557270 matches found
CVE-2026-59214
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue...
Malicious code in lovable-tager (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0f100c9dbac6f2e352e559d0eb06f573e971845cc083b80c61f211013e03973a lovable-tager is a single-character-deletion typosquat of the legitimate Vite plugin lovable-tagger. The ESM entry dist/index.js referenced by main...
Malicious code in cookie-parser-es (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b33910f1e874310521f231a698952504d94e6fbdb08ef9d43e02ee220afc18b1 Package name and metadata impersonate the widely-used cookie-parser middleware: README, API surface, and package.json author TJ Holowaychuk and...
Malicious code in multer-orm (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 489805f0242c070653fa4e09c782d8135971a370b3ae292d31d721507332a12f Package name impersonates the popular multer middleware and copies its README/repo metadata. On require'multer-orm', index.js loads lib/feature.js,...
Malicious code in express-router-engine (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49091d8e8923e3e709cebd14f01ee1617267bf3f9b6be99052603715b7cf9f70 The sole shipped file index.js is a heavily obfuscated RC4 + base64 string-array, 337-entry rotated array, control-flow flattening IIFE that executes...
Malicious code in type-slint (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1b5cd26e040f4f4366ed65cca4b70258d276f781e0aab76b99b5573d4007a97d The npm package [email protected] masquerades as the pino logger copied module layout, exports as module.exports.pino, keywords fast/logger/stream/jso...
Malicious code in cursed-ecto-d3ab00 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 49348969de68b56d680a46f67f817053621fa41a5220d8cd0bc1da720e77a5a1 The package has no legitimate functionality index.js is an empty module and exists solely to run an install-time attack payload. All four lifecycle...
CVE-2026-59214 Open WebUI: Stored web worker XSS via Pyodide
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue...
CVE-2026-59214
Open WebUI (self-hosted AI platform) before 0.10.0 is affected by a stored web worker XSS via Pyodide. The vulnerability arises when Pyodide runs in a same-origin web worker and stored chat payloads can cause authenticated same-origin requests through pyodide.http.pyfetch or the browser fetch/XML...
CVE-2026-59214
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, Open WebUI runs client-side Python with Pyodide in a same-origin web worker, allowing stored chat payloads that use pyodide.http.pyfetch or the js module fetch and XMLHttpRequest APIs to issue...
Malicious code in polymarket-apis (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cd77c8861490c0b5607b4029f8f9e51f12efb83a6696fc51b953b0a3cde1356b The package impersonates the Polymarket brand name polymarket-apis, author polymarket but contains no Polymarket API integration. Its exported...
Malicious code in polymarket-trader-apis (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 54436b6dea3d66e295c1ca82184b4f4b904d8441a68e77845f37cbb039c5f3c9 [email protected] advertises itself as a Polymarket trading helper but its main entry is a remote code loader. The default-exported...
Malicious code in polymarket-kit (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 63a4eba33a56521a94e4e0b3ab2923d58b0c5cd398c791e36433536591a1d6ff Package name and description advertise a 'Polymarket API SDK', but the shipped code contains no Polymarket functionality. The exported getPlugin help...
Malicious code in es6-codify (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e7ae2aa828c8ed2c3ec71480536fd07d9c19f3c698c3b095eafb41206ff3a75f The package advertises itself as a small ES6 string/array/object utility library, but both entrypoints dist/index.cjs and the ESM build execute a...
Wordfence Intelligence Weekly WordPress Vulnerability Report (June 29, 2026 to July 5, 2026)
Last week, there were 246 vulnerabilities disclosed in 179 WordPress Plugins and 40 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 100 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabiliti...
Malicious code in chai-as-buffered (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d136202d96267459c4bf3aaaf6c903d7bd2c491901b61dcf2f391a4612f951a [email protected] is a typosquat lure name resembles chai-as-promised; README and module exports impersonate the pino logger whose actual...
Malicious code in chai-deflect (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4328eb627063ce40813ae27e3cb7ec1a967d17aa6c2bf045f0083d42e09352ea On require'chai-deflect', index.js top-level invokes launchDeflectBootstrap which detaches a child process running lib/caller.js. caller.js issues an...
Malicious code in chai-defender (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 14f276305fd5e43b60bbfd1048d8792ef7f72734c28cfe533d368c0fc199a0fe On require'chai-defender', index.js invokes launchDeflectBootstrap which spawns a detached background node process running lib/caller.js. That proces...
apache-cxf: org.apache.cxf/cxf-integration-jca: Apache CXF: Arbitrary code execution via JNDI Injection
A flaw was found in Apache CXF's JCA integration module. This Java Naming and Directory Interface JNDI Injection vulnerability allows for arbitrary code execution. A remote attacker could exploit this by manipulating the Java EE Connector Architecture JCA deployment descriptor ra.xml or runtime...
org.apache.logging.log4j/log4j-core: Apache Log4j Core: Log injection via CRLF sequences due to configuration attribute renames
A flaw was found in Apache Log4j Core. This vulnerability allows for log injection through the use of Carriage Return Line Feed CRLF sequences. This occurs because security-related configuration attributes were silently renamed, impacting users who directly configure Rfc5424Layout with stream-bas...