli.ts (linkNodeModules/cleanup) returns the target path instead of the symlink path. The subsequent cleanup can delete th...

8.3CVSS6.5AI score0.0008EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2025-29226

Malicious code in bioql PyPI...

8.8CVSS6.3AI score0.00378EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2025-5459

Malicious code in bioql PyPI...

7.8CVSS6.3AI score0.00138EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2025/03/05 12:0 a.m.7 views

Linux Distros Unpatched Vulnerability : CVE-2021-39135

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - @npmcli/arborist, the library that calculates dependency trees and manages the nodemodules folder hierarchy for the npm command line interface, aims to guarante...

8.2CVSS7.3AI score0.00553EPSS
Exploits0References3
Github Security Blog
Github Security Blog
added 2025/02/27 6:31 p.m.19 views

mongosh vulnerable to local privilege escalation

mongosh may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privilege, when a crafted file is stored in C:\nodemodules. This issue affects mongosh prior to 2.3.0...

7.8CVSS6.6AI score0.00138EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2025/02/27 4:15 p.m.28 views

CVE-2025-1755

MongoDB Compass may be susceptible to local privilege escalation under certain conditions potentially enabling unauthorized actions on a user's system with elevated privileges, when a crafted file is stored in C:\nodemodules. This issue affects MongoDB Compass prior to 1.42.1...

7.8CVSS0.00138EPSS
Exploits0References2
Rows per page
Query Builder