ip
1001 known vulnerabilities · 21 critical · 56 high
NPM IP package incorrectly identifies some private IP addresses as public
Malicious code in feature-flip (npm)
OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)
Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
Malicious code in pipedrive-embeddable-ringcentral-phone-spa (npm)
Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys
Malicious code in tiptap-shadcn-vue (npm)
claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh
OpenC3 Cross-site Scripting in Login functionality (`GHSL-2024-128`)
OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks
Malicious code in @diotoborg/dolorum-ipsam (npm)
OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper
Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
Malicious code in lazyhtml-scripts (npm)
Status Board vulnerable to Cross-Site Scripting before v1.1.82
OpenClaw has a IPv6 multicast SSRF classifier bypass
phoenix_html allows Cross-site Scripting in HEEx class attributes
OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation
Malicious code in postcssmipot (npm)
Malicious code in aes-valid-ipherv (npm)
Malicious code in plonkscript-docs (npm)
VvvebJs Reflected Cross-Site Scripting (XSS) vulnerability
OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions
matrix-js-sdk can be tricked into disclosing E2EE room keys to a participating homeserver
@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
Fastify's connection header abuse enables stripping of proxy-added headers
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Malicious code in @diotoborg/suscipit-officia (npm)
Malicious code in script-package (npm)
Malicious code in @diotoborg/suscipit-vitae (npm)
OpenClaw's unsanitized session ID enables path traversal in transcript file operations
Malicious code in smithy-typescript (npm)
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
Pug allows JavaScript code execution if an application accepts untrusted input
Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)
@udecode/plate-link does not sanitize URLs to prevent use of the `javascript:` scheme
Malicious code in stripe-demo-connect-standard-saas-platform (npm)
pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"
OpenClaw vulnerable to path traversal (Zip Slip) in archive extraction during explicit installation commands
Malicious code in subscriptionid-apiversion (npm)
Malicious code in new-code-script-gt-a-samp-h-a-c-k-down-lo-ad-lkk02y (npm)
Paperclip: Approval decision attribution spoofing via client-controlled `decidedByUserId` in paperclip server
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard
Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)
Malicious code in down-lo-ad-now-zip-mp3-sonic-nurse-a1wgm-jqylaq (npm)
Malicious code in down-lo-ad-now-zip-mp3-the-whole-love-f2ts8-cblkgz (npm)
Malicious code in down-load-available-zip-now-365509-chew-the-scenery-ymqd7-xaqqmu (npm)
Widget feature vulnerability allowing to execute JavaScript code using undo functionality
Malicious code in mp3-file-zip-d-ownload-33971-the-imagination-stage-ar0bb-cvzjxl (npm)
Malicious code in tackgqvipebdhxfy (npm)
Astro development server error page is vulnerable to reflected Cross-site Scripting
Flowise Cross-site Scripting in /api/v1/chatflows-streaming/id
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA
Malicious code in bipiy74902-wx1 (npm)
react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled
Baremetrics date range picker vulnerable to Cross-site Scripting
OpenClaw has multiple E2E/test Dockerfiles that run all processes as root
Malicious code in @uipath/access-policy-tool (npm)
Malicious code in @uipath/rpa-tool (npm)
OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Malicious code in @uipath/solution-packager (npm)
Malicious code in @uipath/solutionpackager-sdk (npm)
Malicious code in @uipath/solutionpackager-tool-core (npm)
methodOverride Middleware Reflected Cross-Site Scripting in connect
NodeBB Cross-site Scripting Vulnerability in Markdown Processing
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows
Malicious code in auth-javascript (npm)
Malicious code in iceberg-javascript (npm)
Flowise Cross-site Scripting in /api/v1/public-chatflows/id
Malicious code in supabase-javascript (npm)
x-data-spreadsheet through 1.1.9 vulnerable to Cross-site Scripting
Cross-Site Scripting in bootstrap-select
Http request which redirect to another hostname do not strip authorization header in @actions/http-client
Paperclip: OS Command Injection via Execution Workspace cleanupCommand
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in directus
Malicious code in eclipse-typescript (npm)
OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface
nanotar is vulnerable to path traversal in parseTar() and parseTarGzip()
