
62192 matches found

vulnersOsv
added 2026/05/09 12:13 a.m., 6 views

a-mailx (=0.1.0), ai-shell (>=0.1.0 <=1.0.4) +139 more potentially affected by CVE-2026-44897 via mistune (>=3.0.0rc5 <=3.2.0)

mistune PYPI version =3.0.0rc5, =0.1.0, =0.9.5, =3.0.0, =3.2.1b1, =1.0.1, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =0.1.0, =0.0.2, =1.0.0.1, =0.0.1, =0.0.5 and more Source cves: CVE-2026-44897 Source advisory: SNYK:PYTHON-MISTUNE-16624520...

5.8 AI score, 0.00031 EPSS
Exploits 1

vulnersOsv
added 2026/04/03 2:36 a.m., 3 views

0.app1 (=1.0.52), 0.edsql (>=1.0.49 <=1.0.50) +2487 more potentially affected by CVE-2026-34766 via electron (>=0.1.2 <=38.6.0)

electron NPM version =0.1.2, =1.0.49, =1.0.49, =1.0.49, =1.0.1, =0.0.10, =1.0.2, =1.1.11, =0.1.0, =3.0.5, =3.0.7 and more Source cves: CVE-2026-34766 Source advisory: OSV:GHSA-9899-M83M-QHPJ...

5.4 CVSS, 5.8 AI score, 0.00009 EPSS
Exploits 0

vulnersOsv
added 2026/03/06 6:36 p.m., 3 views

@igea/oac_backend (>=1.0.35 <=1.0.113), @igea/oac_frontend (>=1.0.31 <=1.0.109) +12 more potentially affected by CVE-2026-30827 via express-rate-limit (=8.1.0)

express-rate-limit NPM version =8.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on express-rate-limit and may be impacted: - @igea/oacbackend =1.0.35, =1.0.31, =7.0.0, =2.0.0-test.19, =0.1.0, =0.29.0, =0.16.0, =0.42.0, =0.27.0, =0.42.0, =0.70.0,...

7.5 CVSS, 5.8 AI score, 0.00027 EPSS
Exploits 1

NVD
added 2026/03/05 10:16 p.m., 5 views

CVE-2026-28447

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...

8.1 CVSS, 0.00047 EPSS
Exploits 0, References 3

Cvelist
added 2026/03/05 9:59 p.m., 25 views

CVE-2026-28447 OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...

8.1 CVSS, 0.00047 EPSS
Exploits 0, References 3

CVE
added 2026/03/05 9:59 p.m., 4 views

CVE-2026-28447

OpenClaw 2026.1.29-beta.1 contains a path traversal flaw in plugin installation that lets crafted package names escape the extensions directory and write files outside the intended area when running the plugins install command. This affects OpenClaw versions prior to 2026.2.1. The issue is a high...

8.1 CVSS, 5.9 AI score, 0.00047 EPSS
Exploits 0, References 3, Affected Software 1

ATTACKERKB
added 2026/03/05 9:59 p.m., 2 views

CVE-2026-28447

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...

7.5 CVSS, 5.9 AI score, 0.00047 EPSS
Exploits 0, References 4

Vulnrichment
added 2026/03/05 9:59 p.m., 2 views

CVE-2026-28447 OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...

8.1 CVSS, 5.8 AI score, 0.00047 EPSS
Exploits 0, References 3

EUVD
added 2026/03/05 9:59 p.m., 2 views

EUVD-2026-9897

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...

7.5 CVSS, 5.9 AI score, 0.00047 EPSS
Exploits 0, References 3

Positive Technologies
added 2026/02/17 12:0 a.m., 1 view

PT-2026-23526

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.1.20 through 2026.2.1 Description The software’s plugin installation process does not properly validate plugin package names, allowing attackers to write files outside the intended installation directory. Specifically,...

9.3 CVSS, 5.8 AI score, 0.00047 EPSS
Exploits 0, References 9

NVD
added 2026/02/06 10:16 p.m., 4 views

CVE-2026-25764

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work...

3.5 CVSS, 0.00023 EPSS
Exploits 0, References 3

Positive Technologies
added 2026/02/06 12:0 a.m., 3 views

PT-2026-6806

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 16.6.7 OpenProject versions prior to 17.0.3 Description OpenProject is a web-based project management software. A flaw exists in the time tracking function where the application fails to properly handle HTML tags...

3.5 CVSS, 5.7 AI score, 0.00023 EPSS
Exploits 0, References 8

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 2 views

Malicious code in tachyon-mesosphere-spinner-pm2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c0199d4ad6da5ed57f1010cac95dc16558ece4d84ae6e6c6fb857dc52e6c6370 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 3 views

Malicious code in zephyr-barnard-troposphere-nucleosynthesis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 831b922acb7d0b3bb4b811e8e897750f882451d3cf95aa508cf8093a45cb48fd This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 2 views

Malicious code in areology-polaris-gatsby-phoebe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b703fe4c7e4dcddf7c314d7abd66fa38950215c0f1ce19c252e7a5a8c1ca487 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 2 views

Malicious code in soap-wasat-frontend-astroinformatics (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 035f9ef7998b394d382afc13f9209220a634c21114f0432767956685d56e9cf2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 2 views

Malicious code in gatsby-upgrade-aldebaran-antares (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 73c001ab99214b4662862b263eac30593a78748adb121c5de870d37a660239fa This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 5 views

Malicious code in authenticate-scale-analyze-book-scale (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d038c7d079b519f31ce6b09657db6765d1d0007fe0b8bd295d08d7806e81e80a This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 2 views

Malicious code in subscription-jsonp-metabolomics-hawkingradiation (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 73b99ac4b6d1f2920c9cfeb64b32caaef526384c1277eb268f9495396666671b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 3 views

Malicious code in luna-xanadu-aquarius-barnard (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cbc41d7b808faaf60c42dff26f6f47331e3bd6a23a51389d3ae2a88c7c0f9c7b This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9 AI score
Exploits 0