29 matches found

ATTACKERKB
added 6 days ago · 5 views

CVE-2026-46510

form-data-objectizer converts FormData to an object. Prior to 1.0.1, form-data-objectizer walks bracket-notation form keys, e.g. name[sub], into nested objects without filtering __proto__, constructor, or prototype. A single HTTP form field whose name starts with __proto__... causes the library to mutate...

CVSS 8.2 · AI score 5.8 · EPSS 0.00042
Exploits 0 · References 3 · Affected Software 1
OSV
added 2026/05/28 12:00 a.m. · 3 views

MAL-2026-5014 Malicious code in @mlspace/dtransfer-history (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

AI score 5.8
Exploits 0 · References 1
RedHat Linux
added 2026/04/13 2:27 a.m. · 2 views

undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter

A flaw was found in the undici WebSocket client. A remote malicious server can exploit this vulnerability by sending a WebSocket frame with an invalid server_max_window_bits parameter within the permessage-deflate extension. This improper validation causes the client's Node.js process to terminate,...

CVSS 7.5 · AI score 7.1 · EPSS 0.00175
Exploits 0 · References 9
NVD
added 2026/04/10 8:16 p.m. · 2 views

CVE-2026-40190

LangSmith Client SDKs provide SDKs for interacting with the LangSmith platform. Prior to 0.5.18, the LangSmith JavaScript/TypeScript SDK langsmith contains an incomplete prototype pollution fix in its internally vendored lodash set utility. The baseAssignValue function only guards against the...

CVSS 5.6 · EPSS 0.00018
Exploits 0 · References 1
CERT
added 2026/02/10 12:00 a.m. · 5 views

CASL Ability contains a prototype pollution vulnerability

Overview: A prototype pollution vulnerability present in CASL Ability versions 2.4.0 through 6.7.4 is triggered through the rulesToFields function in the extra module. The program’s library contains a method called setByPath that does not properly sanitize property names, allowing attackers to add...

CVSS 9.8 · AI score 6.2 · EPSS 0.00025
Exploits 0 · References 3
EUVD
added 2025/10/07 12:30 a.m. · 1 view

EUVD-2019-4598

Malware in sbrugna...

CVSS 8.2 · AI score 8.1 · EPSS 0.00349
Exploits 1 · References 3
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2025-15702

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 7.8 · EPSS 0.00302
Exploits 0 · References 1
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2024-1878

Malicious code in bioql PyPI...

CVSS 7.3 · AI score 7.3 · EPSS 0.00136
Exploits 0 · References 5
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2023-1610

Malicious code in bioql PyPI...

CVSS 6.5 · AI score 6.6 · EPSS 0.01086
Exploits 0 · References 7
Tenable Nessus
added 2025/07/19 12:00 a.m. · 3 views

CBL Mariner 2.0 Security Update: nodejs / nodejs18 (CVE-2025-23166)

The version of nodejs / nodejs18 installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-23166 advisory. - The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied...

CVSS 7.5 · AI score 7.8 · EPSS 0.00302
Exploits 0 · References 2
Positive Technologies
added 2025/07/09 12:00 a.m. · 1 view

PT-2025-28958 · Builder.Io · @Builder.Io/Qwik-City

Name of the Vulnerable Software and Affected Versions: @builder.io/qwik-city versions prior to 1.13.0. Description: The @builder.io/qwik-city meta-framework for Qwik is susceptible to an issue where improper handling of invalid qfunc during the execution of a Qwik Server Action QRL can lead to a...

CVSS 9.2 · AI score 6.4 · EPSS 0.0015
Exploits 0 · References 10
RedhatCVE
added 2025/05/23 10:20 a.m. · 5 views

CVE-2024-38372

Undici is an HTTP/1.1 client, written from scratch for Node.js. Depending on network and process conditions of a fetch request, response.arrayBuffer might include a portion of memory from the Node.js process. This has been patched in v6.19.2...

CVSS 2 · AI score 6.8 · EPSS 0.00355
Exploits 0
Cvelist
added 2025/05/19 1:25 a.m. · 21 views

CVE-2025-23166

The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary...

CVSS 7.5 · EPSS 0.00302
Exploits 0 · References 1
Tenable Nessus
added 2025/03/05 12:00 a.m. · 9 views

Linux Distros Unpatched Vulnerability : CVE-2024-21536

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Versions of the package http-proxy-middleware before 2.0.7, and from 3.0.0 before 3.0.3, are vulnerable to Denial of Service (DoS) due to an...

CVSS 7.5 · AI score 7.9 · EPSS 0.00364
Exploits 1 · References 2
RedhatCVE
added 2024/10/21 5:32 a.m. · 15 views

CVE-2024-21536

A flaw was found in the http-proxy-middleware package. Affected versions of this package are vulnerable to denial of service (DoS) due to an UnhandledPromiseRejection error thrown by micromatch. This flaw allows an attacker to kill the Node.js process and crash the server by requesting certain path...

CVSS 7.5 · AI score 7.1 · EPSS 0.00364
Exploits 1 · References 7
Vulnrichment
added 2023/05/08 8:21 p.m. · 8 views

CVE-2023-31125 Uncaught exception in engine.io

Engine.IO is the implementation of the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. An uncaught exception vulnerability was introduced in version 5.1.0 and included in version 4.1.0 of the socket.io parent package. Older versions are not impacted. A...

CVSS 6.5 · AI score 6.6 · EPSS 0.01086
Exploits 0 · References 4
Prion
added 2022/11/22 1:15 a.m. · 12 views

Cross site scripting

Engine.IO is the implementation of the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io...

CVSS 4 · AI score 6.5 · EPSS 0.02169
Exploits 1 · References 3 · Affected Software 1
Veracode
added 2022/01/13 9:39 a.m. · 19 views

Denial Of Service (DoS)

engine.io is vulnerable to denial of service (DoS) attacks. A remote attacker is able to cause denial of service conditions by ending the node.js process using a specially crafted HTTP request to trigger an uncaught exception in the onWebSocket function...

CVSS 7.5 · AI score 1.5 · EPSS 0.04106
Exploits 0 · References 9 · Affected Software 1
Prion
added 2022/01/12 7:15 p.m. · 12 views

Cross site scripting

Engine.IO is the implementation of the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io...

CVSS 5 · AI score 7.6 · EPSS 0.04106
Exploits 0 · References 8 · Affected Software 1
Vulnrichment
added 2022/01/12 6:25 p.m. · 4 views

CVE-2022-21676 Uncaught Exception in engine.io

Engine.IO is the implementation of the transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. A specially crafted HTTP request can trigger an uncaught exception on the Engine.IO server, thus killing the Node.js process. This impacts all the users of the engine.io...

CVSS 7.5 · AI score 7.1 · EPSS 0.04106
Exploits 0 · References 8