Parse Server LiveQuery subscription with invalid regular expression crashes server
Malicious code in @azure-tests/perf-core-rest-pipeline (npm)
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
Malicious code in flipper-plugin-ribtree (npm)
Malicious code in @diotoborg/soluta-numquam-ipsam (npm)
Malicious code in github-script (npm)
Malicious code in launchdarkly-api-typescript-sample (npm)
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
electerm: electerm_install_script_CommandInjection Vulnerability Report
OpenClaw has hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants
n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode
Malicious code in web3tool-providers-ipc (npm)
Malicious code in @freestarcapital/collector-pipeline (npm)
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
Malicious code in down-lo-ad-now-zip-mp3-149132-the-soft-cavalry-vhx8d-iuyuef (npm)
Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
Malicious code in elf-stats-candystriped-chimney-879 (npm)
DbGate has cross site scripting via the SVG Icon String Handler component
Malicious code in web-billing-code-snippets (npm)
n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
Malicious code in xpack-subscription (npm)
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage
PsiTransfer has Zip Slip Path Traversal via TAR Archive Download
Calipso Arbitrary File Write via Archive Extraction (Zip Slip)
Malicious code in defipulse-adapters (npm)
Duplicate Advisory: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
Malicious code in uipath-ui-widgets (npm)
Malicious code in stripe-terminal-react-native (npm)
OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders
Malicious code in biputils (npm)
Malicious code in transcript-viewer-ui-demo (npm)
Malicious code in tailwindthml-flips (npm)
Malicious code in bolt-scripts (npm)
Malicious code in xterm-addon-clipboard (npm)
Malicious code in @tw-marionette/clipboard (npm)
Malicious code in ynf-dx-scripts (npm)
Malicious code in @juiggitea/provident-vel-quia-suscipit (npm)
Docsify vulnerable to cross-site scripting due to mishandled encoding
Malicious code in updated-script-rainbow-six-siege-renown-method-unlimited-undetected-updated-2023-aaseax (npm)
OpenClaw has an arbitrary transcript path file write via gateway sessionFile
Malicious code in multiply-proxy-actions-contracts (npm)
Malicious code in azure-core-rest-pipeline (npm)
Malicious code in azure-core-rest-pipeline-js (npm)
Malicious code in bip174-bigint (npm)
Malicious code in elf-stats-marzipan-cocoa-562 (npm)
OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity
NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells
Malicious code in availab-le-alb-um-zip-25931-the-life-aquatic-studio-sessions-mocn6-tnmvnd (npm)
Malicious code in azure-pipelines-dependency-track (npm)
JHipster Kotlin using insecure source of randomness `RandomStringUtils` before v1.2.0
Malicious code in equipment-icon-mapper (npm)
file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry
Malicious code in minipay-minidapps (npm)
OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement
Malicious code in cathode-versions-javascript (npm)
Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page
OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind
Malicious code in @uipath/filesystem (npm)
Malicious code in @uipath/flow-tool (npm)
Malicious code in dowload_ebok_also_an_octopus_by_maggie_tokuda_hall_ah2ip (npm)
mppx has Stripe charge credential replay via missing idempotency check
Malicious code in file-alb-um-zip-new-mp3-36289-laru-beya-zk5v7-mtjfsf (npm)
Malicious code in file-alb-um-zip-new-mp3-516808-dirt-femme-opjhu-pollak (npm)
Malicious code in @diotoborg/ipsa-deleniti-ab (npm)
OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
Malicious code in @uipath/project-packager (npm)
Malicious code in @uipath/solution-tool (npm)
Incorrect Calculation in the MSR JavaScript Cryptography Library
ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload
Vulnogram contains a stored cross-site scripting vulnerability in comment hypertext handling
OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated
Malicious code in com.unity.render-pipelines.high-definition-config (npm)
Malicious code in com.unity.scriptablebuildpipeline (npm)
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating
Unauthorized npm publish of cline@2.3.0 with modified postinstall script
Malicious code in @feiprotocol/fei-protocol-core (npm)
Malicious code in @uipath/identity-tool (npm)
Node Connect Reflected Cross-Site Scripting in Sencha Labs Connect middleware
Vega has Cross-site Scripting vulnerability in `lassoAppend` function
Malicious code in hixletpaiprs (npm)
Malicious code in eclipse-megamovie-build (npm)
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
