connect
139 known vulnerabilities · 5 critical · 6 high
methodOverride Middleware Reflected Cross-Site Scripting in connect
Node Connect Reflected Cross-Site Scripting in Sencha Labs Connect middleware
FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString
Fastify's connection header abuse enables stripping of proxy-added headers
Malicious code in stripe-demo-connect-standard-saas-platform (npm)
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin
OpenClaw: Silent privilege escalation via gateway shared-auth reconnect
Malicious code in waletconnect (npm)
OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement
Malicious code in wagmi-ethers-connectors (npm)
OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated
Malicious code in connect-perspectives-admintool (npm)
mcp-remote exposed to OS command injection via untrusted MCP server connections
Malicious code in theta-connector (npm)
URL Redirection to Untrusted Site ('Open Redirect') in express-openid-connect
Malicious code in meshblu-connector-arc-thermometer (npm)
Malicious code in cs-connection-hub (npm)
Malicious code in @tallyui/connector-shopify (npm)
NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS
Malicious code in fma-connect-javascript (npm)
Claude Code Improper Authorization via websocket connections from arbitrary origins
Malicious code in matomo-looker-studio-connector (npm)
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
Malicious code in uber-connect (npm)
Malicious code in spinal-core-connectorjs (npm)
apiconnect-cli-plugins vulnerable to OS Command Injection
Malicious code in fin-connector (npm)
Malicious code in deficonnect-private-sdk (npm)
loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter
Malicious code in down-lo-ad-now-zip-mp3-18275-skelliconnection-taeie-mgpquk (npm)
Malicious code in ct-connect-stripe (npm)
Malicious code in mender-connect (npm)
Malicious code in fitbit-connect (npm)
Malicious code in fitbit-connect-client-api (npm)
MCP Connect has unauthenticated remote OS command execution via /bridge endpoint
Malicious code in com.unity.furioos-connection-kit (npm)
Malicious code in deficonnect-internal-utils (npm)
MCPHub has an Improper Authorization vulnerability via its handleSseConnection function
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
Malicious code in connector123 (npm)
Malicious code in wagmi-connectors (npm)
Malicious code in walletconnect-website (npm)
Malicious code in raydium-connect (npm)
Malicious code in connect_softbank_interface (npm)
Malicious code in connectflasjh (npm)
fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
OpenClaw: Workspace dotenv files cannot override connector endpoint hosts
Malicious code in com.unity.connect.share (npm)
Malicious code in connectrix (npm)
keycloak-connect contains Open redirect vulnerability in the Node.js adapter
`chainId` may be outdated if user changes chains as part of connection in @web3-react
Malicious code in opsgenie-connectwise-integration (npm)
Malicious code in contentsource-connector (npm)
Malicious code in pc-nrfconnect-shared (npm)
Malicious code in custom-social-connections (npm)
Malicious code in fi-connect (npm)
Malicious code in @sodexo-connect/sap-cdc-client (npm)
Malicious code in connect-rtc-js (npm)
Malicious code in visma-connect-bv (npm)
Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
@dapperduckling/keycloak-connector-server has Reflected XSS Vulnerability in Authentication Flow URL Handling
Malicious code in 32red-connect (npm)
Malicious code in 000webhost-connect (npm)
keycloak-connect and keycloak-js improperly handle invalid tokens
Malicious code in arkane-connect (npm)
Malicious code in gft-sam-connector (npm)
Malicious code in stripe-connect-rocketrides (npm)
Malicious code in bookingcom-connect (npm)
Malicious code in wallet-connector-rce (npm)
Malicious code in db-connections-templates (npm)
Malicious code in binance-connector-ruby (npm)
Malicious code in connect-me-icon (npm)
Malicious code in @sellerly-kit/amazon-token-connect (npm)
Malicious code in pp-mp-connected-path (npm)
Malicious code in @atlan/connectors (npm)
Malicious code in @pluxee-connect/api-client (npm)
Malicious code in @tallyui/connector-vendure (npm)
Malicious code in web3connectjs (npm)
Malicious code in db-dx-connector (npm)
Malicious code in @tallyui/connector-medusa (npm)
Malicious code in @uipath/packager-tool-connector (npm)
Malicious code in webrtc-studio-connection (npm)
Malicious code in binance-connector-js (npm)
Malicious code in search-connector-template (npm)
Malicious code in wcc-connector (npm)
Malicious code in connecthistoryapifallbacc (npm)
Malicious code in @w3m-app/is_connected (npm)
Malicious code in @fairwords/loopback-connector-es (npm)
Malicious code in connect-web (npm)
Malicious code in lbank-connector (npm)
Malicious code in lbank-connector-nodejs (npm)
Malicious code in jetpack-connection (npm)
Paperclip: codex_local inherited ChatGPT/OpenAI-connected Gmail and was able to send real email
Malicious code in generator-connection (npm)
Malicious code in @pluxee-connect/account-db-api-client (npm)
Budibase: `PUT /api/datasources/:datasourceId` is protected only by `TABLE/READ` permission instead of builder access, allowing any authenticated app user to overwrite datasource connection parameters including host, port, and URL
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
NocoDB: Cross-Workspace Integration Use in Connection Test
Malicious code in dmpconnectjsapp-base (npm)
Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name
Malicious code in openidconnect.net (npm)
NocoDB: Server-Side Request Forgery via Database Connection Host
Malicious code in @tallyui/connector-woocommerce (npm)
Malicious code in chia-gaming-lobby-connection (npm)
Malicious code in mbed-connector (npm)
Malicious code in worldpay-raft-connect (npm)
Malicious code in web3walletconnect (npm)
Malicious code in canva-connect-api-starter-kit (npm)
Malicious code in @mparpaillon/connector-parse (npm)
Malicious code in connectnodewebclient (npm)
Malicious code in deviceconnect (npm)
Nuxt dev server vite-node IPC socket is world-connectable on Linux
Malicious code in binance-connector-node (npm)
Malicious code in spinal-core-connectorjs_type (npm)
Duplicate Advisory: OpenClaw: Workspace dotenv files cannot override connector endpoint hosts
Malicious code in onboardconnect-agent (npm)
Malicious code in apex-connector (npm)
Malicious code in uisp-connector (npm)
Malicious code in ebay-connect (npm)
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Malicious code in @mlspace/connectors (npm)
Malicious code in @cloudplatform-single-spa/dataplatform-connections (npm)
Signal K Server: Server-Side Request Forgery via Remote Connection Endpoints
budibase: Database Connector SQL Injections in PostgreSQL, MS SQL, and MySQL
Malicious code in helix-contentsource-connector (npm)
Malicious code in alb-um-availa-ble-zip-mp3-file-46046-radical-connector-m2ydd-nirtvy (npm)
Malicious code in db-connector-log (npm)
Malicious code in barcodescanner-reconnect (npm)