
1022 matches found

OSV
added 2025/08/14 6:52 p.m. · 1 views

MAL-2025-36952 Malicious code in tiny-jpg (npm)

The package tiny-jpg was found to contain malicious code...

AI score: 7.2
Exploits: 0

OSSF Malicious Packages
added 2025/08/14 6:52 p.m. · 4 views

Malicious code in tiny-png (npm)

The package tiny-png was found to contain malicious code...

AI score: 7
Exploits: 0

NVD
added 2025/08/09 3:15 a.m. · 3 views

CVE-2025-55149

Tiny-Scientist is a lightweight framework for automating the entire lifecycle of scientific research—from ideation to implementation, writing, and review. In versions 0.1.1 and below, a critical path traversal vulnerability has been identified in the reviewpaper function in backend/app.py. The...

CVSS: 8.8 · EPSS: 0.0048
Exploits: 0 · References: 1

Vulnrichment
added 2025/08/09 2:2 a.m. · 3 views

CVE-2025-55149 Path Traversal Vulnerability in PDF Review Function (CWE-22)

Tiny-Scientist is a lightweight framework for automating the entire lifecycle of scientific research—from ideation to implementation, writing, and review. In versions 0.1.1 and below, a critical path traversal vulnerability has been identified in the reviewpaper function in backend/app.py. The...

CVSS: 8.8 · AI score: 7.2 · EPSS: 0.0048
Exploits: 0 · References: 1

Cvelist
added 2025/08/09 2:2 a.m. · 7 views

CVE-2025-55149 Path Traversal Vulnerability in PDF Review Function (CWE-22)

Tiny-Scientist is a lightweight framework for automating the entire lifecycle of scientific research—from ideation to implementation, writing, and review. In versions 0.1.1 and below, a critical path traversal vulnerability has been identified in the reviewpaper function in backend/app.py. The...

CVSS: 8.8 · EPSS: 0.0048
Exploits: 0 · References: 1

Positive Technologies
added 2025/08/09 12:0 a.m. · 5 views

PT-2025-32426 · Unknown · Tiny-Scientist

Name of the Vulnerable Software and Affected Versions: Tiny-Scientist versions 0.1.1 and below

Description: Tiny-Scientist is a lightweight framework for automating the entire lifecycle of scientific research. A path traversal vulnerability has been identified in the review paper function in...

CVSS: 8.8 · AI score: 7 · EPSS: 0.0048
Exploits: 0 · References: 9

GithubExploit
added 2025/08/03 11:4 a.m. · 119 views

Exploit for CVE-2025-10351

CVE-2025-10351 POC - SQL Injection Exploit 💉 POC for CVE-20...

CVSS: 9.3 · AI score: 7.8 · EPSS: 0.00014
Exploits: 2

Tenable Nessus
added 2025/07/25 12:0 a.m. · 3 views

NewStart CGSL MAIN 7.02 : perl-HTTP-Tiny Vulnerability (NS-SA-2025-0177)

The remote NewStart CGSL host, running version MAIN 7.02, has perl-HTTP-Tiny packages installed that are affected by a vulnerability: - HTTP::Tiny before 0.083, a Perl core module since 5.13.9 and available standalone on CPAN, has an insecure default TLS configuration where users must opt in to...

CVSS: 8.1 · AI score: 7.2 · EPSS: 0.00767
Exploits: 0 · References: 3

RedhatCVE
added 2025/07/03 2:22 a.m. · 5 views

CVE-2024-49364

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The...

CVSS: 9.1 · AI score: 7.3 · EPSS: 0.00323
Exploits: 0 · References: 1

RedhatCVE
added 2025/07/03 2:22 a.m. · 6 views

CVE-2024-49365

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can b...

CVSS: 9.1 · AI score: 7.3 · EPSS: 0.0021
Exploits: 0 · References: 1

Veracode
added 2025/07/02 7:4 a.m. · 3 views

Private Key Extraction

tiny-secp256k1 is vulnerable to private key extraction. The vulnerability is due to the ability to bypass Buffer.isBuffer checks when the global Buffer is overridden by the NPM buffer package, which allows an attacker to reuse the nonce k across different messages and extract the private key by...

CVSS: 9.1 · AI score: 7.2 · EPSS: 0.00323
Exploits: 0 · References: 5 · Affected Software: 2

Veracode
added 2025/07/02 4:33 a.m. · 4 views

Improper Input Validation

tiny-secp256k1 is vulnerable to improper input validation. The vulnerability is due to the ability to pass a malicious JSON-stringifiable object to the verify function when the global Buffer is overridden by the NPM buffer package, which allows an attacker to perform a type confusion attack and...

CVSS: 9.1 · AI score: 7.2 · EPSS: 0.0021
Exploits: 0 · References: 5 · Affected Software: 1

NVD
added 2025/07/01 3:15 a.m. · 4 views

CVE-2024-49365

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can b...

CVSS: 9.1 · EPSS: 0.0021
Exploits: 0 · References: 2

NVD
added 2025/07/01 3:15 a.m. · 2 views

CVE-2024-49364

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The...

CVSS: 9.1 · EPSS: 0.00323
Exploits: 0 · References: 2

CVE
added 2025/07/01 2:7 a.m. · 16 views

CVE-2024-49364

CVE-2024-49364 affects tiny-secp256k1 (NPM wrapper). Prior to 1.1.7, if global Buffer comes from the NPM buffer package, the Buffer.isBuffer check can be bypassed, enabling private key extraction by signing a malicious JSON-stringifiable object via key reuse across messages. The issue is fixed in...

CVSS: 9.1 · AI score: 6.6 · EPSS: 0.00323
Exploits: 0 · References: 2

OSV
added 2025/07/01 2:7 a.m. · 1 views

CVE-2024-49364 tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The...

CVSS: 9.1 · AI score: 7 · EPSS: 0.00323
Exploits: 0 · References: 4

Vulnrichment
added 2025/07/01 2:7 a.m. · 2 views

CVE-2024-49364 tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The...

CVSS: 9.1 · AI score: 7.2 · EPSS: 0.00323
Exploits: 0 · References: 2

Cvelist
added 2025/07/01 2:7 a.m. · 6 views

CVE-2024-49364 tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a private key can be extracted on signing a malicious JSON-stringifiable object, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. The...

CVSS: 9.1 · EPSS: 0.00323
Exploits: 0 · References: 2

Vulnrichment
added 2025/07/01 2:7 a.m. · 3 views

CVE-2024-49365 tiny-secp256k1 allows for verify() bypass when running in bundled environment

tiny-secp256k1 is a tiny secp256k1 native/JS wrapper. Prior to version 1.1.7, a malicious JSON-stringifyable message can be made passing on verify, when global Buffer is the buffer package. This affects only environments where require('buffer') is the NPM buffer package. Buffer.isBuffer check can b...

CVSS: 9.1 · AI score: 7.2 · EPSS: 0.0021
Exploits: 0 · References: 2

CVE
added 2025/07/01 2:7 a.m. · 19 views

CVE-2024-49365

The CVE-2024-49365 issue affects tiny-secp256k1 prior to 1.1.7, where in environments using the Node buffer package, Buffer.isBuffer can be bypassed and a crafted JSON-stringifiable object could be accepted by verify(), potentially causing false-positive True values. The root cause is a vulnerabi...

CVSS: 9.1 · AI score: 6.6 · EPSS: 0.0021
Exploits: 0 · References: 2