26 matches found
CVE-2026-42089
Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass...
CVE-2026-42089 yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass...
EUVD-2026-37131
Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. Versions 2.9.0 through 6.0.0 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass...
CVE-2026-42089
The CVE concerns yeoman-environment. Vulnerable versions 2.9.0 through 6.0.0 install missing local generator packages from attacker-controlled names without user confirmation, via installLocalGenerators() calling repository.install(). This can cause arbitrary package installation and code executi...
GHSA-VV9J-GJW2-J8WP yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Impact yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...
433bf (=0.0.1), @aaqilniz/cli (=4.1.4) +556 more potentially affected by CVE-2026-42089 via yeoman-environment (>=2.9.5 <=6.0.0)
yeoman-environment NPM version =2.9.5, =4.2.0, =14.0.0, =1.0.0, =0.0.1, =1.0.0-beta.1, =1.0.0-beta.1, =0.0.5, =8.0.0, =8.3.0-pre.2022-06-22.sha-42703caf, =8.0.2, =1.0.0, =1.2.1-pre.2024-01-09.d13174d0, =2.1.0 and more Source cves: CVE-2026-42089 Source advisory: OSV:GHSA-VV9J-GJW2-J8WP...
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Impact yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...
PT-2026-43442
Name of the Vulnerable Software and Affected Versions Yeoman Environment versions 2.9.0 through 6.0.0 Description Yeoman Environment provides an API to discover, create, and run generators, and to configure where and how a generator is resolved. The installLocalGenerators function calls...
Malicious code in yeoman-genrator (npm)
The package yeoman-genrator was found to contain malicious code...
MAL-2025-40457 Malicious code in yeoman-genrator (npm)
The package yeoman-genrator was found to contain malicious code...
@backstage/plugin-scaffolder-backend (>=0.0.0-nightly-2021712211 <=0.15.24-next.0), @backstage/plugin-scaffolder-backend-module-confluence-to-markdown (>=0.0.0-nightly-20230325022054 <=0.0.0-nightly-20230801022410) +8 more potentially affected by CVE-2023-35926 via @backstage/plugin-scaffolder-backend (>=0.0.0-nightly-20220708025041 <=0.18.0)
@backstage/plugin-scaffolder-backend NPM version =0.0.0-nightly-20220708025041, =0.0.0-nightly-2021712211, =0.0.0-nightly-20230325022054, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =0.0.0-nightly-20230112022659, =0.0.0-nightly-2022122206, =1.0.8, =1.0.0, =1.0.0, =2.2.0 -...
MAL-2022-7345 Malicious code in yeoman-enviromenv (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c36384869fc93242a75a1c21aa58d07f3cec77dab5eaea1747b40e96b68a7e21 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in yeoman-33enerator (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 46467411b04dd7b9a5c0f9063b47e48dcb506330bdcd90899e4e20e48de784e3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Malicious code in yeoman-enviromenv (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c36384869fc93242a75a1c21aa58d07f3cec77dab5eaea1747b40e96b68a7e21 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
MAL-2022-7344 Malicious code in yeoman-33enerator (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 46467411b04dd7b9a5c0f9063b47e48dcb506330bdcd90899e4e20e48de784e3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2022-31559
The tsileo/flask-yeoman repository through 2013-09-13 on GitHub allows absolute path traversal because the Flask sendfile function is used unsafely...
CVE-2022-31559
The tsileo/flask-yeoman repository through 2013-09-13 on GitHub allows absolute path traversal because the Flask sendfile function is used unsafely...
Path traversal
The tsileo/flask-yeoman repository through 2013-09-13 on GitHub allows absolute path traversal because the Flask sendfile function is used unsafely...
flask-yeoman 路径遍历漏洞
flask-yeoman is a Flask blueprint by Thomas Sileo, a French personal developer. It makes creating web applications with Yeoman and Flask a breeze. A security vulnerability exists in flask-yeoman version 2013-09-13 and earlier, which stems from an incorrect call to Flask's sendfile function that...
Malicious code in yeoman-ui-frontend (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2ace234b9c2e9e1c18cb7d82af141cf423a3f8e847c62d929c2fca7557bc8509 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...