Mura security vulnerabilities
Mura is a content management system developed by Mura Corporation. Versions of Mura 10.1.10 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the bundled package creation feature lacking CSRF token validation, which could lead to data leakage...
BIT-CROSSPLANE-2023-37900 Crossplane vulnerable to denial of service from large image
Crossplane is a framework for building cloud native control planes without needing to write code. In versions prior to 1.11.5, 1.12.3, and 1.13.0, a high-privileged user could create a Package referencing an arbitrarily large image that Crossplane would then parse, possibly resulting i...
GHSA-W7RQ-FGX4-4XCM LavaLite CMS affected by a stored cross-site scripting vulnerability
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without prop...
CVE-2025-71177 LavaLite CMS <= 10.1.0 Stored XSS via Package Creation and Search
LavaLite CMS versions up to and including 10.1.0 contain a stored cross-site scripting vulnerability in the package creation and search functionality. Authenticated users can supply crafted HTML or JavaScript in the package Name or Description fields that is stored and later rendered without prop...
CVE-2025-71177
LavaLite CMS ≤ 10.1.0 is reported to have a stored XSS vulnerability in package creation and package search. Authenticated users can inject HTML/JavaScript into the Package Name or Description fields, which is stored and later rendered without proper output encoding in search results, enabling po...
LavaLite cross-site scripting vulnerabilities
LavaLite is a lightweight content management system developed under the Lavalite open source project. Versions of LavaLite 10.1.0 and earlier contained a cross-site scripting vulnerability. This vulnerability stemmed from improperly encoded HTML or JavaScript stored in the package creation and...
CVE-2023-49089
Umbraco is an ASP.NET content management system (CMS). Starting in version 8.0.0 and prior to versions 8.18.10, 10.8.1, and 12.3.0, Backoffice users with permissions to create packages can use path traversal and thereby write outside of the expected location. Versions 8.18.10, 10.8.1, and 12.3.0...
Malicious code in chalk-asteroid-await-prettier-stylelint (npm)
Source: amazon-inspector ff0124325d816f4773fcfae9158e4307c2ea0ff90e2182a36e609ecad7bd1f43. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in nokire-rara844 (npm)
Source: amazon-inspector d9991f20f9f0e016b3590fb9d4db022c1a35069cf07cea63b2e5c79a96f05013. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-156146 Malicious code in ilal-poke43 (npm)
Source: amazon-inspector 883f7614956eab9ee5c20d2971725287f969a853ef7bc0102b60ddca54e7a455. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in markdown-pdf-mocha-lynx-nightwatch (npm)
Source: amazon-inspector 38f527d979b805966a29c97a0f6ba24c8df77bbdf6e19633f45420bca5790374. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in wawan-kue81-riris (npm)
Source: amazon-inspector edc69a2d034637faff76470890bd4c8cd5a94e204803a35e95f9ad138168ada3. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-104789 Malicious code in kiki-kue47-ruro (npm)
Source: amazon-inspector 9aeb8f6ffd2de026a0a28aa473b971e277e382004db258db2e3eb97bba92dddd. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in xaver-lepet44-miaww (npm)
Source: amazon-inspector 57ae16781d9a7da21ed6eb1c5f6debb9a5121c0841969c1512a7e316ecfeefab. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-73976 Malicious code in kurnia-saguer85-breki (npm)
Source: amazon-inspector aaaffa685d0910318dfde69a02ee72ad6c4415036d3de3ce8832cfbdb1bc0d3b. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-75170 Malicious code in riana-sambalado45-breki (npm)
Source: amazon-inspector ead8f50535910e583f15becd0592e45b2559cd344274e3c146ab9e343cd39a35. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-70820 Malicious code in stale-tomato-snail (npm)
Source: amazon-inspector 90af5a4395a55228f60b49a519f5cc020a7bb94cc3e7f0e16c90c99f0ceed93d. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in wati-keraktelor85-sukiwir (npm)
Source: amazon-inspector e9645a6b7b5ef17964ea419733a706d46f55529823ae1e4062d4ca871062de5e. This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
PT-2025-42225
CVE-2025-56219: Lack of Rate Limiting – Add Package API. Description: An attacker can automate the creation of a large number of Packages in a short period of time to cause a DoS. CVSS Score: https://t.co/iF3xHC0jbb...
GHSA-X698-5HJM-W2M5 pyLoad is vulnerable to attacks that bypass localhost restrictions, enabling the creation of arbitrary packages
Summary: Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. Details: Any unauthenticated attacker can bypass the localhost restrictions posed by the application and utilize this to create arbitrary packages. Thi...