connect
108 known vulnerabilities · 5 critical · 6 high
methodOverride Middleware Reflected Cross-Site Scripting in connect
Node Connect Reflected Cross-Site Scripting in Sencha Labs Connect middleware
fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections
keycloak-connect contains Open redirect vulnerability in the Node.js adapter
Malicious code in wagmi-ethers-connectors (npm)
Fastify's connection header abuse enables stripping of proxy-added headers
OpenClaw: Gateway Backend Reconnect lets Non-Admin Operator Scopes Self-Claim operator.admin
OpenClaw: Silent privilege escalation via gateway shared-auth reconnect
OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement
OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated
mcp-remote exposed to OS command injection via untrusted MCP server connections
URL Redirection to Untrusted Site ('Open Redirect') in express-openid-connect
Malicious code in pp-mp-connected-path (npm)
Malicious code in meshblu-connector-arc-thermometer (npm)
Malicious code in cs-connection-hub (npm)
NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS
Paperclip: codex_local inherited ChatGPT/OpenAI-connected Gmail and was able to send real email
Malicious code in fma-connect-javascript (npm)
Claude Code Improper Authorization via websocket connections from arbitrary origins
apiconnect-cli-plugins vulnerable to OS Command Injection
Malicious code in alb-um-availa-ble-zip-mp3-file-46046-radical-connector-m2ydd-nirtvy (npm)
Malicious code in matomo-looker-studio-connector (npm)
Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
Malicious code in uber-connect (npm)
Malicious code in spinal-core-connectorjs (npm)
Malicious code in fin-connector (npm)
Malicious code in deficonnect-private-sdk (npm)
loopback-connector-postgresql Vulnerable to Improper Sanitization of `contains` Filter
Malicious code in down-lo-ad-now-zip-mp3-18275-skelliconnection-taeie-mgpquk (npm)
Malicious code in ct-connect-stripe (npm)
Malicious code in mender-connect (npm)
Malicious code in fitbit-connect (npm)
Malicious code in fitbit-connect-client-api (npm)
MCP Connect has unauthenticated remote OS command execution via /bridge endpoint
Malicious code in com.unity.furioos-connection-kit (npm)
Malicious code in deficonnect-internal-utils (npm)
MCPHub has an Improper Authorization vulnerability via its handleSseConnection function
Malicious code in connector123 (npm)
Malicious code in wagmi-connectors (npm)
Malicious code in walletconnect-website (npm)
Malicious code in raydium-connect (npm)
Malicious code in chia-gaming-lobby-connection (npm)
Malicious code in connect_softbank_interface (npm)
Malicious code in connectflasjh (npm)
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Malicious code in com.unity.connect.share (npm)
Malicious code in connectrix (npm)
`chainId` may be outdated if user changes chains as part of connection in @web3-react
Malicious code in opsgenie-connectwise-integration (npm)
Malicious code in contentsource-connector (npm)
Malicious code in pc-nrfconnect-shared (npm)
Malicious code in custom-social-connections (npm)
Malicious code in fi-connect (npm)
Malicious code in @sodexo-connect/sap-cdc-client (npm)
Malicious code in connect-rtc-js (npm)
Malicious code in visma-connect-bv (npm)
@dapperduckling/keycloak-connector-server has Reflected XSS Vulnerability in Authentication Flow URL Handling
Budibase: Server-Side Request Forgery via REST Connector with Empty Default Blacklist
Malicious code in 32red-connect (npm)
Malicious code in helix-contentsource-connector (npm)
Malicious code in 000webhost-connect (npm)
keycloak-connect and keycloak-js improperly handle invalid tokens
Malicious code in arkane-connect (npm)
Malicious code in gft-sam-connector (npm)
Malicious code in stripe-connect-rocketrides (npm)
Malicious code in bookingcom-connect (npm)
Malicious code in wallet-connector-rce (npm)
Duplicate Advisory: OpenClaw: WebSocket shared-auth connections could self-declare elevated scopes
Malicious code in db-connections-templates (npm)
Malicious code in binance-connector-ruby (npm)
Malicious code in connect-me-icon (npm)
Malicious code in binance-connector-node (npm)
Malicious code in @sellerly-kit/amazon-token-connect (npm)
Malicious code in stripe-demo-connect-standard-saas-platform (npm)
Malicious code in web3connectjs (npm)
Malicious code in spinal-core-connectorjs_type (npm)
Malicious code in connecthistoryapifallbacc (npm)
Malicious code in webrtc-studio-connection (npm)
Malicious code in binance-connector-js (npm)
Malicious code in wcc-connector (npm)
Malicious code in @w3m-app/is_connected (npm)
Malicious code in @fairwords/loopback-connector-es (npm)
Malicious code in connect-web (npm)
Malicious code in lbank-connector (npm)
Malicious code in lbank-connector-nodejs (npm)
Malicious code in jetpack-connection (npm)
Malicious code in generator-connection (npm)
Malicious code in dmpconnectjsapp-base (npm)
Malicious code in openidconnect.net (npm)
Malicious code in waletconnect (npm)
Malicious code in mbed-connector (npm)
Malicious code in worldpay-raft-connect (npm)
Malicious code in web3walletconnect (npm)
Malicious code in canva-connect-api-starter-kit (npm)
Malicious code in @mparpaillon/connector-parse (npm)
Malicious code in connectnodewebclient (npm)
Malicious code in deviceconnect (npm)
Malicious code in ebay-connect (npm)