Lucene search

37741 matches found

RedhatCVE
added 2026/06/10 3:0 p.m., 8 views

CVE-2026-47900

Logseq is vulnerable to a stored cross-site scripting (XSS). A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context...

CVSS 4.6, AI score 5.7, EPSS 0.00139
Exploits: 0, References: 1

NVD
added 2026/06/09 2:16 p.m., 11 views

CVE-2026-47900

Logseq is vulnerable to a stored cross-site scripting (XSS). A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context...

CVSS 4.6, EPSS 0.00139
Exploits: 0, References: 2

Cvelist
added 2026/06/09 1:23 p.m., 26 views

CVE-2026-47900 Stored XSS via Unsanitized Plugin Metadata in Logseq

Logseq is vulnerable to a stored cross-site scripting (XSS). A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context...

CVSS 4.6, EPSS 0.00139
Exploits: 0, References: 2

Vulnrichment
added 2026/06/09 1:23 p.m., 8 views

CVE-2026-47900 Stored XSS via Unsanitized Plugin Metadata in Logseq

Logseq is vulnerable to a stored cross-site scripting (XSS). A malicious plugin can include a JavaScript payload in the "name" field of its "package.json" file, which is rendered using "innerHTML" without proper sanitization, allowing the execution of arbitrary code in the privileged host context...

CVSS 4.6, AI score 5.7, EPSS 0.00139
Exploits: 0, References: 2

CVE
added 2026/06/09 1:23 p.m., 16 views

CVE-2026-47900

Affected software: Logseq. Vulnerability: Stored XSS in which a malicious plugin can place a JavaScript payload in the name field of its package.json, rendered via innerHTML without sanitization, allowing code execution in privileged host context. Versions/impact: Only v0.10.15 was tested and con...

CVSS 4.6, AI score 5.7, EPSS 0.00139
Exploits: 0, References: 2

OSSF Malicious Packages
added 2026/05/25 2:15 p.m., 14 views

Malicious code in platform-tempo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6d1c69e098c3ebeb2876b746523bea0220034b429f58e0a55683f0ee2c8776cd [email protected] declares a preinstall hook that runs poc.js on every npm install. The script collects host identity os.hostname, whoami /all /...

AI score 5.8
Exploits: 0, References: 1

OSSF Malicious Packages
added 2026/05/25 10:36 a.m., 9 views

Malicious code in muaddib-scanner (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c8eea5d3ed390c4c82b5bfa89ac220f1d424fcaebe70fe71bbbe3bce66f0f48f package.json declares "loadash": "^1.0.0" as a runtime dependency. loadash is a well-known typosquat of lodash and is never required or imported...

AI score 5.8
Exploits: 0, References: 1

OSV
added 2026/05/22 4:27 p.m., 5 views

MAL-2026-4508 Malicious code in cdk-insights (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fa41acb776dbedfe93c37899783a5e54b78017ac31576c798a27eae6b9e9ec89 The package contains code in dist/entry.js and dist/index.js that invokes npm publish programmatically combined with writeFileSync operations — the...

AI score 5.9
Exploits: 0, References: 2

OSV
added 2026/05/12 10:22 p.m., 4 views

GHSA-RG65-45M7-HQ57 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files

Summary: A Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process. Details: The vulnerable...

CVSS 7.5, AI score 6, EPSS 0.00321
Exploits: 0, References: 4

Positive Technologies
added 2026/05/12 12:0 a.m., 8 views

PT-2026-40543

Name of the Vulnerable Software and Affected Versions: esm.sh versions 137 and earlier. Description: A Local File Inclusion (LFI) issue exists in the esbuild plugin's handling of the browser field within the package.json file. An attacker can publish a malicious npm package that leverages ../ sequence...

CVSS 7.5, AI score 5.9, EPSS 0.00321
Exploits: 0, References: 5

OSV
added 2026/01/02 3:11 p.m., 2 views

GHSA-W3X5-7C4C-66P9 Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)

Summary: An unauthenticated attacker can pollute the internal state restoreFilePath of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files e.g., security.json,...

CVSS 9.6, AI score 8.9, EPSS 0.17934
Exploits: 3, References: 5

OSV
added 2026/01/01 6:0 p.m., 3 views

CVE-2025-66398 Signal K Server has Unauthenticated State Pollution leading to Remote Code Execution (RCE)

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state restoreFilePath of the server via the /skServer/validateBackup endpoint. This allows the attacker to hijack the administrator's "Restor...

CVSS 9.6, AI score 7.6, EPSS 0.17934
Exploits: 3, References: 4

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 5 views

Malicious code in spinner-proxima-cybernetics-cosmochemistry (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7452dbccf4e36bdc41bf89259059d35e9ad079945737d08d43590057286583d9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 5 views

Malicious code in taurus-mutation-izar-node-sass (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c256602c1f7c8b93be5ed695597c57a40839d4299f5b8b8cbe4a4f17d74ed56c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 3 views

Malicious code in socket-minify-export-catch-file (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e30d97ee2bf204b3fc45d68f49bafdd6a020615e4ad51cbc83f463f193b80ea9 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 4 views

Malicious code in tree-function-kappa-decrypt-assert (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1cacb380e1ce93ad7d45f252a5f9858b2a29a47775e53ec4c03d4779cadce49d This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 5 views

Malicious code in terser-webpack-plugin-andromeda-zenobia-pavo (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1353b216b9be652df251b86f5fbd1ba87fb50094ee212a5f9118d884dc328d7b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 4 views

Malicious code in table-old-sun-await-decode (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3fff252c7519516e755af569d60b67bb3cbe754fc47400f464b2f0a3628ac9d4 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 5 views

Malicious code in taurus-winston-panspermia-neuromorphic (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e83d2cd6b9bc072d292c08b72596bfeb053e4d083b485191205648263cf806a5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 7 views

Malicious code in socketio-polaris-restart-adonis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e80f723fb0c38fbfaf0efdc1c70d08acd508343dbd594e403fca9751fb9b1719 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0