12 matches found

Vulnrichment
added 2026/04/15 12:0 a.m. | 1 view

CVE-2026-30625

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands (npm, npx) accept argument flags that enable...

AI score: 6.6 | EPSS: 0.00343
Exploits: 0 | References: 2

EUVD
added 2025/10/03 8:7 p.m. | 2 views

EUVD-2021-30530

Malicious code in bioql PyPI...

CVSS: 9.8 | AI score: 7.8 | EPSS: 0.01851
Exploits: 1 | References: 15

FreeBSD
added 2023/09/12 12:0 a.m. | 31 views

vscode -- VS Code Remote Code Execution Vulnerability

VSCode developers report: Visual Studio Code Remote Code Execution Vulnerability. A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions that working in a maliciously crafted package.json can result in executing commands locally. This scenario would require the attacke...

CVSS: 7.8 | AI score: 7.7 | EPSS: 0.00235
Exploits: 0 | References: 2

OSV
added 2022/08/25 9:21 p.m. | 5 views

MGASA-2022-0294 Updated nodejs packages fix security vulnerability

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have bee...

CVSS: 9.8 | AI score: 6.6 | EPSS: 0.86472
Exploits: 5 | References: 8

OSV
added 2021/11/13 6:15 p.m. | 5 views

CVE-2021-43616

The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have bee...

CVSS: 9.8 | AI score: 9.5 | EPSS: 0.01851
Exploits: 1 | References: 10

OSV
added 2020/07/07 7:15 p.m. | 1 view

DEBIAN-CVE-2020-15095

Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://:@::/". The password value is not redacted and is printed to stdout and also to any generated log files...

CVSS: 4.4 | AI score: 6.8 | EPSS: 0.0013
Exploits: 0 | References: 1

NVD
added 2020/03/25 7:15 p.m. | 8 views

CVE-2020-5282

In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the npm command which is part of this software package. This allows arbitrary shell execution, which can compromise the bot. This is patched in version 1.0.0-beta...

CVSS: 9.8 | AI score: 7.7 | EPSS: 0.00316
Exploits: 0 | References: 2

Prion
added 2020/03/25 7:15 p.m. | 7 views

Command injection

In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the npm command which is part of this software package. This allows arbitrary shell execution, which can compromise the bot. This is patched in version 1.0.0-beta...

CVSS: 7.5 | AI score: 9.5 | EPSS: 0.00316
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2020/03/25 6:15 p.m. | 8 views

CVE-2020-5282 arbitrary shell execution in Nick Chan Bot

In Nick Chan Bot before version 1.0.0-beta there is a vulnerability in the npm command which is part of this software package. This allows arbitrary shell execution, which can compromise the bot. This is patched in version 1.0.0-beta...

CVSS: 7.2 | AI score: 9.6 | EPSS: 0.00316
Exploits: 0 | References: 2

CVE
added 2020/03/25 6:15 p.m. | 43 views

CVE-2020-5282

CVE-2020-5282 affects Nick Chan Bot prior to version 1.0.0-beta, where the npm command within the bot can lead to arbitrary shell execution. The root cause is unfiltered input to OS command construction, enabling code execution and potential compromise of the bot. References in multiple sources c...

CVSS: 9.8 | AI score: 8.5 | EPSS: 0.00316
Exploits: 0 | References: 2 | Affected Software: 1

CNVD
added 2019/12/13 12:0 a.m. | 2 views

npm CLI Arbitrary File Write Vulnerability

The npm CLI is a JavaScript package manager. An arbitrary file write vulnerability exists in npm CLI versions prior to 6.13.3, which can be exploited by an attacker to write arbitrary files...

CVSS: 7.7 | AI score: 9.5 | EPSS: 0.0115
Exploits: 0 | References: 1

Veracode
added 2018/05/18 3:52 a.m. | 7 views

Malicious Test Script

nothing-js is vulnerable to malicious test script. The package contains a malicious test script that attempts to delete all files on the system when the npm test command is run...

AI score: 6.7
Exploits: 0