ps

ps Enables OS Command Injection

Cross-site Scripting (XSS) in Eclipse Theia

nodeschnaps downloads resources over HTTP

Malicious code in @diotoborg/dolorum-ipsam (npm)

Malicious code in tinfoil-shops (npm)

Malicious code in @cloudplatform-single-spa/security-groups (npm)

Astro's server source code is exposed to the public if sourcemaps are enabled

Malicious code in tailwind-clamps-line (npm)

Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling

OS Command Injection in lifion-verify-deps

Duplicate Advisory: OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients

@stablelib/cbor: Stack exhaustion Denial of Service via deeply nested CBOR arrays, maps, or tags

Malicious code in synapse-artifacts (npm)

Malicious code in zeus-me-ops-tool (npm)

Malicious code in synapse-spark (npm)

robinweser fast-loops vulnerable to prototype pollution

Dash apps vulnerable to Cross-site Scripting

Denial of Service in https-proxy-agent

Command injection in node-ps

Malicious code in appsec-internal-package (npm)

@simonsmith/cypress-image-snapshothas fix for insecure snapshot file names

Malicious code in eclipse-typescript (npm)

Malicious code in boostrapsio (npm)

Malicious code in @diotoborg/soluta-numquam-ipsam (npm)

Malicious code in @ozon-maps/map-sdk (npm)

Malicious code in polkadot-apps (npm)

PsiTransfer has Zip Slip Path Traversal via TAR Archive Download

Calipso Arbitrary File Write via Archive Extraction (Zip Slip)

simplehttpserver allows directory traversal and file listing

Malicious code in standalone-apps (npm)

Malicious code in tailwindthml-flips (npm)

Malicious code in azure-synapse-access-control-samples-js (npm)

PsiTransfer: File integrity violation

JHipster Kotlin using insecure source of randomness `RandomStringUtils` before v1.2.0

Malicious code in azure-synapse-access-control (npm)

Malicious code in tps-lookup (npm)

Malicious code in minipay-minidapps (npm)

OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement

OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows

Malicious code in @diotoborg/ipsa-deleniti-ab (npm)

yapi disables TLS/SSL certificate validation via rejectUnauthorized: false in Axios HTTPS agent

Malicious code in eclipse-megamovie-build (npm)

Malicious code in @eg-maps/commons (npm)

Remote code execution in Eclipse Theia

Malicious code in @epc-apps/edge-lambdas (npm)

Malicious code in psxjson (npm)

Malicious code in @juiggitea/ipsa-odit-illo (npm)

Handlebars.js has a Prototype Method Access Control Gap via Missing __lookupSetter__ Blocklist Entry

Malicious code in ps-brands-assets (npm)

OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients

Malicious code in pslx (npm)

Malicious code in babelpsetreactapp (npm)

Malicious code in apswap-api (npm)

OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation

Malicious code in proptyps (npm)

Malicious code in @platform-apps/portal-ui (npm)

Malicious code in deps-json-webpack-plugin (npm)

Malicious code in eftpsd (npm)

Malicious code in eslint-plugin-yandex-maps (npm)

Malicious code in olbizfdwpskrxcen (npm)

Malicious code in @platform-apps/platform-ui-app (npm)

Obsidian does not require user confirmation for non-http/https URLs.

Malicious code in pseudo-loc-for-signin-widget (npm)

Malicious code in httpsflood (npm)

Malicious code in permenmd-vps (npm)

Malicious code in @uc-maps/tile-layers.react (npm)

Malicious code in mimetyps (npm)

Malicious code in vipps-stitches (npm)

Malicious code in @zitterorg/adipisci-ipsum (npm)

Insufficient Verification of Data Authenticity in Eclipse Theia

Malicious code in trading-tips (npm)

Malicious code in @lbnqduy11805/psychic-waffle (npm)

Malicious code in @zitterorg/iusto-ipsum (npm)

Directory Traversal in cypserver

Malicious code in @uc-maps/parcel-shapes (npm)

Malicious code in @zitterorg/ipsum-nam-facere (npm)

matrix-appservice-irc vulnerable to IRC mode parameter confusion

Malicious code in @zitterorg/psychic-adventure (npm)

