https://vulnerability.circl.lu Contains only the most 10 recent sightings. http://www.rssboard.org/rss-specification python-feedgen en Thu, 11 Jun 2026 06:44:32 +0000 https://vulnerability.circl.lu/sighting/e86e92f8-0137-409f-89ba-bf48237ffc8c/export {"uuid": "e86e92f8-0137-409f-89ba-bf48237ffc8c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-63706", "type": "seen", "source": "https://gist.github.com/6en6ar/607368f1fc8fe429f03c6e0d9486ba72", "content": "\nProduct: https://www.npmjs.com/package/@jswork/next-npm-version\nVersion: v1.0.1\nVulnerability type: Command injection inside @jswork/next-npm-version through version 1.0.1\nCVE ID: CVE-2025-63706\n\nDescription: \nNPM package next-npm-version through function nx.npmVersion defined on line 19. inside index.js does not properly sanitize inName variable before it is passed to execSync which executes a command using npm show.\nAn attacker is able to inject code when calling npmVersion function to check the version of the npm package. This is possible because the code is not sanitizing inName variable before it is passed to child_process execSync. \nThis code uses npm show to cli command to execute the code.\n\nPayload used:\n\n> import '@jswork/next-npm-version';\n>\n> console.log(nx.npmVersion('node-ts-ocr && id #'));\n> // '2.6.0'\n>\n> This executes the 'id' command.", "creation_timestamp": "2026-05-06T19:59:28.000000Z"} {"uuid": "e86e92f8-0137-409f-89ba-bf48237ffc8c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-63706", "type": "seen", "source": "https://gist.github.com/6en6ar/607368f1fc8fe429f03c6e0d9486ba72", "content": "\nProduct: https://www.npmjs.com/package/@jswork/next-npm-version\nVersion: v1.0.1\nVulnerability type: Command injection inside @jswork/next-npm-version through version 1.0.1\nCVE ID: CVE-2025-63706\n\nDescription: \nNPM package next-npm-version through function nx.npmVersion defined on line 19. inside index.js does not properly sanitize inName variable before it is passed to execSync which executes a command using npm show.\nAn attacker is able to inject code when calling npmVersion function to check the version of the npm package. This is possible because the code is not sanitizing inName variable before it is passed to child_process execSync. \nThis code uses npm show to cli command to execute the code.\n\nPayload used:\n\n> import '@jswork/next-npm-version';\n>\n> console.log(nx.npmVersion('node-ts-ocr && id #'));\n> // '2.6.0'\n>\n> This executes the 'id' command.", "creation_timestamp": "2026-05-06T19:59:28.000000Z"} https://vulnerability.circl.lu/sighting/e86e92f8-0137-409f-89ba-bf48237ffc8c/export Wed, 06 May 2026 19:59:28 +0000