8 matches found
CVE-2026-40922 SiYuan: Incomplete sanitization of bazaar README allows stored XSS via iframe srcdoc (incomplete fix for CVE-2026-33066)
SiYuan is an open-source personal knowledge management system. In versions 3.6.1 through 3.6.3, a prior fix for XSS in bazaar README rendering incomplete fix for CVE-2026-33066 enabled the Lute HTML sanitizer, but the sanitizer does not block iframe tags, and its URL-prefix blocklist does not...
Malicious code in tronpad (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 6002c93fa065aaf9656b42830fd923134eb1d298d2c07b0d61865395577771c9 Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...
MAL-2026-894 Malicious code in troncloud (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 8c123c7a348b5856fcedbadf1312d14b224c100c7138bfeeb3eff610fbf9dc12 Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...
Malicious code in hexdeclink (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 4df8ddadb082a2d285b508fc17356d22ef0375649424cc39d9b08a9e32ab6684 Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...
MAL-2025-191758 Malicious code in hexdecnet (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 4ca5c3aa5b553fffaca36241e0e3a6144c9b661b9e0cb77fd93ae34fc6b1ed7e Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...
MAL-2025-191754 Malicious code in hexadecpy (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 e553647ff67ec6e0339b5de8038f9522494a1200e0437156eee7674d5a29ef21 Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...
Malicious code in hexadec (PyPI)
--- -= Per source details. Do not edit below this line.=- Source: kam193 f9d0ae8ccf24a6f5bfc3a0d5e39a983576d6edb2c64d9fe31fcb758236a4aa25 Package appears to be designed for private key exfiltration, but no known usage. The name appears to be related to the cryptocurrency TRX Tron / Tronix. Some...
Cross-Site Scripting
Overview Versions of verdaccio prior to 3.12.0 are vulnerable to Cross-Site Scripting. Contents of READMEs are not properly sanitized before rendering, which may allow attackers to execute arbitrary JavaScript code. Recommendation Upgrade to version 3.12.0 or later...