
149 matches found

Nuclei
added 14 hours ago, 5 views

Vite dev server - Cross-Site Scripting

Vite's dev server, when used with appType: 'custom' and manually invoking server.transformIndexHtml using the unmodified request URL, is vulnerable to XSS via a crafted URL payload. If the HTML being served includes an inline module script ..., an attacker can inject a script via the URL,...

CVSS 6.1, AI score 6.6, EPSS 0.07321
Exploits: 1, References: 2

Tenable Nessus
added 2 days ago, 6 views

Linux Distros Unpatched Vulnerability : CVE-2026-44573

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n...

CVSS 7.5, AI score 5.8, EPSS 0.00052
Exploits: 1, References: 2

OSSF Malicious Packages
added 2026/05/19 12:0 a.m., 10 views

Malicious code in @antv/g6-ssr (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score 5.8
Exploits: 0, References: 5

OSV
added 2026/05/19 12:0 a.m., 5 views

MAL-2026-4080 Malicious code in @antv/s2-ssr (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

AI score 5.8
Exploits: 0, References: 5

vulnersOsv
added 2026/05/19 12:0 a.m., 4 views

@antv/gpt-vis-ssr (>=0.3.4 <=0.3.7), @tiangong-ai/vis-server (>=0.0.1 <=0.0.5) potentially affected by unknown CVE via @antv/s2-ssr (>=0.0.2 <=0.1.1)

@antv/s2-ssr NPM version =0.0.2, =0.3.4, =0.0.1, =0.0.5 Source cves: unknown CVE Source advisory: OSV:MAL-2026-4080...

AI score 5.8
Exploits: 0

vulnersOsv
added 2026/05/19 12:0 a.m., 5 views

@antv/gpt-vis (=0.5.0-beta.0), @antv/gpt-vis-ssr (>=0.1.0 <=0.3.7) +7 more potentially affected by unknown CVE via @antv/g2-ssr (>=0.0.8 <=0.2.0)

@antv/g2-ssr NPM version =0.0.8, =0.1.0, =0.0.1, =0.0.1, =1.0.0, =1.0.0, =1.0.2 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3979...

AI score 5.8
Exploits: 0

vulnersOsv
added 2026/05/19 12:0 a.m., 3 views

@antv/gpt-vis (=0.5.0-beta.0), @antv/gpt-vis-ssr (>=0.1.0 <=0.3.7) +6 more potentially affected by unknown CVE via @antv/g6-ssr (>=0.0.16 <=0.1.1)

@antv/g6-ssr NPM version =0.0.16, =0.1.0, =0.0.1, =0.0.1, =0.2.1, =1.0.0, =1.0.0, =1.0.2 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3996...

AI score 5.8
Exploits: 0

CVE
added 2026/05/13 9:23 p.m., 4 views

CVE-2026-44437

Summary: CVE-2026-44437 affects Angular SSR before fixed versions 19.2.25, 20.3.25, 21.2.9, and 22.0.0-next.7. The vulnerability lies in the X-Forwarded-Prefix header processing: the internal validation does not properly account for URL-encoded characters (notably dots like %2e%2e), enabling enco...

CVSS 6.9, AI score 5.8, EPSS 0.00031
Exploits: 0, References: 2, Affected Software: 1

OSSF Malicious Packages
added 2026/05/12 12:22 a.m., 4 views

Malicious code in @tanstack/solid-router-ssr-query (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8693692b7ab31b63eb7411750d5b8798beec7ab29dddc1adea60186d354f4ed8 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 5.8
Exploits: 0, References: 6

vulnersOsv
added 2026/05/12 12:21 a.m., 4 views

@alivault/pico (>=0.1.0 <=0.1.2), @argus-vrt/web (=0.1.0) +29 more potentially affected by unknown CVE via @tanstack/router-ssr-query-core (>=1.121.0-alpha.28 <=1.168.0)

@tanstack/router-ssr-query-core NPM version =1.121.0-alpha.28, =0.1.0, =0.0.4, =1.0.0, =0.1.0, =1.121.0-alpha.28, =1.133.19, =1.140.0, =0.2.4, =0.0.1, =0.1.0-alpha.1, =0.1.0-alpha.2 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3478...

