
57 matches found

OSV
added 3 days ago, 5 views

MAL-2026-6273 Malicious code in zod-pino (npm)

Source: amazon-inspector c536e5a7ee3d5542e1ac822b30ba4525e52b2ae0c964d0c2470468d91b9b41c8. The package is published under a name suggesting a Pino logger integration for Zod, but the tarball contents do not match that purpose and exhibit...

AI score: 6 | Exploits: 0 | References: 5
OSSF Malicious Packages
added 2026/06/11 12:19 a.m., 8 views

Malicious code in hex-type (npm)

Source: amazon-inspector f7d0271fe97ea66e9ff2ba3a0ea225364324f28138af32c337d6ed8b2b99e5ad. Package metadata description "A universally-unique, lexicographically-sortable, identifier generator", homepage github.com/ulid/javascript, build...

AI score: 5.5 | Exploits: 0 | References: 2
CVE
added 2026/06/02 10:35 p.m., 27 views

CVE-2026-32625

LibreChat vulnerability CVE-2026-32625 affects versions up to 0.8.3 where MCP server URL validation expands ${VAR} against process.env during Zod schema checks. An authenticated user can configure a malicious MCP URL to exfiltrate secrets (CREDS_KEY, CREDS_IV, JWT_SECRET, MONGO_URI) to an attacke...

CVSS: 9.6 | AI score: 5.8 | EPSS: 0.0294 | Exploits: 1 | References: 1 | Affected software: 1
EUVD
added 2026/06/02 10:35 p.m., 10 views

EUVD-2026-34046

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol MCP server integration resolves $VAR placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any...

CVSS: 9.6 | AI score: 5.8 | EPSS: 0.0294 | Exploits: 1 | References: 1
CNNVD
added 2026/06/02 12:00 a.m., 4 views

LibreChat information disclosure vulnerability

LibreChat is an open-source, free, and highly customizable unified AI dialogue platform. It allows for the aggregation and running of large models from any vendor within a single interface. Versions of LibreChat 0.8.3 and earlier contained a security vulnerability known as information leakage. Th...

CVSS: 9.6 | AI score: 5.4 | EPSS: 0.0294 | Exploits: 1 | References: 1
Snyk
added 2026/05/29 10:05 p.m., 7 views

Malicious Package

Overview zod-to-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS: 9.8 | AI score: 5.8 | Exploits: 0 | References: 2
OSV
added 2026/05/19 7:53 p.m., 8 views

MAL-2026-4740 Malicious code in zod-to-js (npm)

Source: amazon-inspector 370d1632254cb5b5dbd394992054b6c0e943a6fb758ab70f470c059ee734b9c0. The package is published as 'zod-to-js' but ships a copy of pino's source tree (main entry pino.js, lib/proto.js, lib/levels.js, pino docs/README) with...

AI score: 6.2 | Exploits: 0 | References: 3
OSSF Malicious Packages
added 2026/05/19 7:53 p.m., 9 views

Malicious code in zod-to-js (npm)

Source: amazon-inspector 370d1632254cb5b5dbd394992054b6c0e943a6fb758ab70f470c059ee734b9c0. The package is published as 'zod-to-js' but ships a copy of pino's source tree (main entry pino.js, lib/proto.js, lib/levels.js, pino docs/README) with...

AI score: 6.2 | Exploits: 0 | References: 3
OSSF Malicious Packages
added 2026/05/11 11:57 p.m., 11 views

Malicious code in @tanstack/zod-adapter (npm)

Source: ghsa-malware 7b6bc07c0e2b0175dd6e6bd29157ea6967bb2bcb66f643f9dafd89ab77a9f6fd. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.8 | Exploits: 0 | References: 6
OSV
added 2026/05/11 11:57 p.m., 2 views

MAL-2026-3501 Malicious code in @tanstack/zod-adapter (npm)

Source: ghsa-malware 7b6bc07c0e2b0175dd6e6bd29157ea6967bb2bcb66f643f9dafd89ab77a9f6fd. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score: 5.8 | Exploits: 0 | References: 6
vulnersOsv
added 2026/05/11 9:00 p.m., 7 views

@use-pico/client (>=4.0.45 <=4.1.52), @use-pico/common (>=4.0.20 <=4.1.52) +1 more potentially affected by CVE-2026-45321 via @tanstack/zod-adapter (>=1.112.13 <=1.129.2)

@tanstack/zod-adapter NPM version =1.112.13, =4.0.45, =4.0.20, =4.0.16, =4.1.52 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKZODADAPTER-16640257...

CVSS: 9.6 | AI score: 7.4 | EPSS: 0.02342 | Exploits: 3
RedhatCVE
added 2026/04/27 7:23 p.m., 5 views

CVE-2026-6991

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS: 6.5 | AI score: 6.3 | EPSS: 0.00233 | Exploits: 0 | References: 1
NVD
added 2026/04/25 6:16 p.m., 6 views

CVE-2026-6991

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS: 6.5 | EPSS: 0.00233 | Exploits: 0 | References: 3
Vulnrichment
added 2026/04/25 5:45 p.m., 4 views

CVE-2026-6991 colinhacks Zod CUID Data Type regexes.ts sql injection

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS: 6.5 | AI score: 6.4 | EPSS: 0.00233 | Exploits: 0 | References: 3
ATTACKERKB
added 2026/04/25 5:45 p.m., 1 view

CVE-2026-6991

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS: 6.5 | AI score: 6.3 | EPSS: 0.00233 | Exploits: 0 | References: 4 | Affected software: 1
EUVD
added 2026/04/25 5:45 p.m., 3 views

EUVD-2026-25667

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS: 6.5 | AI score: 6.3 | EPSS: 0.00233 | Exploits: 0 | References: 3
Cvelist
added 2026/04/25 5:45 p.m., 34 views

CVE-2026-6991 colinhacks Zod CUID Data Type regexes.ts sql injection

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS: 6.5 | EPSS: 0.00233 | Exploits: 0 | References: 3
CVE
added 2026/04/25 5:45 p.m., 26 views

CVE-2026-6991

The CVE concerns colinhacks Zod up to 4.3.6, specifically the CUID Data Type Handler in packages/zod/src/v4/core/regexes.ts. The vulnerability arises from a manipulated input to an unknown function, enabling SQL injection. It is a remote attack and exploitation is indicated by public disclosures ...

CVSS: 6.5 | AI score: 6.3 | EPSS: 0.00233 | Exploits: 0 | References: 3
Positive Technologies
added 2026/04/25 12:00 a.m., 3 views

PT-2026-35164

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS: 6.5 | AI score: 6.3 | EPSS: 0.00233 | Exploits: 0 | References: 4
CNNVD
added 2026/04/25 12:00 a.m., 8 views

Zod injection vulnerability

Zod is a validation library developed by Colin McDonnell, with a focus on TypeScript. Versions of Zod 4.3.6 and earlier contained an injection vulnerability. This vulnerability stemmed from an unknown feature in the component CUID Data Type Handler, specifically the file...

CVSS: 6.5 | AI score: 6.6 | EPSS: 0.00233 | Exploits: 0 | References: 2