CVE | added 2 days ago | 9 views

CVE-2026-32625

LibreChat vulnerability CVE-2026-32625 affects versions up to 0.8.3 where MCP server URL validation expands ${VAR} against process.env during Zod schema checks. An authenticated user can configure a malicious MCP URL to exfiltrate secrets (CREDS_KEY, CREDS_IV, JWT_SECRET, MONGO_URI) to an attacke...

CVSS 9.6 | AI score 5.8 | EPSS 0.00031
Exploits: 1 | References: 1 | Affected Software: 1

EUVD | added 2 days ago | 5 views

EUVD-2026-34046

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. In versions up to and including 0.8.3, the Model Context Protocol MCP server integration resolves $VAR placeholders against the server's process.env during Zod schema validation of user-supplied MCP server URLs. Any...

CVSS 9.6 | AI score 5.8 | EPSS 0.00031
Exploits: 1 | References: 1

Snyk | added 6 days ago | 4 views

Malicious Package

Overview zod-to-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8 | AI score 5.8
Exploits: 0 | References: 2

OSV | added 2026/05/19 7:53 p.m. | 4 views

MAL-2026-4740 Malicious code in zod-to-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 370d1632254cb5b5dbd394992054b6c0e943a6fb758ab70f470c059ee734b9c0 The package is published as 'zod-to-js' but ships a copy of pino's source tree main entry pino.js, lib/proto.js, lib/levels.js, pino docs/README with...

AI score 6.2
Exploits: 0 | References: 3

OSSF Malicious Packages | added 2026/05/19 7:53 p.m. | 6 views

Malicious code in zod-to-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 370d1632254cb5b5dbd394992054b6c0e943a6fb758ab70f470c059ee734b9c0 The package is published as 'zod-to-js' but ships a copy of pino's source tree main entry pino.js, lib/proto.js, lib/levels.js, pino docs/README with...

AI score 6.2
Exploits: 0 | References: 3

vulnersOsv | added 2026/05/11 11:57 p.m. | 1 view

@use-pico/client (>=4.0.45 <=4.1.52), @use-pico/common (>=4.0.20 <=4.1.52) +1 more potentially affected by unknown CVE via @tanstack/zod-adapter (>=1.112.13 <=1.129.2)

@tanstack/zod-adapter NPM version =1.112.13, =4.0.45, =4.0.20, =4.0.16, =4.1.52 Source cves: unknown CVE Source advisory: OSV:MAL-2026-3501...

AI score 5.8
Exploits: 0

OSSF Malicious Packages | added 2026/05/11 11:57 p.m. | 6 views

Malicious code in @tanstack/zod-adapter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7b6bc07c0e2b0175dd6e6bd29157ea6967bb2bcb66f643f9dafd89ab77a9f6fd Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 5.8
Exploits: 0 | References: 6

OSV | added 2026/05/11 11:57 p.m. | 0 views

MAL-2026-3501 Malicious code in @tanstack/zod-adapter (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 7b6bc07c0e2b0175dd6e6bd29157ea6967bb2bcb66f643f9dafd89ab77a9f6fd Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 5.8
Exploits: 0 | References: 6

vulnersOsv | added 2026/05/11 9:00 p.m. | 2 views

@use-pico/client (>=4.0.45 <=4.1.52), @use-pico/common (>=4.0.20 <=4.1.52) +1 more potentially affected by CVE-2026-45321 via @tanstack/zod-adapter (>=1.112.13 <=1.129.2)

@tanstack/zod-adapter NPM version =1.112.13, =4.0.45, =4.0.20, =4.0.16, =4.1.52 Source cves: CVE-2026-45321 Source advisory: SNYK:JS-TANSTACKZODADAPTER-16640257...

CVSS 9.6 | AI score 7.4 | EPSS 0.17051
Exploits: 3

RedhatCVE | added 2026/04/27 7:23 p.m. | 3 views

CVE-2026-6991

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS 6.5 | AI score 6.3 | EPSS 0.00011
Exploits: 0 | References: 1

NVD | added 2026/04/25 6:16 p.m. | 2 views

CVE-2026-6991

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS 6.5 | EPSS 0.00011
Exploits: 0 | References: 3

ATTACKERKB | added 2026/04/25 5:45 p.m. | 1 view

CVE-2026-6991

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS 6.5 | AI score 6.3 | EPSS 0.00011
Exploits: 0 | References: 4 | Affected Software: 1

EUVD | added 2026/04/25 5:45 p.m. | 1 view

EUVD-2026-25667

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS 6.5 | AI score 6.3 | EPSS 0.00011
Exploits: 0 | References: 3

Vulnrichment | added 2026/04/25 5:45 p.m. | 2 views

CVE-2026-6991 colinhacks Zod CUID Data Type regexes.ts sql injection

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS 6.5 | AI score 6.4 | EPSS 0.00011
Exploits: 0 | References: 3

Cvelist | added 2026/04/25 5:45 p.m. | 31 views

CVE-2026-6991 colinhacks Zod CUID Data Type regexes.ts sql injection

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS 6.5 | EPSS 0.00011
Exploits: 0 | References: 3

CVE | added 2026/04/25 5:45 p.m. | 14 views

CVE-2026-6991

The CVE concerns colinhacks Zod up to 4.3.6, specifically the CUID Data Type Handler in packages/zod/src/v4/core/regexes.ts. The vulnerability arises from a manipulated input to an unknown function, enabling SQL injection. It is a remote attack and exploitation is indicated by public disclosures ...

CVSS 6.5 | AI score 6.3 | EPSS 0.00011
Exploits: 0 | References: 3

Positive Technologies | added 2026/04/25 12:00 a.m. | 1 view

PT-2026-35164

A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit h...

CVSS 6.5 | AI score 6.3 | EPSS 0.00011
Exploits: 0 | References: 4

CNNVD | added 2026/04/25 12:00 a.m. | 6 views

Zod Injection Vulnerability

Zod is a validation library developed by Colin McDonnell, with a focus on TypeScript. Versions of Zod 4.3.6 and earlier contained an injection vulnerability. This vulnerability stemmed from an unknown feature in the Component CUID Data Type Handler, specifically the file...

CVSS 6.5 | AI score 6.6 | EPSS 0.00011
Exploits: 0 | References: 2

RedhatCVE | added 2026/04/14 7:22 a.m. | 2 views

CVE-2026-5986

A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit ha...

CVSS 6.9 | AI score 5.5 | EPSS 0.0006
Exploits: 0 | References: 1

OSV | added 2026/04/10 12:30 a.m. | 1 view

GHSA-8FGX-WGVR-PCX8 Zod jsVideoUrlParser vulnerable to ReDoS in util.js

A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit ha...

CVSS 6.9 | AI score 5.5 | EPSS 0.0006
Exploits: 0 | References: 7