21118 matches found
CVE-2026-50016
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...
CVE-2026-50016 pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...
CVE-2026-50016
pnpm (the package manager) is affected by CVE-2026-50016. Before versions 10.34.0 and 11.4.0, a transitive dependency alias from registry metadata could include path traversal segments. During install, pnpm may treat that alias as a filesystem path when linking dependency nodes, allowing a regist...
EUVD-2026-39494
pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm allows a transitive dependency alias from registry package metadata to contain path traversal segments. During install, pnpm later uses that alias as a filesystem path when linking dependency nodes. As a result, a registry package can...
PT-2026-52515
Name of the Vulnerable Software and Affected Versions pnpm versions prior to 10.34.0 pnpm versions prior to 11.4.0 Description pnpm allows a transitive dependency alias within registry package metadata to include path traversal segments. During the installation process, pnpm utilizes this alias a...
Malicious code in node-fetch-utils (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 78aef0d64a7d761d2987d27aea462083425e5692475cd81332b7a3152c754308 On Windows, scripts/postinstall.js XOR-decodes a hardcoded C2 host node22.lunes.host:3258, authenticates with a 5-minute rolling HMAC-SHA256 token,...
@hulumi/platform-patterns (>=0.0.0-bootstrap.0 <=1.3.2) potentially affected by CVE-2026-48037 via @hulumi/baseline (>=1.3.1 <=1.3.2)
@hulumi/baseline NPM version =1.3.1, =0.0.0-bootstrap.0, =1.3.2 Source cves: CVE-2026-48037 Source advisory: OSV:GHSA-CJ8G-PRCM-MFG5...
@hulumi/platform-patterns (>=0.0.0-bootstrap.0 <=1.3.2) potentially affected by CVE-2026-48035 via @hulumi/baseline (>=1.3.1 <=1.3.2)
@hulumi/baseline NPM version =1.3.1, =0.0.0-bootstrap.0, =1.3.2 Source cves: CVE-2026-48035 Source advisory: OSV:GHSA-2MXR-P26X-MJ73...
openpaw-graveyard (=3.0.0) potentially affected by unknown CVE via @solana-launchpad/sdk (=1.0.13)
@solana-launchpad/sdk NPM version =1.0.13 is affected by a known vulnerability. The following packages have a transitive dependency on @solana-launchpad/sdk and may be impacted: - openpaw-graveyard =3.0.0 Source cves: unknown CVE Source advisory: OSV:MAL-2026-5495...
Malicious code in commons-ui-styles (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b9fb701d18bde61d1dc783f0575a4d83bc0eba2653bd0832d0fc26bc9e85b48 [email protected] is an empty placeholder package index.js exports , description/author blank, version bumped to 99.9.1 — the classic...
MAL-2026-5437 Malicious code in commons-ui-styles (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8b9fb701d18bde61d1dc783f0575a4d83bc0eba2653bd0832d0fc26bc9e85b48 [email protected] is an empty placeholder package index.js exports , description/author blank, version bumped to 99.9.1 — the classic...
MAL-2026-5447 Malicious code in localization-lib (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bf143361939feffe7099c14acc7cf41a401681481e932e15d6054dde49e88f94 [email protected] is an empty shell package: index.js is module.exports = and package.json has no description or author. Its dependencies...
Malicious code in @sourceflow-uk/sourceflow-tracker (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d package.json declares a dependency ltidisafe whose version specifier is the raw URL https://storage.googleapis.com/lscunpentest/packuxfoundry.tgz — a...
MAL-2026-5430 Malicious code in @sourceflow-uk/sourceflow-tracker (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c5bcccc37c380ce54f5bfc2bc2311fbefb6ebc3400a397cbc4afc2188fb3c11d package.json declares a dependency ltidisafe whose version specifier is the raw URL https://storage.googleapis.com/lscunpentest/packuxfoundry.tgz — a...