AI score 5.8
Exploits: 0

OSV
added 2026/05/12 12:21 a.m., 0 views

MAL-2026-3478 Malicious code in @tanstack/router-ssr-query-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 388949e6add086eda74454a083d7f720fe77716c9c3f18746ba90206a5ebbab5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 5.8
Exploits: 0, References: 6

OSSF Malicious Packages
added 2026/05/12 12:21 a.m., 8 views

Malicious code in @tanstack/router-ssr-query-core (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 388949e6add086eda74454a083d7f720fe77716c9c3f18746ba90206a5ebbab5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 5.8
Exploits: 0, References: 6

OSSF Malicious Packages
added 2026/05/11 11:59 p.m., 4 views

Malicious code in @tanstack/vue-router-ssr-query (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 925332e137c53fc83198f6ce65ec615c060124cbd8d1a5b23b9186c6494dbfba Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 5.8
Exploits: 0, References: 6

OSV
added 2026/05/11 11:59 p.m., 2 views

MAL-2026-3497 Malicious code in @tanstack/vue-router-ssr-query (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 925332e137c53fc83198f6ce65ec615c060124cbd8d1a5b23b9186c6494dbfba Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 5.8
Exploits: 0, References: 6

OSSF Malicious Packages
added 2026/05/11 11:43 p.m., 5 views

Malicious code in @tanstack/react-router-ssr-query (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 6c8db33bfb3bf19b736238a7e0895ecfd856e38c6e86d83f6eee8df6f5c13730 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 5.8
Exploits: 0, References: 6

vulnersOsv
added 2026/05/11 11:43 p.m., 5 views

@alivault/pico (>=0.1.0 <=0.1.2), @argus-vrt/web (=0.1.0) +26 more potentially affected by unknown CVE via @tanstack/react-router-ssr-query (>=1.166.10 <=1.166.12)

@tanstack/react-router-ssr-query NPM version =1.166.10, =0.1.0, =0.0.4, =1.0.0, =0.1.0, =0.2.4, =0.0.1, =0.1.0-alpha.1, =0.0.1, =0.0.8 - better-github =0.0.1 and more Source cves: unknown CVE Source advisory: OSV:MAL-2026-3467...

AI score 5.8
Exploits: 0

vulnersOsv
added 2026/05/11 9:0 p.m., 4 views

@alivault/pico (>=0.1.0 <=0.1.2), @argus-vrt/web (=0.1.0) +29 more potentially affected by CVE-2026-45321 via @tanstack/router-ssr-query-core (>=1.121.0-alpha.28 <=1.168.0)

@tanstack/router-ssr-query-core NPM version =1.121.0-alpha.28, =0.1.0, =0.0.4, =1.0.0, =0.1.0, =1.121.0-alpha.28, =1.133.19, =1.140.0, =0.2.4, =0.0.1, =0.1.0-alpha.1, =0.1.0-alpha.2 and more Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKROUTERSSRQUERYCORE-16640223...

CVSS 9.6, AI score 7.4, EPSS 0.17051
Exploits: 3

IBM Security Bulletins
added 2026/05/11 6:23 p.m., 4 views

Security Bulletin: MongoDB Enterprised Advanced affected by: react-router-7.11.0.tgz (CVE-2026-21884, CVE-2026-22029, CVE-2026-22030)

Summary: There are vulnerabilities in react-router-7.11.0.tgz used in MongoDB Enterprised Advanced for IBM, involving an XSS vulnerability. The vulnerability has been addressed. Vulnerability Details: CVEID: CVE-2026-21884. DESCRIPTION: React Router is a router for React. In @remix-run/react version...

CVSS 8.2, AI score 6.8, EPSS 0.00028
Exploits: 0, Affected Software: 1

vulnersOsv
added 2026/05/06 11:42 p.m., 5 views

@hmcts/ccd-case-ui-toolkit (>=7.3.49-4369 <=7.3.51), @hmcts/media-viewer (>=4.2.16-4435 <=4.2.17-exui-4369-cve-fix-01) potentially affected by CVE-2026-44437 via @angular/ssr (>=20.3.18 <=20.3.24)

@angular/ssr NPM version =20.3.18, =7.3.49-4369, =4.2.16-4435, =4.2.17-exui-4369-cve-fix-01 Source cves: CVE-2026-44437 Source advisory: SNYK:JS-ANGULARSSR-16438975...

CVSS 6.9, AI score 5.8, EPSS 0.00031
Exploits: 0

Github Security Blog
added 2026/05/06 5:32 p.m., 6 views

mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`

Summary: icu-minify's runtime formatter resolves select branches by looking up the runtime value as a plain property on a prototype-bearing object. When the value coerces to a key that exists on Object.prototype (e.g. toString, __proto__, constructor, hasOwnProperty, valueOf), the lookup returns a truth...

AI score 6
Exploits: 0, References: 2, Affected Software: 1