33 matches found
Blinko <= 1.8.3 - Path Traversal via /plugins
Blinko <= 1.8.3 contains a path traversal caused by improper path concatenation without verification in the plugin file server endpoint, letting remote attackers access arbitrary files; exploitation requires network access. id: CVE-2026-23483 info: name: Blinko <= 1.8.3 - Path Traversal via /plugins...
MAL-2026-4763 Malicious code in pulumi-vcd (PyPI)
Source: amazon-inspector 08bbc8be2cfa9a85473b0287e3c327b16c3f9e15886869bd9e2188a323448fd9 Package pulumivcd is published with metadata mimicking an official Pulumi SDK Homepage https://www.pulumi.com, tfgen-style auto-generated bindings bu...
Malicious Package
Overview strapi-plugin-server is a malicious package. This package contains malicious code that conceals a command-and-control agent and credential harvester. A malicious actor published a coordinated campaign of thirty-six packages disguised as community Strapi CMS plugins. These packages aren't...
CVE-2026-23483 Blinko: Unauthorized Arbitrary File Read - /plugins
Blinko is an AI-powered card note-taking project. In versions 1.8.3 and prior, the plugin file server endpoint uses join to concatenate paths but does not verify that the final path is within the plugins directory, leading to path traversal. At time of publication, there are no publicly...
CVE-2026-28427 OpenDeck affected by path traversal allows arbitrary file read
OpenDeck is Linux software for your Elgato Stream Deck. Prior to 2.8.1, the service listening on port 57118 serves static files for installed plugins but does not properly sanitize path components. By including ../ sequences in the request path, an attacker can traverse outside the intended...
Malicious code in @posthog/plugin-server (npm)
Source: amazon-inspector cbacde545c940abfe63a0667580ea37cfc021d6b3e25094b71e23273cd899e1b The package @posthog/plugin-server was found to contain malicious code. Source: ghsa-malware...
MAL-2025-190947 Malicious code in @posthog/plugin-server (npm)
Source: amazon-inspector cbacde545c940abfe63a0667580ea37cfc021d6b3e25094b71e23273cd899e1b The package @posthog/plugin-server was found to contain malicious code. Source: ghsa-malware...
EUVD-2025-199096
Malicious code in @posthog/plugin-server npm...
Embedded Malicious Code
Overview: @posthog/plugin-server is a PostHog Plugin Server. Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud supply chain attack, and its content was removed from the official package manager. The malwa...
EUVD-2025-115792
Malicious code in callback-run-script-html-webpack-plugin-server npm...
EUVD-2020-0530
Malware in sbrugna...
EUVD-2022-3020
Malicious code in bioql PyPI...
CVE-2025-8678
The WP Crontrol plugin for WordPress is vulnerable to blind Server-Side Request Forgery in versions 1.17.0 to 1.19.1 via the 'wp_remote_request' function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web requests to arbitrary locations...
MAL-2025-15291 Malicious code in babel-plugin-server-remove (npm)
The package babel-plugin-server-remove was found to contain malicious code...
WordPress Display Remote Posts Block plugin <= 1.1.0 - Server Side Request Forgery (SSRF) Vulnerability
Server Side Request Forgery (SSRF) Vulnerability discovered by theviper17 in WordPress Plugin Display Remote Posts Block versions <= 1.1.0...
SQL Injection
@posthog/plugin-server is vulnerable to SQL Injection. The vulnerability is due to the lack of proper validation of a user-supplied string before it is used to construct SQL queries, which allows attackers to inject malicious SQL code and execute arbitrary commands in the context of the database account...
WordPress WP AVCL Automation Helper (formerly WPFlyLeads) plugin <= 3.4 - Server Side Request Forgery (SSRF) Vulnerability
Server Side Request Forgery (SSRF) Vulnerability discovered by ch4r0n in WordPress Plugin WP AVCL Automation Helper (formerly WPFlyLeads) versions <= 3.4...
PostHog Plugin Server SQL Injection Vulnerability
PostHog ClickHouse Table Functions SQL Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of PostHog. Authentication is required to exploit this vulnerability. The specific flaw exists within the...
CVE-2025-1970 Export and Import Users and Customers <= 2.6.2 - Authenticated (Administrator+) Server-Side Request Forgery via validate_file Function
The Export and Import Users and Customers plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 2.6.2 via the validate_file function. This makes it possible for authenticated attackers, with Administrator-level access and above, to make web request...
CVE-2024-5980
A vulnerability in the /v1/runs API endpoint of lightning-ai/pytorch-lightning v2.2.4 allows attackers to exploit path traversal when extracting tar.gz files. When the LightningApp is running with the pluginserver, attackers can deploy malicious tar.gz plugins that embed arbitrary files with path...