CVE-2026-40318 SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and prior, the /api/av/removeUnusedAttributeView endpoint constructs a filesystem path using the user-controlled id parameter without validation or path boundary enforcement. An attacker can inject path traversal...

CVE-2026-40259 SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via removeUnusedAttributeView API

SiYuan is an open-source personal knowledge management system. In versions 3.6.3 and below, the /api/av/removeUnusedAttributeView endpoint is protected only by generic authentication that accepts publish-service RoleReader tokens. The handler passes a caller-controlled id directly to a model...

SiYuan 安全漏洞

SiYuan is an open-source personal knowledge management system developed by SiYuan itself. Versions of SiYuan 3.6.3 and earlier contained security vulnerabilities. These vulnerabilities stemmed from the /api/av/removeUnusedAttributeView endpoint, which was only protected by general authentication...

Malicious code in fusion-events (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e8c8e696e51251f71e47adebced7b96e693530edba7546edfc180e21202e2048 The package fusion-events was found to contain malicious code. Source: ghsa-malware 88d534717a957da6a2dd2be4f5db4aa652489fa5ac3b30382f4a8e5e06865be2...

Malicious code in base-counter-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0d62a2050cc5eeb2ef06d0fc82867045f7b3d45cb4285dee67a182482ec29fb7 The package base-counter-web was found to contain malicious code. Source: ghsa-malware a14be5d8c05cd4abe5d7c7cc81e7da406ff18dfed1f6b64d1eb731c9344b4e...

MAL-2026-2692 Malicious code in fusion-events (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e8c8e696e51251f71e47adebced7b96e693530edba7546edfc180e21202e2048 The package fusion-events was found to contain malicious code. Source: ghsa-malware 88d534717a957da6a2dd2be4f5db4aa652489fa5ac3b30382f4a8e5e06865be2...

Malicious code in vs-supplier-portal-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd4ce50d0cee946b14aa2dee0c469a73331ff0c63bc65b134b3b50edb5d43c54 The package vs-supplier-portal-web was found to contain malicious code. Source: ghsa-malware...

Malicious code in @pnc-ref/harmony-core-v18 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e9af3593ce67756288a2b5c3d0b337f86b5dc510085895bc2d8f76629a79a350 The package @pnc-ref/harmony-core-v18 was found to contain malicious code. Source: ghsa-malware...

Malicious code in @pnc-ref/harmony-support-v18 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3c6a47dfcf980f2cd22ec066b1f85f003d7001a45e28ee6a5541e4b18e5edc5 The package @pnc-ref/harmony-support-v18 was found to contain malicious code. Source: ghsa-malware...

MAL-2026-2690 Malicious code in @pnc-ref/harmony-support-v18 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3c6a47dfcf980f2cd22ec066b1f85f003d7001a45e28ee6a5541e4b18e5edc5 The package @pnc-ref/harmony-support-v18 was found to contain malicious code. Source: ghsa-malware...

MAL-2026-2688 Malicious code in @pnc-cib/cib-core-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8766c693609e1190061234006c3ba48a9e4f421805daabf59baa712e6d634eee The package @pnc-cib/cib-core-lib was found to contain malicious code. Source: ghsa-malware...

Malicious code in @pnc-cib/cib-core-lib (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8766c693609e1190061234006c3ba48a9e4f421805daabf59baa712e6d634eee The package @pnc-cib/cib-core-lib was found to contain malicious code. Source: ghsa-malware...

Malicious code in com.baogong.app_push_permission (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 93345e918d93e3cd492384a72e95c8e9ce9cafec610ce022b3b19493edb68780 The package com.baogong.apppushpermission was found to contain malicious code. Source: ghsa-malware...

CVE-2026-1852

The Product Pricing Table by WooBeWoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the updateLabel and remove functions. This makes it possible for unauthenticated attackers to...

CVE-2026-1852

The Product Pricing Table by WooBeWoo plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.0. This is due to missing or incorrect nonce validation on the updateLabel and remove functions. This makes it possible for unauthenticated attackers to...

MAL-2026-2678 Malicious code in snitz-chief-cloud (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bbc306ec8452bc2fd831e57407e5c99169c8e2813debf726f99604d8c6e459a4 The package snitz-chief-cloud was found to contain malicious code. Source: ghsa-malware...

Malicious code in chief-documentation (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4685fab18e6de4de4fba0c842db2c4ee4114ca7259b8339900078fec02724a39 The package chief-documentation was found to contain malicious code. Source: ghsa-malware...

Malicious code in chief-proxy-out (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9b408fee03920bbac11e3f3e2a31fa1948a9d1b99041e54c1e10ba0f5e8cf949 The package chief-proxy-out was found to contain malicious code. Source: ghsa-malware cc92974c8b9f8dc914e29b747314307d52026764bd99c484f10fad298df29f6...

Malicious code in snitz-chief-cloud (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bbc306ec8452bc2fd831e57407e5c99169c8e2813debf726f99604d8c6e459a4 The package snitz-chief-cloud was found to contain malicious code. Source: ghsa-malware...

Malicious code in moscova-plural-json-parser (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9a51fa685cb52dec458580533d514310ee1449c22a04bf82f6f1fc1e9e7b9db5 The package moscova-plural-json-parser was found to contain malicious code. Source: ghsa-malware...