8 matches found
EUVD-2026-25921
Improper use of the static-eval npm package in the open source solution qnabot-on-aws versions 7.2.4 and earlier may allow an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context by injecting a crafted conditional chaining expression via the Conten...
PT-2026-35526
Name of the Vulnerable Software and Affected Versions: qnabot-on-aws versions prior to 7.3.0. Description: Improper use of the static-eval npm package allows an authenticated administrator to execute arbitrary code within the fulfillment Lambda execution context. This is achieved by injecting a...
CVE-2026-1615
Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can...
EUVD-2018-0370
Malware in sbrugna...
GO-2024-3182 OpenTofu potential leaking of secret variable values when using static evaluation in v1.8 in github.com/opentofu/opentofu
OpenTofu potential leaking of secret variable values when using static evaluation in v1.8 in github.com/opentofu/opentofu...
OpenTofu potential leaking of secret variable values when using static evaluation in v1.8
Impact: Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and explicitly show errors. Workarounds: Check that you are not using sensitive...
GHSA-WPR2-J6GR-PJW9 OpenTofu potential leaking of secret variable values when using static evaluation in v1.8
Impact: Users who have opted into static evaluation of module sources, versions, and backend configurations may be at risk of exposing sensitive variables and locals. This is a workflow that should not be possible and explicitly show errors. Workarounds: Check that you are not using sensitive...
3d-tiles-tools (>=0.1.0 <=0.1.3), 3m5-coco (>=0.0.2 <=0.0.8) +1133 more potentially affected by CVE-2017-16226 via static-eval (>=0.0.0 <=1.1.1)
static-eval NPM version =0.0.0, =0.1.0, =0.0.2, =0.16.0, =0.0.11, =0.1.27, =0.1.2, =1.0.0, =2.0.15, =1.0.2, =1.1.3, =2.0.2 - @arilotter/tsne-js =1.0.3 and more Source cves: CVE-2017-16226 Source advisory: OSV:GHSA-5MJW-6JRH-HVFQ...