ip
1000 known vulnerabilities · 22 critical · 61 high
NPM IP package incorrectly identifies some private IP addresses as public
Malicious code in @diotoborg/soluta-numquam-ipsam (npm)
Malicious code in @diotoborg/suscipit-amet (npm)
Pug allows JavaScript code execution if an application accepts untrusted input
Malicious code in feature-flip (npm)
OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)
Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
Malicious code in pipedrive-embeddable-ringcentral-phone-spa (npm)
Paperclip: Cross-tenant agent API token minting via missing assertCompanyAccess on /api/agents/:id/keys
Malicious code in tiptap-shadcn-vue (npm)
Malicious code in bip40 (npm)
materialize-css vulnerable to cross-site Scripting (XSS) due to improper escape of user input
OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks
Malicious code in @diotoborg/dolorum-ipsam (npm)
OpenClaw has a gateway exec allowlist allow-always bypass via unregistered /usr/bin/script wrapper
Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
Malicious code in lazyhtml-scripts (npm)
Malicious code in @diotoborg/ipsa-deleniti-ab (npm)
Status Board vulnerable to Cross-Site Scripting before v1.1.82
matrix-js-sdk can be tricked into disclosing E2EE room keys to a participating homeserver
OpenClaw has an IPv6 multicast SSRF classifier bypass
phoenix_html allows Cross-site Scripting in HEEx class attributes
OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation
Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)
Malicious code in aes-valid-ipherv (npm)
Malicious code in plonkscript-docs (npm)
VvvebJs Reflected Cross-Site Scripting (XSS) vulnerability
ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
@udecode/plate-link does not sanitize URLs to prevent use of the `javascript:` scheme
OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions
@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters
OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Fastify's connection header abuse enables stripping of proxy-added headers
Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Malicious code in @diotoborg/suscipit-officia (npm)
Malicious code in @diotoborg/suscipit-vitae (npm)
OpenClaw's unsanitized session ID enables path traversal in transcript file operations
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
Macro in MathJax running untrusted Javascript within a web browser
OpenClaw's tools.exec.safeBins sort long-option abbreviation bypass can skip exec approval in allowlist mode
pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"
OpenClaw vulnerable to path traversal (Zip Slip) in archive extraction during explicit installation commands
Malicious code in new-code-script-gt-a-samp-h-a-c-k-down-lo-ad-lkk02y (npm)
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
OpenClaw has incomplete IPv4 special-use SSRF blocking in web fetch guard
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
Lobe Chat affected by Cross-Site Scripting (XSS) that can escalate to Remote Code Execution (RCE)
Malicious code in down-lo-ad-now-zip-mp3-sonic-nurse-a1wgm-jqylaq (npm)
Malicious code in down-lo-ad-now-zip-mp3-the-whole-love-f2ts8-cblkgz (npm)
Malicious code in down-load-available-zip-now-365509-chew-the-scenery-ymqd7-xaqqmu (npm)
Malicious code in mp3-file-zip-d-ownload-33971-the-imagination-stage-ar0bb-cvzjxl (npm)
Jellyfin Web Cross-Site Scripting (XSS) via Collection Name
Astro development server error page is vulnerable to reflected Cross-site Scripting
Flowise Cross-site Scripting in /api/v1/chatflows-streaming/id
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled
A remote command execution (RCE) vulnerability in the /api/runscript endpoint of FUXA
react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling iframes
Baremetrics date range picker vulnerable to Cross-site Scripting
OpenClaw has multiple E2E/test Dockerfiles that run all processes as root
methodOverride Middleware Reflected Cross-Site Scripting in connect
NodeBB Cross-site Scripting Vulnerability in Markdown Processing
vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows
Flowise Cross-site Scripting in /api/v1/public-chatflows/id
x-data-spreadsheet through 1.1.9 vulnerable to Cross-site Scripting
OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
Cross-Site Scripting in bootstrap-select
HTTP requests which redirect to another hostname do not strip the authorization header in @actions/http-client
Paperclip: OS Command Injection via Execution Workspace cleanupCommand
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in directus
Malicious code in eclipse-typescript (npm)
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface
Malicious code in lodashsiplainobjet (npm)
nanotar is vulnerable to path traversal in parseTar() and parseTarGzip()
