Lucene search
K

401 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 3 days ago4 views

Malicious code in tailwind-animate-v4 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd43366b04ea80c2244079c09602623af157ce00cba9ae1837005b97ffe44bdb The package presents itself as a Tailwind CSS animation plugin and reproduces the legitimate tailwindcss-animate source including its original author...

6.2AI score
Exploits0References5
RedHat Linux
RedHat Linux
added 6 days ago6 views

nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames

A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service...

7.5CVSS6.7AI score0.00656EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 6 days ago5 views

nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch

A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS Transport Layer Security hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security...

7.7CVSS7AI score0.00674EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 6 days ago6 views

nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling

A flaw was found in Node.js. This vulnerability in the TLS Transport Layer Security hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose...

9.8CVSS5.8AI score0.00405EPSS
Exploits0References7
OSV
OSV
added 2026/06/30 11:39 p.m.5 views

BIT-GHOST-2026-53948 Ghost: File Upload Content-Type Spoofing

Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On...

5.4CVSS5.5AI score0.00133EPSS
Exploits0References2
OSV
OSV
added 2026/06/29 5:48 a.m.5 views

BIT-NODE-MIN-2026-48935

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.3CVSS6.6AI score0.00154EPSS
Exploits0References2
OSV
OSV
added 2026/06/29 5:48 a.m.6 views

BIT-NODE-MIN-2026-48934

A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

4.3CVSS6.1AI score0.00258EPSS
Exploits0References2
SUSE CVE
SUSE CVE
added 2026/06/27 2:5 a.m.6 views

SUSE CVE-2026-13311

shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in On^2 time relative to the number of input tokens. An attacker who can supply an...

7.5CVSS6.3AI score0.0036EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/26 10:49 p.m.9 views

CVE-2026-48930

A flaw was found in Node.js. This vulnerability in the TLS Transport Layer Security hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose...

9.8CVSS6AI score0.00405EPSS
Exploits0References6
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/26 5:3 p.m.4 views

Security Bulletin: Vulnerabilities in Spring Security, Apache Tomcat, Netty, Lodash, Spring Framework and Node.js might affect IBM Storage Defender Copy Data Management

Summary IBM Storage Defender Copy Data Management can be affected by vulnerabilities in Spring Security, Apache Tomcat, Netty, Lodash, Spring Framework and Node.js. Vulnerabilities include the authentication, authorization, and other security controls being rendered inactive on intended requests,...

8.2CVSS7.3AI score0.01594EPSS
Exploits0Affected Software1
NVD
NVD
added 2026/06/26 2:16 a.m.9 views

CVE-2026-48934

A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

4.3CVSS0.00258EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 1:14 a.m.8 views

CVE-2026-48619

A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead to an Out of Memory error on the client. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

5.3CVSS6.5AI score0.00656EPSS
Exploits0References2Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/06/26 12:0 a.m.9 views

SUSE SLES15 Security Update : nodejs24 (SUSE-SU-2026:2633-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2633-1 advisory. This update for nodejs24 fixes the following issues Update to 24.17.0: - CVE-2026-2581: undici: Undici: Denial of Service due to...

9.8CVSS6.8AI score0.02806EPSS
Exploits3References64
NVD
NVD
added 2026/06/25 5:16 a.m.9 views

CVE-2026-13311

shell-quote prior to 1.8.5 finalizes parsed tokens in parse using Array.prototype.concat as a reduce accumulator, which reallocates and copies the entire growing array on every iteration. As a result parse runs in On^2 time relative to the number of input tokens. An attacker who can supply an...

8.7CVSS0.0036EPSS
Exploits0References2
OSV
OSV
added 2026/06/23 2:50 p.m.4 views

BIT-NODE-MIN-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

5.3CVSS6AI score0.00445EPSS
Exploits0References3
Tenable Nessus
Tenable Nessus
added 2026/06/20 12:0 a.m.15 views

Linux Distros Unpatched Vulnerability : CVE-2026-48931

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects al...

3.7CVSS6.3AI score0.00371EPSS
Exploits1References3
OSV
OSV
added 2026/06/18 7:16 p.m.7 views

UBUNTU-CVE-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

5.3CVSS6AI score0.00445EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/18 6:1 p.m.10 views

EUVD-2026-37928

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

5.3CVSS5.4AI score0.00445EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/06/15 12:0 a.m.16 views

Linux Distros Unpatched Vulnerability : CVE-2025-71330

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a...

8.7CVSS5.7AI score0.0043EPSS
Exploits1References2
OSV
OSV
added 2026/06/13 8:13 p.m.16 views

MAL-2026-5743 Malicious code in environment-gate (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 48e4ad756dbae70bb38049d363961eb27239c7cf18c6a92612579aeb818da7b1 The package's only export, gate, performs an HTTP GET to a base64-obfuscated URL https://www.jsonkeeper.com/b/VKUNI and passes the response body...

6.3AI score
Exploits0References2
Rows per page
Query Builder