Clipboard feature vulnerability allowing to inject arbitrary HTML into the editor using paste functionality
gatsby-transformer-remark has possible unsanitized JavaScript code injection
OpenClaw: Shell init-file options could satisfy exec allowlist script matching
Malicious code in competitive-equipment-icon (npm)
Malicious code in lliptiic (npm)
Malicious code in dippy (npm)
Malicious code in @epc-tools/typescript (npm)
Cross site scripting Vulnerability in backstage Software Catalog
Malicious code in eziparser (npm)
Malicious code in holvipartners (npm)
Malicious code in tripadvisor-npm (npm)
Malicious code in @juiggitea/ipsa-odit-illo (npm)
Malicious code in @fishingbooker/react-swiper (npm)
Malicious code in strip-json-combmentd (npm)
Malicious code in brave-research-participation-tool (npm)
OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas
Malicious code in c6lipboady (npm)
Malicious code in clipobard (npm)
Malicious code in eslint-plugin-flipper (npm)
Options structure open to Cross-site Scripting if passed unfiltered
@keep-network/tbtc-v2 revealing P2PKH deposit with a wrapped P2SH script
OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP
Malicious code in @linesearch/swiper (npm)
Malicious code in @zitterorg/quas-in-suscipit (npm)
Malicious code in async-pipeline-builder (npm)
Malicious code in build-scripts-utils (npm)
Malicious code in @zitterorg/voluptatibus-suscipit (npm)
OpenClaw's system.run approvals did not bind mutable script operands across approval and execution
Malicious code in alb-um-availa-ble-zip-mp3-file-38068-its-all-about-to-change-rnonb-pzjjbh (npm)
Malicious code in down-load-available-zip-now-6092-expensive-shit-dzpv2-hzbnea (npm)
Materialize-css vulnerable to Cross-site Scripting in tooltip component
Malicious code in babel-preset-sofi-scripts (npm)
element-plus vulnerable to cross-site scripting (XSS) via el-table-column
Malicious code in afip-example-api (npm)
Malicious code in fca-tpk-vip (npm)
OpenClaw: TOCTOU read in exec script preflight
Malicious code in @zitterorg/adipisci-dolore (npm)
Malicious code in typescript-dom-lib-generator (npm)
Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host
Malicious code in vipps-stitches (npm)
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
Malicious code in @zitterorg/adipisci-ipsum (npm)
Malicious code in @zitterorg/adipisci-quae-eius (npm)
Malicious code in toolbox-script (npm)
Malicious code in fma-connect-javascript (npm)
Insufficient Verification of Data Authenticity in Eclipse Theia
Malicious code in code-script-new-viking-simulator-script-hm9gi2 (npm)
Duplicate Advisory: OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
Malicious code in trading-tips (npm)
jQuery-UI vulnerable to Cross-site Scripting in dialog closeText
Malicious code in @sportdigi/scripts (npm)
Malicious code in translationscripts (npm)
Sync-in Server has a stored cross-site scripting (XSS) vulnerability
Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes
Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)
OpenClaw's tools.exec.safeBins sort long-option abbreviation bypass can skip exec approval in allowlist mode
Malicious code in satellite-precipitation-detector (npm)
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.
Malicious code in skip-validator (npm)
Malicious code in a-love-letter-to-whiskey-by-kandi-steiner-on-iphone-new-version- (npm)
Malicious code in @zitterorg/iusto-ipsum (npm)
Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
Paperclip: Arbitrary File Read via Agent-Controlled adapterConfig.instructionsFilePath
Malicious code in typescript-snap (npm)
Malicious code in typescript3 (npm)
Strapi's field level permissions not being respected in relationship title
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network
Malicious code in @zitterorg/ipsum-nam-facere (npm)
OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
mppx has multiple payment bypass and griefing vulnerabilities
Electron: Crash in clipboard.readImage() on malformed clipboard image data
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in @nextcloud/dialogs
Malicious code in @diotoborg/adipisci-placeat-iure (npm)
OpenClaw SSRF guard misses four IPv6 special-use ranges
Malicious code in @juiggitea/ipsa-voluptatibus-velit (npm)
Malicious code in lodash-scripts (npm)
Malicious code in djangosnippets.org (npm)
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
Malicious code in @diotoborg/ipsa-error (npm)
Malicious code in request-ip-validator (npm)
jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
Malicious code in web-scripts-monorepo (npm)
Malicious code in @gthwebdev/ui-tooltip (npm)
Malicious code in @juiggitea/ipsam-laborum-earum (npm)
Malicious code in @diotoborg/quo-adipisci-laboriosam (npm)
OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic
