
26 matches found

OSV
added 2026/05/13 8:36 p.m., 2 views

MAL-2026-3711 Malicious code in ethers-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 7b57e9cfd1db5527382181f22fbf36f8bbc8cc0df4f701d2b4d6bc7ec7dbc407 The OpenSSF Package Analysis project identified 'ethers-web' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...

5.8 AI score
Exploits: 0
EUVD
added 2026/03/08 12:31 a.m., 3 views

EUVD-2026-10195

A security flaw has been discovered in RyuzakiShinji biome-mcp-server up to 1.0.0. Affected by this issue is some unknown functionality of the file biome-mcp-server.ts. Performing a manipulation results in command injection. The attack can be initiated remotely. The exploit has been released to t...

6.5 CVSS, 5.5 AI score, 0.0132 EPSS
Exploits: 0, References: 8
Cvelist
added 2025/12/05 5:31 a.m., 23 views

CVE-2025-13860 Easy Jump Links Menus <= 1.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

The Easy Jump Links Menus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the htags parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level...

6.4 CVSS, 0.00031 EPSS
Exploits: 0, References: 3
Positive Technologies
added 2025/12/05 12:0 a.m., 2 views

PT-2025-49238

The Trail Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions a...

4.4 CVSS, 5 AI score, 0.0002 EPSS
Exploits: 0, References: 3
NVD
added 2025/11/25 8:15 a.m., 1 view

CVE-2025-12586

The Conditional Maintenance Mode for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.0. This is due to missing nonce validation when toggling the maintenance mode status. This makes it possible for unauthenticated attackers to...

4.3 CVSS, 0.00012 EPSS
Exploits: 0, References: 3
vulnersOsv
added 2025/11/12 4:47 p.m., 3 views

siddheshtea (=1.1.6) potentially affected by unknown CVE via aji-23 (=1.0.0)

aji-23 NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on aji-23 and may be impacted: - siddheshtea =1.1.6 Source cves: unknown CVE Source advisory: OSV:MAL-2025-152062...

5.8 AI score
Exploits: 0
vulnersOsv
added 2025/11/12 4:47 p.m., 5 views

siddheshtea (=1.1.6) potentially affected by unknown CVE via nokire-nakala78 (=1.0.0)

nokire-nakala78 NPM version =1.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on nokire-nakala78 and may be impacted: - siddheshtea =1.1.6 Source cves: unknown CVE Source advisory: OSV:MAL-2025-163034...

5.8 AI score
Exploits: 0
RedhatCVE
added 2025/10/23 9:13 a.m., 4 views

CVE-2025-11878

The ST Categories Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's st-categories shortcode in versions less than, or equal to, 1.0.0. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS, 5.2 AI score, 0.00032 EPSS
Exploits: 0, References: 1
Cvelist
added 2025/10/02 6:0 a.m., 6 views

CVE-2025-9697 Ajax WooSearch <= 1.0.0 - Unauthenticated SQL Injection

The Ajax WooSearch WordPress plugin through 1.0.0 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection...

0.00114 EPSS
Exploits: 0, References: 1
RedhatCVE
added 2025/10/01 4:23 a.m., 2 views

CVE-2025-10196

The Survey Anyplace plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'surveyanyplaceembed' shortcode in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for...

6.4 CVSS, 5 AI score, 0.00035 EPSS
Exploits: 0, References: 1
CVE
added 2025/09/27 6:47 a.m., 10 views

CVE-2025-9944

CVE-2025-9944 affects the Professional Contact Form plugin for WordPress (all versions up to 1.0.0). Root cause: missing/invalid nonce validation in the watch_for_contact_form_submit function, enabling CSRF. Impact: unauthenticated attackers can trigger test emails by tricking an admin into perfo...

4.3 CVSS, 4.9 AI score, 0.00014 EPSS
Exploits: 0, References: 2
CNNVD
added 2025/08/18 12:0 a.m., 2 views

My-Blog Security Vulnerability

My-Blog is a Java blog system by individual developer ZHENFENG13, built with SpringBoot, Mybatis, Thymeleaf and other technologies, with attractive pages, full features, easy deployment and complete code. A security vulnerability exists in My-Blog version 1.0.0, which stems from the lack of protection...

6.9 CVSS, 7.1 AI score, 0.00127 EPSS
Exploits: 1, References: 6
CNVD
added 2025/07/25 12:0 a.m., 1 view

Tenda FH451 formSafeClientFilter Function Buffer Overflow Vulnerability

The Tenda FH451 is a router from the Chinese company Tenda. The Tenda FH451 version 1.0.0.9 suffers from a buffer overflow vulnerability that originates from the parameter Go/page in file /goform/SafeClientFilter that fails to properly validate the length of the input data, which can be exploited...

9 CVSS, 8.3 AI score, 0.01566 EPSS
Exploits: 1, References: 1
ATTACKERKB
added 2025/07/16 11:28 a.m., 1 view

CVE-2025-48339

Missing Authorization vulnerability in activity-log.com Profiler - What Slowing Down Your WP allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Profiler - What Slowing Down Your WP: from n/a through 1.0.0...

6.5 CVSS, 5.1 AI score, 0.00218 EPSS
Exploits: 0, References: 3
OSSF Malicious Packages
added 2024/12/14 6:38 a.m., 4 views

Malicious code in openai-realtime-console (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 63903b0e2f2b97ef7bde23b987c10da50353b221fdaa4036434af2c3c6e1ab47 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7 AI score
Exploits: 0, References: 1
Patchstack
added 2024/10/01 3:18 a.m., 1 view

WordPress Unseen Blog theme <= 1.0.0 - Authenticated (Contributor+) PHP Object Injection vulnerability

Authenticated Contributor+ PHP Object Injection vulnerability discovered by Francesco Carlucci in WordPress Theme Unseen Blog versions = 1.0.0...

8.8 CVSS, 7.3 AI score, 0.00883 EPSS
Exploits: 0, References: 1, Affected Software: 1
CNNVD
added 2024/03/28 12:0 a.m., 1 view

Insurance Management System Security Vulnerability

Insurance Management System is an insurance management system from the individual developer Angel Jude Reyes Suarez. A security vulnerability exists in Insurance Management System v.1.0.0 and prior versions, which stems from a cross-site scripting (XSS) vulnerability in the First Name field...

6.1 CVSS, 5.7 AI score, 0.00641 EPSS
Exploits: 1, References: 5
OSV
added 2024/02/27 1:15 a.m., 1 view

CVE-2024-25166

Cross Site Scripting vulnerability in 71CMS v.1.0.0 allows a remote attacker to execute arbitrary code via the uploadfile action parameter in the controller.php file...

6.1 CVSS, 6.1 AI score, 0.00257 EPSS
Exploits: 0, References: 1
CNNVD
added 2024/02/27 12:0 a.m., 1 view

71CMS Security Breach

71CMS is an open-source smart party-building system from xiaocheng-keji. 71CMS v.1.0.0 has a security vulnerability. Attackers can use this vulnerability to execute arbitrary code via the uploadfile parameter in the controller.php file...

6.1 CVSS, 7.7 AI score, 0.00257 EPSS
Exploits: 0, References: 2
OSSF Malicious Packages
added 2023/11/16 5:58 p.m., 3 views

Malicious code in discord-web-stream.js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 34fa39c7559a1834d28c5b1e0b3470965c15470b60f2f9c1a196a823e394a49f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.8 AI score
Exploits: 0, References: 1