5 matches found
MAL-2026-6160 Malicious code in firebase-readability (npm)
The npm package firebase-readability published by npm user sproger, [email protected] is a deceptive React Native component and part of a coordinated 37-package campaign across two attacker-controlled domains surrprisingcoompanny.lol and barbellmate.xyz. On component mount it registers...
CVE-2026-44586
SiYuan (desktop) Bazaar marketplace before 3.7.0 renders package author metadata into HTML without escaping, enabling stored XSS. Because Electron windows are created with nodeIntegration: true and contextIsolation: false, a successful payload could access Node.js APIs and run code on the host. A...
MAL-2025-8022 Malicious code in @hishprorg/dolorum-aut (npm)
The package @hishprorg/dolorum-aut was found to contain malicious code...
Phar unserialization vulnerability in phpMussel
Impact What kind of vulnerability is it? Who is impacted? Anyone using = v1.0.0 = v1.6.0 the earliest safe version will resolve the problem. However, as multiple new major versions have been released since that version, upgrading to the latest available version is recommended, in order to protect...
Unsafe eval()
Overview Affected versions of summit allow attackers to execute arbitrary commands via collection names when using the PouchDB driver. Recommendation No direct patch is available at this time. Currently, the best option to mitigate the issue is to avoid using the PouchDB driver, as the package...