
11 matches found

OSSF Malicious Packages
added 2026/05/26 1:1 a.m., 8 views

Malicious code in create-arnext-app (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 67a5229a06132707ff10eb04a5fc2a19abf029ded0d61e1c9d0814f5cb2bb667 The package declares "preinstall": "./.github/scripts/precheck" in package.json, which invokes a 976KB stripped Linux x86_64 ELF binary hidden under...

6.2 AI score
Exploits: 0, References: 1
Cvelist
added 2026/04/02 7:8 p.m., 12 views

CVE-2026-34832 Scoold: Cross-Account Feedback Deletion (IDOR)

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.66.1, Scoold contains an authenticated authorization flaw in feedback deletion that allows any logged-in, low-privilege user to delete another user's feedback post by submitting its ID to POST /feedback/id/delete. The...

6.5 CVSS, 0.00139 EPSS
Exploits: 1, References: 3
NVD
added 2026/01/27 10:15 p.m., 3 views

CVE-2026-24741

ConvertX is a self-hosted online file converter. In versions prior to 0.17.0, the POST /delete endpoint uses a user-controlled filename value to construct a filesystem path and deletes it via unlink without sufficient validation. By supplying path traversal sequences (e.g., ../), an attacker can...

8.1 CVSS, 0.00151 EPSS
Exploits: 1, References: 2
OSV
added 2026/01/27 9:11 p.m., 3 views

CVE-2026-24741 ConvertX Vulnerable to Arbitrary File Deletion via Path Traversal in `POST /delete`

ConvertX is a self-hosted online file converter. In versions prior to 0.17.0, the POST /delete endpoint uses a user-controlled filename value to construct a filesystem path and deletes it via unlink without sufficient validation. By supplying path traversal sequences (e.g., ../), an attacker can...

8.1 CVSS, 5.9 AI score, 0.00151 EPSS
Exploits: 1, References: 4
Positive Technologies
added 2026/01/27 12:0 a.m., 5 views

PT-2026-5023

Name of the Vulnerable Software and Affected Versions: ConvertX versions prior to 0.17.0. Description: ConvertX is a self-hosted online file converter. The POST /delete endpoint uses a user-controlled filename value to construct a filesystem path and deletes it via the unlink function without...

8.1 CVSS, 6 AI score, 0.00151 EPSS
Exploits: 1, References: 8
CNNVD
added 2026/01/27 12:0 a.m., 2 views

ConvertX path traversal vulnerability

ConvertX is a file format conversion tool developed by the ConvertX company. Versions of ConvertX prior to 0.17.0 contained a path traversal vulnerability. This vulnerability stemmed from the POST /delete endpoint using user-controlled filename values to construct file system paths and performing...

8.1 CVSS, 5.8 AI score, 0.00151 EPSS
Exploits: 1, References: 3
OSV
added 2025/11/07 5:16 a.m., 2 views

CVE-2025-4522

The IDonate – Blood Donation, Request And Donor Management System plugin for WordPress is vulnerable to Insecure Direct Object Reference via the adminpostdonordelete function in versions 2.0.0 to 2.1.9. By supplying an arbitrary userid parameter value to the wpdeleteuser function, authenticated...

6.5 CVSS, 5.9 AI score, 0.00045 EPSS
Exploits: 0, References: 5
NVD
added 2022/08/05 4:15 p.m., 13 views

CVE-2022-36296

Broken Authentication vulnerability in JumpDEMAND Inc. ActiveDEMAND plugin = 0.2.27 at WordPress allows unauthenticated post update/create/delete...

6.5 CVSS, 0.00163 EPSS
Exploits: 0, References: 1
CNVD
added 2016/09/26 12:0 a.m., 1 views

Arbitrary File Deletion Vulnerability in 'hid_name' in OfficeTen Management System of NetEconomic Technology (Suzhou) Co.

OfficeTen is an enterprise next-generation converged communication product that integrates voice, data, security, and real-time communication applications, developed by Nethru Technology with independent innovation and its own intellectual property rights. Arbitrary file deletion vulnerability...

6.9 AI score
Exploits: 0, References: 1
seebug.org
added 2015/09/11 12:0 a.m., 17 views

WordPress media-file-manager-advanced Plugin Multiple Vulnerabilities

No description provided by source. Post Delete http://domain.tld/wp-admin/admin-ajax.php?action=mfmarelocatordelete post: id=17 MKDIR http://domain.tld/wp-admin/admin-ajax.php?action=mfmarelocatormkdir newdir=EVEXFOLDER folder exists: http://domain.tld/wp-contents/uploads/EVEXFOLDER RMDIR Dir Mus...

7.1 AI score
Exploits: 0
wpexploit
added 2015/05/13 12:0 a.m., 12 views

Media File Manager Advanced <= 1.1.5 - Multiple Vulnerabilities

Media File Manager Advanced allows any authenticated user to execute administrator actions due to weak permission checking. An attacker is able to delete/update posts, create/remove/list directories, move/rename/delete files, and perform blind SQL injection and cross-site scripting. Pos...

0.8 AI score
Exploits: 0, References: 2