10 matches found
CVE-2026-39308
PraisonAI is a multi-agent teams system. Prior to 1.5.113, PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal manifest.json before it verifies that the manifest name and version match the HTTP route. A malicious...
CVE-2026-39308
Summary: CVE-2026-39308 affects PraisonAI’s recipe registry publish flow. Before version 1.5.113, the endpoint writes uploaded bundles to a filesystem path derived from manifest.json before validating that manifest name/version against the URL. A crafted manifest with directory traversal (../) c...
Malicious code in madisonperez (npm)
Source: amazon-inspector 8fb8476d8446bbeb0aec14afac5283214538c51533b29d3c053c96b6369e4e2e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in uinsu-lis-dinu (npm)
Source: amazon-inspector e15d051d1ff784373f420c4e475a23398d932a3b09ab0984d9bb3a1b84b22202 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-163632 Malicious code in nokire-zenitsu43 (npm)
Source: amazon-inspector 79de8bb3ddb725c6b1cd8722ee4b967a844e8f0d58ad4aa0ab9fb1a352ab9de6 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in vitreous_panda_z3n (npm)
Source: amazon-inspector c2beaf558344dadb035a80e6bd1168f2dc6da9993524a465a10698172dcde3b3 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
Malicious code in nina-lepet85-breki (npm)
Source: amazon-inspector 450593367a8a28c30840a5999866e7adef7da55020e47a7372f4103c28856b35 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-109204 Malicious code in strong_mink_z3n (npm)
Source: amazon-inspector 64a570ff097e00c999ed7ad3df6038b8dfef23ecf3783a83975c3f5c49c0c01f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...
MAL-2025-98723 Malicious code in frequent_tyrannosaurus_z3n (npm)
Source: amazon-inspector 7cf77d766740ae93bd3418cc94d476a45722f4a04b5fba90478236c89e1a3720 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...