398 matches found
ROOT-APP-NPM-CVE-2026-27959 CVE-2026-27959 in @rootio/koa - Patched by Root
Root has patched CVE-2026-27959 in the @rootio/koa package for Root:npm. Multiple fixed versions available...
CVE-2026-9495
Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...
CVE-2026-9495
CVE-2026-9495 affects the npm package @koa/router, specifically versions 14.0.0 and earlier than 15.0.0. The issue is an Access Control Bypass caused by middleware being silently dropped from the execution chain when the router prefix contains path parameters. This can enable bypass of authentica...
CVE-2026-9495
Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...
CVE-2026-9495
Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...
EUVD-2026-31792
Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...
CVE-2026-9495
Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...
@koa/router 安全漏洞
@koa/router is a routing middleware developed by Koa.js. Versions from 14.0.0 to 15.0.0 of @koa/router had a security vulnerability. This vulnerability occurred when the router prefix contained path parameters, causing the middleware to silently discard requests, which could lead to access contro...
PT-2026-43190
Versions of the package @koa/router from 14.0.0 and before 15.0.0 are vulnerable to Access Control Bypass due to the middleware being silently dropped from the execution chain when the router prefix contains path parameters. Depending on what the skipped middleware was supposed to protect, an...
MAL-2026-4571 Malicious code in get-deps-path (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65fa6f34a831aa832f9d88019ce3d0f4011701df6ab0667bd263645208c978ce On require, get-deps-path immediately invokes getPlugin, which performs an HTTP fetch to https://jsonkeeper.com/b/QBRMI an anonymous public paste hos...
Malicious code in get-deps-path (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 65fa6f34a831aa832f9d88019ce3d0f4011701df6ab0667bd263645208c978ce On require, get-deps-path immediately invokes getPlugin, which performs an HTTP fetch to https://jsonkeeper.com/b/QBRMI an anonymous public paste hos...
EUVD-2026-25618
Budibase is an open-source low-code platform. Prior to 3.35.4, the authenticated middleware uses unanchored regular expressions to match public no-auth endpoint patterns against ctx.request.url. Since ctx.request.url in Koa includes the query string, an attacker can access any protected endpoint ...
Malicious Package
Overview koa-v3 is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...
Malicious code in koa-v3 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5868e3008cddae6f0d4f1594e5f22c25d905ca6e32b915c4b527ad2ed77cce7f The package koa-v3 was found to contain malicious code. Source: ghsa-malware 16ed2d5a3189595a73eb117e70d2a31ba6ed920704a2917c7f83aacb8b5f42d1 Any...
MAL-2026-2838 Malicious code in koa-v3 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 5868e3008cddae6f0d4f1594e5f22c25d905ca6e32b915c4b527ad2ed77cce7f The package koa-v3 was found to contain malicious code. Source: ghsa-malware 16ed2d5a3189595a73eb117e70d2a31ba6ed920704a2917c7f83aacb8b5f42d1 Any...
Security Bulletin: IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to loss of confidentiality (CVE-2026-27959)
Summary Node.js module Koa is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container DesignerAuthoring operands are vulnerable to loss of confidentiality. This bulletin provides patch information to address the reported vulnerability in Node.js modu...
EUVD-2026-8816
Koa has Host Header Injection via ctx.hostname...
3dshex (>=0.1.0 <=0.5.3), 91jin (>=0.1.4 <=0.1.8) +2024 more potentially affected by CVE-2026-27959 via koa (>=0.0.1 <=2.16.3)
koa NPM version =0.0.1, =0.1.0, =0.1.4, =1.0.0, =1.0.0, =0.1.0, =0.0.4, =3.10.1, =3.7.0, =0.0.1, =0.2.9, =4.25.19-patch.1, =4.25.19-patch.3 - @ant-design-vue/tools =1.0.1 and more Source cves: CVE-2026-27959 Source advisory: OSV:GHSA-7GCC-R8M5-44QM...
Koa has Host Header Injection via ctx.hostname
Summary Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol e.g., evil.com:[email protected] is received,...
GHSA-7GCC-R8M5-44QM Koa has Host Header Injection via ctx.hostname
Summary Koa's ctx.hostname API performs naive parsing of the HTTP Host header, extracting everything before the first colon without validating the input conforms to RFC 3986 hostname syntax. When a malformed Host header containing a @ symbol e.g., evil.com:[email protected] is received,...