Malicious code in opsgeniewebhook (npm)

Malicious code in @juiggitea/ipsa-voluptatibus-velit (npm)

UUPSUpgradeable vulnerability in @openzeppelin/contracts

Malicious code in owncloud-customgroups-dev (npm)

Malicious code in @diotoborg/ipsa-error (npm)

Malicious code in @juiggitea/ipsam-laborum-earum (npm)

Command Injection in psnode

Malicious code in noblox.js-vps (npm)

Command Injection in ps-kill

matrix-appservice-irc events can be crafted to leak parts of targeted messages from other bridged rooms

Malicious code in react-rps-boilerplate (npm)

Malicious code in @oku-ui/collapsible (npm)

Malicious code in babelhelspevvuejsxmergeprops (npm)

Malicious code in working-today--find-the-simpsons-171-script-roblox-4zlhl1 (npm)

Malicious code in down-lo-ad-now-zip-mp3-93-million-miles-psw9n-wbuosp (npm)

Malicious code in @upside/flex-common-typescript-lib (npm)

Malicious code in epsilonprotect (npm)

Malicious code in arm-synapse (npm)

Malicious code in upstart-lending-status (npm)

Malicious code in upstart-loan-status (npm)

Malicious code in upstartadmindashboard- (npm)

Malicious code in upstartapplicationstatus (npm)

Malicious code in pear-apps-utils-date (npm)

Malicious code in calypso-url (npm)

DoS vulnerability for apps with sockets enabled

Malicious code in babel-plugin-i18n-calypso (npm)

Malicious code in @epc-apps/api-management-plan (npm)

Downloads Resources over HTTP in httpsync

Malicious code in safe-apps-list (npm)

Malicious code in eokpshjadwucgytr (npm)

RSA-PSS signature validation vulnerability by prepending zeros in jsrsasign

Malicious code in calypso-color-schemes (npm)

Malicious code in mocha-appscan-reporter (npm)

Malicious code in @ling-web/psdviewer (npm)

Injection and Cross-site Scripting in osm-static-maps

Malicious code in codm-lucky-shop-pss (npm)

Malicious code in puppeteer-proxy-https (npm)

SimbCo httpster vulnerable to Path Traversal

Malicious code in opstimlst (npm)

Malicious code in @the-coca-cola-company/ngps-global-common-utils (npm)

Malicious code in mender-snapshot (npm)

Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths

Malicious code in merchant-rps (npm)

Malicious code in crypto-ops (npm)

OpenClaw: Image pixel-limit guard can fail open on sips and allow decompression-bomb DoS

DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool

Malicious code in devops-debug-tool-ctf (npm)

Malicious code in @diotoborg/nostrum-nostrum-ipsum (npm)

Malicious code in synapse-managed-private-endpoints (npm)

Malicious code in free-robux-codes-ps4 (npm)

Malicious code in tochka-cyclops-api (npm)

client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect

@node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError

Malicious code in snapshot-hub (npm)

Malicious code in onboarding-ops (npm)

Malicious code in @zitterorg/cum-ipsum-beatae (npm)

Path Traversal in statichttpserver

Malicious code in appsuite-mailvelope (npm)

Malicious code in synapse-access-control (npm)

Malicious code in upstart-offer-container (npm)

Malicious code in upstart.previewcss (npm)

Malicious code in vscode-ps1 (npm)

Improper handling of multiline messages in node-irc affects matrix-appservice-irc

Malicious code in synapse-access-control-1 (npm)

Malicious code in mshops-web-metrics-components (npm)

Malicious code in calypso-build (npm)

Malicious code in vscode-azurecontainerapps (npm)

Malicious code in @bmg-web/bmg-collapse (npm)

Malicious code in aca-review-apps (npm)

Malicious code in @uc-maps/geospatial (npm)

Malicious code in slack-opsgenie-alert-creator (npm)

Malicious code in cl.i-psinner (npm)

Malicious code in ps-cart-recovery (npm)

Malicious code in open-xchange-appsuite-spamexperts (npm)

