Lucene search
+L

88921 matches found

nvd
nvd
added 2026/01/29 10:15 p.m.13 views

CVE-2026-25046

Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...

2.9CVSS0.00113EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/01/29 9:37 p.m.4 views

CVE-2026-25046 [Kimi VS Code] Command Injection in publish scripts vsix-publish.js and ovsx-publish.js

Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...

2.9CVSS5.9AI score0.00113EPSS
Exploits0References1
euvd
euvd
added 2026/01/29 9:37 p.m.16 views

EUVD-2026-4948

Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...

2.9CVSS6.1AI score0.00113EPSS
Exploits0References1
osv
osv
added 2026/01/29 9:37 p.m.11 views

CVE-2026-25046 [Kimi VS Code] Command Injection in publish scripts vsix-publish.js and ovsx-publish.js

Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...

2.9CVSS6.1AI score0.00113EPSS
Exploits0References3
cve
cve
added 2026/01/29 9:37 p.m.24 views

CVE-2026-25046

The CVE concerns the Kimi Agent SDK, specifically the development scripts vsix-publish.js and ovsx-publish.js, which pass filenames to shell via execSync(). Prior to v0.1.6, filenames containing shell metacharacters (e.g., $(cmd)) could cause arbitrary command execution. It affects development sc...

2.9CVSS6.1AI score0.00113EPSS
Exploits0References1
cvelist
cvelist
added 2026/01/29 9:37 p.m.28 views

CVE-2026-25046 [Kimi VS Code] Command Injection in publish scripts vsix-publish.js and ovsx-publish.js

Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...

2.9CVSS0.00113EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/01/29 12:0 a.m.13 views

PT-2026-5361

Name of the Vulnerable Software and Affected Versions Kimi Agent SDK versions prior to 0.1.6 Description The Kimi Agent SDK libraries expose the Kimi Code agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to the execSync function as shell command string...

2.9CVSS6.1AI score0.00113EPSS
Exploits0References5
ossf
ossf
added 2025/11/13 3:23 a.m.4 views

Malicious code in registry-apex-seismology-ichnology (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1bc0e74f615cb57fa334ff9dd070697aeb39697d41fa7ea06d55847b0e2cc7b6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.8 views

Malicious code in capella-tethys-lynx-antimatter (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b3bd723d35218da7f1893c877e9a4ed4feb0ca1f191e3971ab7cc91e3f7fe418 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.7 views

Malicious code in procyon-json-dynamo-neutrino (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be2e07823e5cce346b257d22926e479c2d0a207460567f6726c84336674fe59f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.4 views

Malicious code in emulate-signal-psi-void-root (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7161863c004244de5cbff28eb8280d1b4c29469e0d59d63306be032cb0dcbea3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.7 views

Malicious code in ora-polaris-uranology-planckscale (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c94ca100618990dee2927e23b7d9bc5d41e43bd37867540cbad3756c8b7b740a This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.5 views

Malicious code in publish-xanthus-cypress-redis (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3cddde1a52ce767fadb05cbd31671938c574d95abb54b2c3e13d2a133ea934da This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.5 views

Malicious code in framework-release-it-fornax-non-blocking (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 41b7d00319abd576e303397fbe78c43c769e871f30b6725bd501a0203e38c58f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.7 views

Malicious code in singularity-kuiperbelt-loopback-fermiparadox (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1f1afa76f7fe37851e702aa99f703e08b3365b03f94bca78843a30a75678da27 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.6 views

Malicious code in radiometric-vega-element-ui-oortcloud (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1260fed5837dd3c43bd4ecea72add038d82fbcf75ec543f03ca004f630806fc5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.6 views

Malicious code in load-fire-balance-try-old (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5ed8bd45f714ed76dc28e104d80484f6275477e646f6d793386b90377bb12749 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.7 views

Malicious code in release-it-library-start-inquirer (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 348aaa3d96cbbca9efb6a3b8e5c7e01f9bfc1413dce9e60070864b028329ab09 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.6 views

Malicious code in entanglement-pino-lint-innercore (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5bae11fcd1d834d151b4d2a4fabd47aea93d666ed6b8a38c767ddbcfe35e8ab8 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
ossf
ossf
added 2025/11/13 3:23 a.m.5 views

Malicious code in java-theta-theta-zero-static (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de583b65b57ab9087f465b92bd3ee216f6f2f543c1cddc1d8ae174441f641f89 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score
Exploits0
Rows per page
Query Builder