125 matches found
Malicious code in hexo-deployer-wrangler (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebc95a6a1ae1e522feabf03446f9791372191e27ca9da454717559b6cc6948eb The package ships a binding.gyp file line 6 containing GYP command-expansion syntax !... inside the targets/sources fields. npm implicitly runs...
MAL-2026-6491 Malicious code in hexo-deployer-wrangler (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebc95a6a1ae1e522feabf03446f9791372191e27ca9da454717559b6cc6948eb The package ships a binding.gyp file line 6 containing GYP command-expansion syntax !... inside the targets/sources fields. npm implicitly runs...
Malicious code in wrangler-deploy (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0d2085fa4916157b99799df085aa11e3d29bdb9a47f5798c85375b1bfdf8bd7e Package name wrangler-deploy is close to Cloudflare's official wrangler CLI, which raises confusion-risk concerns for developers who may install it...
Malicious code in create-wrangler-deploy (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c3bd71e3d5a93887188f34c9434d24b09d1108a2471ab437d6e78ae216162b05 The package was found to contain malicious code or consuming dependency that contains malicious code Source: google-open-source-security...
Embedded Malicious Code
Overview Affected versions of this package are vulnerable to Embedded Malicious Code containing a malicious binding.gyp file that drops and runs a self-propagating cloud secret stealer. The malicious code attempts to exfiltrate AWS, GCP, Azure, Vault, and Kubernetes credentials, as well as npm an...
Malicious code in camelotlabs-sdk (npm)
Five packages camelotlabs-sdk, camelotlabs-core, camelotlabs-config, camelotlabs-worker, and camelotlabs-utils were published to the public npm registry at version 99.0.0 by the actor madman0619 as a dependency confusion attack targeting the internal npm packages of Camelot Labs. The inflated...
MAL-2026-3644 Malicious code in camelotlabs-worker (npm)
Five packages camelotlabs-sdk, camelotlabs-core, camelotlabs-config, camelotlabs-worker, and camelotlabs-utils were published to the public npm registry at version 99.0.0 by the actor madman0619 as a dependency confusion attack targeting the internal npm packages of Camelot Labs. The inflated...
CVE-2026-25447
Improper Control of Generation of Code 'Code Injection' vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through = 2.3.9...
EUVD-2026-15728
Improper Control of Generation of Code 'Code Injection' vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through = 2.3.9...
CVE-2026-25447
Improper Control of Generation of Code 'Code Injection' vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through = 2.3.9...
CVE-2026-25447
CVE-2026-25447 describes an Unauthenticated remote code execution vector in the WordPress plugin Widget Wrangler (
CVE-2026-25447 WordPress Widget Wrangler plugin <= 2.3.9 - Remote Code Execution (RCE) vulnerability
Improper Control of Generation of Code 'Code Injection' vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through = 2.3.9...
CVE-2026-25447 WordPress Widget Wrangler plugin <= 2.3.9 - Remote Code Execution (RCE) vulnerability
Improper Control of Generation of Code 'Code Injection' vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through = 2.3.9...
WordPress plugin Widget Wrangler 安全漏洞
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...
PT-2026-27948
Name of the Vulnerable Software and Affected Versions Widget Wrangler versions prior to 2.3.9 Description A code injection issue exists in Jonathan Daggerhart Widget Wrangler. The issue involves improper control of code generation. This allows for code injection. Recommendations Update Widget...
WordPress Widget Wrangler plugin <= 2.3.9 - Remote Code Execution (RCE) vulnerability
Remote Code Execution RCE vulnerability discovered by NumeX in WordPress Plugin Widget Wrangler versions = 2.3.9...
CVE-2026-0933
SummaryA command injection vulnerability CWE-78 has been found to exist in the wrangler pages deploy command. The issue occurs because the --commit-hash parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of --commit-hash to...
@abuiles/vite-plugin (>=1.8.0 <=1.10.0), @anyauth/design-system (>=0.5.0 <=0.5.1) +18 more potentially affected by CVE-2026-0933 via wrangler (>=4.0.0 <=4.59.0)
wrangler NPM version =4.0.0, =1.8.0, =0.5.0, =12.6.6, =0.1.11, =0.8.0, =0.2.0, =0.0.0, =0.0.0-snapshot-0ac76b86f5045e62447317d6844f3c9c364df5e8, =1.0.6, =0.16.0, =0.37.0, =0.37.0, =0.1.0, =0.2.9 and more Source cves: CVE-2026-0933 Source advisory: OSV:GHSA-36P8-MVP6-CV38...
@astrojs/cloudflare (=0.4.0), @cfpreview/pages-e2e-test-runner-cli (>=0.0.1 <=0.0.8) +20 more potentially affected by CVE-2026-0933 via wrangler (>=2.0.23 <=3.114.1)
wrangler NPM version =2.0.23, =0.0.1, =1.0.387, =0.5.41, =2.1.0, =0.0.0-next-20230221055802, =1.0.0, =0.0.3, =0.0.47, =1.0.0, =1.0.0, =0.1.1, =0.1.106 and more Source cves: CVE-2026-0933 Source advisory: OSV:GHSA-36P8-MVP6-CV38...
Wrangler affected by OS Command Injection in `wrangler pages deploy`
Summary A command injection vulnerability CWE-78 has been found to exist in the wrangler pages deploy command. The issue occurs because the --commit-hash parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of --commit-hash t...