CVE-2026-30925

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This...

CVE-2026-31808

file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF WMV/WMA file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value...

Parse Server 注入漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that supports Node.js. Versions of Parse Server prior to 9.5.2-alpha.13 and 8.6.26 have a vulnerability related to injection attacks. This vulnerability stems from the improper handlin...

CVE-2026-29074

SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansi...

CVE-2026-29074

SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansi...

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Node.js and LangChain

Summary Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Node.js and LangChain. CVE-2025-65945, CVE-2025-68664, CVE-2025-12758 The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2025-65945 DESCRIPTION:...

PT-2026-21744

Name of the Vulnerable Software and Affected Versions FUXA versions 1.2.8 and prior Description FUXA versions 1.2.8 and prior contain an Authentication Bypass issue that can lead to Remote Code Execution RCE. The issue resides in the server/api/jwt-helper.js middleware, which incorrectly relies o...

CVE-2026-26280

CVE-2026-26280 affects the systeminformation library for Node.js. In versions prior to 5.30.8, wifiNetworks() is vulnerable to command injection: if the initial interface input yields no results, a retry path calls getWifiNetworkListIw(iface) with the original, unsanitized iface value, which is p...

Node.js: Denial of Service via `__proto__` header name in `req.headersDistinct` (Uncaught `TypeError` crashes Node.js process)

Vulnerability description not provided...

CLSA-2026-1771236630 nodejs: Fix of CVE-2026-21637

CVE-2026-21637: route callback exceptions through error handlers...

RHSA-2026:2420 Red Hat Security Advisory: nodejs:24 security update

Bulletin has no description...

Spelling Checker for Visual Studio Code 安全漏洞

Spelling Checker for Visual Studio Code is a simple source code spell checker developed by Street Side Software. Versions of Spelling Checker for Visual Studio Code prior to v4.5.4 contained a security vulnerability. This vulnerability stemmed from improper handling of trust flags, which could...

Cross-User Data Leakage

jsPDF is vulnerable to Cross-User Data Leakage. The vulnerability is due to use of a shared module-scoped variable in the addJS method, where JavaScript content is stored globally in the Node.js build, allowing concurrent PDF generation requests to overwrite each other’s data and cause one user’s...

RLSA-2026:1843 Important: nodejs22 security update

Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed...

nodejs: Nodejs denial of service

A denial of service flaw has been discovered in NodeJS. A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of...

GHSA-HG6J-8H7M-3W3J vulnerabilities

Vulnerabilities for packages: nodejs...

BIT-NODE-MIN-2026-21637

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths tlsClientError and error, causing either immediate...

BIT-NODE-2025-59466

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when asynchooks.createHook is enabled. Instead of reaching process.on'uncaughtException', the process terminates, making the crash unrecoverable. Applications that rely on...

Azure Linux 3.0 Security Update: nodejs (CVE-2025-23083)

The version of nodejs installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-23083 advisory. - With the aid of the diagnosticschannel utility, an event can be hooked into whenever a worker thread is...

CVE-2026-21636

A flaw in Node.js's permission model allows Unix Domain Socket UDS connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs such as URLs or socketPath options can connect to arbitrary local sockets via net, tls, or undici/fetch...