Malicious code in legacyreact-aws-s3-typescript (npm)
Malicious code in flipper-plugins (npm)
Code Snippet GeSHi plugin in CKEditor 4 has reflected cross-site scripting (XSS) vulnerability
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
Matrix JavaScript SDK's key history sharing could share keys to malicious devices
@nestjs/core vulnerable to Information Exposure via StreamableFile pipe
Malicious code in @diotoborg/adipisci-dolorum (npm)
@netlify/ipx vulnerable to Full Response SSRF and Stored XSS via Cache Poisoning and Improper Host Validation
Malicious code in eslint-config-sipplint (npm)
Malicious code in @diotoborg/autem-suscipit-unde (npm)
Malicious code in example-javascript (npm)
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details
Malicious code in adsscriptloaderstatic (npm)
Malicious code in mp3-file-zip-d-ownload-welcome-to-mali-ntp96-jgcurk (npm)
Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
angular-ui-notification Cross-site Scripting vulnerability
HTML comments vulnerability allowing to execute JavaScript code
CKEditor4 Cross-site Scripting vulnerability caused by incorrect CDATA detection
Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML
OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading
CediPay Affected by Improper Input Validation in Payment Processing
Malicious code in advertising-api-javascript-client (npm)
Malicious code in v-pure-tooltip (npm)
@appium/support has a Zip Slip arbitrary file write in its ZIP extraction
Elliptic Uses a Cryptographic Primitive with a Risky Implementation
File upload local preview can run embedded scripts after user interaction
Malicious code in @ensdomains/ccip-read-router (npm)
Malicious code in @ensdomains/ccip-read-worker-viem (npm)
Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
Malicious code in summerfi-typescript-config-security-notice (npm)
Malicious code in dow-load-the-great-passage-by-shion-miura-on-ipad-full-edition- (npm)
Malicious code in elf-stats-candystriped-garland-735 (npm)
Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
Malicious code in cypress-typescript (npm)
Enhanced Image plugin for CKEditor is vulnerable to Cross-site scripting (XSS)
n8n: Webhook Node IP Whitelist Bypass via Partial String Matching
Malicious code in updated-script-poop-with-friends-script-0rxgqp (npm)
Astro: XSS in define:vars via incomplete </script> tag sanitization
Malicious code in updated-script-restaurant-tycoon-2-script-instant-cook-4dz6cj (npm)
Malicious code in ripe-grs (npm)
Malicious code in flip-flop-flop (npm)
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
Malicious code in working-today--find-the-simpsons-171-script-roblox-4zlhl1 (npm)
Malicious code in down-lo-ad-now-zip-mp3-18275-skelliconnection-taeie-mgpquk (npm)
Malicious code in down-lo-ad-now-zip-mp3-6766-the-empyrean-bn3pu-tdpbau (npm)
Malicious code in ripiocoin (npm)
Malicious code in down-lo-ad-now-zip-mp3-7514-tapestry-fqgk2-jvvwtn (npm)
Malicious code in down-lo-ad-now-zip-mp3-93-million-miles-psw9n-wbuosp (npm)
Malicious code in @upside/flex-common-typescript-lib (npm)
Malicious code in down-load-available-zip-now-23630-non-stop-je-te-plie-en-deux-6jxm0-xjqkwj (npm)
Malicious code in down-load-available-zip-now-35816-laughter-lust-jih3q-fajkvi (npm)
@google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script
Malicious code in cow-scripts (npm)
Malicious code in stripe-sample-accept-a-payment (npm)
Malicious code in node-unzip (npm)
OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
Malicious code in ecmascript-runtime-client (npm)
Malicious code in trgrip (npm)
beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS)
Malicious code in typescript-rtk-query (npm)
Malicious code in elf-stats-marzipan-cocoa-977 (npm)
Malicious code in vscode-typescript-next (npm)
Malicious code in javascript-heap (npm)
Svelte affected by cross-site scripting via spread attributes in Svelte SSR
Malicious code in pdf-off-base-out-of-uniform-1-by-annabeth-albert-on-iphone-new-volumes- (npm)
Malicious code in kinvey-flex-scripts (npm)
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization
Malicious code in ct-connect-stripe (npm)
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
Angular has XSS Vulnerability via Unsanitized SVG Script Attributes
Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
Malicious code in pancake_uniswap_validators_utils_snipe (npm)
Orval has Code Injection via unsanitized x-enum-descriptions using JS comments
Malicious code in idv-script (npm)
Malicious code in date-fns-scripts (npm)
Malicious code in xpack-subscription-test (npm)
Malicious code in coral-typescript-types-pieces (npm)
OpenClaw runs Discord audio preflight transcription before member authorization
Malicious code in rippled-exporter (npm)
