a-mailx (=0.1.0), ai-shell (>=0.1.0 <=1.0.4) +139 more potentially affected by CVE-2026-44897 via mistune (>=3.0.0rc5 <=3.2.0)

mistune PYPI version =3.0.0rc5, =0.1.0, =0.9.5, =3.0.0, =3.2.1b1, =1.0.1, =1.0.1, =0.1.0, =0.1.0, =0.0.1, =0.1.0, =0.0.2, =1.0.0.1, =0.0.1, =0.0.5 and more Source cves: CVE-2026-44897 Source advisory: SNYK:PYTHON-MISTUNE-16624520...

0.app1 (=1.0.52), 0.edsql (>=1.0.49 <=1.0.50) +2487 more potentially affected by CVE-2026-34766 via electron (>=0.1.2 <=38.6.0)

electron NPM version =0.1.2, =1.0.49, =1.0.49, =1.0.49, =1.0.1, =0.0.10, =1.0.2, =1.1.11, =0.1.0, =3.0.5, =3.0.7 and more Source cves: CVE-2026-34766 Source advisory: OSV:GHSA-9899-M83M-QHPJ...

@igea/oac_backend (>=1.0.35 <=1.0.113), @igea/oac_frontend (>=1.0.31 <=1.0.109) +12 more potentially affected by CVE-2026-30827 via express-rate-limit (=8.1.0)

express-rate-limit NPM version =8.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on express-rate-limit and may be impacted: - @igea/oacbackend =1.0.35, =1.0.31, =7.0.0, =2.0.0-test.19, =0.1.0, =0.29.0, =0.16.0, =0.42.0, =0.27.0, =0.42.0, =0.70.0,...

CVE-2026-28447

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...

CVE-2026-28447 OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...

CVE-2026-28447

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...

CVE-2026-28447

OpenClaw 2026.1.29-beta.1 contains a path traversal flaw in plugin installation that lets crafted package names escape the extensions directory and write files outside the intended area when running the plugins install command. This affects OpenClaw versions prior to 2026.2.1. The issue is a high...

CVE-2026-28447 OpenClaw 2026.1.29-beta.1 < 2026.2.1 - Path Traversal in Plugin Installation via Package Name

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...

EUVD-2026-9897

OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.1 contain a path traversal vulnerability in plugin installation that allows malicious plugin package names to escape the extensions directory. Attackers can craft scoped package names containing path traversal sequences like .. to write files...

PT-2026-23526

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.1.20 through 2026.2.1 Description The software’s plugin installation process does not properly validate plugin package names, allowing attackers to write files outside the intended installation directory. Specifically,...

CVE-2026-25764

OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work...

PT-2026-6806

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 16.6.7 OpenProject versions prior to 17.0.3 Description OpenProject is a web-based project management software. A flaw exists in the time tracking function where the application fails to properly handle HTML tags...

Malicious code in tachyon-mesosphere-spinner-pm2 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c0199d4ad6da5ed57f1010cac95dc16558ece4d84ae6e6c6fb857dc52e6c6370 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in java-orchestrate-awk-process-virtualize (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 23029396724af0865eecdd010c3f17e6739fe0ce56c8d44b3531fbdeac934801 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in concurrently-hawkingradiation-tailwindcss-janus (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2666bd2deaa384120f711b4ca42f1ee157cd1ece04e11132de099f8803437863 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in encode-rain-refactor-execute-pi (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 06ee24f91b8cf6e03f7269a7f2c713ec12a15e887c78c0ea82e730ed28149481 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in docusaurus-xml-proxima-luna (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4841cb7fbba4912212b6867a9ab9667021ec18b4781ff0fe00923b7377062a5c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in zephyr-barnard-troposphere-nucleosynthesis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 831b922acb7d0b3bb4b811e8e897750f882451d3cf95aa508cf8093a45cb48fd This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in areology-polaris-gatsby-phoebe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5b703fe4c7e4dcddf7c314d7abd66fa38950215c0f1ce19c252e7a5a8c1ca487 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in soap-wasat-frontend-astroinformatics (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 035f9ef7998b394d382afc13f9209220a634c21114f0432767956685d56e9cf2 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...