4411 matches found
HAXcms with nodejs backend Security Vulnerability
HAXcms with nodejs backend is an open source backend management system from HAX The Web. A security vulnerability exists in HAXcms with nodejs backend version 11.0.6 and earlier: JWT checking is disabled in the default configuration, which can lead to authentication bypass...
PT-2025-30359 · Unknown · Haxcms-Nodejs
Name of the Vulnerable Software and Affected Versions: HAX CMS NodeJS versions 11.0.9 and below Description: HAX CMS NodeJS is distributed with hardcoded default credentials for user and superuser accounts and default private keys for JWTs. Users are not prompted to change these credentials or...
CLSA-2025-1752922753 nodejs: Fix of CVE-2024-27983
CVE-2024-27983: ensure to close stream when destroying session to prevent memory leak...
CBL Mariner 2.0 Security Update: nodejs / nodejs18 (CVE-2025-23166)
The version of nodejs / nodejs18 installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-23166 advisory. - The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied...
NodeJS 24.x - Path Traversal
Exploit Title : NodeJS 24.x - Path Traversal
Exploit Author : Abdualhadi khalifa
CVE : CVE-2025-27210

The exploit script is cut off in the search snippet; the visible fragment, with the identifiers de-garbled, is:

```python
import argparse
import requests
import urllib.parse
import json
import sys


def exploit_path_traversal_precise(target_url: str, target_file: str, method: str) -> dict:
    # Six Windows-style parent-directory steps, as shown in the snippet
    traverse_sequence = "..\\" * 6
    ...
```
AZL-65583 CVE-2025-7656 affecting package nodejs18 for versions less than 18.20.3-8
Integer overflow in V8 in Google Chrome prior to 138.0.7204.157 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Chromium security severity: High...
CVE-2025-53642 haxcms-nodejs and haxcms-php Improperly Terminate Sessions
haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulnerability is fixed in 11.0.6...
In Node.js, the `ReadFileUtf8` internal binding leaks memory due to a corrupted pointer in `uv_fs_s.file`: a UTF-16 path buffer is allocated but subsequently overwritten when the file descriptor is set. This results in an unrecoverable memory leak on every call. Repeated use can cause unbounded memory growth, leading to a denial of service. Impact: * This vulnerability affects APIs relying on `ReadFileUtf8` on Node.js release lines: v20 and v22.
HAXcms with nodejs backend Code Issue Vulnerability
HAXcms with nodejs backend is an open source backend management system from HAX The Web. A code issue vulnerability exists in HAXcms with nodejs backend that stems from improper session termination, which can lead to unauthorized access...
Azure Linux 3.0 Security Update: nodejs / nodejs18 (CVE-2025-47279)
The version of nodejs / nodejs18 installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-47279 advisory. - Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applicatio...
CBL Mariner 2.0 Security Update: nodejs / nodejs18 (CVE-2025-47279)
The version of nodejs / nodejs18 installed on the remote CBL Mariner 2.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-47279 advisory. - Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applicatio...
CVE-2025-23165 affecting package nodejs for versions less than 20.14.0-9
CVE-2025-23165 affecting package nodejs for versions less than 20.14.0-9. A patched version of the package is available...
CVE-2025-23166 affecting package nodejs for versions less than 20.14.0-9
CVE-2025-23166 affecting package nodejs for versions less than 20.14.0-9. A patched version of the package is available...
CVE-2025-47279 affecting package nodejs for versions less than 20.14.0-8
CVE-2025-47279 affecting package nodejs for versions less than 20.14.0-8. A patched version of the package is available...
Node.js Sandbox MCP Server Security Vulnerability
Node.js Sandbox MCP Server is a Model Context Protocol server based on Node.js by the individual developer Alfonso Graziano. A security vulnerability exists in Node.js Sandbox MCP Server versions prior to 1.3.0 that stems from command injection and can lead to remote code execution...
Fedora 42 : nodejs-bash-language-server / nodejs-pnpm (2025-69a1acbbc0)
The remote Fedora 42 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2025-69a1acbbc0 advisory. Update pnpm to version 10.9.0 to fix CVE-2024-47829, and nodejs-bash-language-server to version 5.6.0. Tenable has extracted the preceding description block...
nodejs-electron-35.6.0-1.2 on GA media (moderate)
nodejs-electron-35.6.0-1.2 on GA media Announcement ID: openSUSE-SU-2025:15249-1 Rating: moderate Cross-References: CVE-2025-5419 Affected Products: openSUSE Tumbleweed An update that solves one vulnerability can now be installed. Description: These are all security issues fixed in the...
OPENSUSE-SU-2025:15249-1 nodejs-electron-35.6.0-1.2 on GA media
These are all security issues fixed in the nodejs-electron-35.6.0-1.2 package on the GA media of openSUSE Tumbleweed...
MAL-2025-5535 Malicious code in pyroscope-nodejs (npm)
The package communicates with a domain associated with malicious activity. Source: ghsa-malware 0f63660c0844969995da8de5a83535772031d00f3247e8cbb5a40addbc21a234. Any computer that has this package installed or running should be considered...