Malicious code in firestore-stripe-payments-js (npm)
Malicious code in react-script-log (npm)
OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)
Malicious code in codex-cipher (npm)
Malicious code in flipper-server-companion (npm)
Orval has a code injection via unsanitized x-enum-descriptions in enum generation
Malicious code in @3stripes/api-client (npm)
Malicious code in iiipkillkdeqcyh (npm)
Malicious code in internal-scripts (npm)
OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
Insecure serialization leading to RCE in serialize-javascript
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
Malicious code in trip-tracker-web (npm)
JavaScript SDK v2 users should add validation to the region parameter value in or migrate to v3
Malicious code in com.unity.scripting.python (npm)
Malicious code in vip-landing (npm)
Malicious code in @sporting-life/sportinglife-betslip-sdk (npm)
Mercurius's queryDepth limit bypassed for WebSocket subscriptions
Joplin Vulnerable to Cross-site Scripting in Note Content
Malicious code in ccip-starter-kit-hardhat (npm)
Malicious code in djangosnippets (npm)
Malicious code in @3stripes/helpers (npm)
Malicious code in @3stripes/lib (npm)
Malicious code in ship_sleepnpm-tool (npm)
Malicious code in zip.js-2.8.2 (npm)
Malicious code in okqaelhmbfuwipvz (npm)
n8n Has Stored Cross-site Scripting via Markdown Rendering in Workflow UI
Malicious code in mp3-file-zip-d-ownload-7517-goodbye-yellow-brick-road-h63vl-tpdnhx (npm)
Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
Malicious code in ab-typescript-app (npm)
CKEditor 5 has Cross-site Scripting (XSS) in the HTML Support package
OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)
CKEditor5 cross-site scripting vulnerability caused by the editor instance destroying process
n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK
OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS
Paperclip: Malicious skills able to exfiltrate and destroy all user data
Malicious code in @tax-taxdev/tools-scripts (npm)
Malicious code in @the-coca-cola-company/receipt-scanner-admin-lib (npm)
markdown-it-decorate vulnerable to cross-site scripting (XSS)
OpenClaw: Zip extraction symlink traversal could write outside destination
Malicious code in @diotoborg/nostrum-nostrum-ipsum (npm)
Malicious code in strip-nasi (npm)
Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions
Apostrophe has stored XSS via javascript: URL in Image Widget Link
Malicious code in vscode-npm-script (npm)
Flowise and Flowise Chat Embed vulnerable to Stored Cross-site Scripting
Malicious code in eip-681-qr-generator (npm)
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function
Unsanitized JavaScript code injection possible in gatsby-plugin-mdx
Malicious code in valid-ip-scope (npm)
Malicious code in yarn-design-system-rc-tooltip (npm)
Malicious code in skip-reason-validator (npm)
Malicious code in node-common-npm-scripts (npm)
Malicious code in silentcipherui (npm)
Malicious code in payable-js-ipg-sdk (npm)
Malicious code in @diotoborg/adipisci-soluta (npm)
Malicious code in @zitterorg/cum-ipsum-beatae (npm)
Svelte SSR vulnerable to cross-site scripting via spread attributes
Malicious code in stripe-ms (npm)
Malicious code in stripe-samples (npm)
NotChatbot WebChat has a stored cross-site scripting (XSS) vulnerability
OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees
@whyour/qinglong: manipulation of the argument command leads to protection mechanism failure
Malicious code in stripe-sample-accept-a-card-payment (npm)
Malicious code in alb-um-availa-ble-zip-mp3-file-a-river-aint-too-much-to-love-0u85h-vysnxq (npm)
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
Malicious code in arm-subscriptions (npm)
Malicious code in suspicious-react-scripts (npm)
ckeditor-wordcount-plugin vulnerable to Cross-site Scripting in Source Mode of Editor
Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution
Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas
Malicious code in instacart-javascript (npm)
Malicious code in conjure-receipe-example-app (npm)
unhead: Streaming SSR `streamKey` injected into inline script without identifier validation
Malicious code in zz-aipage-widget (npm)
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
Malicious code in typescript-go (npm)
Malicious code in chocolatechipjs-shopify (npm)
Open WebUI Has Stored Cross-Site Scripting in SVG Renderer
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage
Malicious code in @harrysforge/subscription-sdk (npm)
Malicious code in infobip-calls-showcase (npm)
Malicious code in conjure-typescript-runtime (npm)
Malicious code in @3stripes/toolkit (npm)
Malicious code in aiprofilestyle (npm)
Malicious code in elf-stats-candystriped-muffin-773 (npm)
Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods
