OsVault/npm/ini
npm2 critical

ini

213 known vulnerabilities · 2 critical · 13 high

CVE-2020-7788HIGH

ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse

Published Dec 10, 2020
GHSA-6xwp-cp5h-q856

Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm

Published May 19, 2026
CVE-2023-7078HIGH

Miniflare vulnerable to Server-Side Request Forgery (SSRF)

Published Dec 29, 2023
MAL-2024-8206

Malicious code in @diotoborg/cum-saepe-minima (npm)

Published Sep 2, 2024
CVE-2020-7617MEDIUM

Prototype Pollution in ini-parser

Published Jun 10, 2020
CVE-2022-39384MEDIUM

OpenZeppelin Contracts initializer reentrancy may lead to double initialization

Published Dec 14, 2021
CVE-2016-10540HIGH

Regular Expression Denial of Service in minimatch

Published Oct 9, 2018
MAL-2022-5248

Malicious code in paypay-ecommerce-miniapp (npm)

Published Jun 20, 2022
CVE-2015-8857CRITICAL

Incorrect Handling of Non-Boolean Comparisons During Minification in uglify-js

Published Oct 24, 2017
MAL-2026-5047

Malicious code in @cplace-paw-fe/cf-training-extended (npm)

Published May 29, 2026
MAL-2022-6633

Malicious code in training-kit (npm)

Published Jun 20, 2022
MAL-2022-6634

Malicious code in training-platform-web (npm)

Published Jun 20, 2022
MAL-2022-3324

Malicious code in gemini-adapter (npm)

Published Jun 20, 2022
MAL-2022-6253

Malicious code in spotify-event-definitions (npm)

Published Jun 20, 2022
CVE-2026-25533

Sandbox escape via infinite recursion and error objects

Published Feb 5, 2026
CVE-2020-28460MEDIUM

Prototype pollution in multi-ini

Published Apr 13, 2021
MAL-2022-6547

Malicious code in theme_dbtraining (npm)

Published Jun 20, 2022
GHSA-x72j-hv9f-qqh4

parse-ini is vulnerable to Prototype Pollution in index.js()

Published May 7, 2026
MAL-2022-866

Malicious code in administracja_reklamowa (npm)

Published Jun 20, 2022
MAL-2022-2630

Malicious code in dwux-init (npm)

Published Jun 20, 2022
CVE-2021-46320HIGH

Improper Initialization in OpenZeppelin

Published Feb 5, 2022
CVE-2020-26226HIGH

Secret disclosure when containing characters that become URI encoded

Published Nov 18, 2020
MAL-2025-4663

Malicious code in minimal-ts-webpack (npm)

Published Jun 3, 2025
CVE-2021-23567HIGH

Infinite Loop in colors.js

Published Jan 21, 2022
MAL-2022-1500

Malicious code in bender-event-definition-loader (npm)

Published Jun 20, 2022
CVE-2021-44906CRITICAL

Prototype Pollution in minimist

Published Mar 18, 2022
MAL-2025-47412

Malicious code in suchinind (npm)

Published Sep 16, 2025
MAL-2022-1177

Malicious code in authinit (npm)

Published Aug 30, 2022
MAL-2023-1137

Malicious code in cloudsplaining (npm)

Published Jul 26, 2023
CVE-2024-54134

Modified package published to npm, containing malware that exfiltrates private key material

Published Dec 4, 2024
CVE-2026-33891

Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input

Published Mar 26, 2026
CVE-2022-31160MEDIUM

jQuery UI vulnerable to XSS when refreshing a checkboxradio with an HTML-like initial text label

Published Jul 18, 2022
MAL-2026-3063

Malicious code in @google-pay-trust/finish (npm)

Published Apr 25, 2026
MAL-2025-2045

Malicious code in minipay-minidapps (npm)

Published Mar 3, 2025
MAL-2026-2667

Malicious code in ckeditor5-minimap (npm)

Published Apr 14, 2026
MAL-2022-6632

Malicious code in training-client (npm)