Malicious code in opsgenie-connectwise-integration (npm)

mxGraph vulnerable to cross-site scripting in setTooltips function

Malicious code in maps-theme (npm)

Malicious code in apps-showcase (npm)

DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval

Malicious code in pstbssfpresetenv (npm)

Malicious code in collapsible-group (npm)

Malicious code in @epc-apps/alert-servie (npm)

Malicious code in @epc-apps/api-generic-plan (npm)

Malicious code in @epc-apps/api-ingestor (npm)

Malicious code in synapse-monitoring (npm)

Malicious code in https-emailjs (npm)

Malicious code in @uc-maps/provider-google.react (npm)

Duplicate Advisory: OpenClaw: Pairing pending-request caps were enforced per channel instead of per account

Malicious code in @uc-maps/test1 (npm)

Malicious code in ymaps-host-configs (npm)

Prototype Pollution in copy-props

Malicious code in test-depss (npm)

Malicious code in eshops-components-library (npm)

Malicious code in @epc-apps/api-outages (npm)

Malicious code in eclipse-tractusx-github-io (npm)

Path Traversal in simplehttpserver

Malicious code in sps (npm)

Malicious code in @uc-maps/maps.react (npm)

Malicious code in dow-load-prisoners-of-geography-ten-maps-that-explain-everything-about-the-world-by-tim-ma (npm)

Malicious code in spstargm (npm)

Malicious code in eclipse-tslint (npm)

Malicious code in snapshot-vks (npm)

Malicious code in ohhttpstubs (npm)

PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart

Malicious code in ajna-rewards-snapshot (npm)

Malicious code in vkwzriqpsabdfhnc (npm)

Malicious code in homeappserver (npm)

Malicious code in build-onchain-apps (npm)

Malicious code in googleaips (npm)

OpenClaw: Discord voice ingress authorization can be bypassed via channel, name, and stale-role validation gaps

Malicious code in httpsrver (npm)

Malicious code in httpstatuscoxes (npm)

Matrix-appservice-irc vulnerable to sql injection via roomIds argument

Malicious code in peer-deps-external (npm)

Stored Cross-Site Scripting in simplehttpserver

Malicious code in dcapps-cli (npm)

Malicious code in maps-api-for-javascript (npm)

Critical severity vulnerability that affects generator-jhipster

Malicious code in hydrogen-sfdgspsdmq-test1 (npm)

Malicious code in frontend-static-props-provider (npm)

Malicious code in free-fortnite-skins-app-ps4 (npm)

Malicious code in ps-validations (npm)

Malicious code in @diotoborg/ipsam-ad (npm)

Malicious code in xyz-maps-core (npm)

Malicious code in rpsreadserv (npm)

Malicious code in niji-react-collapsible (npm)

Malicious code in @diotoborg/ipsa-ratione (npm)

matrix-appservice-bridge doesn't verify the sub parameter of an openId token exhange, allowing unauthorized access to provisioning APIs

Malicious code in xpsaht (npm)

Path Traversal in simplehttpserver

Malicious code in apple-psh (npm)

PsiTransfer: Violation of the integrity of file distribution

Malicious code in @aa-techops-ui/ping-authentication (npm)

Malicious code in hoppscotch-agent (npm)

Malicious code in @clickhouse-team/clickhouse-backups-plugin (npm)

Malicious code in appsforhere (npm)

generator-jhipster-entity-audit vulnerable to Unsafe Reflection when having Javers selected as Entity Audit Framework

Malicious code in grunt-heremaps-build (npm)

Malicious code in @frozen-ui/snapshot-serializer (npm)

Malicious code in @bugbounty-automation/deps-json-webpack-plugin (npm)

Malicious code in --legacy-peer-deps (npm)

Malicious code in findupsnc (npm)

Malicious code in upstartautoretailadmin (npm)

Malicious code in upstartdr (npm)

Malicious code in @spx-workforceops/shared-vue (npm)

Malicious code in @uc-maps/layer-select.react (npm)

Malicious code in jupyter-notebook-deps (npm)

