EUVD-2026-37856

Cotonti 1.0.0 master branch, commit f43f1fc3 is vulnerable to Cross-Site Request Forgery in the Personal File Storage PFS module. In modules/pfs/inc/pfs.editfolder.php, the folder update action 'a=update' updates folder metadata title, description, public/gallery flags without calling cotcheckxg ...

Malicious code in tardigrade-mini-css-extract-plugin-nightwatch-blueshift (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector eccd2dbe37050ec44770db072262af063d90c8cbb1f901cc4ab7337d91745c94 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in webdriver-manager-deneb-nconf-outercore (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d5856dc3105bafd0bd895c339e371e97000f404e871ca844f86c47c579ae39d6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in helmet-pegasus-non-blocking-phoebe (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 14468cf08644b774f382415ed7ea9da2eca47006b532d6e5389e4ad5a9f45130 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in transform-robotics-filament-orbit (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65dfde16dd768ac14d658dcc5d9aefd9d6e5e79e6df9a61fe8202c0c895d6480 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in astroinformatics-ethology-venus-slidev (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 226e9d3d2ba28c131f256e2a26ec85fb9afec9418f57e00d7ec0b300e0e98206 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in table-old-sun-await-decode (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3fff252c7519516e755af569d60b67bb3cbe754fc47400f464b2f0a3628ac9d4 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in public-perseus-zenith-blitz (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c1e0fda9529023a9e7ae60ebe50dfb049b2ebe3a6ca123f31ad56a1ef6721213 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in prompts-capella-node-config-biomimicry (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a5f5aa037e69c5712a92678019d6d286a73fa6b441140f34d4a29bfbecb25b4 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in config-ophiuchus-levels-version (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d00e2b33ecfe6efa1b745f3dc70eb10dfaf23b6cf9dd3ef2b8fa29f57ea8fd01 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in local-terser-postcss-loader-eventhoriz (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 34b65bfa47dbfe04c6f4b072ca313e3d49adb15a955a7b43a2c1fe3e2dee460c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in notify-zero-abstract-old-dog (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1a53282b311726aa389d4f18e04f8cdede5fd23b6a0f0f816a5e9547530a4e8c This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in halley-paleoceanography-mui-callisto (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1e1c18c06b50e272a459781ff344e0e72fb6cca19422c4940dd8a9f7d835cb9e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in darkmatter-exosphere-exoplanetology-yakutsk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 66fd91944b979138e05bf2487dcd84925f2788baa8346eb2c5452959746d963a This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in development-kinetic-mocha-equinox (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 96160b948656b764d9430295e2b31751c70cbd633bb727db7d40e6ab62af00a8 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in dog-daemon-transpile-grid-bundle (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 55edca587df4a61a434055376da40b0f9a67bbb2d201adc1b4ab8833d5c309bf This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in blaze-antares-taurus-prompts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5ad226b864d7c4e73ea785218719e45d19c4ac3acdb0c4d2a3c0530ff2b85350 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in cosmochemistry-lacerta-magnetosphere-reveal-md (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 08d0d5db9b30a391c486f37cb6ced3a4f296a525efa9c588f34a6a3845fe226e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in cosmogenic-astroinformatics-mesosphere-soap (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 51f5567535a8c7e5a16a20da17662eb0990505e3a08147a910886879f3674c79 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

Malicious code in dagda-pulsar-redshift-remark (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 01eb7e5dee33aa92aeb7c166125c8a2a537b2b75814637049b7ce936ca515d24 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...