CVE-2026-41324

basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to...

VulnCheck KEV: CVE-2025-69985

FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution RCE. The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can...

EUVD-2026-25166

Paperclip is a Node.js server and React UI that orchestrates a team of AI agents to run a business. Prior to version 2026.416.0, an unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in authenticated mode with default configuration...

Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header

A flaw was found in Node.js. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request that includes a header named proto. When a Node.js application processes this request and attempts to access distinct headers, it encounters an unhandled error, leading to an...

SUSE SLES15 Security Update : nodejs22 (SUSE-SU-2026:1509-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1509-1 advisory. Update to version 22.22.2. - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism...

Security Bulletin: Automation Assets in IBM Cloud Pak for Integration is vulnerable to multiple vulnerabilities in Node.js

Summary Automation Assets in IBM Cloud Pak for Integration is vulnerable to multiple vulnerabilities in Node.js and LangChain. CVE-2026-2359, CVE-2026-3304, CVE-2026-3520, CVE-2026-29063, CVE-2026-24001, CVE-2025-69873, CVE-2026-31808. The vulnerabilities have been addressed. Vulnerability Detail...

RockyLinux 10 : nodejs24 (RLSA-2026:7675)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:7675 advisory. nodejs: Nodejs denial of service CVE-2026-21637 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547...

[R3] Tenable Identity Exposure Version 3.77.17 Fixes Multiple Vulnerabilities

R3 Tenable Identity Exposure Version 3.77.17 Fixes Multiple Vulnerabilities Aaron Roy Tue, 04/14/2026 - 10:54 Tenable Identity Exposure leverages third-party software to help provide underlying functionality. Several of the third-party components .NET Windows Server Hosting, NodeJS, Erlang OTP, S...

nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix.

A flaw was found in Node.js. An incomplete security fix allows code operating under restricted file system write permissions to bypass these limitations. This vulnerability enables the modification of file permissions and ownership on already-open files, even when explicit write access is denied...

Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks

A flaw was found in Node.js. The Node.js Permission Model, designed to restrict network access, incorrectly omits permission checks for Unix Domain Socket UDS server operations. This allows local code, even when explicitly denied network access, to create and expose inter-process communication IP...

Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2026-1578)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1578 advisory. A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs,...

Oracle Linux 8 : nodejs:24 (ELSA-2026-7670)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-7670 advisory. nodejs 1:24.14.1-2 - Update bundled nghttp2 to 1.68.1 Related: RHEL-151374 1:24.14.1-1 - Update to 24.14.0 Resolves: RHEL-151374 nodejs-nodemon 3.0.3-1...

Important: nodejs:24 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Nodejs denial of service CVE-2026-21637 minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-26996 undici:...

RLSA-2026:7080 Important: nodejs22 security update

Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed...

RockyLinux 10 : nodejs22 (RLSA-2026:7080)

The remote RockyLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2026:7080 advisory. brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547 minimatch: minimatch: Denial of Service via...

CVE-2026-5483

A flaw was found in odh-dashboard in Red Hat Openshift AI. This vulnerability in the odh-dashboard component of Red Hat OpenShift AI RHOAI allows for the disclosure of Kubernetes Service Account tokens through a NodeJS endpoint. This could enable an attacker to gain unauthorized access to...

SUSE-SU-2026:21024-1 Security update for cockpit-machines

This update for cockpit-machines fixes the following issues: - CVE-2026-25547: brace-expansion: unbounded brace range expansion can lead to excessive resource consumption and crash a Node.js process bsc1257836. - CVE-2026-26996: minimatch: processing of glob pattern containing repeated wildcards...

AlmaLinux 10 : nodejs22 (ALSA-2026:7080)

The remote AlmaLinux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:7080 advisory. brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547 minimatch: minimatch: Denial of Service via...

undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter

A flaw was found in the undici WebSocket client. A remote malicious server can exploit this vulnerability by sending a WebSocket frame with an invalid servermaxwindowbits parameter within the permessage-deflate extension. This improper validation causes the client's Node.js process to terminate,...

Malicious code in kraken-trader (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 4bf5ec6e8a6020de1e122cf07f2dde0f02fa1a484ff984586db379729da75523 The package is a loader of malicious code disguised as remote "credits" code. The remote location, built from the parts in the code, delivers highly obfuscated...