Published Jul 21, 2022
MAL-2025-1341

Malicious code in gemini-test (npm)

Published Feb 13, 2025
CVE-2022-25854MEDIUM

tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload

Published Apr 30, 2022
GHSA-ch86-pxr9-j9h9

Duplicate Advisory: OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter

Published Apr 3, 2026
MAL-2026-3064

Malicious code in @google-pay-trust/init-google-pay (npm)

Published Apr 25, 2026
MAL-2022-2101

Malicious code in com.unity.render-pipelines.high-definition-config (npm)

Published May 16, 2022
MAL-2026-4106

Malicious code in @antv/x6-plugin-minimap (npm)

Published May 19, 2026
MAL-2026-4846

Malicious code in @service-suppliers/fetch-initial-suppliers-watcher-saga (npm)

Published May 28, 2026
MAL-2026-4848

Malicious code in @service-suppliers/fetch_initial_suppliers_action_saga (npm)

Published May 28, 2026
MAL-2026-4852

Malicious code in @service-suppliers/set_initial_loaded (npm)

Published May 28, 2026
MAL-2022-1364

Malicious code in azure-purview-administration (npm)

Published Jun 20, 2022
GHSA-wpc6-37g7-8q4w

OpenClaw: Shell init-file options could satisfy exec allowlist script matching

Published Apr 7, 2026
MAL-2022-3770

Malicious code in identity-module-miniapp (npm)

Published Jun 20, 2022
MAL-2022-3798

Malicious code in imagecompress-mini (npm)

Published Dec 7, 2022
MAL-2022-6653

Malicious code in trinity-pkg-ss (npm)

Published Jun 20, 2022
MAL-2022-40

Malicious code in 6ini (npm)

Published Aug 19, 2022
MAL-2022-4855

Malicious code in ninimis (npm)

Published Aug 19, 2022
CVE-2026-4598

jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or negative inputs

Published Mar 23, 2026
MAL-2023-8097

Malicious code in purplebricks-administration (npm)

Published Sep 13, 2023
MAL-2022-6116

Malicious code in shuup-definite-theme (npm)

Published Dec 29, 2022
MAL-2026-4281

Malicious code in project-init-tools (npm)

Published May 23, 2026
MAL-2025-1044

Malicious code in minikit-monorepo (npm)

Published Feb 3, 2025
MAL-2022-4599

Malicious code in minicom-node (npm)

Published Jun 20, 2022
MAL-2022-4602

Malicious code in minimhc (npm)

Published Aug 19, 2022
MAL-2022-4603

Malicious code in minimum-flow-parser (npm)

Published Jun 20, 2022
MAL-2023-8377

Malicious code in @momo-miniapp/apix (npm)

Published Oct 13, 2023
GHSA-3j8v-cgw4-2g6q

fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)

Published Apr 9, 2026
MAL-2024-7364

Malicious code in @zitterorg/reiciendis-minima-excepturi (npm)

Published Jul 4, 2024
MAL-2024-8420

Malicious code in @diotoborg/minima-omnis (npm)

Published Sep 2, 2024
CVE-2020-7638MEDIUM

confinit vulnerable to prototype pollution

Published Apr 7, 2020
CVE-2026-27903

minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

Published Feb 26, 2026
GHSA-v3rj-xjv7-4jmq

smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines

Published Mar 25, 2026
CVE-2025-67427

evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API

Published Jan 5, 2026
MAL-2024-7388

Malicious code in @zitterorg/tempore-debitis-minima (npm)

Published Jul 4, 2024
MAL-2025-190775

Malicious code in manual-billing-system-miniapp-api (npm)

Published Nov 24, 2025
MAL-2023-473

Malicious code in get-your-sht-together-how-to-stop-worrying-about-what-you-should-do-so-you-can-finish-what-you-need- (npm)

Published May 10, 2023
GHSA-9jpj-g8vv-j5mf

OpenClaw: Gemini OAuth exposed the PKCE verifier through the OAuth state parameter

