4389 matches found

Cvelist
added 2026/05/13 5:01 p.m., 33 views

CVE-2026-44578 Next.js: Server-side request forgery in applications using WebSocket upgrades

Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the serve...

CVSS 8.6, EPSS 0.37756
Exploits 9, References 1

CNNVD
added 2026/05/13 12:00 a.m., 6 views

vm2 code injection vulnerability

vm2 is a high-level virtual machine/sandbox for Node.js developed by Czech developer Patrik Simek. It runs untrusted code using built-in Node modules listed in the allowlist. Versions of vm2 prior to 3.11.0 had a code injection vulnerability, which was due to the access to...

CVSS 10, AI score 6.2, EPSS 0.00593
Exploits 1, References 1

OSV
added 2026/05/12 9:16 p.m., 8 views

UBUNTU-CVE-2026-44240

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before...

CVSS 7.5, AI score 5.9, EPSS 0.00465
Exploits 0, References 3

ATTACKERKB
added 2026/05/12 8:37 p.m., 5 views

CVE-2026-44240

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before...

CVSS 7.5, AI score 5.9, EPSS 0.00465
Exploits 0, References 2, Affected Software 1

vulnersOsv
added 2026/05/12 3:06 p.m., 9 views

10minions-engine (>=0.0.1 <=0.0.4), @0xr404/lol404 (>=1.1.0 <=1.1.6) +3362 more potentially affected by CVE-2026-44295 via protobufjs (>=7.0.0 <=7.5.5)

protobufjs NPM version =7.0.0, =0.0.1, =1.1.0, =1.0.1-beta.0, =0.0.2-beta.0, =1.0.0, =1.5.10, =0.10.1, =1.1.0, =6.0.0, =2.0.2, =3.3.2 and more Source cves: CVE-2026-44295 Source advisory: SNYK:JS-PROTOBUFJS-16643442...

CVSS 8.7, AI score 5.8, EPSS 0.00395
Exploits 0

Fedora
added 2026/05/08 7:29 p.m., 14 views

[SECURITY] Fedora 44 Update: nodejs22-22.22.2-3.fc44

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

CVSS 9.8, AI score 6.8, EPSS 0.13066
Exploits 0

NVD
added 2026/05/08 4:16 p.m., 8 views

CVE-2026-41690

18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that...

CVSS 8.6, EPSS 0.0031
Exploits 0, References 1

Redos
added 2026/05/08 12:00 a.m., 14 views

ROS-20260508-73-0014

Vulnerability in nodejs-minimatch related to the use of regular expression with inefficient computational complexity. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

CVSS 7.5, AI score 7.1, EPSS 0.00472
Exploits 1

Tenable Nessus
added 2026/05/08 12:00 a.m., 5 views

Node.js Module axios < 1.15.1 CRLF Injection (CVE-2026-42037)

The version of the axios Node.js module installed on the remote host is prior to 1.15.1. It is, therefore, affected by the following vulnerability: - CRLF injection in multipart/form-data body via unsanitized blob.type in formDataToStream. CVE-2026-42037 Note that Nessus has not tested for this...

CVSS 5.3, AI score 5.8, EPSS 0.0024
Exploits 1, References 2

Redos
added 2026/05/08 12:00 a.m., 11 views

ROS-20260508-73-0013

Vulnerability in nodejs-minimatch related to algorithmic complexity. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

CVSS 7.5, AI score 7.1, EPSS 0.00517
Exploits 1

Tenable Nessus
added 2026/05/08 12:00 a.m., 5 views

Fedora 44 : nodejs22 (2026-3b76d8047d)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-3b76d8047d advisory. Update to version 22.22.2 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

CVSS 9.8, AI score 7, EPSS 0.13066
Exploits 0, References 12

Tenable Nessus
added 2026/05/08 12:00 a.m., 7 views

Fedora 43 : nodejs22 (2026-e3f870229a)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-e3f870229a advisory. Update to version 22.22.2 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

CVSS 9.8, AI score 7, EPSS 0.13066
Exploits 0, References 12

Patchstack
added 2026/05/07 4:10 a.m., 7 views

NPM: vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)

NPM: vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection Process Crash DoS vulnerability discovered by ? in WordPress Npm vm2 versions = 3.10.5...

CVSS 8.6, AI score 5.8, EPSS 0.00339
Exploits 1, References 5, Affected Software 1

Tenable Nessus
added 2026/05/06 12:00 a.m., 6 views

RHCOS 3 : OpenShift Container Platform 3.11 (RHSA-2020:2992)

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:2992 advisory. - cri-o: infra container reparented to systemd following OOM Killer killing its conmon CVE-2019-14891 - nodejs-minimist: prototype...

CVSS 8.8, AI score 7.3, EPSS 0.05071
Exploits 8, References 15

EUVD
added 2026/05/05 4:23 p.m., 8 views

EUVD-2026-26986

VM2 Has Sandbox Breakout Through Promise Species...

CVSS 9.8, AI score 5.8, EPSS 0.00735
Exploits 1, References 4

Tenable Nessus
added 2026/05/05 12:00 a.m., 4 views

Fedora 44 : nodejs20 (2026-c99f9dc3b1)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-c99f9dc3b1 advisory. Update to version 20.20.2 ---- Automatic update for nodejs20-20.20.0-7.fc44. Tenable has extracted the preceding description block directly from the...

CVSS 7.5, AI score 7, EPSS 0.13066
Exploits 0, References 7

Tenable Nessus
added 2026/05/05 12:00 a.m., 3 views

Fedora 43 : nodejs20 (2026-9dc3a61ad8)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-9dc3a61ad8 advisory. Update to version 20.20.2 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not...

CVSS 9.8, AI score 7, EPSS 0.13066
Exploits 0, References 12

CVE
added 2026/05/04 4:37 p.m., 24 views

CVE-2026-26956

CVE-2026-26956 concerns the vm2 sandbox for Node.js. Affected: vm2 v3.10.4 allows full sandbox escape enabling arbitrary code execution when code runs inside VM.run(); attacker code can access the host process and execute host commands. Patch available in v3.10.5. Impact flags from CVSS indicate ...

CVSS 9.8, AI score 6, EPSS 0.00745
Exploits 1, References 2, Affected Software 1

ATTACKERKB
added 2026/05/04 4:35 p.m., 1 view

CVE-2026-26332

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0...

CVSS 9.8, AI score 5.9, EPSS 0.00576
Exploits 1, References 3, Affected Software 1

Cvelist
added 2026/05/04 4:35 p.m., 27 views

CVE-2026-26332 vm2: Sandbox Escape

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. This issue has been patched in version 3.11.0...

CVSS 9.8, EPSS 0.00576
Exploits 1, References 2