62192 matches found
a-mailx (=0.1.0), ai-shell (>=0.1.0 <=1.0.4) +138 more potentially affected by CVE-2026-44897 via mistune (>=3.0.0rc5 <=3.2.0)
mistune PYPI version =3.0.0rc5, =0.1.0, =0.9.5, =3.0.0, =3.2.1b1, =1.0.1, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =0.1.0, =0.0.2, =1.0.0.1, =0.0.1, =0.0.5 and more Source cves: CVE-2026-44897 Source advisory: SNYK:PYTHON-MISTUNE-16624520...
0.app1 (=1.0.52), 0.edsql (>=1.0.49 <=1.0.50) +2513 more potentially affected by CVE-2026-34766 via electron (>=0.1.2 <=38.6.0)
electron NPM version =0.1.2, =1.0.49, =1.0.49, =1.0.49, =1.0.1, =0.0.10, =1.0.2, =1.1.11, =0.1.0, =3.0.5, =3.0.7 and more Source cves: CVE-2026-34766 Source advisory: OSV:GHSA-9899-M83M-QHPJ...
@igea/oac_backend (>=1.0.35 <=1.0.113), @igea/oac_frontend (>=1.0.31 <=1.0.109) +12 more potentially affected by CVE-2026-30827 via express-rate-limit (=8.1.0)
express-rate-limit NPM version =8.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on express-rate-limit and may be impacted: - @igea/oacbackend =1.0.35, =1.0.31, =7.0.0, =2.0.0-test.19, =0.1.0, =0.29.0, =0.16.0, =0.42.0, =0.27.0, =0.42.0, =0.70.0,...
CVE-2026-28447
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...
EUVD-2026-9897
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...
CVE-2026-28447
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...
CVE-2026-28447
OpenClaw 2026.1.29-beta.1 contains a path traversal flaw in plugin installation that lets crafted package names escape the extensions directory and write files outside the intended area when running the plugins install command. This affects OpenClaw versions prior to 2026.2.1. The issue is a high...
CVE-2026-28447 OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...
CVE-2026-28447 OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name
OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...
PT-2026-23526
Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.1.20 through 2026.2.1 Description The software’s plugin installation process does not properly validate plugin package names, allowing attackers to write files outside the intended installation directory. Specifically,...
CVE-2026-25764
OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work...
PT-2026-6806
Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 16.6.7 OpenProject versions prior to 17.0.3 Description OpenProject is a web-based project management software. A flaw exists in the time tracking function where the application fails to properly handle HTML tags...
Malicious code in callback-xanthus-astrochemistry-quantum-computing (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2e74905ae15aeed1f45edc675826a313007486a970d1f7ff6229b2fcc6ec21d4 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in pino-pretty-radiant-less-loader-galaxy (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 56f26e9ea5896df0ce372833130544656e3589f313b17873c4069dfdc07eab2e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in tachyon-mesosphere-spinner-pm2 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c0199d4ad6da5ed57f1010cac95dc16558ece4d84ae6e6c6fb857dc52e6c6370 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in mocha-neptunology-flare-galaxy (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a6d37bf0614ce1300b08987292992ee91266002a191b2baf94fb221bc877a9b1 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in umbriel-ariel-rigel-metalsmith (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e5c72945619dda01a368dfe59be292a5a07f66cf7ed86d55dc924a54ff02d902 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in miranda-postcss-blitz-module (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ea79ab04fc3a6ac4cbf5514fff31c3ed5fba441933ff5d9a861ea695d6fed4eb This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in webdriver-mocha-nightwatch-cosmiconfig-despina (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de3cfc3b8c341c20b4e8af0757b87d8eb021f0af5c7c338267d8024659a8cd03 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in commitlint-slides-octans-resolvers (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 428a2525ab3ebc8ba2aeeb9ab46f2510a73a7eaff42b15ac0ac0ff63a719d922 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...