Published Apr 4, 2026
CVE-2026-27646

OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions

Published Mar 9, 2026
MAL-2025-192803

Malicious code in init-router (npm)

Published Dec 23, 2025
MAL-2022-5253

Malicious code in paytm-mini-programs-nodejs-sdk (npm)

Published Jun 20, 2022
MAL-2022-2843

Malicious code in eslintplunginimpwrt (npm)

Published Aug 19, 2022
MAL-2025-47874

Malicious code in node-db-init (npm)

Published Oct 2, 2025
MAL-2026-2763

Malicious code in gemini-ai-checker (npm)

Published Apr 16, 2026
MAL-2026-2764

Malicious code in gemini-cli-vscode-ide-companion (npm)

Published Apr 16, 2026
MAL-2025-1585

Malicious code in exclusiveminimum (npm)

Published Feb 28, 2025
MAL-2026-1645

Malicious code in aboba-initial (npm)

Published Mar 18, 2026
CVE-2021-23328MEDIUM

Prototype Pollution in iniparserjs

Published Apr 13, 2021
CVE-2020-28441HIGH

conf-cfg-ini Prototype Pollution via malicious INI file before v1.2.2

Published Jul 26, 2022
CVE-2020-28461HIGH

js-ini Prorotype Pollution when malicious INI files submitted to an application that parses it with `parse`

Published Jul 26, 2022
MAL-2022-4993

Malicious code in o-autoinit (npm)

Published Jun 20, 2022
CVE-2020-7598MEDIUM

Prototype Pollution in minimist

Published Apr 3, 2020
MAL-2022-4601

Malicious code in minimal-mistakes (npm)

Published Jun 20, 2022
MAL-2022-7000

Malicious code in vue3-infinite-scroll (npm)

Published Jun 20, 2022
MAL-2025-190774

Malicious code in korea-administrative-area-geo-json-util (npm)

Published Nov 24, 2025
MAL-2025-191463

Malicious code in initial-path (npm)

Published Nov 25, 2025
CVE-2026-34768LOW
Risk: 19.5/100

Electron: Unquoted executable path in app.setLoginItemSettings on Windows

Published Apr 3, 2026
MAL-2022-3845

Malicious code in initappd (npm)

Published Jun 20, 2022
MAL-2022-1891

Malicious code in chawla-init-3 (npm)

Published Aug 2, 2022
MAL-2022-1048

Malicious code in apinitro (npm)

Published Jun 20, 2022
MAL-2024-8933

Malicious code in minification (npm)

Published Sep 21, 2024
MAL-2025-192976

Malicious code in shop-minis-docs (npm)

Published Dec 30, 2025
CVE-2021-29486HIGH

cumulative-distribution-function Infinite Loop vulnerability

Published May 4, 2021
MAL-2023-623

Malicious code in ngx-infinite-scroll-fixed (npm)

Published Mar 15, 2023
CVE-2026-2739

bn.js affected by an infinite loop

Published Feb 20, 2026
MAL-2026-5253

Malicious code in executable-stories-init (npm)

Published Jun 5, 2026
CVE-2023-30543MEDIUM

`chainId` may be outdated if user changes chains as part of connection in @web3-react

Published Apr 18, 2023
MAL-2022-4997

Malicious code in o7nyfinished (npm)

Published Aug 19, 2022
MAL-2022-1446

Malicious code in babpuuginimport (npm)

Published Aug 19, 2022
MAL-2025-3562

Malicious code in minicom-support-client (npm)

Published May 1, 2025
MAL-2026-646

Malicious code in picking-miniapp (npm)

Published Feb 2, 2026
MAL-2022-1365

Malicious code in azure-purview-administration-samples-js (npm)

Published Jun 20, 2022
GHSA-h2vw-ph2c-jvwf

OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

Published Apr 25, 2026
MAL-2022-6696

Malicious code in twinit-cdk (npm)