Parse Server LiveQuery subscription with invalid regular expression crashes server
Malicious code in custom-script-vanilla-js (npm)
@backstage/plugin-techdocs-backend vulnerable to circumvention of cross site scripting protection
TinyMCE Cross-Site Scripting (XSS) vulnerability in handling external SVG files through Object or Embed elements
Malicious code in flipper-plugin-ribtree (npm)
Vuetify has a Cross-site Scripting (XSS) vulnerability in the VDatePicker component
Malicious code in github-script (npm)
Malicious code in launchdarkly-api-typescript-sample (npm)
Paperclip: Malicious skills able to exfiltrate and destroy all user data
TinyMCE Cross-Site Scripting (XSS) vulnerability using noscript elements
Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation in fast-xml-parser
electerm: electerm_install_script_CommandInjection Vulnerability Report
OpenClaw has hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants
cipher-base is missing type checks, leading to hash rewind and passing on crafted data
n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode
repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
Malicious code in chocolatechipjs-shopify (npm)
Malicious code in down-lo-ad-now-zip-mp3-149132-the-soft-cavalry-vhx8d-iuyuef (npm)
Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
Malicious code in elf-stats-candystriped-chimney-879 (npm)
DbGate has cross site scripting via the SVG Icon String Handler component
n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage
PsiTransfer has Zip Slip Path Traversal via TAR Archive Download
Calipso Arbitrary File Write via Archive Extraction (Zip Slip)
Malicious code in defipulse-adapters (npm)
Duplicate Advisory: OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
Malicious code in uipath-ui-widgets (npm)
OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders
Malicious code in transcript-viewer-ui-demo (npm)
Malicious code in tailwindthml-flips (npm)
generator-jhipster-entity-audit vulnerable to Unsafe Reflection when having Javers selected as Entity Audit Framework
Malicious code in @fishingbooker/react-swiper (npm)
Malicious code in @tw-marionette/clipboard (npm)
Docsify vulnerable to cross-site scripting due to mishandled encoding
OpenClaw has an arbitrary transcript path file write via gateway sessionFile
Malicious code in azure-core-rest-pipeline (npm)
Malicious code in azure-core-rest-pipeline-js (npm)
Malicious code in azure-core-rest-pipeline-ts (npm)
Malicious code in bip174-bigint (npm)
Malicious code in bipiy74902-wx1 (npm)
Malicious code in elf-stats-marzipan-cocoa-562 (npm)
OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity
NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells
Malicious code in azure-pipelines-dependency-track (npm)
JHipster Kotlin using insecure source of randomness `RandomStringUtils` before v1.2.0
file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry
Malicious code in minipay-minidapps (npm)
Next.js has cross site scripting (XSS) vulnerability via the 404 or 500 /_error page
OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind
Duplicate Advisory: Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
mppx has Stripe charge credential replay via missing idempotency check
Widget feature vulnerability allowing to execute JavaScript code using undo functionality
OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
Incorrect Calculation in the MSR JavaScript Cryptography Library
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation
tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
Vulnogram contains a stored cross-site scripting vulnerability in comment hypertext handling
Malicious code in code-snippet-frontend (npm)
OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated
Malicious code in com.unity.render-pipelines.high-definition-config (npm)
Malicious code in com.unity.scriptablebuildpipeline (npm)
OpenClaw: system.run wrapper-depth boundary could skip shell approval gating
Unauthorized npm publish of cline@2.3.0 with modified postinstall script
Malicious code in @feiprotocol/fei-protocol-core (npm)
Node Connect Reflected Cross-Site Scripting in Sencha Labs Connect middleware
Vega has Cross-site Scripting vulnerability in `lassoAppend` function
Malicious code in hixletpaiprs (npm)
Malicious code in eclipse-megamovie-build (npm)
CKEditor5 cross-site scripting vulnerability caused by the editor instance destroying process
Clipboard feature vulnerability allowing to inject arbitrary HTML into the editor using paste functionality
gatsby-transformer-remark has possible unsanitized JavaScript code injection
Malicious code in competitive-equipment-icon (npm)
Malicious code in lliptiic (npm)
OpenClaw: PIP_INDEX_URL and UV_INDEX_URL bypass host exec env sanitization and redirect Python package-index traffic
