80 matches found
CVE-2026-33331 oRPC: Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of oRPC. If an attacker can control any field within the OpenAPI specificati...
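The bug class named in the title above (a spec interpolated into an inline script with plain JSON.stringify) is shown below as an added example; it is not oRPC's code. It assumes the documentation page embeds the spec as `<script>window.__SPEC__ = <json></script>`, which is a hypothetical reconstruction of the pattern, not the plugin's actual template. JSON.stringify never escapes `<`, so a string field containing `</script>` closes the script element and the HTML parser starts a new one from attacker text. The fix is to escape HTML-significant characters as JSON `\uXXXX` sequences, which JSON.parse and the JS engine read back unchanged.

```javascript
// Added example (not oRPC's code). Assumption: the docs page inlines the spec
// into a <script> element; the hostile spec below is constructed for the demo.

// Vulnerable pattern: raw JSON.stringify output dropped into HTML.
function renderDocsPageUnsafe(spec) {
  return `<script>window.__SPEC__ = ${JSON.stringify(spec)};</script>`;
}

// JSON that is safe to embed inside <script>: '<', '>', '&' and the two
// line-terminator code points become \u escapes, which remain valid JSON and
// valid JavaScript, so the value round-trips unchanged while the HTML parser
// never sees a '</script' byte sequence.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderDocsPageSafe(spec) {
  return `<script>window.__SPEC__ = ${jsonForInlineScript(spec)};</script>`;
}

// Check: how many times would an HTML tokenizer see a closing script tag?
// A correctly rendered page has exactly one.
function countScriptClosers(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed hostile specification: the payload sits in a free-text field
// that any spec author can fill in.
const hostileSpec = {
  openapi: '3.1.0',
  info: {
    title: 'pets',
    description: '</script><script>alert(document.cookie)</script>',
  },
  paths: {},
};

function demo() {
  return {
    unsafeClosers: countScriptClosers(renderDocsPageUnsafe(hostileSpec)), // 3
    safeClosers: countScriptClosers(renderDocsPageSafe(hostileSpec)),     // 1
    roundTrips: JSON.parse(jsonForInlineScript(hostileSpec)).info.description
      === hostileSpec.info.description,                                   // true
  };
}
```

Escaping into `\u003c` is preferable to HTML-entity encoding here because the text lives in a script data context, where entities are not decoded; the `\u2028`/`\u2029` replacements additionally keep the literal valid in engines that treat those code points as line terminators inside string literals.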
SQL Injection
TypeORM is vulnerable to SQL Injection. The vulnerability is due to improper handling of object values in the sqlstring call where stringifyObjects defaults to false, which allows an attacker to inject crafted SQL through requests to repository.save or repository.update...
GHSA-33HQ-FVWR-56PM devalue affected by CPU and memory amplification from sparse arrays
Under certain circumstances, serializing sparse arrays using uneval or stringify could cause CPU and/or memory exhaustion. When this occurs on the server, it results in a DoS. This is extremely difficult to take advantage of in practice, as an attacker would have to manage to create a sparse arra...
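The amplification described above comes from an array whose `length` is far larger than the number of slots that actually hold a value: holding such an array is nearly free, but any serializer that walks index 0..length-1 pays for every hole. The following is an added example, not devalue's code; its `naiveSerialize` is an assumed stand-in for a per-index walker, and the guard counts populated slots via `Object.keys`, which lists only indices that exist and therefore stays cheap on a sparse array.

```javascript
// Added example (not devalue's code). Assumptions: the serializer visits every
// index of an array; the hostile input below is constructed for the demo.

// Number of indices that actually hold a value. Object.keys skips holes, so
// this is O(populated) rather than O(length).
function populatedSlots(arr) {
  return Object.keys(arr).filter((k) => String(Number(k)) === k).length;
}

// Flag arrays whose hole count exceeds a budget the application is willing to pay.
function isSuspiciouslySparse(arr, maxHoles = 1024) {
  return Array.isArray(arr) && arr.length - populatedSlots(arr) > maxHoles;
}

// Naive serializer: walks every index, so each hole costs a loop iteration and
// an output element. Feeding it hostileArray() below is the DoS.
function naiveSerialize(value) {
  if (Array.isArray(value)) {
    const out = [];
    for (let i = 0; i < value.length; i++) out.push(naiveSerialize(value[i]));
    return '[' + out.join(',') + ']';
  }
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value)
      .map((k) => JSON.stringify(k) + ':' + naiveSerialize(value[k]))
      .join(',') + '}';
  }
  return JSON.stringify(value === undefined ? null : value);
}

// Guarded variant: scan the whole value tree for sparse arrays first and refuse
// to serialize if one is found. The scan itself never iterates by index.
function serializeGuarded(value, maxHoles = 1024) {
  const stack = [value];
  while (stack.length) {
    const v = stack.pop();
    if (isSuspiciouslySparse(v, maxHoles)) {
      throw new RangeError(`sparse array with length ${v.length} rejected`);
    }
    if (v && typeof v === 'object') for (const k of Object.keys(v)) stack.push(v[k]);
  }
  return naiveSerialize(value);
}

// Constructed hostile input: an empty array given a huge length. Creating it is
// instant; walking it index-by-index is ~2^31 iterations and a ~2^31-entry output.
function hostileArray() {
  const a = [];
  a.length = 2 ** 31 - 1;
  a[0] = 'x';
  return a;
}
```

Rejecting is the simplest policy; compacting (`Object.keys(arr).map(...)`) is an alternative when holes carry no meaning, but it changes the value's shape and should be a deliberate choice.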
UBUNTU-CVE-2026-25918
unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2, the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via...
CVE-2026-25918 unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command)
unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2, the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via...
CVE-2025-68665 LangChain serialization injection vulnerability enables secret extraction
LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when stringifying objects using...
EUVD-2025-201046
Malicious code in remark-stringify10 npm...
MAL-2025-192253 Malicious code in remark-stringify10 (npm)
Source: amazon-inspector 070b9c61c5afbb3ccd2147952cb2a3a1d18df77bb32d81aea039243c89a20b05. The package remark-stringify10 was found to contain malicious code. Source: ghsa-malware...
MAL-2025-191588 Malicious code in stringify-coder (npm)
Source: amazon-inspector 10becae86ef9c656952f1684dea38b47c2242b0adafc4cbf72426b3e893a3751. The package stringify-coder was found to contain malicious code...
Malicious Package
Overview stringify-coder is a malicious package. This package contains malicious code associated with a social engineering campaign called "Contagious Interview." The attackers target developers through fake job interviews or coding test assignments that require the installation of this package...
EUVD-2025-36689
SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false...
GHSA-Q2PJ-6V73-8RGJ TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
Summary: SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false. Details: vulnerable code: `const { username, city, name } = req.body; const updateData = { username, city, name, ...`
CVE-2025-60542
CVE-2025-60542 (TypeORM): SQL injection in TypeORM before 0.3.26 via crafted requests to repository.save or repository.update, resulting from sqlstring handling where stringifyObjects defaults to false. Public references indicate the issue arises in the MySQL driver path and can affect updates u...
TypeORM security vulnerability
TypeORM is a Node.js ORM framework open-sourced by the TypeORM project. It aims to keep pace with the latest JavaScript features and offers, among other things: 1. one-to-one, many-to-one, one-to-many and many-to-many relationship handling between tables; 2. help to develop a...
CVE-2025-60542
SQL Injection vulnerability in TypeORM before 0.3.26 via crafted request to repository.save or repository.update due to the sqlstring call using stringifyObjects default to false...
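The mechanism behind the TypeORM entries on this page (and the "SQL Injection" summary near the top) is the `stringifyObjects` default of mysqljs/sqlstring: with it `false`, a plain object passed where a scalar is expected is not quoted as a string literal but expanded into `` `key` = value `` pairs, which is SQL syntax. The block below is an added example, not TypeORM's or sqlstring's source; its `escapeValue`/`escapeId` are a simplified port of sqlstring's documented escaping rules (Date and Buffer handling omitted) and `buildUpdate` is a hypothetical stand-in for the UPDATE a repository method would emit. The request bodies are constructed as `JSON.parse` would produce them from `req.body`.

```javascript
// Added example (not TypeORM's or sqlstring's code). Assumption: escaping rules
// are a trimmed port of mysqljs/sqlstring; buildUpdate is a hypothetical ORM path.
const ESCAPES = {
  '\0': '\\0', '\b': '\\b', '\t': '\\t', '\n': '\\n', '\r': '\\r',
  '\x1a': '\\Z', '"': '\\"', "'": "\\'", '\\': '\\\\',
};

// String literal: quote and backslash-escape the dangerous characters.
function escapeString(val) {
  return "'" + String(val).replace(/[\0\b\t\n\r\x1a"'\\]/g, (c) => ESCAPES[c]) + "'";
}

// Identifier: wrap in backticks, double embedded backticks, split on dots.
function escapeId(id) {
  return '`' + String(id).replace(/`/g, '``').replace(/\./g, '`.`') + '`';
}

function escapeValue(val, stringifyObjects = false) {
  if (val === undefined || val === null) return 'NULL';
  switch (typeof val) {
    case 'boolean': return val ? 'true' : 'false';
    case 'number': return String(val);
    case 'object':
      if (Array.isArray(val)) return val.map((v) => escapeValue(v, true)).join(', ');
      if (stringifyObjects) return escapeString(String(val)); // "'[object Object]'"
      // Default (stringifyObjects === false): the object becomes `k` = v pairs.
      // That is SQL, not a literal, and the keys are attacker-chosen identifiers.
      return Object.keys(val)
        .filter((k) => typeof val[k] !== 'function')
        .map((k) => escapeId(k) + ' = ' + escapeValue(val[k], true))
        .join(', ');
    default: return escapeString(val);
  }
}

// Hypothetical ORM path: the UPDATE that repository.update(id, data) might build.
function buildUpdate(table, data, id, stringifyObjects = false) {
  const assignments = Object.keys(data)
    .map((col) => escapeId(col) + ' = ' + escapeValue(data[col], stringifyObjects))
    .join(', ');
  return `UPDATE ${escapeId(table)} SET ${assignments} WHERE ${escapeId('id')} = ${escapeValue(id, true)}`;
}

// Hardened variant: allow-list the columns and accept only scalar values, so a
// nested object arriving from a JSON body is rejected before query building.
function buildUpdateStrict(table, data, id, allowedColumns) {
  for (const [col, val] of Object.entries(data)) {
    if (!allowedColumns.includes(col)) throw new TypeError(`column not allowed: ${col}`);
    if (val !== null && typeof val === 'object') throw new TypeError(`scalar expected for ${col}`);
  }
  return buildUpdate(table, data, id, true);
}

// Constructed request bodies, exactly as JSON.parse would hand them to a handler.
const benignBody = JSON.parse('{"city":"Lisbon"}');
const hostileBody = JSON.parse('{"city":{"role":"admin"}}');

function demo() {
  return {
    benign: buildUpdate('user', benignBody, 7),
    // "UPDATE `user` SET `city` = 'Lisbon' WHERE `id` = 7"
    hostileDefault: buildUpdate('user', hostileBody, 7),
    // "UPDATE `user` SET `city` = `role` = 'admin' WHERE `id` = 7"
    hostileStringified: buildUpdate('user', hostileBody, 7, true),
    // "UPDATE `user` SET `city` = '[object Object]' WHERE `id` = 7"
  };
}
```

The take-away for a practitioner: `stringifyObjects: true` only turns the object into a useless literal; the real fix is to validate the shape of `req.body` (scalars only, known columns) before it reaches any ORM method, as `buildUpdateStrict` does, because a nested object is never a legitimate value for a string column.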