Published Jun 20, 2022
GHSA-6m6c-36f7-fhxh

Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS

Published May 11, 2026
GHSA-6v9c-7cg6-27q7

Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer

Published Apr 29, 2026
CVE-2022-36313MEDIUM

file-type vulnerable to Infinite Loop via malformed MKV file

Published Jul 22, 2022
MAL-2025-600

Malicious code in digitalexp-datasource-definitions (npm)

Published Jan 29, 2025
MAL-2025-2261

Malicious code in init-spa (npm)

Published Mar 11, 2025
MAL-2025-6294

Malicious code in mini-builder (npm)

Published Jul 23, 2025
MAL-2022-7215

Malicious code in woocommerce-infinitepay (npm)

Published May 31, 2022
MAL-2025-2724

Malicious code in xverginia4u (npm)

Published Mar 25, 2025
CVE-2021-32850MEDIUM

@claviska/jquery-minicolors vulnerable to Cross-site Scripting

Published Feb 21, 2023
CVE-2022-37620HIGH

kangax html-minifier REDoS vulnerability

Published Oct 31, 2022
MAL-2024-9339

Malicious code in avail-able-albu-m-down-load-114925-rainier-fog-nuh7o-acneyh (npm)

Published Oct 16, 2024
MAL-2025-2123

Malicious code in raydium-sdk-liquidity-init (npm)

Published Mar 4, 2025
MAL-2025-1339

Malicious code in gemini-internal (npm)

Published Feb 13, 2025
MAL-2025-4981

Malicious code in vscode-spring-initializr (npm)

Published Jun 16, 2025
CVE-2021-32050MEDIUM

MongoDB Driver may publish events containing authentication-related data

Published Aug 29, 2023
MAL-2026-3114

Malicious code in @apple-pay-trust/finish (npm)

Published Apr 27, 2026
MAL-2022-3843

Malicious code in inipyrser (npm)

Published Aug 19, 2022
MAL-2022-3844

Malicious code in init-epic-link-multiselect (npm)

Published Jun 20, 2022
CVE-2026-4603

jsrsasign: Division by Zero Allows Invalid JWK Modulus to Cause Deterministic Zero Output in RSA Operations

Published Mar 23, 2026
GHSA-m5qc-5hw7-8vg7

image-size Denial of Service via Infinite Loop during Image Processing

Published Apr 2, 2025
CVE-2020-28462HIGH

ion-parser Prototype Pollution when malicious INI file submitted to application that parses with `parse`

Published Jul 26, 2022
MAL-2022-3916

Malicious code in intrinio-adapter (npm)

Published Jun 20, 2022
MAL-2025-1011

Malicious code in @infinid-indonesia/ui-kit (npm)

Published Feb 3, 2025
GHSA-wpqr-6v78-jr5g

Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses

Published Apr 24, 2026
MAL-2026-4977

Malicious code in @cloudplatform-single-spa/svp-anti-affinity (npm)

Published May 28, 2026
MAL-2024-7296

Malicious code in @zitterorg/nihil-illo-minima (npm)

Published Jul 4, 2024
MAL-2026-4394

Malicious code in @ikyyofc/gemini-cli (npm)

Published May 20, 2026
MAL-2022-4600

Malicious code in minicssextractpluin (npm)

Published Aug 19, 2022
MAL-2023-8098

Malicious code in smeeh-administration (npm)

Published Sep 13, 2023
MAL-2026-2891

Malicious code in chai-as-init (npm)

Published Apr 16, 2026
MAL-2023-8345

Malicious code in situs-bocoran-rtp-live-bocoran-agen-judi-rtp-slot-hari-ini-terpercaya (npm)

Published Oct 12, 2023
MAL-2023-8376

Malicious code in @momo-miniapp/api (npm)

Published Oct 13, 2023
MAL-2022-3694

Malicious code in htmlminifire (npm)

Published Aug 19, 2022
MAL-2023-873

Malicious code in the-self-taught-programmer-the-definitive-guide-to-programming-professionally-by-cory-althoff-on-kin (npm)

Published May 10, 2023
MAL-2026-3266

Malicious code in @bcs-bank/init (npm)

