
360 matches found

Positive Technologies
added 2 days ago | 7 views

PT-2026-45967

These are all security issues fixed in the libmozjs-115-0-115.15.0-9.1 package on the GA media of openSUSE Tumbleweed...

7.3 CVSS | 5.8 AI score | 0.00055 EPSS
Exploits 0 | References 2
Vulnrichment
added 2026/05/27 2:39 p.m. | 3 views

CVE-2026-42280 Improper Permission Checking in Auth.js SDK

Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0...

7.1 CVSS | 5.8 AI score | 0.00032 EPSS
Exploits 0 | References 1
CNNVD
added 2026/05/17 12:0 a.m. | 6 views

qs code issue vulnerability

QS is a JavaScript library developed by Jordan Harband. Versions of QS from 6.11.1 to 6.15.2 had code vulnerabilities. This vulnerability occurred when calling qs.stringify on an array containing null or undefined, with arrayFormat set to comma and encodeValuesOnly set to true. This resulted in a...

6.3 CVSS | 5.9 AI score | 0.00044 EPSS
Exploits 0 | References 1
Circl
added 2026/05/13 2:15 a.m. | 2 views

CVE-2026-45783

creationtimestamp | type | source
---|---|---
2026-05-13 02:15:12+00:00 | published-proof-of-concept | https://github.com/libp2p/js-libp2p/security/advisories/GHSA-32mq-hpph-xfvr...

5.8 AI score
Exploits 0 | References 1
Debian CVE
added 2026/05/12 7:43 p.m. | 7 views

CVE-2026-42338

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group and Address6.link do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage emitted by the Address6...

6.1 CVSS | 5.4 AI score | 0.00012 EPSS
Exploits 1
Patchstack
added 2026/05/12 3:1 p.m. | 5 views

NPM: protobuf.js: Process-wide denial of service through unsafe option paths

NPM: protobuf.js: Process-wide denial of service through unsafe option paths vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...

7.5 CVSS | 5.8 AI score | 0.00104 EPSS
Exploits 0 | References 5 | Affected Software 1
vulnersOsv
added 2026/04/10 8:8 p.m. | 2 views

0xpay-cc-sdk (>=0.0.8 <=0.1.0), 0xtrails (=0.0.0-canary-3a59770274bcb6f3bebd5d1b93a2c92d1fc4edbd) +7941 more potentially affected by CVE-2026-40175 via axios (>=1.0.0 <=1.14.0)

axios NPM version =1.0.0, =0.0.8, =0.1.0, =1.1.0, =0.1.0, =1.0.21, =0.1.4, =0.1.0, =1.0.10, =1.0.10, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =1.1.0-beta.18 and more Source cves: CVE-2026-40175 Source advisory: SNYK:JS-AXIOS-15969258...

4.8 CVSS | 6.8 AI score | 0.00063 EPSS
Exploits 5
CNNVD
added 2026/04/01 12:0 a.m. | 4 views

Official Clerk JavaScript SDKs code issue vulnerability

The Official Clerk JavaScript SDKs are an open-source repository for Clerk authentication purposes. These SDKs have code-related vulnerabilities. The vulnerability stems from the clerkFrontendApiProxy function in @clerk/backend, which involves server-side request forgery. This could allow...

7.4 CVSS | 5.8 AI score | 0.00025 EPSS
Exploits 0 | References 1
vulnersOsv
added 2026/03/27 6:20 p.m. | 2 views

4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3647 more potentially affected by CVE-2026-33938 via handlebars (>=4.0.0 <=4.7.8)

handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: CVE-2026-33938 Source advisory: SNYK:JS-HANDLEBARS-15803082...

8.1 CVSS | 6.3 AI score | 0.00048 EPSS
Exploits 1
EUVD
added 2026/03/23 6:30 a.m. | 1 views

EUVD-2026-14377

Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature witho...

9.4 CVSS | 5.8 AI score | 0.00024 EPSS
Exploits 1 | References 5
NVD
added 2026/03/23 6:16 a.m. | 2 views

CVE-2026-4603

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations e.g., verify and encryption to collapse to...

