42 matches found
CVE-2026-40261 Composer has Command Injection via Malicious Perforce Reference
Composer is a dependency manager for PHP. Versions 1.0 through 2.2.26 and 2.3 through 2.9.5 contain a command injection vulnerability in the Perforce::syncCodeBase method, which appends the $sourceReference parameter to a shell command without proper escaping, and additionally in the...
MAL-2026-1526 Malicious code in prefer-let (npm)
The package 'prefer-let' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server npm.jpartifacts.com...
Malicious code in prefer-let (npm)
The package 'prefer-let' is part of the PhantomRaven supply chain attack campaign Wave 2. It uses a Remote Dynamic Dependency RDD technique: the published package appears benign but includes a URL-based dependency in package.json pointing to an attacker-controlled C2 server npm.jpartifacts.com...
Improper File Handling
zx is vulnerable to Improper File Handling. The vulnerability is due to a logic error in the linkNodeModules and cleanup routines when using the --prefer-local option, which allows unintended deletion of an external /nodemodules directory outside the current working directory...
GHSA-W87R-VG9Q-CRQM zx Uses Incorrectly-Resolved Name or Reference
When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...
zx Uses Incorrectly-Resolved Name or Reference
When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...
CVE-2025-13437
When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...
CVE-2025-13437 Arbitrary node_modules Directory Deletion in Google zx
When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...
CVE-2025-13437 Arbitrary node_modules Directory Deletion in Google zx
When zx is invoked with --prefer-local=, the CLI creates a symlink named ./nodemodules pointing to /nodemodules. Due to a logic error in src/cli.ts linkNodeModules / cleanup, the function returns the target path instead of the alias symlink path. The later cleanup routine removes what it received...
Use of Incorrectly-Resolved Name or Reference
Overview zx is an A tool for writing better scripts Affected versions of this package are vulnerable to Use of Incorrectly-Resolved Name or Reference via the linkNodeModules function. An attacker can cause deletion of arbitrary directories by supplying a crafted path to the --prefer-local...
CVE-2025-13437
ZX contains a vulnerability (CVE-2025-13437) where, when invoked with --prefer-local=, the CLI creates a symlink ./node_modules to the specified path and a logic error in src/cli.ts (linkNodeModules/cleanup) returns the target path instead of the symlink path. The subsequent cleanup can delete th...
MAL-2025-49032 Malicious code in prefer-arrow (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bd4c923d3d6c399e77c6af5aa1cbd1e4712cb7bd89045f7ad31667227e6e3bd8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
EUVD-2025-36856
Malicious code in prefer-arrow npm...
Malicious code in prefer-arrow (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware bd4c923d3d6c399e77c6af5aa1cbd1e4712cb7bd89045f7ad31667227e6e3bd8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious Package
Overview prefer-arrow is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Malicious code in prefer-object-spread (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 24f3eb78b1232c6b636794710f52f1699237b0b29192397a63c0b1b307652154 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious Package
Overview prefer-object-spread is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
EUVD-2025-36863
Malicious code in prefer-object-spread npm...
MAL-2025-49033 Malicious code in prefer-object-spread (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 24f3eb78b1232c6b636794710f52f1699237b0b29192397a63c0b1b307652154 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
PostgreSQL JDBC Driver allows attacker to inject SQL if using PreferQueryMode=SIMPLE
pgjdbc, the PostgreSQL JDBC Driver, allows an attacker to inject SQL if using PreferQueryMode=SIMPLE. Note, this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a...