Malicious code in dippy (npm)
Malicious code in @epc-tools/typescript (npm)
Cross site scripting Vulnerability in backstage Software Catalog
OpenClaw: Shell init-file options could satisfy exec allowlist script matching
Malicious code in eziparser (npm)
Malicious code in holvipartners (npm)
Code Snippet GeSHi plugin in CKEditor 4 has reflected cross-site scripting (XSS) vulnerability
minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS
Malicious code in strip-json-combmentd (npm)
Malicious code in brave-research-participation-tool (npm)
OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas
Malicious code in c6lipboady (npm)
Malicious code in clipobard (npm)
Malicious code in eslint-plugin-flipper (npm)
Options structure open to Cross-site Scripting if passed unfiltered
@keep-network/tbtc-v2 revealing P2PKH deposit with a wrapped P2SH script
OpenClaw has SSRF guard bypass via IPv6 transition over ISATAP
Malicious code in typescript-action (npm)
Malicious code in okqaelhmbfuwipvz (npm)
Malicious code in on-running-script-context (npm)
Paperclip: Arbitrary File Read via Agent-Controlled adapterConfig.instructionsFilePath
Malicious code in @linesearch/swiper (npm)
Malicious code in @zitterorg/quas-in-suscipit (npm)
Malicious code in titanite-javascript (npm)
Parse Server has a query condition depth bypass via pre-validation transform pipeline
Malicious code in @zitterorg/voluptatibus-suscipit (npm)
Vega Expression Language `scale` expression function Cross Site Scripting
Malicious code in @freestarcapital/collector-pipeline (npm)
OpenClaw's system.run approvals did not bind mutable script operands across approval and execution
Malicious code in alb-um-availa-ble-zip-mp3-file-38068-its-all-about-to-change-rnonb-pzjjbh (npm)
Malicious code in down-load-available-zip-now-6092-expensive-shit-dzpv2-hzbnea (npm)
Materialize-css vulnerable to Cross-site Scripting in tooltip component
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network
Malicious code in babel-preset-sofi-scripts (npm)
element-plus vulnerable to cross-site scripting (XSS) via el-table-column
Duplicate Advisory: OpenClaw session transcript files were created without forced user-only permissions
Malicious code in afip-example-api (npm)
vue-i18n has cross-site scripting vulnerability with prototype pollution
Malicious code in fca-tpk-vip (npm)
OpenClaw: TOCTOU read in exec script preflight
Malicious code in @zitterorg/adipisci-dolore (npm)
Malicious code in typescript-dom-lib-generator (npm)
Malicious code in typescsdariptt (npm)
Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host
Malicious code in vipps-stitches (npm)
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
Malicious code in @zitterorg/adipisci-ipsum (npm)
Malicious code in @zitterorg/adipisci-quae-eius (npm)
Malicious code in @azure-tests/perf-core-rest-pipeline (npm)
Paperclip: codex_local inherited ChatGPT/OpenAI-connected Gmail and was able to send real email
Malicious code in toolbox-script (npm)
Malicious code in fma-connect-javascript (npm)
Insufficient Verification of Data Authenticity in Eclipse Theia
Malicious code in code-script-new-viking-simulator-script-hm9gi2 (npm)
TinyMCE Cross-Site Scripting (XSS) vulnerability using noneditable_regexp option
Duplicate Advisory: OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
Malicious code in trading-tips (npm)
jQuery-UI vulnerable to Cross-site Scripting in dialog closeText
@netlify/ipx vulnerable to Full Response SSRF and Stored XSS via Cache Poisoning and Improper Host Validation
Malicious code in @sportdigi/scripts (npm)
Malicious code in translationscripts (npm)
Sync-in Server has a stored cross-site scripting (XSS) vulnerability
Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)
Malicious code in yarn-design-system-rc-tooltip (npm)
Malicious code in @zitterorg/cum-ipsum-beatae (npm)
Malicious code in satellite-precipitation-detector (npm)
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.
Malicious code in skip-validator (npm)
xml-crypto Vulnerable to XML Signature Verification Bypass via Multiple SignedInfo References
Malicious code in a-love-letter-to-whiskey-by-kandi-steiner-on-iphone-new-version- (npm)
OpenZeppelin Contracts's SignatureChecker may revert on invalid EIP-1271 signers
Malicious code in @zitterorg/iusto-ipsum (npm)
Malicious code in node-common-npm-scripts (npm)
Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
tarteaucitron.js allows UI manipulation via unrestricted CSS injection
Malicious code in typescript-snap (npm)
Malicious code in typescript3 (npm)
Strapi's field level permissions not being respected in relationship title
Malicious code in @zitterorg/ipsum-nam-facere (npm)
@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details
mppx has multiple payment bypass and griefing vulnerabilities
