ROOT-APP-NPM-CVE-2026-1526 CVE-2026-1526 in @rootio/undici - Patched by Root

Root has patched CVE-2026-1526 in the @rootio/undici package for Root:npm. Multiple fixed versions available...

RHEL 9 : nodejs:22 (RHSA-2026:7983)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7983 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

nodejs22 security update

An update is available for nodejs22. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Node.js is a platform built on Chrome's JavaScript runtime \ for easily...

Important: Red Hat Security Advisory: nodejs:24 security update

An update for the nodejs:24 module is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

@01.software/cli (>=0.1.1 <=0.2.0-dev.260310.cf511cb), @01.software/sdk (>=0.0.1-251008.90016 <=0.3.0) +383 more potentially affected by CVE-2026-1526 via undici (>=7.0.0 <=7.22.0)

undici NPM version =7.0.0, =0.1.1, =0.0.1-251008.90016, =0.0.6, =0.0.1, =0.0.2, =0.0.33, =0.0.1, =1.0.0, =21.0.0, =21.0.0, =0.5.0, =1.0.1, =2.8.7 and more Source cves: CVE-2026-1526 Source advisory: OSV:GHSA-VRM6-8VPV-QV8Q...

0utmailauth (=1.0.0), 0xsodium (>=0.2.0 <=0.14.0) +13853 more potentially affected by CVE-2026-1526 via undici (>=0.3.3 <=6.23.0)

undici NPM version =0.3.3, =0.2.0, =1.0.0, =0.2.0, =0.4.0, =0.1.0, =0.0.1, =1.0.21, =1.0.1, =2.1.0, =2.1.1 and more Source cves: CVE-2026-1526 Source advisory: OSV:GHSA-VRM6-8VPV-QV8Q...

Linux Distros Unpatched Vulnerability : CVE-2026-1526

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSock...

org.webjars.npm:actions__core (>=1.10.0 <=1.11.1), org.webjars.npm:actions__http-client (>=2.2.1 <=2.2.3) +14 more potentially affected by CVE-2026-1526 via org.webjars.npm:undici (>=4.12.2 <=5.29.0)

org.webjars.npm:undici MAVEN version =4.12.2, =1.10.0, =2.2.1, =0.1.16, =0.1.28 - org.webjars.npm:elasticelasticsearch =8.6.0 - org.webjars.npm:elastictransport =8.3.1 - org.webjars.npm:firebase =10.13.0 - org.webjars.npm:firebaseauth =1.7.7 - org.webjars.npm:firebaseauth-compat =0.5.12 -...

CVE-2026-1526

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit...

CVE-2026-1526 undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit...