88921 matches found
CVE-2026-25046
Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...
CVE-2026-25046 [Kimi VS Code] Command Injection in publish scripts vsix-publish.js and ovsx-publish.js
Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...
EUVD-2026-4948
Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...
CVE-2026-25046 [Kimi VS Code] Command Injection in publish scripts vsix-publish.js and ovsx-publish.js
Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...
CVE-2026-25046
The CVE concerns the Kimi Agent SDK, specifically the development scripts vsix-publish.js and ovsx-publish.js, which pass filenames to shell via execSync(). Prior to v0.1.6, filenames containing shell metacharacters (e.g., $(cmd)) could cause arbitrary command execution. It affects development sc...
CVE-2026-25046 [Kimi VS Code] Command Injection in publish scripts vsix-publish.js and ovsx-publish.js
Kimi Agent SDK is a set of libraries that expose the Kimi Code Kimi CLI agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $cmd could execute...
PT-2026-5361
Name of the Vulnerable Software and Affected Versions Kimi Agent SDK versions prior to 0.1.6 Description The Kimi Agent SDK libraries expose the Kimi Code agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to the execSync function as shell command string...
Malicious code in registry-apex-seismology-ichnology (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1bc0e74f615cb57fa334ff9dd070697aeb39697d41fa7ea06d55847b0e2cc7b6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in capella-tethys-lynx-antimatter (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b3bd723d35218da7f1893c877e9a4ed4feb0ca1f191e3971ab7cc91e3f7fe418 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in procyon-json-dynamo-neutrino (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector be2e07823e5cce346b257d22926e479c2d0a207460567f6726c84336674fe59f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in emulate-signal-psi-void-root (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7161863c004244de5cbff28eb8280d1b4c29469e0d59d63306be032cb0dcbea3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in ora-polaris-uranology-planckscale (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c94ca100618990dee2927e23b7d9bc5d41e43bd37867540cbad3756c8b7b740a This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in publish-xanthus-cypress-redis (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3cddde1a52ce767fadb05cbd31671938c574d95abb54b2c3e13d2a133ea934da This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in framework-release-it-fornax-non-blocking (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 41b7d00319abd576e303397fbe78c43c769e871f30b6725bd501a0203e38c58f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in singularity-kuiperbelt-loopback-fermiparadox (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1f1afa76f7fe37851e702aa99f703e08b3365b03f94bca78843a30a75678da27 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in radiometric-vega-element-ui-oortcloud (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1260fed5837dd3c43bd4ecea72add038d82fbcf75ec543f03ca004f630806fc5 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in load-fire-balance-try-old (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5ed8bd45f714ed76dc28e104d80484f6275477e646f6d793386b90377bb12749 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in release-it-library-start-inquirer (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 348aaa3d96cbbca9efb6a3b8e5c7e01f9bfc1413dce9e60070864b028329ab09 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in entanglement-pino-lint-innercore (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5bae11fcd1d834d151b4d2a4fabd47aea93d666ed6b8a38c767ddbcfe35e8ab8 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in java-theta-theta-zero-static (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector de583b65b57ab9087f465b92bd3ee216f6f2f543c1cddc1d8ae174441f641f89 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...