Malicious code in javascript-yaml (npm)
Malicious code in yaml-javascript (npm)
Malicious code in @gaia-codesearch/gaia-api-typescript (npm)
Malicious code in backbone-typescripts-accessor-generator (npm)
link-preview-js vulnerable to IPv6 and internal loopback attacks
Malicious code in com.unity.render-pipelines.universal-config (npm)
@apollo/experimental-nextjs-app-support Cross-site Scripting vulnerability
OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions
Withdrawn Advisory: Bootstrap Cross-Site Scripting (XSS) vulnerability
Malicious code in flipper-plugin-core (npm)
Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes
Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default
Materialize-css vulnerable to Cross-site Scripting in autocomplete component
Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels
Withdrawn Advisory: Bootstrap Cross-Site Scripting (XSS) vulnerability
Malicious code in guplip-util (npm)
mxGraph vulnerable to cross-site scripting in setTooltips function
Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader
xml-crypto Vulnerable to XML Signature Verification Bypass via Multiple SignedInfo References
Malicious code in elf-stats-candystriped-ornament-933 (npm)
Duplicate Advisory: OpenClaw session transcript files were created without forced user-only permissions
Duplicate Advisory: ssrfcheck has Incomplete IP Address Deny List that leads to Server-Side Request Forgery Vulnerability
Malicious code in cthipjznlgrwqysa (npm)
Malicious code in stripe-sample-checkout-with-multiple-locales (npm)
Malicious code in img-aws-s3-object-multipart-copy (npm)
Malicious code in typescript-plugin-some-plugin (npm)
Malicious code in @riptano/helios (npm)
Malicious code in code-snippet-frontend (npm)
Malicious code in reactnativeflipperexample (npm)
Malicious code in rippleadminconsole (npm)
Malicious code in hash-script (npm)
Malicious code in com.unity.sharp-zip-lib (npm)
OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks
Malicious code in fastly-ip-sync (npm)
@evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts
AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value
Malicious code in elf-stats-candystriped-lantern-205 (npm)
Malicious code in wp-scripts (npm)
Malicious code in tulip-backend (npm)
Malicious code in elf-stats-marzipan-fir-219 (npm)
Malicious code in com.unity.multiplayer.tools (npm)
Jellyfin Web Cross-Site Scripting (XSS) via Collection Name
Svelecte item names vulnerable to execution of arbitrary JavaScript
materialize-css vulnerable to Cross-site Scripting (XSS) due to improper escaping of user input
Malicious code in eslint-typescript-runtime-check (npm)
Malicious code in @diotoborg/alias-animi-suscipit (npm)
Malicious code in @diotoborg/necessitatibus-provident-adipisci (npm)
Fake objects feature vulnerability allowing execution of JavaScript code using malformed HTML
Malicious code in zip-mp3-a-lbum-do-wnload-new-gift-of-screws-q2h3s-xswcix (npm)
Malicious code in zip-mp3-a-lbum-do-wnload-new-in-the-future-vrf78-daqfza (npm)
ssrfcheck: SSRF Bypass Caused by Failure to Classify Reserved IP Address Space as Invalid
Malicious code in flipper-plugin-preferences (npm)
Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool
Malicious code in discord-sniper (npm)
Malicious code in tetris-scripts (npm)
Malicious code in discord.js-aployscript-v11 (npm)
Malicious code in @ensdomains/ccip-read-dns-gateway (npm)
Malicious code in superhero-turnip (npm)
Malicious code in typescript-aurelia-api (npm)
Malicious code in aspirejavascript-vite (npm)
Malicious code in elf-stats-marzipan-fir-795 (npm)
Malicious code in eclipse-tractusx-github-io (npm)
Malicious code in elf-stats-candystriped-cookiejar-799 (npm)
Vuetify has a Cross-site Scripting (XSS) vulnerability in the VDatePicker component
Malicious code in elf-stats-marzipan-nightcap-982 (npm)
Malicious code in before-we-were-yours-by-lisa-wingate-on-iphone-new-chapters- (npm)
Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site
repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard
Malicious code in typescsdaript (npm)
Malicious code in trip-plugins (npm)
Malicious code in @sasmeee/ip-locator (npm)
open-webui Vulnerable to Stored XSS via Model Description
Malicious code in eclipse-tslint (npm)
Malicious code in coreipc (npm)
rsshub vulnerable to Cross-site Scripting via unvalidated URL parameters
Malicious code in int_stripe_sfra (npm)
Malicious code in pipreqs (npm)
Malicious code in eslint-config-pexip-engage (npm)
Malicious code in mlp-friendship-map-mapping (npm)
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
Malicious code in awesomeypescriptxoader (npm)
Malicious code in kubeflow-pipelines (npm)
Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass
Malicious code in @vividcortex/multiplexer (npm)
