Total
54 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-8217 | 1 Amazon | 1 Q Developer Vs Code Extension | 2025-07-31 | 4 Medium |
| The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI. To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use. | ||||
| CVE-2024-4978 | 1 Javs | 2 Javs Viewer, Viewer | 2025-07-30 | 8.4 High |
| Justice AV Solutions Viewer Setup 8.3.7.250-1 contains a malicious binary when executed and is signed with an unexpected authenticode signature. A remote, privileged threat actor may exploit this vulnerability to execute of unauthorized PowerShell commands. | ||||
| CVE-2025-30066 | 1 Tj-actions | 1 Changed-files | 2025-07-30 | 8.6 High |
| tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code.) | ||||
| CVE-2025-30154 | 1 Reviewdog | 6 Action-ast-grep, Action-composite-template, Action-setup and 3 more | 2025-07-30 | 8.6 High |
| reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos. | ||||
| CVE-2025-54313 | 2025-07-23 | 7.5 High | ||
| eslint-config-prettier 8.10.1, 9.1.1, 10.1.6, and 10.1.7 has embedded malicious code for a supply chain compromise. Installing an affected package executes an install.js file that launches the node-gyp.dll malware on Windows. | ||||
| CVE-2024-3094 | 2 Redhat, Tukaani | 3 Enterprise Linux, Jboss Enterprise Application Platform, Xz | 2025-07-05 | 10 Critical |
| Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing in the source code, which is then used to modify specific functions in the liblzma code. This results in a modified liblzma library that can be used by any software linked against this library, intercepting and modifying the data interaction with this library. | ||||
| CVE-2025-32965 | 2025-04-23 | N/A | ||
| xrpl.js is a JavaScript/TypeScript API for interacting with the XRP Ledger in Node.js and the browser. Versions 4.2.1, 4.2.2, 4.2.3, and 4.2.4 of xrpl.js were compromised and contained malicious code designed to exfiltrate private keys. Version 2.14.2 is also malicious, though it is less likely to lead to exploitation as it is not compatible with other 2.x versions. Anyone who used one of these versions should stop immediately and rotate any private keys or secrets used with affected systems. Users of xrpl.js should pgrade to version 4.2.5 or 2.14.3 to receive a patch. To secure funds, think carefully about whether any keys may have been compromised by this supply chain attack, and mitigate by sending funds to secure wallets, and/or rotating keys. If any account's master key is potentially compromised, disable the key. | ||||
| CVE-2023-2003 | 2 Unitronics, Unitronicsplc | 3 Vision1210, Vision1210, Vision1210 Firmware | 2024-11-21 | 9.1 Critical |
| Embedded malicious code vulnerability in Vision1210, in the build 5 of operating system version 4.3, which could allow a remote attacker to store base64-encoded malicious code in the device's data tables via the PCOM protocol, which can then be retrieved by a client and executed on the device. | ||||
| CVE-2021-22887 | 2 Pulsesecure, Supermicro | 24 Psa-5000, Psa-5000 Firmware, Psa-7000 and 21 more | 2024-11-21 | 2.3 Low |
| A vulnerability in the BIOS of Pulse Secure (PSA-Series Hardware) models PSA5000 and PSA7000 could allow an attacker to compromise BIOS firmware. This vulnerability can be exploited only as part of an attack chain. Before an attacker can compromise the BIOS, they must exploit the device. | ||||
| CVE-2020-15165 | 1 Chameleon Mini Live Debugger Project | 1 Chameleon Mini Live Debugger | 2024-11-21 | 9.3 Critical |
| Version 1.1.6-free of Chameleon Mini Live Debugger on Google Play Store may have had it's sources or permissions tampered by a malicious actor. The official maintainer of the package is recommending all users upgrade to v1.1.8 as soon as possible. For more information, review the referenced GitHub Security Advisory. | ||||
| CVE-2017-16207 | 1 Discordi.js Project | 1 Discordi.js | 2024-11-21 | N/A |
| discordi.js is a malicious module based on the discord.js library that exfiltrates login tokens to pastebin. | ||||
| CVE-2017-16205 | 1 Coffescript Project | 1 Coffescript | 2024-11-21 | N/A |
| The coffescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. | ||||
| CVE-2017-16204 | 1 Jquey Project | 1 Jquey | 2024-11-21 | N/A |
| The jquey module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. | ||||
| CVE-2017-16203 | 1 Coffescript Project | 1 Coffescript | 2024-11-21 | N/A |
| The coffe-script module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. | ||||
| CVE-2017-16202 | 1 Cofeescript Project | 1 Cofeescript | 2024-11-21 | N/A |
| The cofeescript module exfiltrates sensitive data such as a user's private SSH key and bash history to a third party server during installation. | ||||
| CVE-2017-16128 | 1 Npm-script-demo Project | 1 Npm-script-demo | 2024-11-21 | N/A |
| The module npm-script-demo opened a connection to a command and control server. It has been removed from the npm registry. | ||||
| CVE-2017-16081 | 1 Cross-env.js Project | 1 Cross-env.js | 2024-11-21 | N/A |
| cross-env.js was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | ||||
| CVE-2017-16080 | 1 Nodesass Project | 1 Nodesass | 2024-11-21 | N/A |
| nodesass was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | ||||
| CVE-2017-16079 | 1 Smb Project | 1 Smb | 2024-11-21 | N/A |
| smb was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | ||||
| CVE-2017-16078 | 1 Shadowsock Project | 1 Shadowsock | 2024-11-21 | N/A |
| shadowsock was a malicious module published with the intent to hijack environment variables. It has been unpublished by npm. | ||||