CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

36 matches found

CNNVD•added 2026/05/13 12:0 a.m.•6 views

vm2 安全漏洞

vm2 is a high-level virtual machine/sandbox developed by Czech developer Patrik Simek. It runs untrusted code using Node’s built-in modules listed in the allowlist. Versions of vm2 prior to 3.11.0 have security vulnerabilities; these vulnerabilities stem from sandbox escape exploits, allowing...

8.6CVSS5.9AI score0.00052EPSS

Exploits1References2

RedhatCVE•added 2026/05/05 11:17 a.m.•1 views

CVE-2026-42039

A flaw was found in Axios, a promise-based HTTP client for browsers and Node.js. This vulnerability occurs because the toFormData function recursively processes nested objects without a depth limit. A remote attacker can exploit this by sending deeply nested request data, which causes the Node.js...

7.5CVSS5.8AI score0.00023EPSS

Exploits1References4

OPENSUSE Linux•added 2026/04/21 12:0 a.m.•3 views

Security update for cockpit (important)

openSUSE security update: security update for cockpit ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20504-1 Rating: important References: bsc1257836 bsc1258641 Cross-References: CVE-2026-25547 CVE-2026-26996 CVSS scores: CVE-2026-25547 SUSE : 7.5...

8.7CVSS5.7AI score0.00026EPSS

Exploits1References2

UbuntuCve•added 2026/03/27 10:16 p.m.•2 views

CVE-2026-33939

Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains decorator syntax referencing an unregistered decorator e.g. n, the compiled template calls lookupPropertydecorators, "n", which returns undefined. Th...

7.5CVSS5.9AI score0.00076EPSS

Exploits1References5

Github Security Blog•added 2026/03/27 6:21 p.m.•11 views

Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation

Summary When a Handlebars template contains decorator syntax referencing an unregistered decorator e.g. n, the compiled template calls lookupPropertydecorators, "n", which returns undefined. The runtime then immediately invokes the result as a function, causing an unhandled TypeError: ... is not ...

7.5CVSS6AI score0.00076EPSS

Exploits1References5Affected Software1

OSV•added 2026/03/27 6:21 p.m.•1 views

GHSA-9CX6-37PM-9JFF Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation

7.5CVSS6AI score0.00076EPSS

Exploits1References5

Debian CVE•added 2026/03/12 8:27 p.m.•1 views

CVE-2026-2229

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the servermaxwindowbits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. ...

7.5CVSS7.5AI score0.00175EPSS

Exploits0

CNNVD•added 2026/03/12 12:0 a.m.•4 views

flatted 安全漏洞

Flatted is a lightweight and fast cycle-based JSON parser developed by Andrea Giammarchi. Versions of Flatted prior to 3.4.0 contained a security vulnerability. This vulnerability stemmed from the recursive depth of the parse function when handling specially crafted payloads, which could lead to ...

7.5CVSS7.2AI score0.00022EPSS

Exploits1References4

CNNVD•added 2026/03/12 12:0 a.m.•2 views

undici 安全漏洞

Undici is an open-source HTTP/1.1 client developed by Node.js. Undici has a security vulnerability that stems from unlimited memory consumption during the decompression of permessage-deflate. This vulnerability could allow malicious WebSocket servers to send small compressed frames, causing the...

7.5CVSS6.8AI score0.00021EPSS

Exploits0References5

SUSE CVE•added 2026/02/07 12:23 a.m.•3 views

SUSE CVE-2026-25547

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service DoS issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, t...

7.5CVSS5.2AI score0.0002EPSS

Exploits0References31

Veracode•added 2026/01/28 7:57 a.m.•2 views

Denial Of Service (DoS)

Next.js is vulnerable to a Denial of Service DoS vulnerability. The vulnerability is due to unbounded request body buffering and unbounded decompression in the Partial Prerendering PPR resume endpoint, which allows an attacker to send specially crafted unauthenticated POST requests or compressed...

7.5CVSS5.9AI score0.0015EPSS

Exploits0References4Affected Software1

OSV•added 2026/01/26 10:15 p.m.•1 views

CVE-2025-59472

A denial of service vulnerability exists in Next.js versions with Partial Prerendering PPR enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related...

7.5CVSS5.8AI score

Exploits0References1

OSV•added 2026/01/20 9:16 p.m.•1 views

CVE-2025-59465

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not...

7.5CVSS5.9AI score

Exploits0References1