PT-2026-27482

Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 8.6.57 Parse Server versions prior to 9.6.0-alpha.48 Description An authenticated user can modify server-generated session fields, such as expiresAt and createdWith, when updating their own session through the RE...

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.60 and 9.6.0-alpha.54. These vulnerabilities stemmed from the ability for MFA recovery...

PT-2026-25367

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service DoS vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler...

DEBIAN-CVE-2026-2229

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the servermaxwindowbits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. ...

DEBIAN-CVE-2026-2581

This is an uncontrolled resource consumption vulnerability CWE-400 that can lead to Denial of Service DoS. In vulnerable Undici versions, when interceptors.deduplicate is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlle...

GHSA-GMQ8-994R-JV83 yauzl contains an off-by-one error

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor data.length + 4 instead of cursor + 4 = data.length, allowing readUInt16LE to rea...

Graphql-upload-minimal has a prototype pollution vulnerability.

Overview Version 1.6.1 of the Flash Payments package graphql-upload-minimal is vulnerable to prototype pollution. This vulnerability, located in the processRequest function, allows an attacker to inject special property names into the operations.variables object and pollute global object...

CVE-2026-31988 yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor data.length + 4 instead of cursor + 4 = data.length, allowing readUInt16LE to rea...

Path Traversal

Node.js is vulnerable to Path Traversal. The vulnerability is due to improper validation of relative symlink paths in the permissions model, allowing attackers to chain directories and symlinks to bypass --allow-fs-read and --allow-fs-write restrictions and access files outside the permitted...

CVE-2026-31808 file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header

file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF WMV/WMA file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value...

Vaadin: Specially crafted ZIP archives can escape the intended extraction directory

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin’s build process can automatically download and extract Node.js if it...

CVE-2026-2741

CVE-2026-2741 affects Vaadin’s build process which automatically downloads and extracts Node.js when not installed locally. A path traversal flaw in specially crafted ZIP archives can make files be written outside the intended extraction directory during Node.js download/extraction for Vaadin ver...

PT-2026-24603

Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost...

Siemens SIDIS Prime

SUMMARY SIDIS Prime before V4.0.800 is affected by multiple vulnerabilities in the components OpenSSL, SQLite, and several Node.js packages as described below. Siemens has released a new version of SIDIS Prime and recommends to update to the latest version. 2. GENERAL RECOMMENDATIONS As a...

CVE-2026-30925

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This...

EUVD-2026-10420

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By...

Multer 安全漏洞

Multer is an open-source middleware for Node.js developed by ExpressJS. Versions of Multer prior to 2.1.1 contained a security vulnerability caused by a stack overflow issue when handling malformed requests, which could lead to a denial-of-service attack...

Linux Distros Unpatched Vulnerability : CVE-2023-39331

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A previously disclosed vulnerability CVE-2023-30584 was patched insufficiently in commit 205f1e6. The new path traversal vulnerability arises because the...

Exploit for CVE-2025-1302

Research: jsonpath-plus RCE CVE-2025-1302 Analysis !Securi...

UBUNTU-CVE-2026-27699

The basic-ftp FTP client library for Node.js contains a path traversal vulnerability CWE-22 in versions prior to 5.2.0 in the downloadToDir method. A malicious FTP server can send directory listings with filenames containing path traversal sequences ../ that cause files to be written outside the...