Malicious code in @xvideos/apps (npm)

Malicious code in flutter_appsflyer_sdk (npm)

Malicious code in crsosspsawn (npm)

Malicious code in express-groups-routes (npm)

Malicious code in @rnps-ppr/gensen-gotham (npm)

Malicious code in epsilonapi (npm)

Malicious code in designer-relationships-a-guide-to-happy-monogamy-positive-polyamory-and-optimistic-open-relationship (npm)

Malicious code in market-apps-list (npm)

Malicious code in synthetixio-deps-security-notice (npm)

Malicious code in lappsec-testpackage (npm)

Malicious code in cyberops-test-package (npm)

Malicious code in eslint-plugin-panel-ops (npm)

Malicious code in @gpsu/common (npm)

Malicious code in stormapps (npm)

Malicious code in hx1-upsrv (npm)

Malicious code in helm-secrets-sops-driver (npm)

Malicious code in mergeseekrangegaps (npm)

Malicious code in express-soaps (npm)

Malicious code in free-fortnite-skins-ps4-no-human-verification (npm)

Malicious code in @jumpstart-ui/utils (npm)

Malicious code in free-primogems-app-ps4 (npm)

Malicious code in free-robux-apps (npm)

Malicious code in bps-design-system (npm)

Malicious code in free-robux-apps-freerobuxgenertor (npm)

Malicious code in fps-logger (npm)

Malicious code in power-apps (npm)

Malicious code in zoomapps-customlayout-js (npm)

Malicious code in pepsico-ds (npm)

Malicious code in nixpsweb (npm)

Malicious code in gulptypscript (npm)

Malicious code in calypso-apps-builder (npm)

Malicious code in calypso-analytics (npm)

Malicious code in @doaction/mapstore (npm)

Malicious code in calypso-babel-config (npm)

Malicious code in @ascend-ops/web-client (npm)

Malicious code in data-portal-dwh-apps-fe (npm)

Malicious code in opensea-ships-log (npm)

Malicious code in opsie (npm)

Malicious code in promohlineupselling (npm)

Malicious code in utility-capsule (npm)

Malicious code in @techops-ui/ping-authentication (npm)

Malicious code in stale-props (npm)

Malicious code in pakistan_hsudoaps (npm)

Malicious code in get-deps-path (npm)

Malicious code in zapier-shops-orders (npm)

Malicious code in hpsetup (npm)

Malicious code in yhps (npm)

Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter

Malicious code in groupstrap (npm)

Malicious code in @zitterorg/ipsam-deserunt (npm)

Malicious code in @zitterorg/ipsam-magnam (npm)

Malicious code in @zitterorg/ipsam-officia (npm)

Malicious code in @zitterorg/ipsum-magnam (npm)

Malicious code in vscode-azurestaticwebapps (npm)

Malicious code in skipshot-agent (npm)

Malicious code in mongoose-stamps (npm)

Nuxt: Dev server discloses project absolute path and persistent workspace UUID via `/.well-known/appspecific/com.chrome.devtools.json`

Malicious code in apple-appstore-full-library-utility (npm)

Malicious code in mapbox-maps-android (npm)

Malicious code in vpsnet-website (npm)

Malicious code in sync-https-api (npm)

Malicious code in fin-common-snapshot (npm)

Malicious code in hpsmartstreamforindesigncccrack_7kh (npm)

Malicious code in @diotoborg/qui-ullam-ipsum (npm)

Malicious code in free-vbucks-app-ps4 (npm)

Malicious code in styledcomps (npm)

Malicious code in iron-collapse (npm)

Malicious code in @rnps-ppr/ppr-gensenjs (npm)

Malicious code in coopshares-webcomponent (npm)

Malicious code in aps-simple-viewer-nodejs (npm)

Malicious code in jshint-groups (npm)

Malicious code in record-data-encapsulation-test-app (npm)

Malicious code in k8s-apps-wordpress (npm)

Prototype Pollution in deeps

Malicious code in remotepshell (npm)

Malicious code in react-native-google-maps-directions (npm)

Malicious code in flapstacks (npm)

