Security Bulletin: IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service due to vulnerabilities in Node.js dependencies

Summary Node.js is used by IBM App Connect Enterprise Certified Container. IBM App Connect Enterprise Certified Container operands are vulnerable to denial of service. This bulletin provides patch information to address the reported vulnerabilities in Node.js modules ajv CVE-2025-69873, axios...

CVE-2026-34780

A flaw was found in Electron, a framework for building cross-platform desktop applications. An attacker capable of executing JavaScript in the main world, for instance through a cross-site scripting XSS vulnerability, could exploit this flaw. By passing VideoFrame objects from the WebCodecs API...

CVE-2026-21712

A flaw was found in Node.js. This vulnerability allows an attacker to cause a Denial of Service DoS by providing a malformed Internationalized Domain Name IDN to the url.format function. When processed, this malformed input triggers an internal error, causing the Node.js application to crash. Thi...

ALPINE-CVE-2026-21717

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the...

CVE-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

CVE-2026-21714

CVE-2026-21714 corresponds to a memory leak in the Node.js HTTP/2 server triggered by WINDOW_UPDATE on stream 0, leading to resource exhaustion. The issue affects HTTP/2 users on Node.js 20.x, 22.x, 24.x and 25.x and is addressed in the March 24, 2026 security releases for the affected release li...

CVE-2026-21711

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket UDS server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...

CVE-2026-21710

Summary: CVE-2026-21710 is a denial-of-service-type issue in Node.js HTTP request handling triggered by a header named __proto__ accessed via req.headersDistinct, which can cause an uncaught TypeError and crash the process when dest["proto "] resolves to Object.prototype and .push() is called on ...

ALPINE-CVE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...

CVE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...

CVE-2026-21712

creationtimestamp| type| source ---|---|--- 2026-03-25 03:00:00+00:00| seen| https://www.hkcert.org/security-bulletin/node-js-multiple-vulnerabilities20260325 2026-04-09 12:45:08+00:00| seen| https://bsky.app/profile/o2cloud.bsky.social/post/3mj2tlhrxnc2b...

CVE-2026-26830

pdf-image npm package through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format to interpolate user-controlled file paths into shell command strings that are executed via childprocess.e...

Malicious code in dotenv-express (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a2a64c0b295657e6373168223a6131c966f09e6c0b7a1e150b7deba779b75be The package dotenv-express was found to contain malicious code...

ROS-20260319-73-0005

Vulnerability in nodejs20 related to lack of memory release after effective lifetime. Exploitation of the vulnerability could allow an attacker to cause a denial of service...

PT-2026-26160

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be...

DSA-6166-1 nodejs - security update

Bulletin has no description...

Express - Node.js API with PostgreSQL 代码问题漏洞

Express - Node.js API with PostgreSQL is a RESTful API service developed by Jawher Kl, based on Node.js and PostgreSQL. There are code issues and vulnerabilities in versions 2.5 and earlier of Express - Node.js API with PostgreSQL. These vulnerabilities stem from incorrect operations on the...

Linux Distros Unpatched Vulnerability : CVE-2026-29074

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from...

@saasmakers/ui (>=0.1.88 <=0.1.117), @styleframe/app (>=0.0.1 <=0.1.1) +13 more potentially affected by CVE-2026-31860 via unhead (>=2.0.0-alpha.0 <=2.1.10)

unhead NPM version =2.0.0-alpha.0, =0.1.88, =0.0.1, =1.1.0, =2.0.0, =2.0.0, =2.0.0-alpha.0, =2.0.0, =2.0.0, =2.0.0, =1.2.0, =0.0.2, =0.17.0, =2.0.0-alpha.8, =0.1.0-beta.10, =0.1.0-beta.14 Source cves: CVE-2026-31860 Source advisory: SNYK:JS-UNHEAD-15627227...

CVE-2026-31988

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor data.length + 4 instead of cursor + 4 = data.length, allowing readUInt16LE to rea...