-tompan-reacttemplate (>=1.0.1 <=1.1.0), 0726react (=0.1.1) +28795 more potentially affected by CVE-2026-9277 via shell-quote (>=1.3.3 <=1.8.3)
shell-quote NPM version =1.3.3, =1.0.1, =1.1.0 - 0726react =0.1.1 - 0x0.icu.anima =0.1.0 - 0xcorde-pac =1.0.0 - 0xgank-tea-advice-pull =1.0.0 - 0xgank-tea-balance-pencil =1.0.0 - 0xgank-tea-brick-bell =1.0.0 - 0xgank-tea-cake-victory =1.0.0 - 0xgank-tea-central-compound =1.0.0 -...
5gasp-cli (>=0.1.0 <=0.4.0), agentos (>=0.1.0 <=0.2.0) +605 more potentially affected by CVE-2026-47734 via dulwich (>=0.20.2 <=1.0.0)
dulwich PYPI version =0.20.2, =0.1.0, =0.1.0, =0.5.1, =21.7.1, =0.0.1, =0.1.0, =1.3.4, =2023.2.21, =0.12.0, =0.1.0, =0.2.0, =0.2.0, =0.2.1, =0.5.1 and more Source cves: CVE-2026-47734 Source advisory: OSV:GHSA-XRVJ-V92F-53GJ...
aiidalab (>=22.6.0 <=26.5.2), aiidalab-chemshell (>=0.0.1 <=0.1.1) +137 more potentially affected by CVE-2026-47712 via dulwich (>=0.24.1 <=1.0.0)
dulwich PYPI version =0.24.1, =22.6.0, =0.0.1, =0.1.0, =1.3.4, =0.12.0, =0.1.0, =0.2.0, =0.2.0, =0.2.1, =0.2.1, =0.1.0, =0.1.6 - artificial-detection =0.1.0 - attp =0.1.0a0 and more Source cves: CVE-2026-47712 Source advisory: OSV:GHSA-555P-6GRF-MH7F...
ai.new-wave:spring-agent-app (>=0.1.0 <=0.3.0), ai.new-wave:spring-agent-core (>=0.1.0 <=0.3.0) +2788 more potentially affected by CVE-2026-47244 via io.netty:netty-codec-http2 (>=4.2.0.Final <=4.2.14.Final)
io.netty:netty-codec-http2 MAVEN version =4.2.0.Final, =0.1.0, =0.1.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.0, =26.3.2 and more Source cves: CVE-2026-47244 Source advisory: OSV:GHSA-5X3R-WRVG-RP6Q...
ai.spice:spiceai (=0.6.0), cn.isqing.icloud:icloud-common-utils (>=4.0.3-M1 <=4.0.3.1) +417 more potentially affected by CVE-2026-46340 via io.netty:netty-transport-sctp (>=4.2.0.Final <=4.2.14.Final)
io.netty:netty-transport-sctp MAVEN version =4.2.0.Final, =4.0.3-M1, =1.21.9, =3.4.7, =25.4.1, =26.2.1, =7.9.0, =5.1.0, =5.1.0, =6.80, =0.2.2, =0.2.4 and more Source cves: CVE-2026-46340 Source advisory: OSV:GHSA-5XRH-QMMQ-W6CH...
ai.agentican:agentican-quarkus-deployment (>=0.1.0-alpha.1 <=0.1.0-alpha.4), ai.agentican:agentican-quarkus-metrics (>=0.1.0-alpha.1 <=0.1.0-alpha.4) +14331 more potentially affected by CVE-2026-45674 via io.netty:netty-resolver-dns (>=4.1.0.Beta7 <=4.1.134.Final)
io.netty:netty-resolver-dns MAVEN version =4.1.0.Beta7, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.1, =0.1.0-alpha.3, =0.1.0, =0.1.0, =0.2.0, =0.2.0, =0.2.0, =0.2.0, =0.28.0 and more Source cves: CVE-2026-45674 Sour...