CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

103 matches found

OSSF Malicious Packages•added 2026/06/11 6:13 a.m.•9 views

Malicious code in twilio-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1 Package name twilio-sdk impersonates the official Twilio Node SDK twilio but ships an empty API module.exports = . The only real behavior runs in...

5.5AI score

Exploits0References9

RedhatCVE•added 2026/06/05 7:14 p.m.•8 views

CVE-2026-40931

Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...

8.4CVSS5.5AI score0.0024EPSS

Exploits2References1

vulnersOsv•added 2026/05/28 6:24 p.m.•5 views

@3onedata/alsatian (>=0.1.8-fix.3 <=0.1.8-fix.5), @agimon-ai/browse-tool (>=0.2.0 <=0.10.1) +271 more potentially affected by CVE-2026-47673 via hono (>=4.0.0 <=4.12.2)

hono NPM version =4.0.0, =0.1.8-fix.3, =0.2.0, =0.2.0, =0.4.0, =0.2.0, =0.1.4, =2026.4.4, =1.0.2, =0.0.1, =1.7.2, =1.7.1, =0.2.1, =0.6.1, =0.5.2, =0.5.4 - @babylen/legion =0.1.7 and more Source cves: CVE-2026-47673 Source advisory: SNYK:JS-HONO-17055751...

6.5CVSS5.4AI score0.00199EPSS

Exploits0

CVE•added 2026/05/12 8:28 p.m.•23 views

CVE-2026-44232

The CVE-2026-44232 entry concerns the Node.js library dssrf . The vulnerability, described across the CVE and related records, is that prior to version 1.3.0 every IPv6 category bypasses the is_url_safe check, enabling potential SSRF bypasses. The issue affects the dssrf functionality that guards...

8.7CVSS5.2AI score0.00349EPSS

Exploits0References1

NVD•added 2026/04/21 10:16 p.m.•3 views

CVE-2026-40931

8.4CVSS0.0024EPSS

Exploits2References1

OSV•added 2026/04/21 9:16 p.m.•4 views

DEBIAN-CVE-2026-40895

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...

7.5CVSS5.4AI score0.00296EPSS

Exploits0References1

UbuntuCve•added 2026/04/21 9:16 p.m.•5 views

CVE-2026-40895

7.5CVSS5.8AI score0.00296EPSS

Exploits0References4

Cvelist•added 2026/02/04 7:35 p.m.•28 views

CVE-2026-24884 Compressing Vulnerable to Arbitrary File Write via Symlink Extraction

Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...

8.4CVSS0.00334EPSS

Exploits1References3

EUVD•added 2026/02/04 7:35 p.m.•8 views

EUVD-2026-5368

8.4CVSS5.6AI score0.00334EPSS

Exploits1References3

OSV•added 2025/09/16 6:16 a.m.•2 views

UBUNTU-CVE-2025-59437

The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection...

3.2CVSS5.8AI score0.00115EPSS

Exploits0References2

OSV•added 2025/08/14 6:52 p.m.•2 views

MAL-2025-19029 Malicious code in dynalogin (npm)

The package dynalogin was found to contain malicious code...

7.2AI score

Exploits0

OSV•added 2025/08/14 6:52 p.m.•3 views

MAL-2025-25057 Malicious code in leaiss (npm)

The package leaiss was found to contain malicious code...

7.2AI score

Exploits0