Published May 4, 2026
MAL-2026-1506

Malicious code in transform-minify-booleans (npm)

Published Mar 16, 2026
MAL-2026-1503

Malicious code in minify-replace (npm)

Published Mar 16, 2026
MAL-2026-18

Malicious code in initializers (npm)

Published Jan 2, 2026
MAL-2026-3319

Malicious code in @google-pay-trust/init-google-pay-result (npm)

Published May 4, 2026
MAL-2026-5837

Malicious code in postcss-minify-selector (npm)

Published Jun 15, 2026
MAL-2025-1338

Malicious code in gemini-dev (npm)

Published Feb 13, 2025
MAL-2025-1518

Malicious code in miniprogram-project (npm)

Published Feb 22, 2025
CVE-2020-28448MEDIUM

Prototype Pollution in multi-ini

Published Apr 13, 2021
MAL-2022-5918

Malicious code in sample-mini (npm)

Published Jun 20, 2022
MAL-2022-3325

Malicious code in gemini-exports (npm)

Published Jun 20, 2022
MAL-2024-1221

Malicious code in @lbnqduy11805/miniature-garbanzo (npm)

Published Apr 10, 2024
MAL-2024-1222

Malicious code in @lbnqduy11805/miniature-train (npm)

Published Apr 10, 2024
CVE-2026-27795

LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader

Published Feb 25, 2026
MAL-2024-1427

Malicious code in @juiggitea/earum-in-minima-maiores (npm)

Published Jun 3, 2024
GHSA-w24r-5266-9c3c

Clerk has an authorization bypass when combining organization, billing, or reverification checks

Published Apr 30, 2026
CVE-2026-32256

music-metadata has an infinite loop vulnerability in ASF parser

Published Mar 17, 2026
MAL-2024-9084

Malicious code in deferred-initialization (npm)

Published Oct 3, 2024
CVE-2025-64118

node-tar has a race condition leading to uninitialized memory exposure

Published Oct 30, 2025
MAL-2025-1340

Malicious code in gemini-main (npm)

Published Feb 13, 2025
GHSA-474h-prjg-mmw3

OpenClaw: Sandboxed sessions_spawn(runtime="acp") bypassed sandbox inheritance and allowed host ACP initialization

Published Mar 3, 2026
MAL-2024-9248

Malicious code in redux-init (npm)

Published Oct 10, 2024
CVE-2026-31808

file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header

Published Mar 10, 2026
MAL-2026-1252

Malicious code in pear-apps-utils-avatar-initials (npm)

Published Mar 5, 2026
MAL-2026-1522

Malicious code in minify-mangle-names (npm)

Published Mar 16, 2026
MAL-2023-600

Malicious code in mini-suggest (npm)

Published Jan 30, 2023
MAL-2025-3930

Malicious code in blahblahblah-definitely-not-a-real-package-name (npm)

Published May 17, 2025
MAL-2024-1490

Malicious code in @juiggitea/sapiente-soluta-minima-fuga (npm)

Published Jun 3, 2024
MAL-2025-4301

Malicious code in arcademinigame (npm)

Published May 23, 2025
MAL-2024-7271

Malicious code in @zitterorg/minima-magnam (npm)

Published Jul 4, 2024
CVE-2026-33863

Convict has prototype pollution via load(), loadFile(), and schema initialization

Published Mar 26, 2026
CVE-2026-33311

SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials

Published Mar 19, 2026
MAL-2025-47872

Malicious code in cors-init (npm)

Published Oct 2, 2025
MAL-2025-2050

Malicious code in segment-anything-mini-demo (npm)

Published Mar 3, 2025
MAL-2026-1748

Malicious code in initial-path21 (npm)

Published Mar 18, 2026
MAL-2026-1749

Malicious code in initial-path32 (npm)

Published Mar 18, 2026
MAL-2025-47577

Malicious code in adobe-alloy-mini-site (npm)

Published Sep 25, 2025
MAL-2026-4046

Malicious code in @antv/l7-mini (npm)

