GHSA-2XX6-QF7X-GRQH next-npm-version is vulnerable to Command injection
NPM package next-npm-version 1.0.1 is vulnerable to Command injection...
@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (>=0.8.3 <=0.9.0-beta.7) +14 more potentially affected by CVE-2026-42433 via openclaw (>=0.0.1 <=2026.4.1)
openclaw NPM version =0.0.1, =0.1.0, =0.8.3, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.1.0, =0.1.5 - tokaroo-openclaw-provider =0.1.1 and more Source cves: CVE-2026-42433 Source advisory: OSV:GHSA-7JP6-R74R-995Q...
EUVD-2021-1573
Malware in sbrugna...
EUVD-2021-1849
Malware in sbrugna...
MAL-2025-5261 Malicious code in drivers-kit (npm)
The package communicates with a domain associated with malicious activity. Source: ghsa-malware 0ba30922790421a31176c5d094f9244d7e2c5aefa5a38c9506763c5adb863f66. Any computer that has this package installed or running should be considered...
CVE-2023-39655
A host header injection vulnerability exists in the NPM package @perfood/couch-auth versions = 0.20.0. By sending a specially crafted host header in the forgot password request, it is possible to send password reset links to users which, once clicked, lead to an attacker-controlled server and thu...
CVE-2020-8147
A flaw in input validation in npm package utils-extend version 1.0.8 and earlier may allow a prototype pollution attack that may result in remote code execution or denial of service of applications using utils-extend...
MAL-2025-3748 Malicious code in @myop/cli (npm)
Source: ghsa-malware 1cedbfe96e39f9d1720d4568325348b54f9806c883baab188675958573a2f34b. Withdrawn Advisory: This advisory has been withdrawn because @myop/cli is not malware. This link is maintained to preserve external references. Original...
MAL-2025-3739 Malicious code in gear-idea-indexer-db (npm)
Source: ghsa-malware 0e4383fa116dab4a076fef8694ef177acb72f5e46038222fdc48e6339dc84a6b. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-2783 Malicious code in riskchallengeserv-paypal (npm)
Source: ghsa-malware 7da27f27f9efcf0b2d496e909e97771157cccea447420e5fb908ed4e912fcce6. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-2706 Malicious code in sf-intl-sn-prod (npm)
Source: ghsa-malware bb4cc33212e001bc0af0440f49eb0c52cdc0ad223eba555c5cb2afaa9931e5c3. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-2410 Malicious code in request-draft-ui (npm)
Source: ghsa-malware e20e7c9b27e44bc6a2f406fc1638d5949e6a8ff79801714031432723b004872d. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2025-1517 Malicious code in quickwit-ui (npm)
This package runs commands on import that exfiltrate sensitive data to an attacker-controlled domain. Source: ghsa-malware ac59f539efc4d8596e823182d97cdc7a461e965894dec0aabb807585cd5c92ea. Any computer that has this package installed or running...
CVE-2024-57177
A host header injection vulnerability exists in the NPM package of perfood/couch-auth = 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger an SSTI which can be leveraged to run limited commands or leak server-side information...
CVE-2023-46942
Lack of authentication in NPM's package @evershop/evershop before version 1.0.0-rc.8 allows remote attackers to obtain sensitive information via improper authorization in GraphQL endpoints...
Incorrect protocol extraction via \r, \n and \t characters
\r, \n and \t characters in user-input URLs can potentially lead to incorrect protocol extraction when using npm package urijs prior to version 1.19.11. This can lead to XSS when the module is used to prevent passing malicious javascript: links into HTML or JavaScript; see the following example:...
Command Injection in macfromip
All versions of npm package macfromip are affected by a command injection vulnerability. The injection point is located in line 66 in macfromip.js...
CVE-2021-21252
The jQuery Validation Plugin provides drop-in validation for your existing forms. It is published as an npm package "jquery-validation". jquery-validation before version 1.19.3 contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service). This is fixe...
Code injection
Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors, allowing remote...