Malicious code in subscriptionmgmtserv (npm)
Malicious code in cors-typescript-server (npm)
Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability
Duplicate Advisory: OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
Malicious code in btcbip-39 (npm)
Malicious code in node-ipc (npm)
Malicious code in the-universe-has-your-back-transform-fear-to-faith-by-gabrielle-bernstein-on-iphone-full-pages- (npm)
Malicious code in four-sdk-aes-ipheriv (npm)
Malicious code in code-snippet-editor-plugin (npm)
Malicious code in elf-stats-candystriped-bauble-740 (npm)
Malicious code in win32ipc (npm)
Malicious code in smart-power-strip (npm)
Malicious code in dancer-pipeline (npm)
Malicious code in trip-component-platform-online-header (npm)
pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
Malicious code in googleaips (npm)
metascraper before v5.2.0 vulnerable to stored cross-site scripting
Malicious code in @3stripes/ui (npm)
@claviska/jquery-minicolors vulnerable to Cross-site Scripting
Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler
Malicious code in typescript-resolvers (npm)
Malicious code in sd-cip-module-client (npm)
ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API
Malicious code in typescript-validation-schema (npm)
NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field
OpenClaw: pnpm dlx approvals did not bind local script operands
Malicious code in vuejavascript (npm)
Malicious code in eslint-config-minecraft-scripting (npm)
@mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)
Malicious code in @3stripes/components (npm)
Duplicate Advisory: OpenClaw: QQBot direct media upload skipped URL SSRF validation
Malicious code in @3stripes/config (npm)
Malicious code in @3stripes/core (npm)
Malicious code in @3stripes/sdk (npm)
Malicious code in @3stripes/shared (npm)
Malicious code in maps-api-for-javascript (npm)
Critical severity vulnerability that affects generator-jhipster
jsPDF has a PDF Injection in AcroForm module that allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)
Malicious code in insomnia-scripting-environment (npm)
faker.js 6.6.6 is broken and the developer has wiped the original GitHub repo
Malicious code in paddle-internal-scripts (npm)
Malicious code in pipeline-npm-artifactory (npm)
Malicious code in tripica-library (npm)
Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
Malicious code in @diotoborg/deleniti-totam-suscipit (npm)
NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
Malicious code in snyk-azure-pipelines-task (npm)
NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells
Malicious code in strip-umer (npm)
Malicious code in stripe-connect-rocketrides (npm)
Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components
Malicious code in typescript-error-reporter-action (npm)
Malicious code in @diotoborg/ipsam-ad (npm)
Malicious code in dow-load-beautiful-tempest-malory-anderson-family-12-by-johanna-lindsey-on-iphone-new-form (npm)
Malicious code in elf-stats-candystriped-star-592 (npm)
Malicious code in blipkitgit (npm)
Malicious code in @diotoborg/ipsa-ratione (npm)
Duplicate Advisory: OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity
Malicious code in o-typescript (npm)
Malicious code in @metadata-ipfs/bonk.fun-ipfs (npm)
Malicious code in m-typescript (npm)
Malicious code in get-new-script-rainbow-six-unlock-all-skins-elite-and-various-other-updated-2023-q6uukf (npm)
Malicious code in get-new-script-roblox-bedwars-script-076bmo (npm)
Malicious code in no-typescript (npm)
Malicious code in script-updated-gta-5-ragemp-spoofer-hwid-unban-zcnl0m (npm)
Malicious code in script-updated-roblox-redwood-prison-reworked-script-c5bqbv (npm)
Malicious code in down-lo-ad-now-zip-mp3-61269-billy-mann-9mfek-wlvmjv (npm)
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
Malicious code in born-to-win-find-your-success-by-zig-ziglar-on-iphone-new-version- (npm)
@backstage/plugin-techdocs-backend vulnerable to circumvention of cross site scripting protection
Malicious code in multipage-checkout (npm)
Malicious code in transform-typescript (npm)
Malicious code in @crimson-team/typescript-helpers (npm)
Malicious code in beautiful-tempest-malory-anderson-family-12-by-johanna-lindsey-on-iphone-new-format- (npm)
generator-jhipster-entity-audit vulnerable to Unsafe Reflection when having Javers selected as Entity Audit Framework
Parse Server has a query condition depth bypass via pre-validation transform pipeline
Malicious code in example-typescript (npm)
Malicious code in discord.js-selfbot-aployscript (npm)
Malicious code in bconffee-script (npm)
Malicious code in @frozen-ui/tooltip (npm)
Malicious code in inipyrser (npm)
Malicious code in caliper-publish (npm)
Malicious code in @trp-gims-usi-cip/web-portal-lib (npm)
Malicious code in twitch-desktop-ipc (npm)