Electron: Crash in clipboard.readImage() on malformed clipboard image data
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in @nextcloud/dialogs
Malicious code in tripadvisor-npm (npm)
Enhanced Image plugin for CKEditor is vulnerable to Cross-site scripting (XSS)
Malicious code in @diotoborg/adipisci-placeat-iure (npm)
Malicious code in @diotoborg/adipisci-soluta (npm)
OpenClaw SSRF guard misses four IPv6 special-use ranges
Malicious code in trip-component-platform-online-goto (npm)
Paperclip: Approval decision attribution spoofing via client-controlled `decidedByUserId` in paperclip server
Malicious code in @juiggitea/ipsa-voluptatibus-velit (npm)
Malicious code in lodash-scripts (npm)
Malicious code in @diotoborg/dolore-magnam-ipsam (npm)
Malicious code in djangosnippets.org (npm)
Malicious code in @diotoborg/ipsa-error (npm)
Malicious code in request-ip-validator (npm)
jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution
Malicious code in web-scripts-monorepo (npm)
Malicious code in @gthwebdev/ui-tooltip (npm)
Malicious code in @diotoborg/ipsum-eaque-quidem (npm)
Malicious code in @juiggitea/ipsam-laborum-earum (npm)
Malicious code in alb-um-availa-ble-zip-mp3-file-46046-radical-connector-m2ydd-nirtvy (npm)
Malicious code in alb-um-availa-ble-zip-mp3-file-85058-bright-phoebus-dboqy-oraqvx (npm)
Malicious code in alb-um-availa-ble-zip-mp3-file-a-river-aint-too-much-to-love-0u85h-vysnxq (npm)
Malicious code in @diotoborg/quo-adipisci-laboriosam (npm)
Malicious code in file-alb-um-zip-new-mp3-126009-bitter-sweet-dz7i2-hidryu (npm)
Malicious code in legacyreact-aws-s3-typescript (npm)
Malicious code in mp3-file-zip-d-ownload-7678-new-york-dolls-7j7ir-rschdh (npm)
Malicious code in mp3-file-zip-d-ownload-push-the-sky-away-m86s1-rigirm (npm)
Malicious code in flipper-plugins (npm)
Malicious code in updated-script-50-50-pick-a-door-script-rooms-check-vr6en2 (npm)
Malicious code in updated-script-retail-tycoon-2-script-h-a-c-k-9u9pw3 (npm)
Malicious code in updated-script-roblox-muscle-legends-script-e3lrsz (npm)
Matrix JavaScript SDK's key history sharing could share keys to malicious devices
OpenClaw: Google Chat app-url webhook auth accepted non-deployment add-on principals
Malicious code in express-request-ip (npm)
@nestjs/core vulnerable to Information Exposure via StreamableFile pipe
Malicious code in @diotoborg/adipisci-dolorum (npm)
react-native-keys insecurely stores encryption cipher and Base64 chunks
Malicious code in get-new-script-viking-simulator-script-apo06a (npm)
Malicious code in eslint-config-sipplint (npm)
Malicious code in @diotoborg/autem-suscipit-unde (npm)
Malicious code in example-javascript (npm)
Cross-Site Scripting Vulnerability in @joeattardi/emoji-button
Malicious code in working-today--roblox-rise-of-nations-script-8ayh1b (npm)
Malicious code in adsscriptloaderstatic (npm)
Malicious code in mp3-file-zip-d-ownload-welcome-to-mali-ntp96-jgcurk (npm)
Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
angular-ui-notification Cross-site Scripting vulnerability
HTML comments vulnerability allowing to execute JavaScript code
CKEditor4 Cross-site Scripting vulnerability caused by incorrect CDATA detection
Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML
OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading
CediPay Affected by Improper Input Validation in Payment Processing
Malicious code in advertising-api-javascript-client (npm)
Malicious code in v-pure-tooltip (npm)
@appium/support has a Zip Slip arbitrary file write in its ZIP extraction
React Server Components have multiple Denial of Service Vulnerabilities
Elliptic Uses a Cryptographic Primitive with a Risky Implementation
File upload local preview can run embedded scripts after user interaction
@google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script
Malicious code in @ensdomains/ccip-read-router (npm)
Malicious code in @ensdomains/ccip-read-worker-viem (npm)
Parse Server vulnerable to stored cross-site scripting (XSS) via SVG file upload
Malicious code in summerfi-typescript-config-security-notice (npm)
Smoothie vulnerable to Cross-site Scripting when tooltipLabel or strokeStyle are controlled by users
Malicious code in dow-load-the-great-passage-by-shion-miura-on-ipad-full-edition- (npm)
Malicious code in elf-stats-candystriped-garland-735 (npm)
Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
Malicious code in cypress-typescript (npm)
n8n: Webhook Node IP Whitelist Bypass via Partial String Matching
Malicious code in updated-script-poop-with-friends-script-0rxgqp (npm)
Malicious code in @viapip/eslint-config (npm)
Astro: XSS in define:vars via incomplete </script> tag sanitization
Malicious code in updated-script-restaurant-tycoon-2-script-instant-cook-4dz6cj (npm)
Malicious code in ripe-grs (npm)
Malicious code in flip-flop-flop (npm)