Malicious code in @juiggitea/dolorum-temporibus-ipsam (npm)

Malicious code in @diotoborg/ipsam-atque-eos (npm)

OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE)

Malicious code in gps-gateway-client (npm)

Malicious code in azps-tools (npm)

Malicious code in @easytipsportal/node-helper (npm)

Malicious code in hyperterm-hipster (npm)

Malicious code in @sameepsi/sor (npm)

Malicious code in @zitterorg/ipsa-in-aliquam (npm)

Malicious code in opstooling-js-style (npm)

Malicious code in kpsbwogicxvtfqur (npm)

Malicious code in @diotoborg/aliquam-dolorum-ipsa (npm)

Malicious code in calypso-config (npm)

Parse Server option `masterKeyIps` vulnerability to IP spoofing

Malicious code in @diotoborg/ipsam-dolores-labore (npm)

Malicious code in @diotoborg/ipsam-sequi (npm)

Malicious code in @juiggitea/nobis-reprehenderit-ipsa-porro (npm)

Log Forging in generator-jhipster-kotlin

OpenClaw: Pairing pending-request caps were enforced per channel instead of per account

Malicious code in simple_cups-handler (npm)

Malicious code in getseekrangegapsfromshakareferences (npm)

Malicious code in glpsass (npm)

Malicious code in pumpswap-sdk (npm)

Malicious code in github-helpscout-collector (npm)

Malicious code in @diotoborg/psychic-bassoon (npm)

Malicious code in dops-components (npm)

Malicious code in entrevista_devops (npm)

Malicious code in trips-pwa-localization (npm)

Malicious code in @stepstone-genesis/components (npm)

Malicious code in ps-asymmetric-crypts (npm)

Malicious code in ps-bootstrap (npm)

Malicious code in psaqko (npm)

Malicious code in reactbootstraps (npm)

Malicious code in dowload_ebok_the_upside_of_unrequited_by_becky_albertalli_2jgmw (npm)

Malicious code in phpseclib (npm)

Malicious code in hit-makers-the-science-of-popularity-in-an-age-of-distraction-by-derek-thompson-on-ipad-new-version- (npm)

Malicious code in prisoners-of-geography-ten-maps-that-explain-everything-about-the-world-by-tim-marshall-on-iphone-fu (npm)

Malicious code in ppsdkconstants (npm)

Malicious code in pear-apps-utils-avatar-initials (npm)

Malicious code in hcpss (npm)

Malicious code in typescript-vue-apollo-smart-ops (npm)

Malicious code in eipsend (npm)

Malicious code in upstartloans (npm)

Malicious code in upstartportal (npm)

Malicious code in create-calypso-config (npm)

Malicious code in safe-apps-react-sdk (npm)

Malicious code in @lbnqduy11805/psychic-journey (npm)

OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups

OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md

Malicious code in macappstore (npm)

Malicious code in htps-curl (npm)

Malicious code in cmpsitdbgofqnjuk (npm)

Malicious code in cnqihwetjuapsgkb (npm)

Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning

path-to-regexp vulnerable to Denial of Service via sequential optional groups

Malicious code in com.unity.2d.psdimporter (npm)

Malicious code in calypso-typescript-config (npm)

Malicious code in @diotoborg/provident-ipsam (npm)

Malicious code in @diotoborg/ipsa-magni-debitis (npm)

Malicious code in kbn-ui-shared-deps (npm)

Malicious code in @uc-maps/boundaries-core.react (npm)

Malicious code in @tide-web-apps/global-environments (npm)

Malicious code in electron_npm_deps (npm)

Malicious code in htp-https (npm)

Malicious code in repsol-uikit (npm)

DOMPurify ADD_ATTR predicate skips URI validation

Malicious code in nepsnowplow (npm)

Malicious code in https-servers (npm)

Malicious code in com.frl.aepsych (npm)

Malicious code in zoomapps-texteditor-vuejs (npm)

Malicious code in launchpad6-dev-ops (npm)

Malicious code in @pumpswap-sdk4/metadata (npm)

Malicious code in @upstashed/context7-mcp (npm)

