Lucene search
K

42 matches found

Cvelist
Cvelist
added 2026/04/15 8:56 p.m.20 views

CVE-2026-40261 Composer has Command Injection via Malicious Perforce Reference

Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the...

8.8CVSS0.01688EPSS
Exploits2References2
OSV
OSV
added 2026/03/16 12:0 a.m.3 views

MAL-2026-1526 Malicious code in prefer-let (npm)

The package 'prefer-let' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server npm.jpartifacts.com...

5.6AI score
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/03/16 12:0 a.m.9 views

Malicious code in prefer-let (npm)

The package 'prefer-let' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server npm.jpartifacts.com...

5.5AI score
Exploits0References3
Veracode
Veracode
added 2026/03/13 5:6 a.m.6 views

Improper File Handling

zx is vulnerable to Improper File Handling. The vulnerability is due to a logic error in the linkNodeModules and cleanup routines when using the --prefer-local option, which allows unintended deletion of an external /nodemodules directory outside the current working directory...

8.3CVSS5.8AI score0.0008EPSS
Exploits0References6Affected Software1
OSV
OSV
added 2025/11/20 6:31 p.m.2 views

GHSA-W87R-VG9Q-CRQM zx Uses Incorrectly-Resolved Name or Reference

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

8.3CVSS5.9AI score0.0008EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2025/11/20 6:31 p.m.10 views

zx Uses Incorrectly-Resolved Name or Reference

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

8.3CVSS6.9AI score0.0008EPSS
Exploits0References7Affected Software1
NVD
NVD
added 2025/11/20 5:15 p.m.6 views

CVE-2025-13437

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

8.3CVSS0.0008EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/11/20 4:25 p.m.8 views

CVE-2025-13437 Arbitrary node_modules Directory Deletion in Google zx

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

8.3CVSS6.5AI score0.0008EPSS
Exploits0References1
Cvelist
Cvelist
added 2025/11/20 4:25 p.m.13 views

CVE-2025-13437 Arbitrary node_modules Directory Deletion in Google zx

When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...

8.3CVSS0.0008EPSS
Exploits0References1
Snyk
Snyk
added 2025/11/20 4:25 p.m.5 views

Use of Incorrectly-Resolved Name or Reference

Overview zx is an A tool for writing better scripts Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference via the linkNodeModules function. An attacker can cause deletion of arbitrary directories by supplying a crafted path to the --prefer-local...

8.3CVSS6.9AI score0.0008EPSS
Exploits0References2
CVE
CVE
added 2025/11/20 4:25 p.m.18 views

CVE-2025-13437

ZX contains a vulnerability (CVE-2025-13437) where, when invoked with --prefer-local=, the CLI creates a symlink ./node_modules to the specified path and a logic error in src/cli.ts (linkNodeModules/cleanup) returns the target path instead of the symlink path. The subsequent cleanup can delete th...

8.3CVSS6.5AI score0.0008EPSS
Exploits0References1
OSV
OSV
added 2025/10/29 10:46 p.m.5 views

MAL-2025-49032 Malicious code in prefer-arrow (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bd4c923d3d6c399e77c6af5aa1cbd1e4712cb7bd89045f7ad31667227e6e3bd8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.8AI score
Exploits0References2
EUVD
EUVD
added 2025/10/29 10:46 p.m.0 views

EUVD-2025-36856

Malicious code in prefer-arrow npm...

6.6AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/10/29 10:46 p.m.5 views

Malicious code in prefer-arrow (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bd4c923d3d6c399e77c6af5aa1cbd1e4712cb7bd89045f7ad31667227e6e3bd8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.8AI score
Exploits0References2
Snyk
Snyk
added 2025/10/29 10:46 p.m.1 views

Malicious Package

Overview prefer-arrow is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6.8AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/10/29 10:45 p.m.6 views

Malicious code in prefer-object-spread (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 24f3eb78b1232c6b636794710f52f1699237b0b29192397a63c0b1b307652154 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.8AI score
Exploits0References2
Snyk
Snyk
added 2025/10/29 10:45 p.m.2 views

Malicious Package

Overview prefer-object-spread is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS6.8AI score
Exploits0References2
EUVD
EUVD
added 2025/10/29 10:45 p.m.4 views

EUVD-2025-36863

Malicious code in prefer-object-spread npm...

6.6AI score
Exploits0References1
OSV
OSV
added 2025/10/29 10:45 p.m.3 views

MAL-2025-49033 Malicious code in prefer-object-spread (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 24f3eb78b1232c6b636794710f52f1699237b0b29192397a63c0b1b307652154 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.8AI score
Exploits0References2
Broadcom
Broadcom
added 2025/02/13 12:0 a.m.11 views

PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE

pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note, this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a...

10CVSS7.8AI score0.0481EPSS
Exploits0
Rows per page
Query Builder