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
Malicious code in working-today--find-the-simpsons-171-script-roblox-4zlhl1 (npm)
Malicious code in down-lo-ad-now-zip-mp3-18275-skelliconnection-taeie-mgpquk (npm)
Malicious code in down-lo-ad-now-zip-mp3-6766-the-empyrean-bn3pu-tdpbau (npm)
Malicious code in ripiocoin (npm)
Malicious code in down-lo-ad-now-zip-mp3-7514-tapestry-fqgk2-jvvwtn (npm)
Malicious code in down-lo-ad-now-zip-mp3-93-million-miles-psw9n-wbuosp (npm)
Malicious code in @upside/flex-common-typescript-lib (npm)
Malicious code in down-load-available-zip-now-23630-non-stop-je-te-plie-en-deux-6jxm0-xjqkwj (npm)
Malicious code in down-load-available-zip-now-35816-laughter-lust-jih3q-fajkvi (npm)
Malicious code in cow-scripts (npm)
Malicious code in stripe-sample-accept-a-payment (npm)
Malicious code in node-unzip (npm)
OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
Malicious code in ecmascript-runtime-client (npm)
Malicious code in trgrip (npm)
beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS)
Malicious code in typescript-rtk-query (npm)
Malicious code in elf-stats-marzipan-cocoa-977 (npm)
Malicious code in vscode-typescript-next (npm)
Malicious code in eclipse-tractusx-github-io (npm)
Malicious code in javascript-heap (npm)
Svelte affected by cross-site scripting via spread attributes in Svelte SSR
Malicious code in pdf-off-base-out-of-uniform-1-by-annabeth-albert-on-iphone-new-volumes- (npm)
Malicious code in kinvey-flex-scripts (npm)
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization
Angular has XSS Vulnerability via Unsanitized SVG Script Attributes
Malicious code in ct-connect-stripe (npm)
Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
Joplin Cross Site Scripting Vulnerability via NOSCRIPT tags
Malicious code in pancake_uniswap_validators_utils_snipe (npm)
Orval has Code Injection via unsanitized x-enum-descriptions using JS comments
Signal K Server: Unauthenticated Source Priorities Manipulation
Malicious code in idv-script (npm)
Malicious code in date-fns-scripts (npm)
DOM clobbering could escalate to Cross-site Scripting (XSS)
Malicious code in xpack-subscription-test (npm)
Malicious code in coral-typescript-types-pieces (npm)
OpenClaw runs Discord audio preflight transcription before member authorization
Malicious code in rippled-exporter (npm)
Malicious code in firestore-stripe-payments-js (npm)
Malicious code in react-script-log (npm)
OpenClaw's exec allow-always can be bypassed via unrecognized multiplexer shell wrappers (busybox/toybox sh -c)
Malicious code in codex-cipher (npm)
Malicious code in flipper-server-companion (npm)
Orval has a code injection via unsanitized x-enum-descriptions in enum generation
Malicious code in @3stripes/api-client (npm)
@braintree/sanitize-url Cross-site Scripting vulnerability
Malicious code in iiipkillkdeqcyh (npm)
Malicious code in instacart-javascript (npm)
Malicious code in internal-scripts (npm)
Insecure serialization leading to RCE in serialize-javascript
Parse Server has a protected fields bypass via LiveQuery subscription WHERE clause
Malicious code in trip-tracker-web (npm)
JavaScript SDK v2 users should add validation to the region parameter value or migrate to v3
Malicious code in com.unity.scripting.python (npm)
Malicious code in vip-landing (npm)
Malicious code in @sporting-life/sportinglife-betslip-sdk (npm)
Mercurius's queryDepth limit bypassed for WebSocket subscriptions
Joplin Vulnerable to Cross-site Scripting in Note Content
Malicious code in ccip-starter-kit-hardhat (npm)
Malicious code in djangosnippets (npm)
Malicious code in @3stripes/helpers (npm)
Malicious code in @3stripes/lib (npm)
Trix has a cross-site Scripting vulnerability on copy & paste
Malicious code in ship_sleepnpm-tool (npm)
Malicious code in zip.js-2.8.2 (npm)
Malicious code in mp3-file-zip-d-ownload-7517-goodbye-yellow-brick-road-h63vl-tpdnhx (npm)
n8n Has Stored Cross-site Scripting via Markdown Rendering in Workflow UI
Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
Malicious code in ab-typescript-app (npm)
CKEditor 5 has Cross-site Scripting (XSS) in the HTML Support package
OpenClaw has an SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)
TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes
OpenClaw: Zip extraction symlink traversal could write outside destination
ckeditor-wordcount-plugin vulnerable to Cross-site Scripting in Source Mode of Editor
Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)
Parse Server option `masterKeyIps` vulnerability to IP spoofing
n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK
Flowise and Flowise Chat Embed vulnerable to Stored Cross-site Scripting
Withdrawn Advisory: Bootstrap Cross-Site Scripting (XSS) vulnerability
Malicious code in img-aws-s3-object-multipart-copy (npm)
