62192 matches found
a-mailx (=0.1.0), ai-shell (>=0.1.0 <=1.0.4) +136 more potentially affected by CVE-2026-44897 via mistune (>=3.0.0rc5 <=3.2.0)
mistune PYPI version =3.0.0rc5, =0.1.0, =0.9.5, =3.0.0, =3.2.1b1, =1.0.1, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =0.1.0, =0.0.2, =1.0.0.1, =0.0.1, =0.0.5 and more Source cves: CVE-2026-44897 Source advisory: SNYK:PYTHON-MISTUNE-16624520...
0.app1 (=1.0.52), 0.edsql (>=1.0.49 <=1.0.50) +2520 more potentially affected by CVE-2026-34766 via electron (>=0.1.2 <=38.6.0)
electron NPM version =0.1.2, =1.0.49, =1.0.49, =1.0.49, =1.0.1, =0.0.10, =1.0.2, =1.1.11, =0.1.0, =3.0.5, =3.0.7 and more Source cves: CVE-2026-34766 Source advisory: OSV:GHSA-9899-M83M-QHPJ...
@igea/oac_backend (>=1.0.35 <=1.0.115), @igea/oac_frontend (>=1.0.31 <=1.0.111) +12 more potentially affected by CVE-2026-30827 via express-rate-limit (=8.1.0)
express-rate-limit NPM version =8.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on express-rate-limit and may be impacted: - @igea/oacbackend =1.0.35, =1.0.31, =7.0.0, =2.0.0-test.19, =0.1.0, =0.29.0, =0.16.0, =0.42.0, =0.27.0, =0.42.0, =0.70.0,...
CVE-2026-28447
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...
CVE-2026-28447 OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...
EUVD-2026-9897
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...
CVE-2026-28447
OpenClaw 2026.1.29-beta.1 contains a path traversal flaw in plugin installation that lets crafted package names escape the extensions directory and write files outside the intended area when running the plugins install command. This affects OpenClaw versions prior to 2026.2.1. The issue is a high...
CVE-2026-28447 OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...
CVE-2026-28447
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...
PT-2026-23526
Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.1.20 through 2026.2.1 Description The software’s plugin installation process does not properly validate plugin package names, allowing attackers to write files outside the intended installation directory. Specifically,...
CVE-2026-25764
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work...
PT-2026-6806
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 16.6.7 OpenProject versions prior to 17.0.3 Description OpenProject is a web-based project management software. A flaw exists in the time tracking function where the application fails to properly handle HTML tags...
Malicious code in vortex-husky-sqlite-exobiology (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 90045f94e1d9d66252d467fa18357ac19aac151e5ea708173e4ac15adc8779ef This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in winston-kinetic-zenith-corvus (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 33aea94bfb56e0007d05b76e2fd4429326a2eba7c08d4c4190df4b030c654c44 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in global-upgrade-wolf-betelgeuse (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9f36eabf70e6a0498bc947c1d4011bf05f67eb39c3e4010c7ab28a2b04e317f4 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in nextjs-shelljs-centaurus-singularity (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c55363b3a5905f100f53657d0b726caa73dfb097b64c18ebd0409751dc343854 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in sagitta-shelljs-halley-grunt (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c27d14c78f0650cc9e36a6a09704b5376e65f49f575b3bcc650e67f28f0dbb37 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in kronos-phoebe-kronos-elektra (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5dc25b80229005403d5a869b7a5ab665719bb0043973fc6000c8f42696c5c624 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in callback-xanthus-astrochemistry-quantum-computing (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e74905ae15aeed1f45edc675826a313007486a970d1f7ff6229b2fcc6ec21d4 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in miranda-postcss-blitz-module (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea79ab04fc3a6ac4cbf5514fff31c3ed5fba441933ff5d9a861ea695d6fed4eb This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...