234 matches found

OSV
added 2026/03/18 8:17 p.m., 1 view

GHSA-VCCX-P757-PV6H mo has an XSS via inline SVG script tags in Markdown rendering

Summary: When rendering Markdown files containing inline SVG elements with script tags, the embedded JavaScript is executed in the browser. This is because rehype-raw passes raw HTML, SVG included, through to the DOM without sanitization. PoC (markup lost in extraction): an inline SVG element with a script tag calling alert(1). Embedding the above in a Markdown file opened with ...

CVSS 2.3, AI score 5.9
Exploits 0, References 2
OSV
added 2026/03/06 4:16 a.m., 2 views

CVE-2026-28509 LangBot has a Cross Site Scripting (XSS) Vulnerability

LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot's web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting (XSS) vulnerability. This issue has been patched in version 4.8.7...

CVSS 6.3, AI score 5.5, EPSS 0.00043
Exploits 1, References 4
Cvelist
added 2026/03/06 4:16 a.m., 30 views

CVE-2026-28509 LangBot has a Cross Site Scripting (XSS) Vulnerability

LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot's web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting (XSS) vulnerability. This issue has been patched in version 4.8.7...

CVSS 6.3, EPSS 0.00043
Exploits 1, References 2
Vulnrichment
added 2026/03/06 4:16 a.m., 2 views

CVE-2026-28509 LangBot has a Cross Site Scripting (XSS) Vulnerability

LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot's web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting (XSS) vulnerability. This issue has been patched in version 4.8.7...

CVSS 6.3, AI score 5.7, EPSS 0.00043
Exploits 1, References 2
CVE
added 2026/03/06 4:16 a.m., 6 views

CVE-2026-28509

LangBot's web UI prior to version 4.8.7 renders user-supplied raw HTML via rehypeRaw, resulting in a cross-site scripting (XSS) vulnerability. Affected product: LangBot (global IM bot platform for LLMs). Root cause: unescaped user HTML processed by rehypeRaw. Impact (per CVSS): Confidentiality im...

CVSS 6.3, AI score 5.7, EPSS 0.00043
Exploits 1, References 2, Affected Software 1
CNNVD
added 2026/03/06 12:00 a.m., 2 views

LangBot cross-site scripting vulnerability

LangBot is an open-source development platform for large-scale instant messaging bots created by LangBot. Versions of LangBot prior to 4.8.7 contain a cross-site scripting vulnerability. The vulnerability stems from the use of rehypeRaw to render the raw HTML provided by users, which...

CVSS 6.3, AI score 5.6, EPSS 0.00043
Exploits 1, References 3
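The two XSS entries above (mo via inline SVG script tags, LangBot via rehypeRaw) share one root cause: raw HTML inside user-controlled Markdown is turned into DOM nodes with no allowlist pass afterwards. The block below is an added example, not code from mo, LangBot or the rehype/unified projects. It is a toy Markdown renderer with a rehype-raw-style passthrough mode beside an allowlist sanitizer of the kind rehype-sanitize applies, run over a constructed Markdown sample that carries the SVG script vector and two other raw-HTML vectors. The sample input, the allowlist, and every function name are assumptions made for the demo; in a real unified pipeline the fix is to place rehype-sanitize after rehype-raw, not to hand-roll a filter like this one.

```javascript
// Added example, not code from mo, LangBot or the rehype/unified projects.
// Toy Markdown renderer with a rehype-raw-style passthrough mode (raw HTML
// becomes DOM, the vulnerable setting) beside an allowlist sanitizer of the
// kind rehype-sanitize applies. Input, allowlist and names are constructed.

// Constructed sample: three raw HTML blocks, each a different XSS vector.
const SAMPLE_MARKDOWN = [
  '# Release notes',
  '',
  'Normal *text* with a [link](https://example.com).',
  '',
  '<svg><script>alert(1)</script></svg>',          // the mo advisory's vector
  '',
  '<img src="x" onerror="alert(2)">',              // event-handler attribute
  '',
  '<a href="javascript&colon;alert(3)">click</a>', // entity-obfuscated scheme
].join('\n');

// Allowlist: element -> attributes that may survive. Everything else is removed.
const ALLOWED = new Map([
  ['a', new Set(['href', 'title'])], ['img', new Set(['src', 'alt'])],
  ...['p', 'em', 'strong', 'code', 'pre', 'ul', 'ol', 'li', 'br', 'h1', 'h2'].map((t) => [t, new Set()]),
]);
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const URL_ATTRS = new Set(['href', 'src']);
const SAFE_URL = /^(?:https?:|mailto:|\/|#|[^:]*$)/i; // scheme allowlist: javascript:, data:, vbscript: all fail
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", colon: ':', tab: '\t', newline: '\n' };

// Decode entities before inspecting a URL: the browser turns `&colon;` and
// `&#58;` into ':' before resolving the scheme, so the check must see the same bytes.
function decodeEntities(s) {
  return s.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (whole, body) => {
    if (body[0] === '#') {
      const code = /^#x/i.test(body) ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return code <= 0x10ffff ? String.fromCodePoint(code) : whole;
    }
    return NAMED[body.toLowerCase()] ?? whole;
  });
}
const escapeText = (s) => s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
const escapeAll = (s) => s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');

function sanitizeAttrs(tag, rawAttrs, dropped) {
  let out = '';
  for (const m of rawAttrs.matchAll(/([^\s=>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g)) {
    const attr = m[1].toLowerCase();
    const value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? '');
    if (!ALLOWED.get(tag).has(attr)) { dropped.push(`${tag}@${attr}`); continue; } // every on* handler dies here
    if (URL_ATTRS.has(attr) && !SAFE_URL.test(value.replace(/[\u0000-\u0020\u007f]/g, ''))) {
      dropped.push(`${tag}@${attr}=${value}`);
      continue;
    }
    out += ` ${attr}="${escapeAll(value)}"`;
  }
  return out;
}

// Allowlist pass over a raw HTML fragment. Returns the cleaned markup plus what
// was removed; a non-empty `dropped` on user content is worth logging. Anything
// the tokenizer cannot parse as a tag (e.g. `<svg/onload=...>`) is emitted as
// escaped text, so the filter fails closed.
function sanitizeHtml(html) {
  const dropped = [];
  let out = '', last = 0, skipUntil = null;
  const tagRe = /<\/?([a-zA-Z][\w:-]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*\/?>/g;
  for (const m of html.matchAll(tagRe)) {
    const name = m[1].toLowerCase(), closing = m[0].startsWith('</');
    if (!skipUntil) out += escapeText(html.slice(last, m.index));
    last = m.index + m[0].length;
    if (skipUntil) { if (closing && name === skipUntil) skipUntil = null; continue; }
    if (DROP_WITH_CONTENT.has(name)) { if (!closing) { skipUntil = name; dropped.push(name); } continue; }
    if (!ALLOWED.has(name)) { if (!closing) dropped.push(name); continue; } // unknown element: drop tag, keep children
    out += closing ? `</${name}>` : `<${name}${sanitizeAttrs(name, m[2], dropped)}>`;
  }
  if (!skipUntil) out += escapeText(html.slice(last));
  return { html: out, dropped };
}

const inline = (s) => escapeAll(s)
  .replace(/\*([^*]+)\*/g, '<em>$1</em>')
  .replace(/\[([^\]]+)\]\((https?:\/\/[^)\s"]+)\)/g, '<a href="$2">$1</a>');

// Toy Markdown-to-HTML. A block starting with '<' is a raw HTML block
// (CommonMark's rule, simplified). Modes: 'escape' shows the markup as inert
// text; 'raw' is what rehype-raw does (the vulnerable setting); 'sanitize' is
// raw followed by the allowlist pass, i.e. rehype-raw then rehype-sanitize.
function renderMarkdown(md, mode) {
  const out = [];
  for (const block of md.split(/\n{2,}/).map((b) => b.trim()).filter(Boolean)) {
    if (block.startsWith('<')) {
      if (mode === 'raw') out.push(block);
      else if (mode === 'sanitize') out.push(sanitizeHtml(block).html);
      else out.push(`<p>${escapeAll(block)}</p>`);
      continue;
    }
    const h = /^(#{1,6})\s+(.*)$/.exec(block);
    out.push(h ? `<h${h[1].length}>${inline(h[2])}</h${h[1].length}>` : `<p>${inline(block)}</p>`);
  }
  return out.filter(Boolean).join('\n');
}

console.log('--- raw (rehype-raw without sanitize) ---\n' + renderMarkdown(SAMPLE_MARKDOWN, 'raw'));
console.log('--- sanitized ---\n' + renderMarkdown(SAMPLE_MARKDOWN, 'sanitize'));
```

In 'raw' mode the SVG script block, the onerror handler and the javascript: link all reach the output unchanged, which is the mo and LangBot condition. In 'sanitize' mode the unknown svg element is unwrapped, the script element is removed with its contents, the handler attribute is dropped and the href is rejected after entity decoding, and the `dropped` list names each removal so the renderer can log attempts rather than silently swallow them.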
EUVD
added 2025/11/13 3:23 a.m., 1 view

EUVD-2025-176732

Malicious code in rehype-janus-nebula-quito npm...

AI score 6.6
Exploits 0

EUVD
added 2025/11/13 3:23 a.m., 2 views

EUVD-2025-178638

Malicious code in grus-nodemon-rehype-hermes npm...

AI score 6.6
Exploits 0

EUVD
added 2025/11/13 3:23 a.m., 1 view

EUVD-2025-179450

Malicious code in csv-mongodb-rehype-less-loader npm...

AI score 6.6
Exploits 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 4 views

Malicious code in cosmiconfig-xml-rehype-webpack (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector c337d51a5afe782ff83bde8f55685686a71e8d4b23d52af00c64f247b76db8e7 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 4 views

Malicious code in csv-mongodb-rehype-less-loader (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector 07f821738c4cf7c99d8107896b24f9a81bd00506c105a6aca07ef8a729d5d444 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 4 views

Malicious code in gemini-postgres-rehype-sagitta (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector 835234f600dc962131b0c036e7163ad52a55b2eff7514f87441427dbc9a88dae This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0

EUVD
added 2025/11/13 3:23 a.m., 1 view

EUVD-2025-180089

Malicious code in betelgeuse-gammarayburst-puppeteer-rehype npm...

AI score 6.6
Exploits 0

EUVD
added 2025/11/13 3:23 a.m., 1 view

EUVD-2025-176731

Malicious code in rehype-mesosphere-orbit-puppeteer npm...

AI score 6.6
Exploits 0

OSSF Malicious Packages
added 2025/11/13 3:23 a.m., 4 views

Malicious code in grus-nodemon-rehype-hermes (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector a6d559410a1d7d46410b0043f04df13062a94d3ab8a1f955226d05167489046f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits 0

EUVD
added 2025/11/13 3:23 a.m., 1 view

EUVD-2025-178740

Malicious code in gemini-postgres-rehype-sagitta npm...

AI score 6.6
Exploits 0

OSV
added 2025/11/13 3:23 a.m., 2 views

MAL-2025-187244 Malicious code in grus-nodemon-rehype-hermes (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector a6d559410a1d7d46410b0043f04df13062a94d3ab8a1f955226d05167489046f This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits 0

EUVD
added 2025/11/13 3:23 a.m., 1 view

EUVD-2025-175994

Malicious code in test-cache-rehype-backend npm...

AI score 6.6
Exploits 0

EUVD
added 2025/11/13 3:23 a.m., 2 views

EUVD-2025-179657

Malicious code in comet-rehype-transport-entanglement npm...

AI score 6.6
Exploits 0

OSV
added 2025/11/13 3:23 a.m., 0 views

MAL-2025-187416 Malicious code in hyperion-prettier-stylelint-sqlite-rehype (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector 6521de9c655dbd6f20939704f17ffa28a37be1b632cc49a17cba0b908977d84e This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits 0