Malicious code in @tax-taxdev/tools-scripts (npm)
Malicious code in @the-coca-cola-company/receipt-scanner-admin-lib (npm)
markdown-it-decorate vulnerable to cross-site scripting (XSS)
Malicious code in @diotoborg/nostrum-nostrum-ipsum (npm)
NotChatbot WebChat has a stored cross-site scripting (XSS) vulnerability
OpenC3 Cross-site Scripting in Login functionality (`GHSL-2024-128`)
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function
Malicious code in strip-nasi (npm)
Malicious code in zjdkvqcxmknipaye (npm)
Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions
Unsanitized JavaScript code injection possible in gatsby-plugin-mdx
Malicious code in vscode-npm-script (npm)
PDF.js vulnerable to arbitrary JavaScript execution upon opening a malicious PDF
Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes
@apollo/experimental-nextjs-app-support Cross-site Scripting vulnerability
Malicious code in eip-681-qr-generator (npm)
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default
OpenClaw: Discord voice transcript owner-flag omission could expose owner-only tools in mixed-trust channels
Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
Malicious code in valid-ip-scope (npm)
Malicious code in skip-reason-validator (npm)
Malicious code in @ensdomains/ccip-read-dns-gateway (npm)
Malicious code in @oku-ui/tooltip (npm)
Malicious code in silentcipherui (npm)
Malicious code in payable-js-ipg-sdk (npm)
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees
Malicious code in stripe-ms (npm)
Malicious code in stripe-sample-checkout-with-multiple-locales (npm)
Malicious code in stripe-samples (npm)
Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
Malicious code in zip-mp3-a-lbum-do-wnload-new-gift-of-screws-q2h3s-xswcix (npm)
Malicious code in zip-mp3-a-lbum-do-wnload-new-in-the-future-vrf78-daqfza (npm)
@whyour/qinglong: manipulation of the argument command leads to protection mechanism failure
Malicious code in arm-subscriptions (npm)
Malicious code in stripe-sample-accept-a-card-payment (npm)
Malicious code in suspicious-react-scripts (npm)
Cross-Site Scripting (XSS) via Select Schema Option Value Injection in @pdfme/schemas
Duplicate Advisory: OpenClaw's system.run approvals did not bind mutable script operands across approval and execution
Malicious code in conjure-receipe-example-app (npm)
unhead: Streaming SSR `streamKey` injected into inline script without identifier validation
Malicious code in typescript-go (npm)
Malicious code in zz-aipage-widget (npm)
OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage
Malicious code in elf-stats-candystriped-hollyberry-986 (npm)
Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories
Malicious code in @harrysforge/subscription-sdk (npm)
Malicious code in infobip-calls-showcase (npm)
Malicious code in conjure-typescript-runtime (npm)
Malicious code in @3stripes/toolkit (npm)
Malicious code in aiprofilestyle (npm)
Malicious code in elf-stats-candystriped-muffin-773 (npm)
Malicious code in backbone-typescripts-accessor-generator (npm)
Malicious code in com.unity.render-pipelines.universal-config (npm)
OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions
Svelecte item names vulnerable to execution of arbitrary JavaScript
Malicious code in example-typescript (npm)
Malicious code in flipper-plugin-core (npm)
AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
Malicious code in monday-integration-quickstart-app-typescript (npm)
Materialize-css vulnerable to Cross-site Scripting in autocomplete component
Malicious code in @diotoborg/alias-animi-suscipit (npm)
Postiz has Multiple SSRF Vectors - Webhooks, RSS Feed, URL Loader
DOMPurify ADD_ATTR predicate skips URI validation
OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch
Malicious code in @diotoborg/necessitatibus-provident-adipisci (npm)
React Draft Wysiwyg Cross-Site Scripting (XSS) via the Embedded Button
Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
Withdrawn Advisory: Bootstrap Cross-Site Scripting (XSS) vulnerability
Malicious code in guplip-util (npm)
mxGraph vulnerable to cross-site scripting in setTooltips function
OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement
Malicious code in elf-stats-candystriped-ornament-933 (npm)
Malicious code in cthipjznlgrwqysa (npm)
Vditor allows Cross-site Scripting via an attribute of an `A` element
Malicious code in typescript-plugin-some-plugin (npm)
Malicious code in typescript-react-sample (npm)
Malicious code in @riptano/helios (npm)
Malicious code in reactnativeflipperexample (npm)
Malicious code in tackgqvipebdhxfy (npm)
Malicious code in rippleadminconsole (npm)
Malicious code in hash-script (npm)
Malicious code in com.unity.sharp-zip-lib (npm)
Malicious code in @trp-gims-usi-cip/web-portal-lib (npm)
Malicious code in twitch-desktop-ipc (npm)