Published May 19, 2026
CVE-2022-25851HIGH

Infinite loop in jpeg-js

Published Jun 11, 2022
MAL-2022-4598

Malicious code in miniapp-api (npm)

Published Jun 20, 2022
MAL-2024-1449

Malicious code in @juiggitea/minima-iure-necessitatibus-corporis (npm)

Published Jun 3, 2024
MAL-2025-1849

Malicious code in init-discord (npm)

Published Mar 3, 2025
GHSA-4mhr-cxr4-2prm

Duplicate Advisory: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

Published May 11, 2026
MAL-2026-76

Malicious code in open-telemetry-mini-client (npm)

Published Jan 6, 2026
MAL-2024-8255

Malicious code in @diotoborg/doloribus-minima-velit (npm)

Published Sep 2, 2024
MAL-2026-4807

Malicious code in shop-minis (npm)

Published May 26, 2026
MAL-2026-4817

Malicious code in chainix (npm)

Published May 26, 2026
MAL-2025-105

Malicious code in turbiniactl-status (npm)

Published Jan 14, 2025
MAL-2026-5899

Malicious code in stripe-cli-init-plugin (npm)

Published Jun 16, 2026
MAL-2026-6047

Malicious code in @mastra/voice-google-gemini-live (npm)

Published Jun 17, 2026
MAL-2024-1448

Malicious code in @juiggitea/minima-illum-deserunt (npm)

Published Jun 3, 2024
GHSA-58qx-3vcg-4xpx

ws: Uninitialized memory disclosure

Published May 18, 2026
CVE-2020-28472HIGH

Prototype Pollution via file load in aws-sdk and @aws-sdk/shared-ini-file-loader

Published Nov 16, 2021
MAL-2022-4604

Malicious code in minis-samples (npm)

Published Jun 20, 2022
MAL-2022-5367

Malicious code in plugin-bugfix-v8-spread-parameters-in-optional-chaining (npm)

Published Jun 20, 2022
CVE-2026-26996

minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern

Published Feb 18, 2026
MAL-2022-738

Malicious code in @xfinity/fetlife-assets (npm)

Published Jun 20, 2022
MAL-2026-4882

Malicious code in @cloudplatform-single-spa/administration (npm)

Published May 28, 2026
MAL-2022-5530

Malicious code in purview-administration (npm)

Published Jun 20, 2022
GHSA-28qq-5f47-r5x2

Duplicate Advisory: gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)

Published Jan 23, 2026
GHSA-4h5r-5jm8-jxjm

gemini-mcp-tool vulnerable to OS command injection and @file exfiltration via prompt quoting (CVE-2026-0755)

Published Jun 18, 2026
GHSA-5jv7-2mjm-h6qj

npm PraisonAI utility shell safe-command wrapper allowlist bypass via shell chaining

Published Jun 18, 2026
MAL-2026-5737

Malicious code in postcss-minify-selector-parser (npm)

Published Jun 13, 2026
CVE-2026-27904

minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

Published Feb 26, 2026
GHSA-g9jw-92q7-g7fj

[Eclipse Theia] Arbitrary Command Execution via Untrusted Workspace Task Definitions

Published Jun 18, 2026
GHSA-vjv9-7m7j-h833

npm PraisonAI SandboxExecutor allowedCommands bypass via shell chaining

Published Jun 18, 2026
MAL-2024-8602

Malicious code in @diotoborg/rem-minima (npm)

Published Sep 2, 2024
MAL-2025-1850

Malicious code in initidiscord (npm)

Published Mar 3, 2025
MAL-2025-190773

Malicious code in iron-shield-miniapp (npm)

Published Nov 24, 2025
MAL-2026-6146

Malicious code in actionbars-infinitescroll-searchbar (npm)

Published Jun 17, 2026
MAL-2026-6164

Malicious code in interaction-photos-infinitescroll (npm)

Published Jun 17, 2026
Check your entire dependency tree at onceRun dependency scan →