Malicious code in identitydocumentserv-multipart-paypal (npm)
Malicious code in coinmate-typescript-client (npm)
Malicious code in generate-release-description (npm)
Malicious code in oabcipqvkhelzmrn (npm)
Malicious code in managed-vip-2-by-kristen-callihan-on-iphone-full-volumes- (npm)
@braintree/sanitize-url Cross-site Scripting vulnerability
Malicious code in adobe_pipeline_test (npm)
OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
Malicious code in skip-tot (npm)
Malicious code in lodashsiplainobjet (npm)
markdown-it-toc Cross-site Scripting due to title of generated toc and contents of header not being escaped
Malicious code in compute-starter-kit-assemblyscript-default (npm)
Malicious code in rnx-kit-scripts (npm)
Malicious code in designer-relationships-a-guide-to-happy-monogamy-positive-polyamory-and-optimistic-open-relationship (npm)
Malicious code in trip-component-platform-online-region-selector (npm)
Malicious code in azure-core-rest-pipeline-ts (npm)
Malicious code in alipay-js-jdk (npm)
Malicious code in solana-sniper-bot (npm)
Malicious code in core-rest-pipeline (npm)
Malicious code in chalk-ipheriv (npm)
Malicious code in custom-script-vanilla-js (npm)
Malicious code in moodle-core-tooltip (npm)
Malicious code in dow-load-the-best-we-could-do-by-thi-bui-on-ipad-new-format- (npm)
Malicious code in the-best-we-could-do-by-thi-bui-on-ipad-new-format- (npm)
Malicious code in stripe-identity-react-native (npm)
Malicious code in meu-script (npm)
Malicious code in god-a-human-history-by-reza-aslan-on-ipad-new-version- (npm)
Malicious code in link-stripper2 (npm)
Malicious code in hopelessly-devoted-bayou-devils-mc-1-by-am-myers-on-iphone-full-chapters- (npm)
Malicious code in madly-whiskey-the-whiskeys-dark-knights-at-peaceful-harbor-2-by-melissa-foster-on-iphone-new-pages- (npm)
Malicious code in taniyadidipro (npm)
Malicious code in extratazip (npm)
Malicious code in @diotoborg/adipisci-esse-tempore (npm)
Malicious code in clipboard-guardian (npm)
Malicious code in @ibm-pipeline/logging (npm)
Malicious code in typescript-nhost (npm)
Malicious code in @frozen-team-qa/subscriptions-service (npm)
Malicious code in expo-config-plugin-typescript (npm)
Malicious code in rocketship-validator (npm)
Malicious code in njip (npm)
Malicious code in elf-stats-candystriped-saddlebag-217 (npm)
Malicious code in gulptypscript (npm)
Malicious code in scriptconfig (npm)
Malicious code in repo-typescript-config (npm)
Malicious code in typescript-mock-data (npm)
Malicious code in @flipbit2-bb/test-auth-state (npm)
Malicious code in @immersive-composer/scripting-api (npm)
Malicious code in shipmentdetails-paypal (npm)
Malicious code in shipmenttrackingserv-paypal (npm)
Malicious code in @bookiply/core (npm)
Malicious code in @0xlr/stripe-checkout-js (npm)
Malicious code in @0xlr/stripe-frontend (npm)
Malicious code in azure-pipeline-filter (npm)
Malicious code in @pulse-web-platform-core/scripts-loader (npm)
Malicious code in easyship-components (npm)
Malicious code in astro-scripts (npm)
Malicious code in opensea-ships-log (npm)
Malicious code in uipath-sugar-sell (npm)
Malicious code in polymesh-scripts (npm)
Malicious code in stripe-firebase-extensions (npm)
Malicious code in @uipath/admin-tool (npm)
Malicious code in @uipath/agent-sdk (npm)
Malicious code in @uipath/agent-tool (npm)
Malicious code in auth0-templates-scripts (npm)
Malicious code in ipy-rev-proxy (npm)
Malicious code in @uipath/ap-chat (npm)
Malicious code in auth0-templates-scripts-utils (npm)
Malicious code in @uipath/api-workflow-tool (npm)
Malicious code in @uipath/apollo-core (npm)
Malicious code in @uipath/apollo-react (npm)
Malicious code in @uipath/apollo-wind (npm)
Malicious code in oxapi-documentations-build-script (npm)
Malicious code in @uipath/case-tool (npm)
Malicious code in @uipath/cli (npm)
Malicious code in @uipath/codedagent-tool (npm)
Malicious code in @uipath/codedapp-tool (npm)
Malicious code in @uipath/common (npm)
Malicious code in @uipath/context-grounding-tool (npm)
Malicious code in @uipath/data-fabric-tool (npm)
Malicious code in @uipath/insights-sdk (npm)
Malicious code in @uipath/insights-tool (npm)
Malicious code in @uipath/integrationservice-sdk (npm)
Malicious code in @uipath/integrationservice-tool (npm)
Malicious code in @uipath/llmgw-tool (npm)
Malicious code in @uipath/maestro-sdk (npm)
Malicious code in @uipath/maestro-tool (npm)
Malicious code in @uipath/orchestrator-tool (npm)
Malicious code in @uipath/packager-tool-apiworkflow (npm)
Malicious code in @uipath/packager-tool-bpmn (npm)
Malicious code in @uipath/packager-tool-case (npm)
Malicious code in @uipath/packager-tool-connector (npm)
Malicious code in @uipath/packager-tool-flow (npm)
Malicious code in @uipath/packager-tool-functions (npm)
Malicious code in @uipath/resource-tool (npm)