Lucene search
K

4338 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/19 12:0 a.m.10 views

Malicious code in @antv/l7-utils (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
OSV
OSV
added 2026/05/19 12:0 a.m.12 views

MAL-2026-4053 Malicious code in @antv/l7-utils (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
vulnersOsv
vulnersOsv
added 2026/05/18 9:0 p.m.24 views

@antv/l7 (>=2.1.13 <=2.25.10), @antv/l7-component (>=2.0.0-beta.1 <=2.25.10) +13 more potentially affected by unknown CVE via @antv/l7-utils (>=2.0.0-beta.1 <=2.25.9)

@antv/l7-utils NPM version =2.0.0-beta.1, =2.1.13, =2.0.0-beta.1, =2.0.0-beta.1, =2.1.13, =2.1.13, =2.10.0, =2.1.13, =2.10.0, =2.1.13, =2.1.13, =2.1.13, =2.0.0-beta.1, =2.10.0, =1.0.0, =1.0.17, =1.0.18 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVL7UTILS-16754432...

5.5AI score
Exploits0
Snyk
Snyk
added 2026/05/18 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/05/18 9:0 p.m.4 views

crypto-utils-box (=0.0.6), knk (=0.1.11) +1 more potentially affected by unknown CVE via xmorse (=1.0.0)

xmorse NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on xmorse and may be impacted: - crypto-utils-box =0.0.6 - knk =0.1.11 - vite-plugin-qwer =0.0.5, =0.0.7 Source cves: unknown CVE Source advisory: SNYK:JS-XMORSE-16754902...

5.5AI score
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/18 9:0 p.m.5 views

@antv/torch (>=1.0.0 <=1.0.6), @diogoxiang/utils (=1.0.0) potentially affected by unknown CVE via @antv/istanbul (=0.0.0)

@antv/istanbul NPM version =0.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/istanbul and may be impacted: - @antv/torch =1.0.0, =1.0.6 - @diogoxiang/utils =1.0.0 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVISTANBUL-16755114...

5.5AI score
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/18 9:0 p.m.5 views

crypto-utils-box (=0.0.6), knk (=0.1.11) +1 more potentially affected by unknown CVE via xmorse (=1.0.0)

xmorse NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on xmorse and may be impacted: - crypto-utils-box =0.0.6 - knk =0.1.11 - vite-plugin-qwer =0.0.5, =0.0.7 Source cves: unknown CVE Source advisory: SNYK:JS-XMORSE-16755071...

5.5AI score
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/18 9:0 p.m.6 views

@diogoxiang/utils (=1.0.0) potentially affected by unknown CVE via @antv/torch (=1.0.6)

@antv/torch NPM version =1.0.6 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/torch and may be impacted: - @diogoxiang/utils =1.0.0 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVTORCH-16754422...

5.5AI score
Exploits0
vulnersOsv
vulnersOsv
added 2026/05/18 9:0 p.m.6 views

@antv/torch (>=1.0.0 <=1.0.6), @diogoxiang/utils (=1.0.0) potentially affected by unknown CVE via @antv/istanbul (=0.0.0)

@antv/istanbul NPM version =0.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @antv/istanbul and may be impacted: - @antv/torch =1.0.0, =1.0.6 - @diogoxiang/utils =1.0.0 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVISTANBUL-16754945...

5.5AI score
Exploits0
OSV
OSV
added 2026/05/18 5:7 p.m.4 views

GHSA-CMXG-94MG-JQ94 @tmlmobilidade/utils has prototype pollution in its setValueAtPath

Impact Prototype pollution vulnerability in @tmlmobilidade/utils for setValueAtPath. Patches A fix is available in versions 20260509.0340.15 and up...

8.2CVSS5.8AI score0.00055EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/18 5:7 p.m.13 views

@tmlmobilidade/utils has prototype pollution in its setValueAtPath

Impact Prototype pollution vulnerability in @tmlmobilidade/utils for setValueAtPath. Patches A fix is available in versions 20260509.0340.15 and up...