Malicious code in fastly-ip-sync (npm)
Malicious code in elf-stats-candystriped-lantern-205 (npm)
Malicious code in elf-stats-candystriped-saddlebag-217 (npm)
Malicious code in tulip-backend (npm)
Malicious code in wp-scripts (npm)
Malicious code in elf-stats-marzipan-fir-219 (npm)
Malicious code in elf-stats-marzipan-fir-795 (npm)
Malicious code in com.unity.multiplayer.tools (npm)
Malicious code in eslint-typescript-runtime-check (npm)
Pannellum Cross-Site Scripting due to data not being sanitized for URIs or vbscript
Malicious code in superhero-turnip (npm)
Fake objects feature vulnerability allowing execution of JavaScript code using malformed HTML
Malicious code in flipper-plugin-preferences (npm)
Malicious code in discord-sniper (npm)
Malicious code in tetris-scripts (npm)
Malicious code in discord.js-aployscript-v11 (npm)
Malicious code in typescript-aurelia-api (npm)
Malicious code in aspirejavascript-vite (npm)
Malicious code in elf-stats-candystriped-cookiejar-799 (npm)
Malicious code in elf-stats-marzipan-nightcap-982 (npm)
Malicious code in before-we-were-yours-by-lisa-wingate-on-iphone-new-chapters- (npm)
Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site
Malicious code in ynf-dx-scripts (npm)
Malicious code in typescsdaript (npm)
Paperclip: Privilege Escalation via Agent-Controlled workspaceStrategy.provisionCommand Leading to OS Command Execution
Malicious code in trip-plugins (npm)
Malicious code in @sasmeee/ip-locator (npm)
Malicious code in eclipse-tslint (npm)
Malicious code in coreipc (npm)
rsshub vulnerable to Cross-site Scripting via unvalidated URL parameters
Malicious code in int_stripe_sfra (npm)
Malicious code in pipreqs (npm)
Malicious code in eslint-config-pexip-engage (npm)
Malicious code in mlp-friendship-map-mapping (npm)
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
Malicious code in awesomeypescriptxoader (npm)
Malicious code in kubeflow-pipelines (npm)
OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
Typebot affected by Credential Theft via Client-Side Script Execution and API Authorization Bypass
Malicious code in @vividcortex/multiplexer (npm)
Malicious code in subscriptionmgmtserv (npm)
Malicious code in cors-typescript-server (npm)
Open WebUI Unauthenticated Multipart Boundary Denial of Service (DoS) Vulnerability
Duplicate Advisory: OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
Malicious code in xterm-addon-clipboard (npm)
Malicious code in btcbip-39 (npm)
Malicious code in the-universe-has-your-back-transform-fear-to-faith-by-gabrielle-bernstein-on-iphone-full-pages- (npm)
Malicious code in four-sdk-aes-ipheriv (npm)
Malicious code in code-snippet-editor-plugin (npm)
Malicious code in elf-stats-candystriped-bauble-740 (npm)
Malicious code in win32ipc (npm)
Malicious code in smart-power-strip (npm)
Malicious code in dancer-pipeline (npm)
Malicious code in trip-component-platform-online-header (npm)
pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion
Malicious code in googleaips (npm)
metascraper before v5.2.0 vulnerable to stored cross-site scripting
Malicious code in @3stripes/ui (npm)
@claviska/jquery-minicolors vulnerable to Cross-site Scripting
Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler
Malicious code in typescript-resolvers (npm)
Trigger `beforeFind` not invoked in internal query pipeline when fetching pointer
Malicious code in sd-cip-module-client (npm)
ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API
Malicious code in typescript-validation-schema (npm)
NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field
OpenClaw: pnpm dlx approvals did not bind local script operands
Malicious code in vuejavascript (npm)
Malicious code in eslint-config-minecraft-scripting (npm)
@mattkrick/sanitize-svg vulnerable to Cross-Site Scripting (XSS)
Malicious code in @3stripes/components (npm)
Malicious code in @3stripes/config (npm)
Malicious code in @3stripes/core (npm)
Malicious code in @3stripes/sdk (npm)
Malicious code in @3stripes/shared (npm)
Malicious code in maps-api-for-javascript (npm)
Critical severity vulnerability that affects generator-jhipster
jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)
Malicious code in insomnia-scripting-environment (npm)
faker.js 6.6.6 is broken and the developer has wiped the original GitHub repo
Improper Neutralization of Script in Attributes in @dcl/single-sign-on-client
Electron: Service worker can spoof executeJavaScript IPC replies
Malicious code in paddle-internal-scripts (npm)
Malicious code in pipeline-npm-artifactory (npm)
Malicious code in accenture-react-scripts (npm)
Malicious code in tripica-library (npm)
Malicious code in postcssmipot (npm)
Malicious code in @diotoborg/deleniti-totam-suscipit (npm)
NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
Malicious code in snyk-azure-pipelines-task (npm)
NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells
Malicious code in strip-umer (npm)
Malicious code in stripe-connect-rocketrides (npm)
Malicious code in @diotoborg/itaque-suscipit (npm)
Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components
Malicious code in typescript-error-reporter-action (npm)
Malicious code in @diotoborg/ipsam-ad (npm)
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
Malicious code in dow-load-beautiful-tempest-malory-anderson-family-12-by-johanna-lindsey-on-iphone-new-form (npm)
Malicious code in elf-stats-candystriped-star-592 (npm)
Malicious code in blipkitgit (npm)
Malicious code in @diotoborg/ipsa-ratione (npm)
Malicious code in alipay-js-jdk (npm)
Duplicate Advisory: OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity
Malicious code in o-typescript (npm)
Malicious code in @metadata-ipfs/bonk.fun-ipfs (npm)
Malicious code in m-typescript (npm)
Malicious code in get-new-script-rainbow-six-unlock-all-skins-elite-and-various-other-updated-2023-q6uukf (npm)
Malicious code in get-new-script-roblox-bedwars-script-076bmo (npm)
Malicious code in no-typescript (npm)
Malicious code in script-updated-gta-5-ragemp-spoofer-hwid-unban-zcnl0m (npm)
Malicious code in script-updated-roblox-redwood-prison-reworked-script-c5bqbv (npm)
Malicious code in aployscript (npm)
Malicious code in down-lo-ad-now-zip-mp3-61269-billy-mann-9mfek-wlvmjv (npm)
markdown-it-toc Cross-site Scripting due to title of generated toc and contents of header not being escaped
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Malicious code in born-to-win-find-your-success-by-zig-ziglar-on-iphone-new-version- (npm)
Malicious code in multipage-checkout (npm)
Malicious code in transform-typescript (npm)
Malicious code in @crimson-team/typescript-helpers (npm)
Malicious code in beautiful-tempest-malory-anderson-family-12-by-johanna-lindsey-on-iphone-new-format- (npm)
Malicious code in bconffee-script (npm)
Malicious code in @frozen-team-qa/subscriptions-service (npm)
Malicious code in discord.js-selfbot-aployscript (npm)
Malicious code in @frozen-ui/tooltip (npm)
Malicious code in managed-vip-2-by-kristen-callihan-on-iphone-full-volumes- (npm)
Malicious code in stripe-terminal-react-native (npm)
Malicious code in inipyrser (npm)
Malicious code in caliper-publish (npm)
Malicious code in identitydocumentserv-multipart-paypal (npm)
Malicious code in coinmate-typescript-client (npm)
Malicious code in core-rest-pipeline (npm)
Malicious code in cors-typescript (npm)
Malicious code in oabcipqvkhelzmrn (npm)
Malicious code in @juiggitea/ipsa-odit-illo (npm)
Malicious code in adobe_pipeline_test (npm)
Malicious code in skip-tot (npm)
Malicious code in solana-sniper-bot (npm)
Malicious code in cathode-versions-javascript (npm)
Malicious code in compute-starter-kit-assemblyscript-default (npm)
Malicious code in equipment-color (npm)
Malicious code in rnx-kit-scripts (npm)
Malicious code in designer-relationships-a-guide-to-happy-monogamy-positive-polyamory-and-optimistic-open-relationship (npm)
Malicious code in link-stripper2 (npm)
Malicious code in trip-component-platform-online-region-selector (npm)
Malicious code in dow-load-the-best-we-could-do-by-thi-bui-on-ipad-new-format- (npm)
Malicious code in elliptic-helper (npm)
Malicious code in smithy-typescript (npm)
Malicious code in chalk-ipheriv (npm)
Malicious code in moodle-core-tooltip (npm)
Malicious code in the-best-we-could-do-by-thi-bui-on-ipad-new-format- (npm)
Malicious code in stripe-demo-connect-standard-saas-platform (npm)
Malicious code in stripe-identity-react-native (npm)
Malicious code in meu-script (npm)
Malicious code in god-a-human-history-by-reza-aslan-on-ipad-new-version- (npm)
Malicious code in subscriptionid-apiversion (npm)
Malicious code in hopelessly-devoted-bayou-devils-mc-1-by-am-myers-on-iphone-full-chapters- (npm)
Malicious code in hippocrates (npm)
Malicious code in madly-whiskey-the-whiskeys-dark-knights-at-peaceful-harbor-2-by-melissa-foster-on-iphone-new-pages- (npm)
Malicious code in taniyadidipro (npm)
Malicious code in extratazip (npm)
Malicious code in @diotoborg/adipisci-esse-tempore (npm)
Malicious code in @ibm-pipeline/logging (npm)
Malicious code in gopro-web-javascript-components (npm)
Malicious code in typescript-nhost (npm)
Malicious code in rocketship-validator (npm)
Malicious code in njip (npm)
Malicious code in ucs-tooltip (npm)
Malicious code in gulptypscript (npm)
Malicious code in scriptconfig (npm)
Malicious code in repo-typescript-config (npm)
Malicious code in typescript-mock-data (npm)
Malicious code in @immersive-composer/scripting-api (npm)
Malicious code in shipmentdetails-paypal (npm)
Malicious code in shipmenttrackingserv-paypal (npm)
Malicious code in @bookiply/core (npm)
Malicious code in azure-pipeline-filter (npm)