5.9 CVSS | 0.00012 EPSS
Exploits 1 | References 4
vulnersOsv
added 2026/03/18 4:18 p.m. | 3 views

0xkit (=0.0.1), 0xpass (>=0.0.11 <=0.1.26) +7269 more potentially affected by unknown CVE via h3 (>=1.0.1 <=1.15.5)

h3 NPM version =1.0.1, =0.0.11, =0.0.2, =0.1.0, =1.1.0, =0.1.0, =0.1.0, =1.0.21, =2.0.0, =0.1.4, =0.1.0, =1.0.10, =1.0.11 and more Source cves: unknown CVE Source advisory: SNYK:JS-H3-15683856...

5.8 AI score
Exploits 0
OSV
added 2026/03/18 12:43 p.m. | 1 views

MAL-2026-1687 Malicious code in chain-cli-promised (npm)

Source: amazon-inspector 8f7e399daf13fda688fc1a6bb911c0bf7582ef52fff3eb5af58fbd8c0934b88a. The package chain-cli-promised was found to contain malicious code...

5.8 AI score
Exploits 0
NVD
added 2026/03/18 4:17 a.m. | 1 views

CVE-2026-31938

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The vulnerability can be exploited in the followi...

9.6 CVSS | 0.00051 EPSS
Exploits 0 | References 3
vulnersOsv
added 2026/03/12 2:19 p.m. | 4 views

@saasmakers/ui (>=0.1.88 <=0.1.117), @styleframe/app (>=0.0.1 <=0.1.1) +13 more potentially affected by CVE-2026-31860 via unhead (>=2.0.0-alpha.0 <=2.1.10)

unhead NPM version =2.0.0-alpha.0, =0.1.88, =0.0.1, =1.1.0, =2.0.0, =2.0.0, =2.0.0-alpha.0, =2.0.0, =2.0.0, =2.0.0, =1.2.0, =0.0.2, =0.17.0, =2.0.0-alpha.8, =0.1.0-beta.10, =0.1.0-beta.14 Source cves: CVE-2026-31860 Source advisory: SNYK:JS-UNHEAD-15627227...

6.1 CVSS | 5.8 AI score | 0.0002 EPSS
Exploits 1
RedHat Linux
added 2026/03/09 2:6 a.m. | 1 views

firefox: thunderbird: Integer overflow in the JavaScript: Standard Library component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Integer overflow in the JavaScript: Standard Library component...

9.8 CVSS | 5.8 AI score | 0.00024 EPSS
Exploits 0 | References 6
CNNVD
added 2026/03/06 12:0 a.m. | 2 views

Immutable collections for JavaScript security vulnerability

Immutable Collections for JavaScript is an open-source immutable data collection library developed by Immutable.js. There were security vulnerabilities in versions prior to 3.8.3, 4.3.7, and 5.1.5 of Immutable Collections for JavaScript. These vulnerabilities stemmed from prototype pollution issu...

9.8 CVSS | 7 AI score | 0.0008 EPSS
Exploits 1 | References 6
ATTACKERKB
added 2026/02/24 1:33 p.m. | 1 views

CVE-2026-2762

Integer overflow in the JavaScript: Standard Library component. This vulnerability affects Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8...

9.8 CVSS | 5.9 AI score | 0.00024 EPSS
Exploits 0 | References 6
CNNVD
added 2026/02/10 12:0 a.m. | 2 views

CASL security vulnerability

CASL is a JavaScript library developed by Serhii Stotskyi. Versions 2.4.0 to 6.7.4 of CASL contain security vulnerabilities, which stem from prototype pollution and may lead to logical errors or other attacks...

9.8 CVSS | 6 AI score | 0.00025 EPSS
Exploits 0 | References 5
vulnersOsv
added 2026/02/08 3:1 p.m. | 1 views

003-gas-convert (=1.0.1), 0x-hunter-core (>=1.0.0 <=1.0.1-5) +13827 more potentially affected by CVE-2026-2739 via bn.js (>=4.10.3 <=4.12.0)

bn.js NPM version =4.10.3, =1.0.0, =0.0.3, =0.0.3, =0.0.11, =1.1.0, =0.0.2, =0.9.9, =0.10.33 - 108-gas-convert =1.0.0 - 2.typescript-init =1.0.0 - 260f-check-balance =1.0.0 - 260f-gas-convert =1.0.0 and more Source cves: CVE-2026-2739 Source advisory: SNYK:JS-BNJS-15274301...

6.9 CVSS | 5.8 AI score | 0.00022 EPSS
Exploits 0