83 matches found

Cvelist
added 2026/05/08 3:14 a.m., 26 views

CVE-2026-41646 Nuclei: Local File Read via require() Module Loader Bypass

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file acce...

CVSS 5.5, EPSS 0.00012
Exploits 0, References 3
Snyk
added 2026/04/29 9:0 p.m., 4 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload. A malicious actor compromised the package, enabling the attacker to publish tampered versions of the deep learning framework. Malicious Behavior The execution chain ru...

CVSS 9.8, AI score 6, EPSS 0.00062
Exploits 0, References 2
OSV
added 2026/04/22 7:58 p.m., 2 views

GHSA-29RG-WMCW-HPF4 Nuclei: Local File Read via require() Module Loader Bypass

A vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file access restriction. Affected Component The issue is in the JavaScript runtime's module loading system. The goja...

CVSS 5.5, AI score 6, EPSS 0.00012
Exploits 0, References 5
Tenable Nessus
added 2026/04/13 12:0 a.m., 3 views

Oracle Linux 10 : nodejs24 (ELSA-2026-7675)

The remote Oracle Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-7675 advisory. 1:24.14.1-2.0.1 - Update upstream references 1:24.14.1-2 - Update bundled nghttp2 to 1.68.1 1:24.14.1-1 - Update to version 24.14.1 Tenable has...

CVSS 9.8, AI score 5.9, EPSS 0.00175
Exploits 1, References 19
RedHat Linux
added 2026/04/09 1:4 p.m., 4 views

Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header

A flaw was found in Node.js. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request that includes a header named `__proto__`. When a Node.js application processes this request and attempts to access distinct headers, it encounters an unhandled error, leading to an...

CVSS 7.5, AI score 7.2, EPSS 0.00036
Exploits 0, References 5
OSV
added 2026/03/30 4:16 p.m., 1 view

ALPINE-CVE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process...

CVSS 5.7, AI score 6.2, EPSS 0.00033
Exploits 0, References 1
Vulnrichment
added 2026/03/30 3:13 p.m., 1 view

CVE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name (IDN) containing invalid characters, crashing the Node.js process...

CVSS 5.7, AI score 6.2, EPSS 0.00033
Exploits 0, References 2
RedhatCVE
added 2026/03/11 7:8 a.m., 0 views

CVE-2026-30925

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This...

CVSS 8.2, AI score 5.8, EPSS 0.00021
Exploits 0, References 1
ATTACKERKB
added 2026/03/06 5:48 p.m., 0 views

CVE-2026-29091

Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to...

CVSS 8.1, AI score 6.3, EPSS 0.00506
Exploits 1, References 3, Affected Software 1
RedHat Linux
added 2026/03/02 9:15 a.m., 1 view

firefox: thunderbird: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Information disclosure due to JIT miscompilation in the JavaScript Engine: JIT component...

CVSS 7.5, AI score 5.7, EPSS 0.00046
Exploits 0, References 6
OSV
added 2026/02/18 9:5 a.m., 3 views

RLSA-2026:2782 Important: nodejs:22 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Nodejs filesystem permissions bypass (CVE-2025-55132) nodejs: Nodejs denial of service (CVE-2026-21637) nodejs: Nodejs denial of service...

CVSS 7.5, AI score 5.6, EPSS 0.00109
Exploits 2, References 7
Fedora
added 2026/01/31 5:32 p.m., 4 views

[SECURITY] Fedora 43 Update: nodejs22-22.22.0-2.fc43

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed...

CVSS 9.1, AI score 7, EPSS 0.00109
Exploits 2
RedhatCVE
added 2026/01/22 6:14 a.m., 3 views

CVE-2026-23956

A flaw was found in seroval, a JavaScript (JS) value stringification library. A remote attacker could exploit this vulnerability by providing specially crafted regular expressions during deserialization. This could lead to the exhaustion of JavaScript runtime memory or trigger a Regular Expression...

CVSS 7.5, AI score 5.2, EPSS 0.00068
Exploits 0, References 5
Tenable Nessus
added 2026/01/20 12:0 a.m., 1 view

MiracleLinux 7 : rh-nodejs12-nodejs-nodemon-2.0.3-2.el7, rh-nodejs12-nodejs-12.22.2-1.el7 (AXSA:2021-2259:02)

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-2259:02 advisory. nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl CVE-2021-23362 nodejs-ssri: Regular expression DoS ReDoS...

CVSS 7.5, AI score 7.7, EPSS 0.02458
Exploits 3, References 5
EUVD
added 2025/11/12 4:29 a.m., 2 views

EUVD-2025-124345

Malicious code in nodejs-quito-deimos-publish npm...

AI score 6.6
Exploits 0
EUVD
added 2025/11/11 8:11 p.m., 3 views

EUVD-2025-105252

Malicious code in finalshrimpz3n npm...

AI score 6.6
Exploits 0
vulnersOsv
added 2025/10/30 5:13 p.m., 1 view

0pflow (>=0.1.0-dev.0de2bc6 <=0.1.0-dev.f5622ac), 10t-images-to-pdf (=1.0.3) +12585 more potentially affected by CVE-2025-64118 via tar (>=7.5.1 <=7.5.15)

tar NPM version =7.5.1, =0.1.0-dev.0de2bc6, =0.0.1, =3.1.2, =1.0.1, =4.11.0, =1.0.1, =1.31.1, =2.0.0, =0.1.0, =0.1.0, =1.7.0-beta.7, =0.1.0, =0.1.7 and more Source cves: CVE-2025-64118 Source advisory: SNYK:JS-TAR-13782958...

CVSS 6.1, AI score 6, EPSS 0.00005
Exploits 0
IBM Security Bulletins
added 2025/10/23 8:18 p.m., 2 views

Security Bulletin: multiple vulnerability in IBM Spectrum Symphony with Node.js

Summary multiple vulnerability in IBM Spectrum Symphony with Node.js Vulnerability Details CVEID:CVE-2024-27982 DESCRIPTION: The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling...

CVSS 8.2, AI score 7.7, EPSS 0.75933
Exploits 1, Affected Software 1
Tenable Nessus
added 2025/10/21 12:0 a.m., 2 views

Node.js Express DevMode Enabled

Node.js Express installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web applications, it can leak information about the underlying web applications as well as the installation of Express, Node.js. No source dat...

AI score 6.7
Exploits 0, References 1
EUVD
added 2025/10/03 8:7 p.m., 3 views

EUVD-2024-1083

Malicious code in bioql PyPI...

CVSS 5.3, AI score 5.5, EPSS 0.01668
Exploits 1, References 4