1229 matches found
MAL-2026-4641 Malicious code in platform-tempo (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6d1c69e098c3ebeb2876b746523bea0220034b429f58e0a55683f0ee2c8776cd [email protected] declares a preinstall hook that runs poc.js on every npm install. The script collects host identity os.hostname, whoami /all /...
Malicious code in tempo-layout (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 795bf7080d27cef141114dd46b5734c136f762933a43f2d1308e82547c5f99a6 [email protected] ships a preinstall hook poc.js that unconditionally collects host identity os.hostname, whoami, id, network configuration...
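Both entries above are npm packages whose payload runs from a preinstall lifecycle script, so the practical check is to look at what a dependency's package.json will execute before letting `npm install` run it. The following is an added example, not code from any of the packages or advisories listed here: it parses package.json text, lists the lifecycle hooks that npm fires automatically on install, and pulls out the script file a `node ...` command would run so a reviewer knows which file to read. The sample manifests are constructed; the exact hook command `node poc.js` and the version numbers are assumptions, since the listing only says that a preinstall hook runs poc.js.

```python
import json
import re

# Lifecycle scripts npm runs on its own when a package is installed as a
# dependency, with no action from the user beyond `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Pulls the script file out of a hook command such as "node poc.js".
_NODE_FILE = re.compile(r"\bnode\s+(?:-[\w-]+\s+)*([^\s;&|]+\.[cm]?js)")


def find_install_hooks(package_json_text):
    """Return [(hook, command, script_file_or_None)] for every hook that fires on install."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    found = []
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            cmd = str(scripts[hook])
            m = _NODE_FILE.search(cmd)
            found.append((hook, cmd, m.group(1) if m else None))
    return found


def audit_packages(manifests):
    """manifests: {package_name: package.json text}. Returns only the packages with install hooks."""
    report = {}
    for name, text in manifests.items():
        hooks = find_install_hooks(text)
        if hooks:
            report[name] = hooks
    return report


# Constructed sample manifests (versions and commands are assumptions, not from the advisories).
SAMPLE_MANIFESTS = {
    # Mirrors the pattern in the listing: a preinstall hook that hands poc.js to node.
    "platform-tempo": json.dumps({
        "name": "platform-tempo",
        "version": "0.0.0",
        "scripts": {"preinstall": "node poc.js", "test": "echo ok"},
    }),
    # A package with no lifecycle hooks: nothing runs at install time.
    "left-pad-ish": json.dumps({
        "name": "left-pad-ish",
        "version": "1.0.0",
        "scripts": {"test": "node test.js"},
    }),
    # A native addon: install hooks are normal here, which is why the output is a
    # review list rather than a verdict.
    "some-native-addon": json.dumps({
        "name": "some-native-addon",
        "version": "2.1.0",
        "scripts": {"install": "node-gyp rebuild"},
    }),
}


if __name__ == "__main__":
    for name, hooks in audit_packages(SAMPLE_MANIFESTS).items():
        for hook, cmd, script in hooks:
            print(f"{name}: {hook} -> {cmd!r}" + (f" (read {script})" if script else ""))
```

For CI and developer machines the blunt control is `npm install --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`, after which packages that genuinely need a build step (native addons) are rebuilt explicitly once reviewed. The report above is meant to feed that review, since a legitimate `node-gyp rebuild` and a malicious `node poc.js` are both just install hooks to npm.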
PT-2026-41178
Name of the Vulnerable Software and Affected Versions pyLoad versions prior to 0.5.0b3.dev100 Description An issue exists where the packages.js template interpolates stored link URLs into a template literal within single-quoted HTML and writes the result to the DOM using the $div.htmlhtml functio...
PYSEC-2026-129
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data API function call inside the data object with key "folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary...
CVE-2026-42315
pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, when passing a folder name in the set_package_data API function call inside the data object with key "folder", there is no sanitization at all, allowing a user with Perms.MODIFY to specify arbitrary...
CVE-2026-42315
Summary (CVE-2026-42315) pyLoad before 0.5.0b3.dev100 is vulnerable to path traversal via the _folder field in set_package_data, allowing a user with Perms.MODIFY to set arbitrary download folders. The root cause is lack of sanitization for folder names supplied to set_package_data(), enabling ab...
GHSA-838G-GR43-QQG9 PyLoad vulnerable to Path Traversal via Package Folder Name in set_package_data
Summary No sanitization of package folder name allows writing files anywhere outside the intended download directory. Affected Component - src/pyload/core/api/__init__.py - Function: set_package_data Details When passing a folder name in the set_package_data API function call inside the data object with...
PT-2026-37264
Name of the Vulnerable Software and Affected Versions pyLoad versions prior to 0.5.0b3.dev100 Description Lack of sanitization in the set_package_data function allows a user with Perms.MODIFY permissions to specify arbitrary directories as download locations for a package. This occurs when passin...
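The pyLoad entries above all describe the same defect: a caller-supplied folder name is joined onto the download directory without any check, so "../" segments or an absolute path move the package's download location outside that directory. The code below is an added example and is not pyLoad's own code or its fix: it shows the unchecked join beside a containment check that resolves the candidate path and requires it to remain under the download root. The download root path is hypothetical, and the rejected characters (backslash, NUL) are a conservative choice for a name that may later be used on Windows, not something the advisories specify.

```python
from pathlib import Path

# Hypothetical download root; pyLoad's real configuration key is not shown on this page.
DOWNLOAD_ROOT = "/srv/pyload/downloads"


def unsafe_package_dir(root, folder):
    """The vulnerable pattern: join whatever the caller sent onto the root."""
    # Path does not collapse "..", and an absolute `folder` replaces `root` entirely,
    # so "../../etc" or "/etc/cron.d" both land outside the download directory.
    return Path(root) / folder


def safe_package_dir(root, folder):
    """Return root/<folder> only if it stays inside root; raise ValueError otherwise."""
    if not isinstance(folder, str) or not folder or folder in (".", ".."):
        raise ValueError("empty or reserved folder name")
    # Backslashes and NUL are rejected outright: on Windows a backslash is a separator,
    # and NUL truncates paths in C-based filesystem APIs.
    if "\\" in folder or "\x00" in folder:
        raise ValueError("illegal character in folder name")
    base = Path(root).resolve()
    # An absolute `folder` makes `base / folder` ignore base; resolve() also collapses
    # ".." and follows symlinks, so the containment check below sees the real target.
    candidate = (base / folder).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise ValueError(f"folder {folder!r} escapes the download root") from None
    return candidate


def is_safe_folder(root, folder):
    """Convenience wrapper: True if safe_package_dir accepts the name."""
    try:
        safe_package_dir(root, folder)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one ordinary name, then the traversal cases the advisory describes.
    for name in ("movies/2024", "../../etc", "/etc/cron.d", "a/../../../../tmp", ".."):
        print(f"{name!r:28} unchecked -> {unsafe_package_dir(DOWNLOAD_ROOT, name)}  "
              f"checked -> {'ok' if is_safe_folder(DOWNLOAD_ROOT, name) else 'REJECTED'}")
```

The check has to happen on the resolved path, not on the raw string: a name such as `a/../../../../tmp` contains no leading `..` and passes naive prefix or substring tests, and a symlink inside the download directory can point anywhere. Resolving first and then asking whether the result is still relative to the resolved root handles both.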
CVE-2025-36229 Exposure of Sensitive System Information to an Unauthorized Control Sphere in IBM Aspera Faspex
IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow an authenticated user to obtain sensitive information by enumerating package identifiers...
Malicious code in phoebe-borealis-vuepress-coronalmassejection (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector deaa586f7a513b8036116d867f85c2889429e1affc2ab69c5e417d09987ff2ac This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-185451 Malicious code in analyze-char-fork-theta-kernel (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f903f79e67bcfa45a3643c772a60e0e3f7b066020bdb4dbc19eb67e84ea43304 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-185608 Malicious code in astrophysics-mesosphere-neptunology-xml (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 684bd004536091223ef4c99151f120e9e68cf9d9e4b2583634be658dd965d50d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-190222 Malicious code in warp-hyperion-quasar-quark (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0ce712bcaa7250178e1c74d3981affc85be58ccdcbbe4747eb57092b766b7c04 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in global-gridsome-oauth-supervisor (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d4e9e7cc1e7c42481f808804394b0a8b7ae377b94f9d631eda6a135a33dbc5c6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in cron-rho-analyze-socket-air (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b3ccfff0cb2760978774c62072d2c40b1b8f36364183047d5546f5c67d0fa50b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in blueshift-kuiperbelt-asteroid-dendrochronology (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a6529f5366e3712b3bcecb53700bba7cdc4e0d404e2d5487dc5e3255f0093eef This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in dynamo-mini-css-extract-plugin-cosmicsilence-frontend (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ce8e478555161d23346f7ff922f8c5628d28d7fb3aafb9004466f99613fec9ae This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in encode-route-deserialize-eta-export (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a4849f20d06c8c3eb71f943fcebe44c6e682e2c94299b7465ea7d58fde0889c9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...