
7263 matches found

Positive Technologies
added 2026/01/21 12:0 a.m., 9 views

PT-2026-3793

Name of the Vulnerable Software and Affected Versions NodeBB Plugin Emoji version 3.2.1 Description The NodeBB Plugin Emoji version 3.2.1 has a flaw that allows administrative users to write files to arbitrary system locations. This is possible through the emoji upload API by manipulating the fil...

CVSS 8.6, AI score 5.9, EPSS 0.00664
Exploits: 0, References: 6

OSV
added 2026/01/20 9:16 p.m., 6 views

ALPINE-CVE-2025-55130

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files...

CVSS 9.1, AI score 5.8, EPSS 0.00489
Exploits: 2, References: 1

CVE
added 2026/01/20 8:41 p.m., 58 views

CVE-2025-55130

The CVE-2025-55130 entry describes a path traversal bypass in Node.js permission model: crafted relative symlink paths can cause reads/writes outside the allowed directory when --allow-fs-read/--allow-fs-write checks pass, enabling read/write of sensitive files and potential system compromise. Af...

CVSS 9.1, AI score 5.8, EPSS 0.00489
Exploits: 2, References: 1, Affected Software: 1

OSV
added 2026/01/20 1:15 a.m., 3 views

UBUNTU-CVE-2026-23950

node-tar, a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3. This is due to an incomplete handling of Unicode path collisions in the path-reservations system. On case-insensitive or normalization-insensitive filesystems such as macOS APFS, in which it has...

CVSS 8.8, AI score 5.8, EPSS 0.00153
Exploits: 1, References: 5

Tenable Nessus
added 2026/01/20 12:0 a.m., 4 views

MiracleLinux 9 : xz-5.2.5-8.el9 (AXSA:2022-3977:03)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2022-3977:03 advisory. gzip: arbitrary-file-write vulnerability CVE-2022-1271 Tenable has extracted the preceding description block directly from the MiracleLinux security advisory...

CVSS 8.8, AI score 8.2, EPSS 0.04062
Exploits: 0, References: 2

Tenable Nessus
added 2026/01/20 12:0 a.m., 8 views

MiracleLinux 9 : dotnet6.0-6.0.125-1.el9_3.ML.1 (AXSA:2023-7090:29)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-7090:29 advisory. dotnet: Arbitrary File Write and Deletion Vulnerability: FormatFtpCommand CVE-2023-36049 dotnet: ASP.NET Security Feature Bypass Vulnerability in...

CVSS 9.8, AI score 8.3, EPSS 0.12512
Exploits: 0, References: 3

Tenable Nessus
added 2026/01/20 12:0 a.m., 4 views

MiracleLinux 9 : rsync-3.2.3-9.el9.2 (AXSA:2022-4046:07)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2022-4046:07 advisory. rsync: remote arbitrary files write inside the directories of connecting peers CVE-2022-29154 Tenable has extracted the preceding description block directly...

CVSS 7.4, AI score 8.5, EPSS 0.0165
Exploits: 1, References: 2

Tenable Nessus
added 2026/01/20 12:0 a.m., 7 views

MiracleLinux 9 : dotnet8.0-8.0.100-2.el9_3.ML.1 (AXSA:2024-7409:03)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7409:03 advisory. dotnet: Arbitrary File Write and Deletion Vulnerability: FormatFtpCommand CVE-2023-36049 dotnet: ASP.NET Security Feature Bypass Vulnerability in...

CVSS 9.8, AI score 5.6, EPSS 0.12512
Exploits: 0, References: 3

Tenable Nessus
added 2026/01/20 12:0 a.m., 2 views

MiracleLinux 7 : gzip-1.5-11.el7 (AXSA:2022-3181:02)

The remote MiracleLinux 7 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2022-3181:02 advisory. gzip: arbitrary-file-write vulnerability CVE-2022-1271 Tenable has extracted the preceding description block directly from the MiracleLinux security advisory...

CVSS 8.8, AI score 8.2, EPSS 0.04062
Exploits: 0, References: 2

Tenable Nessus
added 2026/01/20 12:0 a.m., 3 views

MiracleLinux 7 : xz-5.2.2-2.el7 (AXSA:2022-3278:01)

The remote MiracleLinux 7 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2022-3278:01 advisory. gzip: arbitrary-file-write vulnerability CVE-2022-1271 Tenable has extracted the preceding description block directly from the MiracleLinux security advisory...

CVSS 8.8, AI score 5.6, EPSS 0.04062
Exploits: 0, References: 2

Tenable Nessus
added 2026/01/20 12:0 a.m., 4 views

MiracleLinux 8 : xz-5.2.4-4.el8 (AXSA:2022-3662:02)

The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2022-3662:02 advisory. gzip: arbitrary-file-write vulnerability CVE-2022-1271 Tenable has extracted the preceding description block directly from the MiracleLinux security advisory...

