
175 matches found

CNNVD
added 2025/09/17 12:0 a.m., 1 view

parcel security vulnerability

parcel is a zero-configuration build tool for the web from Parcel open source. A security vulnerability exists in parcel 2.0.0-alpha and earlier versions, which stems from a source validation error that allows a malicious website to send XMLHTTPRequests to the development server and read the...

6.5 CVSS, 6.6 AI score, 0.00013 EPSS
Exploits 1, References 4
Vulnrichment
added 2025/09/17 12:0 a.m., 1 view

CVE-2025-56648

npm parcel 2.0.0-alpha and before has an Origin Validation Error vulnerability. Malicious websites can send XMLHTTPRequests to the application's development server and read the response to steal source code when developers visit them...

6.8 AI score, 0.00013 EPSS
Exploits 1, References 4
CVE
added 2025/09/17 12:0 a.m., 15 views

CVE-2025-56648

CVE-2025-56648 affects npm parcel 2.0.0-alpha and earlier, with an Origin Validation Error. The vulnerability allows a malicious site to send XMLHTTPRequests to the development server and read the response, potentially stealing source code when developers visit the site. The CVSSv3.1 base score i...

6.5 CVSS, 6.8 AI score, 0.00013 EPSS
Exploits 1, References 4, Affected Software 1
Positive Technologies
added 2025/09/17 12:0 a.m., 2 views

PT-2025-38252

Name of the Vulnerable Software and Affected Versions: parcel versions 2.0.0-alpha and earlier. Description: A security issue exists in Parcel that allows malicious websites to send XMLHTTPRequests to the application's development server and read the response, potentially leading to source code thef...

6.5 CVSS, 6.4 AI score, 0.00013 EPSS
Exploits 1, References 15
CNNVD
added 2025/09/08 12:0 a.m., 2 views

Vite access control error vulnerability

Vite is a new front-end build tool from Vite Open Source. An access control error vulnerability exists in Vite versions prior to 7.1.5, prior to 7.0.7, prior to 6.3.6, and prior to 5.4.20, which stems from explicitly exposing the Vite development server to the network resulting in arbitrary HTML...

5.3 CVSS, 6.4 AI score, 0.00027 EPSS
Exploits 1, References 6
Tenable Nessus
added 2025/09/01 12:0 a.m., 3 views

Linux Distros Unpatched Vulnerability : CVE-2025-48068

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may...

4.3 CVSS, 8 AI score, 0.00101 EPSS
Exploits 0, References 2
Cvelist
added 2025/08/21 4:3 p.m., 7 views

CVE-2025-57753 vite-plugin-static-copy files not included in `src` are accessible with a crafted request

vite-plugin-static-copy is rollup-plugin-copy for Vite with dev server support. Files not included in src are accessible with a crafted request. The vulnerability is fixed in 2.3.2 and 3.1.2...

6 CVSS, 0.00191 EPSS
Exploits 0, References 1
Tenable Nessus
added 2025/08/19 12:0 a.m., 2 views

Linux Distros Unpatched Vulnerability : CVE-2025-48050

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In DOMPurify through 3.2.5 before 6bc6d60, scripts/server.js does not ensure that a pathname is located under the current working directory. NOTE: the Supplier...

7.5 CVSS, 7.1 AI score, 0.00392 EPSS
Exploits 0, References 3
VulnCheck KEV
added 2025/08/18 12:0 a.m., 2 views

VulnCheck KEV: CVE-2025-54782

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API...

9.4 CVSS, 6.3 AI score, 0.35077 EPSS
In wild, Exploits 4, References 125
RedhatCVE
added 2025/08/04 9:33 a.m., 5 views

CVE-2025-54782

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API...

9.4 CVSS, 8.4 AI score, 0.35077 EPSS
Exploits 4, References 1
Positive Technologies
added 2025/08/04 12:0 a.m., 4 views

PT-2025-44787

Name of the Vulnerable Software and Affected Versions: React Native Community CLI versions 4.8.0 through 20.0.0-alpha.2. Description: The Metro Development Server, which is opened by the React Native Community CLI, binds to external interfaces by default. The server exposes an endpoint vulnerable to...

9.8 CVSS, 6.3 AI score, 0.2788 EPSS
Exploits 5, References 128
OSV
added 2025/08/01 6:43 p.m., 3 views

GHSA-85CG-CMQ5-QJM7 @nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers

Summary: A critical Remote Code Execution (RCE) vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API endpoint that uses an unsafe JavaScript sandbox (safe-eval-like implementation). Due to improper...

9.4 CVSS, 7.4 AI score, 0.35077 EPSS
Exploits 4, References 8
GithubExploit
added 2025/07/24 7:31 p.m., 278 views

Exploit for CVE-2025-31486

Vite Path Traversal Lab CVE-2025-31486...

5.3 CVSS, 7.3 AI score, 0.04736 EPSS
Exploits 7
GithubExploit
added 2025/07/13 4:42 p.m., 218 views

Exploit for CVE-2025-31125

Vite Exploit CVE-2025-31125 Description: Exploits path tr...

5.3 CVSS, 7.3 AI score, 0.83244 EPSS
Exploits 9
Veracode
added 2025/07/10 5:44 a.m., 1 view

Information Disclosure

@cloudflare/vite-plugin is vulnerable to information disclosure. The vulnerability is due to the default configuration exposing all files via the local development server, which allows an attacker to access sensitive files like .env and .dev.vars that may contain secrets...

6.4 AI score
Exploits 0
OSV
added 2025/06/04 9:9 p.m., 0 views

GHSA-4V9V-HFQ4-RM2V webpack-dev-server users' source code may be stolen when they access a malicious web site

Summary: Source code may be stolen when you access a malicious web site. Details: Because the request for classic script by a script tag is not subject to same origin policy, an attacker can inject in their site and run the script. Note that the attacker has to know the port and the output entrypoi...

5.3 CVSS, 7 AI score, 0.00106 EPSS
Exploits 1, References 5
Snyk
added 2025/06/03 6:43 p.m., 0 views

Origin Validation Error

Overview: org.webjars.npm:webpack-dev-server uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Origin Validation Error via the Origin header, which allows IP address origins to conne...

7.1 CVSS, 6.7 AI score, 0.00039 EPSS
Exploits 1, References 2
Cvelist
added 2025/05/30 3:37 a.m., 26 views

CVE-2025-48068 Information exposure in Next.js dev server due to lack of origin verification

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects...

2.3 CVSS, 0.00101 EPSS
Exploits 0, References 2
CNNVD
added 2025/05/30 12:0 a.m., 3 views

Next.js security vulnerability

Next.js is a React framework open-sourced by Vercel. A security vulnerability exists in versions of Next.js prior to 13.0 through 15.2.2, which stems from a possible source code leak when the App Router is enabled on the development server...

4.3 CVSS, 8.9 AI score, 0.00101 EPSS
Exploits 0, References 3
GithubExploit
added 2025/05/29 1:27 p.m., 415 views

Exploit for CVE-2025-1461

Vuetify VCalendar XSS Vulnerability POC CVE-2025-1461 This...

5.6 CVSS, 6.3 AI score, 0.0025 EPSS
Exploits 1