Cvelist, added 2026/05/13 5:33 p.m., 27 views

CVE-2026-44007 vm2: nesting: true bypasses require: false, allowing sandbox escape to arbitrary OS command execution

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.1, when a NodeVM is created with nesting: true, sandbox code can unconditionally require 'vm2' regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM wi...

CVSS 9.1, EPSS 0.00047. Exploits: 1, References: 1
Cvelist, added 2026/05/13 5:31 p.m., 28 views

CVE-2026-44004 vm2: Host Process OOM DoS via Buffer.alloc (Timeout Bypass)

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, sandboxed code can call Buffer.alloc with an arbitrary size to allocate memory directly on the host heap. Because Buffer.alloc is a synchronous C++ native call, vm2's timeout option cannot interrupt it. A single request can exhaust ho...

CVSS 7.5, EPSS 0.00052. Exploits: 1, References: 1
Cvelist, added 2026/05/13 5:30 p.m., 28 views

CVE-2026-44003 vm2: Transformer Fast-Path Bypass Exposes Internal State Variable

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, vm2's code transformer has a performance optimization that skips AST analysis when the code does not contain catch, import, or async keywords. This fast-path bypass allows sandboxed code to directly access the internal...

CVSS 5.3, EPSS 0.00049. Exploits: 1, References: 1
CVE, added 2026/05/13 5:29 p.m., 20 views

CVE-2026-44001

Summary: CVE-2026-44001 affects vm2 before version 3.11.0, where a sandbox escape allows sandboxed code to crash the host Node.js process via an unhandled rejection from a Promise executor. The issue stems from the executor path not being sanitized, even though the earlier CVE-2026-22709 fix add...

CVSS 8.6, AI score 5.9, EPSS 0.00052. Exploits: 1, References: 1, Affected Software: 1
Vulnrichment, added 2026/05/13 5:21 p.m., 5 views

CVE-2026-43999 vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape

vm2 is an open source vm/sandbox for Node.js. Prior to 3.11.0, NodeVM's builtin allowlist can be bypassed when the module builtin is allowed, including via the '*' wildcard. The module builtin exposes Node's Module._load, which loads any module by name directly in the host context, completely...

CVSS 9.9, AI score 6.3, EPSS 0.00178. Exploits: 1, References: 1
CVE, added 2026/05/13 5:17 p.m., 18 views

CVE-2026-43997

CVE-2026-43997 affects the vm2 sandbox for Node.js. The vulnerability enables an attacker to obtain the host Object and escape the sandbox, potentially leading to arbitrary code execution (RCE). Affected versions were

CVSS 10, AI score 6, EPSS 0.00022. Exploits: 1, References: 1, Affected Software: 1
OSV, added 2026/05/13 5:16 p.m., 5 views

DRUPAL-CONTRIB-2026-034

The Node view permissions module enables the permissions "View own content" and "View any content" for each content type on the permissions page. The module doesn't sufficiently handle the case where a user is cancelled and their content is reassigned to the anonymous user. This vulnerability is mitigated by...

CVSS 3.7, AI score 5.8, EPSS 0.00037. Exploits: 0, References: 1
CVE, added 2026/05/13 5:01 p.m., 38 views

CVE-2026-44578

CVE-2026-44578 affects Next.js self-hosted deployments using the built-in Node.js server. The issue enables server-side request forgery via crafted WebSocket upgrade requests, allowing an attacker to proxy requests to internal or external destinations and potentially expose internal services or c...

CVSS 8.6, AI score 5.9, EPSS 0.07215. Exploits: 8, References: 1, Affected Software: 1
OSSF Malicious Packages, added 2026/05/13 4:39 p.m., 7 views

Malicious code in chia-network (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis c7439a1ad4a50c3852597bd31aaf7a3f15c53c2cb9f124b9b350e55517b5f592 The OpenSSF Package Analysis project identified 'chia-network' @ 1.0.0 npm as malicious. It is considered malicious because: - The package...

AI score 5.8. Exploits: 0
HackRead, added 2026/05/13 3:18 p.m., 6 views

TeamPCP Used Mini Shai-Hulud Worm to Poison Over 400 npm and PyPI Packages

Research reveals that TeamPCP hijacked OIDC tokens to poison hundreds of TanStack, Mistral AI, and UiPath packages with the self-propagating Mini Shai-Hulud worm...

AI score 5.8. Exploits: 0
Snyk, added 2026/05/13 2:14 p.m., 3 views

Malicious Package

Overview: buffer-export is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.8. Exploits: 0, References: 2
OSV, added 2026/05/13 2:14 p.m., 4 views

MAL-2026-3658 Malicious code in load-bufferjs (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 04d9f5ba202651d252a375411cf609db6f9a7ae83f164f6f2e66559a6dff5b92 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 5.8. Exploits: 0, References: 1
OSSF Malicious Packages, added 2026/05/13 2:14 p.m., 6 views

Malicious code in load-bufferjs (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 04d9f5ba202651d252a375411cf609db6f9a7ae83f164f6f2e66559a6dff5b92 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 5.8. Exploits: 0, References: 1
OSV, added 2026/05/13 2:03 p.m., 4 views

MAL-2026-3657 Malicious code in chai-as-streamed (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware fef1582aa7fb15599bd48e6f077be4d1a577d3916cf2c2650893f0406ede8ea3 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 5.8. Exploits: 0, References: 1
Chainguard, added 2026/05/13 1:18 p.m., 11 views

CVE-2026-44292 vulnerabilities

Vulnerabilities for packages: renovate, homepage, gemini-cli, vitess, kibana, cadence-web, opentelemetry-auto-instrumentations-node, librechat, pulumi, kubeflow-centraldashboard...

CVSS 5.3, AI score 5.6, EPSS 0.00084. Exploits: 0
Chainguard, added 2026/05/13 1:18 p.m., 6 views

GHSA-FX83-V9X8-X52W vulnerabilities

Vulnerabilities for packages: renovate, homepage, gemini-cli, vitess, kibana, cadence-web, opentelemetry-auto-instrumentations-node, librechat, pulumi, kubeflow-centraldashboard...

AI score 5.2. Exploits: 0
Chainguard, added 2026/05/13 1:18 p.m., 10 views

CVE-2026-44293 vulnerabilities

Vulnerabilities for packages: renovate, homepage, gemini-cli, vitess, kibana, cadence-web, opentelemetry-auto-instrumentations-node, librechat, pulumi, kubeflow-centraldashboard...

CVSS 8.8, AI score 5.1, EPSS 0.00058. Exploits: 0
Chainguard, added 2026/05/13 1:18 p.m., 7 views

CVE-2026-44294 vulnerabilities

Vulnerabilities for packages: renovate, homepage, gemini-cli, vitess, kibana, cadence-web, opentelemetry-auto-instrumentations-node, librechat, pulumi, kubeflow-centraldashboard...

CVSS 5.3, AI score 5.6, EPSS 0.00044. Exploits: 0
Chainguard, added 2026/05/13 1:18 p.m., 24 views

CVE-2026-44289 vulnerabilities

Vulnerabilities for packages: renovate, homepage, gemini-cli, vitess, kibana, cadence-web, opentelemetry-auto-instrumentations-node, librechat, pulumi, kubeflow-centraldashboard...

CVSS 7.5, AI score 5.6, EPSS 0.00058. Exploits: 0
Chainguard, added 2026/05/13 1:18 p.m., 12 views

CVE-2026-44291 vulnerabilities

Vulnerabilities for packages: renovate, homepage, gemini-cli, vitess, kibana, cadence-web, opentelemetry-auto-instrumentations-node, librechat, pulumi, kubeflow-centraldashboard...

CVSS 8.1, AI score 5.6, EPSS 0.00023. Exploits: 0