Duplicate Advisory: OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md

Malicious code in azps (npm)

Malicious code in @sflyinc-knapsack/shutterfly-react (npm)

Malicious code in pear-apps-utils-qr (npm)

Malicious code in @easytipsportal/pos-adapters (npm)

Malicious code in @cda-apps/source (npm)

Malicious code in @sameepsi/sor2 (npm)

Malicious code in @doctolib-apps/native-personalized-services (npm)

Astro: XSS via Unescaped Attribute Names in Spread Props

Malicious code in hops-preset-jest (npm)

Malicious code in mshops-seo-ui (npm)

Malicious code in cowsay-caps (npm)

Malicious code in epszkyqktamihwbr (npm)

Malicious code in appsec-event-rules-tools (npm)

Malicious code in nextcloudappstore (npm)

Command Injection in ps-visitor

Malicious code in https-parse (npm)

webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins

Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups

hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest

Malicious code in @idps/contrib-client (npm)

Malicious code in @uipath/aops-policy-tool (npm)

Malicious code in test-za-sec-psh (npm)

Malicious code in test-copppss (npm)

Malicious code in snapshot-server (npm)

Malicious code in @openclaw-cn/toutiao-ops (npm)

Malicious code in @mastra/upstash (npm)

Malicious code in battleships-player (npm)

Malicious code in psalm (npm)

Malicious code in pear-apps-lib-feedback (npm)

Malicious code in calypso-doctor (npm)

Malicious code in calypso-e2e (npm)

Malicious code in calypso-eslint-overrides (npm)

Malicious code in calypso-jest (npm)

Malicious code in pear-apps-lib-ui-react-hooks (npm)

Malicious code in @antv/l7-maps (npm)

Malicious code in @apps-home-dashboard/events (npm)

Malicious code in apple-appstore-server-library (npm)

Malicious code in po-ops-local-dev (npm)

Malicious code in npe-toolkit-server-deps (npm)

Malicious code in @flipster/utils (npm)

@nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty

Malicious code in open-xchange-appsuite (npm)

Malicious code in marked-ps (npm)

Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload

Malicious code in gulpsourcemuaps (npm)

Malicious code in @platform-apps/ui-logger (npm)

Malicious code in ps-react-bootstrap (npm)

Malicious code in ps-request-ws (npm)

Malicious code in cowsay-allcaps (npm)

Malicious code in servicenow_cicd_azuredevops (npm)

Malicious code in @cloudplatform-single-spa/floating-ips (npm)

Malicious code in @cloudplatform-single-spa/marketplace-apps (npm)

Malicious code in arm-appservice (npm)

Malicious code in @platco/ceps-pc-validation-library (npm)

Malicious code in @tide-web-apps/bert2 (npm)

Malicious code in ps-crypt (npm)

Malicious code in @uc-maps/api.react (npm)

Malicious code in ups_node (npm)

Malicious code in @uc-maps/test (npm)

Malicious code in usaa-expand-collapse (npm)

Malicious code in vk-apps-contacts (npm)

Malicious code in @unpkg-semver/pedops-logger (npm)

Malicious code in wixapps (npm)

Malicious code in wp-calypso (npm)

Malicious code in @car-loans/wait-task-props (npm)

Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization

npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation

Upstash Adapter missing token verification

@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)

npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call

Malicious code in synapse-contracts (npm)

[Eclipse Theia] Indirect Prompt Injection via Adversarial Workspace File and Directory Names in AI Chat

Network-AI: EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backups

[Eclipse Theia] Arbitrary Command Execution via Untrusted Workspace Task Definitions

[Eclipse Theia] Indirect Prompt Injection via Auto-Loaded Workspace Prompt Template Files in AI Chat

[Eclipse Theia] Data Exfiltration via Markdown Image Rendering in AI Chat

Malicious code in @diotoborg/dolore-magnam-ipsam (npm)

Malicious code in @diotoborg/ipsum-eaque-quidem (npm)

Malicious code in 3cx-call-control-apps (npm)

Malicious code in @posthog/rrweb-snapshot (npm)

Malicious code in virtualization-compression-collapse (npm)