CVSS 8.8, AI score 8.5, EPSS 0.04062
Exploits: 0, References: 2

Tenable Nessus
added 2026/01/20 12:0 a.m., 6 views

MiracleLinux 7 : rh-nodejs8-nodejs-8.17.0-2.el7 (AXSA:2020-200:01)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-200:01 advisory. nodejs-brace-expansion: Regular expression denial of service CVE-2017-18077 nodejs-chownr: TOCTOU vulnerability in chownr function in chownr.js...

CVSS 9.8, AI score 8.4, EPSS 0.03342
Exploits: 4, References: 8

Tenable Nessus
added 2026/01/20 12:0 a.m., 9 views

MiracleLinux 8 : dotnet8.0-8.0.100-2.el8.ML.1 (AXSA:2024-7380:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7380:01 advisory. dotnet: Arbitrary File Write and Deletion Vulnerability: FormatFtpCommand CVE-2023-36049 dotnet: ASP.NET Security Feature Bypass Vulnerability in...

CVSS 9.8, AI score 5.6, EPSS 0.12512
Exploits: 0, References: 3

CNNVD
added 2026/01/20 12:0 a.m., 6 views

Node.js security vulnerabilities

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Versions 20, 22, 24, and 25 of Node.js contain security vulnerabilities. These vulnerabilities stem from flaws in the permission model, which could allow attackers to bypass file system...

CVSS 9.1, AI score 7.1, EPSS 0.00489
Exploits: 2, References: 2

Tenable Nessus
added 2026/01/20 12:0 a.m., 5 views

MiracleLinux 8 : libreoffice-6.4.7.2-15.el8.ML.1 (AXSA:2023-7259:06)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-7259:06 advisory. libreoffice: Empty entry in Java class path CVE-2022-38745 libreoffice: Array index underflow in Calc formula parsing CVE-2023-0950 libreoffice:...

CVSS 7.8, AI score 5.6, EPSS 0.65692
Exploits: 2, References: 5

Tenable Nessus
added 2026/01/20 12:0 a.m., 8 views

MiracleLinux 8 : dotnet6.0-6.0.125-1.el8.ML.1 (AXSA:2024-7361:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-7361:01 advisory. dotnet: Arbitrary File Write and Deletion Vulnerability: FormatFtpCommand CVE-2023-36049 dotnet: ASP.NET Security Feature Bypass Vulnerability in...

CVSS 9.8, AI score 8.3, EPSS 0.12512
Exploits: 0, References: 3

Tenable Nessus
added 2026/01/20 12:0 a.m., 3 views

MiracleLinux 8 : gzip-1.9-13.el8 (AXSA:2022-3155:01)

The remote MiracleLinux 8 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2022-3155:01 advisory. gzip: arbitrary-file-write vulnerability CVE-2022-1271 Tenable has extracted the preceding description block directly from the MiracleLinux security advisory...

CVSS 8.8, AI score 8.3, EPSS 0.04062
Exploits: 0, References: 2

Tenable Nessus
added 2026/01/20 12:0 a.m., 6 views

MiracleLinux 7 : rsync-3.1.2-11.el7 (AXSA:2022-3735:05)

The remote MiracleLinux 7 host has a package installed that is affected by a vulnerability as referenced in the AXSA:2022-3735:05 advisory. rsync: remote arbitrary files write inside the directories of connecting peers CVE-2022-29154 Tenable has extracted the preceding description block directly...

CVSS 7.4, AI score 8.6, EPSS 0.0165
Exploits: 1, References: 2

Tenable Nessus
added 2026/01/20 12:0 a.m., 4 views

MiracleLinux 7 : rh-nodejs12-nodejs-12.16.1-1.el7 (AXSA:2020-4480:02)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2020-4480:02 advisory. nodejs: HTTP request smuggling using malformed Transfer-Encoding header CVE-2019-15605 nodejs: Remotely trigger an assertion on a TLS server with a...

CVSS 9.8, AI score 8.4, EPSS 0.57132
Exploits: 2, References: 7

Tenable Nessus
added 2026/01/20 12:0 a.m., 7 views

MiracleLinux 9 : dotnet7.0-7.0.114-1.el9_3.ML.1 (AXSA:2023-7071:33)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2023-7071:33 advisory. dotnet: Arbitrary File Write and Deletion Vulnerability: FormatFtpCommand CVE-2023-36049 dotnet: ASP.NET Security Feature Bypass Vulnerability in...

CVSS 9.8, AI score 8.3, EPSS 0.12512
Exploits: 0, References: 3