5.8AI score0.00055EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/05/18 2:14 p.m.7 views

Malicious Package

Overview citrea-utils is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.8AI score
Exploits0References2
OSV
OSV
added 2026/05/18 2:14 p.m.8 views

MAL-2026-3831 Malicious code in citrea-utils (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 9af3ffcf057e7fa952c80b46cbee31773e340ba668377511d7f3ee3b38c1c810 The package citrea-utils was found to contain malicious code. Source: ghsa-malware 0cbde9fcd3b6b009f9d8b0ff2dc739d877beb20223d14d402fcbc90515470eac A...

5.8AI score
Exploits0References1
vulnersOsv
vulnersOsv
added 2026/05/18 12:31 p.m.6 views

arbor-ai (>=0.1.5 <=0.1.14), coreason-runtime (>=0.1.0 <=0.31.0) +10 more potentially affected by CVE-2026-7304 via sglang (>=0.4.5 <=0.5.2)

sglang PYPI version =0.4.5, =0.1.5, =0.1.0, =1.1.0, =2.0.0b40, =0.0.1, =0.1.0, =0.1.0, =0.0.1.post1, =0.0.0, =0.8.0, =0.10.7 Source cves: CVE-2026-7304 Source advisory: SNYK:PYTHON-SGLANG-17111815...

9.8CVSS5.4AI score0.00585EPSS
Exploits0
RedHat Linux
RedHat Linux
added 2026/05/18 12:24 p.m.3 views

org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method

A flaw was found in plexus-utils. This vulnerability, known as a Directory Traversal, exists within the extractFile method. An attacker can exploit this to execute unauthorized code on the system in the context of the current working user...

8.8CVSS6AI score0.00663EPSS
Exploits0References9
RedHat Linux
RedHat Linux
added 2026/05/18 12:12 p.m.3 views

org.codehaus.plexus:plexus-utils: Plexus-utils: Directory Traversal in extractFile method

A flaw was found in plexus-utils. This vulnerability, known as a Directory Traversal, exists within the extractFile method. An attacker can exploit this to execute unauthorized code on the system in the context of the current working user...

8.8CVSS6AI score0.00663EPSS
Exploits0References9
OSV
OSV
added 2026/05/18 12:31 a.m.7 views

GHSA-866G-F22W-33X8 @ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue

A vulnerability was determined in Vercel AI up to 3.0.97. The impacted element is the function createJsonResponseHandler/createJsonErrorResponseHandler of the file packages/provider-utils/src/response-handler.ts of the component provider-utils. This manipulation causes resource consumption. The...

5.3CVSS5.5AI score0.00561EPSS
Exploits1References6
EUVD
EUVD
added 2026/05/18 12:31 a.m.30 views

EUVD-2026-30712

A vulnerability was determined in vercel ai up to 3.0.97. The impacted element is the function createJsonResponseHandler/createJsonErrorResponseHandler of the file packages/provider-utils/src/response-handler.ts of the component provider-utils. This manipulation causes resource consumption. The...

5.3CVSS5.5AI score0.00561EPSS
Exploits1References5
NVD
NVD
added 2026/05/17 11:17 p.m.26 views

CVE-2026-8768

A vulnerability was found in vercel ai up to 3.0.97. The affected element is the function validateDownloadUrl of the file packages/provider-utils/src/download-blob.ts of the component provider-utils. The manipulation results in server-side request forgery. The attack can be launched remotely. The...

7.5CVSS0.00385EPSS
Exploits1References6
CVE
CVE
added 2026/05/17 11:0 p.m.43 views

CVE-2026-8769

CVE-2026-8769 affects vercel ai up to 3.0.97, specifically the provider-utils file response-handler.ts (functions createJsonResponseHandler and createJsonErrorResponseHandler). The issue enables resource consumption that can be triggered remotely; exploit publicly disclosed. Details on affected v...

6.5CVSS5.5AI score0.00561EPSS
Exploits1References4Affected Software1
Rows per page
Query Builder