Cross-site Scripting (XSS)
Overview: silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the FormAction field. An attacker can execute arbitrary script in the browser of other users by supplying a malicious titl...
Cross-site Scripting (XSS)
Overview: silverstripe/framework is a PHP framework forming the base for the SilverStripe CMS. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via insufficient output encoding in TreeDropdownField and TreeMultiSelectField. An attacker can execute arbitrary script in th...
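Both SilverStripe entries above are the same bug class: a user-supplied string (a FormAction title, a tree node label) written into HTML without encoding for the context it lands in. The following is an added example, not SilverStripe code, showing the raw interpolation beside context-correct encoding; the button markup, the attacker title and the attributeNames helper are constructed for illustration.

```javascript
// Added example (not SilverStripe code): both advisories above are the same
// bug class, a user-supplied string (a FormAction title, a tree node label)
// written into HTML without encoding for the context it lands in.

// Encode for an HTML text node or a double-quoted attribute value. Escaping
// all five characters makes one function correct in both contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the title is interpolated raw into an attribute and
// into the element body ("insufficient output encoding").
function renderActionUnsafe(name, title) {
  return `<button name="${name}" title="${title}">${title}</button>`;
}

// Hardened rendering: every untrusted value is encoded at the point of output.
function renderActionSafe(name, title) {
  const t = escapeHtml(title);
  return `<button name="${escapeHtml(name)}" title="${t}">${t}</button>`;
}

// Names of the attributes a browser would see on the <button> start tag.
// Used to show whether the title stayed inside its own attribute.
function attributeNames(html) {
  const tag = html.match(/<button\s([^>]*)>/);
  if (!tag) return [];
  return Array.from(tag[1].matchAll(/([a-z-]+)="[^"]*"/g), (m) => m[1]);
}

// Constructed attacker-controlled title (not taken from the advisories):
// closes the attribute, then adds an event handler.
const maliciousTitle = '" onmouseover="alert(document.cookie)" x="';
```

With the raw template the title produces two extra attributes (onmouseover and x) on the button; with encoding the browser sees exactly the two attributes the template emitted and the payload is inert text.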
XML Injection
Overview: Affected versions of this package are vulnerable to XML Injection during request serialization of scalar XML element values. An attacker can smuggle raw XML markup into generated output by supplying a string that contains the CDATA terminator ]]>. This lets attacker-controlled content break out...
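The following is an added example, not the affected package's code, showing why a scalar value wrapped in CDATA must have every ]]> split: the naive serializer lets the terminator in the input end the section early, and a parser then reads whatever follows as markup. The parseCdataStream helper and the payload are constructed for illustration.

```javascript
// Added example (not the affected package's code): serialising a scalar value
// into a CDATA section. The section ends at the first ]]> a parser sees, so a
// ]]> inside the value turns the rest of the value back into markup.

// Naive serialisation: wraps the value without looking for the terminator.
function toCdataUnsafe(value) {
  return `<![CDATA[${value}]]>`;
}

// Safe serialisation: split every ]]> so that "]]" ends one section and ">"
// opens the next. The parsed text is unchanged, but no terminator from the
// input survives as a terminator in the output.
function toCdataSafe(value) {
  return `<![CDATA[${String(value).split(']]>').join(']]]]><![CDATA[>')}]]>`;
}

// Minimal CDATA-aware reader showing what a parser sees: the text content of
// all CDATA sections, and whatever raw markup sits between them.
function parseCdataStream(xml) {
  const out = { text: '', rawMarkup: '' };
  const re = /<!\[CDATA\[([\s\S]*?)\]\]>/g;
  let last = 0;
  let m;
  while ((m = re.exec(xml)) !== null) {
    out.rawMarkup += xml.slice(last, m.index);
    out.text += m[1];
    last = re.lastIndex;
  }
  out.rawMarkup += xml.slice(last);
  return out;
}

// Constructed attacker value: closes the section, injects an element, then
// reopens a section so the serializer's trailing ]]> still parses.
const payload = 'hello]]><role>admin</role><![CDATA[';
```

Run through parseCdataStream, the unsafe output yields the element `<role>admin</role>` as raw markup, while the safe output yields no markup at all and its text content is byte-for-byte the original value.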
MAL-2026-6216 Malicious code in aikaf668897 (npm)
Source: amazon-inspector 450730a92143c06530923dacda588a17252ebc7edc9ddf71ff520446de5a3293. On npm install, the package's postinstall hook (node scripts/postinstall.js) spawns a detached background Node process running scripts/shell.js with...
MAL-2026-6215 Malicious code in aikaf6688812 (npm)
Source: amazon-inspector fcdebe342ec1c629835301869934fab1a4800c98116a337ec33b05def92d33e7. package.json declares a postinstall hook that runs scripts/postinstall.js, which spawns scripts/shell.js as a detached, stdio-ignored background...
MAL-2026-6217 Malicious code in aikaf788812 (npm)
Source: amazon-inspector c91950cef6a5f877a4a9bca074501e4c910dc50008d4c8c2623ddc21f08e31f2. Package masquerades as a string-utility library but ships a postinstall backdoor. On npm install, scripts/postinstall.js spawns scripts/shell.js as a...
MAL-2026-6222 Malicious code in create-mono-package (npm)
Source: amazon-inspector 85402ef2db7bfd9e2bb01034a533e52649cf6058cc1e824e9c273aee5ae8121d. The package's postinstall hook .prepare.cjs collects host fingerprint data (os.hostname, os.userInfo.username, platform/arch, all non-internal network...
CVE-2026-49358
PhpWeasyPrint is a PHP library allowing PDF generation from a URL or an HTML page. Prior to version 2.6.0, AbstractGenerator::$temporaryFiles is a public array, and removeTemporaryFiles, invoked from __destruct and from a registered shutdown function, calls unlink on every entry without verifying...
MAL-2026-6214 Malicious code in @chunklab/hexparse (npm)
Source: amazon-inspector 56ad779454aa221e4a3d5a13725428059b40edd7cd8a4329ef382348bc493013. Package advertises itself as a small hex/base64/endianness codec library, but every exported encode/decode function (encodeHex, decodeHex,...
MAL-2026-6213 Malicious code in @bytemend/mfebus (npm)
Source: amazon-inspector b3d53776853d18aabf967b0f1882eb45f2164feedd600eeccc927f496002f5e4. The package advertises itself as a small in-memory pubsub library, but its main entry dist/index.js eagerly requires dist/bootstrap.js, a 277KB...
GHSA-VCV2-R9JH-99M5 Agentic-Flow: OS Command Injection in agentic-flow MCP server tools via unsanitized tool-parameter interpolation into execSync
Summary: agentic-flow versions = 2.0.13 MCP server tools interpolated attacker-influenceable tool parameters (e.g. the agent, task, name, language and agentdb arguments) directly into shell command strings passed to execSync. A malicious value reaching any of the affected MCP tools could break out of the...
MAL-2026-6212 Malicious code in @briskforge/envcheck (npm)
Source: amazon-inspector 09dba573f5d6cb00b09562870f2148b3e539786f5d801f2a263338301d759313. The package advertises itself as a tiny environment-variable validator but ships lib/preflight.js, a heavily obfuscated obfuscator.io string-array...