CVE-2026-30827
A flaw was found in express-rate-limit. The default key generator incorrectly applies IPv6 subnet masking to IPv4-mapped IPv6 addresses, which are used when an IPv4 client connects to a dual-stack server. This misconfiguration causes all IPv4 traffic to be treated as a single entity for rate...
CVE-2026-30827 express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting (all IPv4 clients share one bucket on dual-stack servers)
express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking /56 by default to all addresses that net.isIPv6 returns true for. Th...
CVE-2026-30827
express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking /56 by default to all addresses that net.isIPv6 returns true for. Th...
express-rate-limit security vulnerability
Express-Rate-Limit is a request frequency limiting middleware developed by Express Rate Limit. Versions prior to 8.0.0, 8.1.1, 8.2.2, and 8.3.0 of Express-Rate-Limit have security vulnerabilities. These vulnerabilities stem from the improper application of subnet masks by the default key generato...
Allocation of Resources Without Limits or Throttling
Overview: express-rate-limit is a basic IP rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the ipKeyGenerator...
@chrisleekr/mcp-server-playground (>=1.1.0-dev-1d08adb.1 <=1.1.0-dev-ff904e8.1) potentially affected by CVE-2026-30827 via express-rate-limit (=8.0.1)
express-rate-limit NPM version =8.0.1 is affected by a known vulnerability. The following packages have a transitive dependency on express-rate-limit and may be impacted: - @chrisleekr/mcp-server-playground =1.1.0-dev-1d08adb.1, =1.1.0-dev-ff904e8.1 Source cves: CVE-2026-30827 Source advisory:...
@igea/oac_backend (>=1.0.35 <=1.0.113), @igea/oac_frontend (>=1.0.31 <=1.0.109) +12 more potentially affected by CVE-2026-30827 via express-rate-limit (=8.1.0)
express-rate-limit NPM version =8.1.0 is affected by a known vulnerability. The following packages have a transitive dependency on express-rate-limit and may be impacted: - @igea/oac_backend =1.0.35, =1.0.31, =7.0.0, =2.0.0-test.19, =0.1.0, =0.29.0, =0.16.0, =0.42.0, =0.27.0, =0.42.0, =0.70.0,...
@chrisleekr/mcp-server-playground (>=1.1.0 <=1.1.2-dev-ed23132.1), @intlayer/backend (>=7.0.9-canary.2 <=7.5.9) +29 more potentially affected by CVE-2026-30827 via express-rate-limit (=8.2.1)
express-rate-limit NPM version =8.2.1 is affected by a known vulnerability. The following packages have a transitive dependency on express-rate-limit and may be impacted: - @chrisleekr/mcp-server-playground =1.1.0, =7.0.9-canary.2, =1.597.450, =4.0.0, =3.1.0, =0.0.1-canary.1, =0.42.0, =0.20.0,...
GHSA-46WH-PXPV-Q5GQ express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network
Summary: The default keyGenerator in express-rate-limit applies IPv6 subnet masking /56 by default to all addresses that net.isIPv6 returns true for. This includes IPv4-mapped IPv6 addresses ::ffff:x.x.x.x, which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all...
PT-2026-23791
Name of the Vulnerable Software and Affected Versions: express-rate-limit versions 8.0.0 through 8.0.1; express-rate-limit versions 8.1.0 through 8.1.1; express-rate-limit versions 8.2.0 through 8.2.1. Description: The default keyGenerator in express-rate-limit incorrectly applies IPv6 subnet masking ...
CVE-2026-3452
Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to...
CVE-2026-1651
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflowids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This...
Unity Linux 20.1070a Security Update: kernel (UTSA-2026-005617)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005617 advisory. In the Linux kernel, the following vulnerability has been resolved: PCI/ASPM: Disable ASPM on MFD function removal to avoid use-after-free Struct...
org.webjars.npm:nestjs__platform-express (>=8.4.7 <=9.0.0-next.2) potentially affected by CVE-2026-3520 via org.webjars.npm:multer (=1.4.4-lts.1)
org.webjars.npm:multer MAVEN version =1.4.4-lts.1 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:multer and may be impacted: - org.webjars.npm:nestjs__platform-express =8.4.7, =9.0.0-next.2 Source cves: CVE-2026-3520 Source advisory:...
Deserialization of Untrusted Data
Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data via the columns parameter in the Express Entry List block configuration. An attacker can execute arbitrary code on the server by injecting crafted serialized data that is later processed without proper...