728061 matches found
Malicious code in abuden221 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fbd19b84f2238fb96214c792d294b1ac0e114103c238ddf040a7960377d78f90 The tarball is a static-site / web-proxy build index.html, /assets/.js bundles with obfuscated names, a.well-known/discord verification file, brandin...
Malicious code in abuden22 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57 The tarball contains a static-site bundle index.html, obfuscated asset chunks, service worker sw.js, and the MercuryWorkshop/Scramjet web-proxy bundl...
MAL-2026-6129 Malicious code in abuden22 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 1c6b2d1b9158b6a3652850cdee84fd448567fc6d8187e685ee0b85eb8d594f57 The tarball contains a static-site bundle index.html, obfuscated asset chunks, service worker sw.js, and the MercuryWorkshop/Scramjet web-proxy bundl...
MAL-2026-6130 Malicious code in abuden221 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fbd19b84f2238fb96214c792d294b1ac0e114103c238ddf040a7960377d78f90 The tarball is a static-site / web-proxy build index.html, /assets/.js bundles with obfuscated names, a.well-known/discord verification file, brandin...
Malicious code in abuden218 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5215a61abda9d84fd39b739be57d465fddcf6561219deddfe212538607de0c66 Package is published under a deceptive identity. package.json declares main=sw.js, but sw.js is a service-worker entry importScripts that throws when...
MAL-2026-6128 Malicious code in abuden218 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5215a61abda9d84fd39b739be57d465fddcf6561219deddfe212538607de0c66 Package is published under a deceptive identity. package.json declares main=sw.js, but sw.js is a service-worker entry importScripts that throws when...
Malicious code in panrouter-admin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 390c706978c9207807a0aeb4b1e3dfc500847828c23f5ffb06a14171ca8e51e6 panrouter-admin ships relayclient.cjs, which connects to a hardcoded WebSocket endpoint at wss://jiuling.xyz/ws, registers the host with an identity ...
MAL-2026-6134 Malicious code in panrouter-admin (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 390c706978c9207807a0aeb4b1e3dfc500847828c23f5ffb06a14171ca8e51e6 panrouter-admin ships relayclient.cjs, which connects to a hardcoded WebSocket endpoint at wss://jiuling.xyz/ws, registers the host with an identity ...
Malicious code in metavu (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fc05e6833390f96b1a53f5d1612e613436e5002673da2f7a8c1e8e9f9f41c525 package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects hostname, platform, architecture, home...
MAL-2026-6132 Malicious code in metavu (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fc05e6833390f96b1a53f5d1612e613436e5002673da2f7a8c1e8e9f9f41c525 package.json declares preinstall: node index.js, which fires automatically on npm install. index.js collects hostname, platform, architecture, home...
GHSA-WCPR-6G7X-P44R googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken)
An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...
googleapis/mcp-toolbox: authentication bypass vulnerability in the generic opaque token validation path (validateOpaqueToken)
An authentication bypass vulnerability exists in the generic opaque token validation path validateOpaqueToken of googleapis/mcp-toolbox. When the toolbox validates an opaque token via an OAuth 2.0 introspection endpoint RFC 7662, it decodes the response into an introspectResp struct. However, the...
GHSA-X5MV-8WGW-29HG tract-nnef: integer overflow in NNEF `.dat` tensor parser yields an out-of-bounds read on model load
Component: tract-nnef nnef/src/tensors.rs::readtensor + tract-data data/src/tensor.rs - Affected versions: 0.21.16, 0.22.0–0.22.2, 0.23.0–0.23.1 — the dense DatLoader path was unguarded across all three release lines; patched in 0.21.16 / 0.22.2 / 0.23.1 - Class: CWE-190 integer overflow →...
tract-nnef: integer overflow in NNEF `.dat` tensor parser yields an out-of-bounds read on model load
Component: tract-nnef nnef/src/tensors.rs::readtensor + tract-data data/src/tensor.rs - Affected versions: 0.21.16, 0.22.0–0.22.2, 0.23.0–0.23.1 — the dense DatLoader path was unguarded across all three release lines; patched in 0.21.16 / 0.22.2 / 0.23.1 - Class: CWE-190 integer overflow →...
Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID
Development Runner Telephony WebSocket /ws Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID Summary The pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without any authentication. An unauthenticated remote attacker who...
GHSA-J8CV-X86Q-RJ85 Pipecat: Telephony WebSocket `/ws` Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID
Development Runner Telephony WebSocket /ws Unauthenticated Call-Control Abuse via Attacker-Supplied Call SID Summary The pipecat development runner registers a /ws WebSocket endpoint for telephony testing that accepts connections without any authentication. An unauthenticated remote attacker who...
GHSA-W5CV-PW74-4RXC opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication
githubreceiver Silently Ignores Configured requiredheaders Authentication Summary The githubreceiver webhook handler does not enforce the requiredheaders configuration. Headers are validated at startup config rejects empty keys/values but never checked on incoming requests. This follows the same...
opentelemetry-collector-contrib: githubreceiver silently ignores configured required_headers authentication
githubreceiver Silently Ignores Configured requiredheaders Authentication Summary The githubreceiver webhook handler does not enforce the requiredheaders configuration. Headers are validated at startup config rejects empty keys/values but never checked on incoming requests. This follows the same...
Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`
TL;DR This vulnerability affects Kirby sites and plugins that use the writer or list fields or that use $dom-sanitize, Sane::sanitize, Sane\Html::sanitize, Sane\Svg::sanitize, Sane\Xml::sanitize, Sane::sanitizeFile or $file-sanitizeContents with untrusted input. It was possible to inject maliciou...
GHSA-WR9H-4R83-F4V6 Kirby: Cross-site scripting (XSS) from incomplete HTML/XML sanitization in `Dom::sanitize()`
TL;DR This vulnerability affects Kirby sites and plugins that use the writer or list fields or that use $dom-sanitize, Sane::sanitize, Sane\Html::sanitize, Sane\Svg::sanitize, Sane\Xml::sanitize, Sane::sanitizeFile or $file-sanitizeContents with untrusted input. It was possible to inject maliciou...