RHCOS 3 : OpenShift Container Platform 3.11 (RHSA-2018:3537)

The remote Red Hat Enterprise Linux CoreOS 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:3537 advisory. - kibana: Cross-site scripting via the source field formatter CVE-2018-3830 - nodejs: Out of bounds OOB write via UCS-2 encoding...

Astra Linux – Vulnerability in Node.js

A vulnerability in Node.js has been identified, allowing for a Denial of Service DoS attack through resource exhaustion when using the fetch function to retrieve content from an untrusted URL. The vulnerability arises from the fact that the fetch function in Node.js always decodes Brotli, making ...

Astra Linux – Vulnerability in Node.js

A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not...

PT-2026-36847

Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.10.5 Description An insufficient fix in the sandbox implementation allows attackers to bypass security restrictions, enabling them to escape the VM2 sandbox and execute arbitrary commands on the host system. This is...

Uncontrolled Recursion

Axios is vulnerable to uncontrolled recursion. The vulnerability is due to the toFormData function recursively processing deeply nested objects without a depth limit, which allows an attacker to supply specially crafted input that triggers a stack overflow and crashes the Node.js process...

Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2026-1616)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1616 advisory. A flaw was found in zlib. An attacker providing specially crafted input to the crc32combine64 or crc32combinegen64 functions could trigger an infinite loop within the x2nmodp function. This leads to...

Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2026-1608)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2026-1608 advisory. A flaw was found in zlib. An attacker providing specially crafted input to the crc32combine64 or crc32combinegen64 functions could trigger an infinite loop within the x2nmodp function. This leads to...

Low: nodejs20

Issue Overview: A flaw was found in zlib. An attacker providing specially crafted input to the crc32combine64 or crc32combinegen64 functions could trigger an infinite loop within the x2nmodp function. This leads to excessive CPU consumption, which can result in a Denial of Service DoS for the...

Amazon Linux 2023 : nodejs24, nodejs24-devel, nodejs24-full-i18n (ALAS2023-2026-1609)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1609 advisory. @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service DoS issue caused by unbound...

xsslab

Dalfox XSS Lab Stored XSS / second-order XSS laboratory for i...

Tenable Identity Exposure < 3.77.17 Multiple Vulnerabilities (TNS-2026-11)

The version of the Tenable Identity Exposure running on the remote host is prior to 3.77.17. It is, therefore, affected by multiple vulnerabilities according to advisory TNS-2026-11: - A flaw in Node.js's Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictio...

CVE-2026-41324

A flaw was found in basic-ftp, an FTP client for Node.js. A malicious or compromised remote FTP server can exploit this vulnerability by sending an extremely large or never-ending directory listing response. This can cause the client process to consume an unbounded amount of memory, leading to...

CVE-2026-42040

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the encode function in lib/helpers/AxiosURLSearchParams.js contains a character mapping charMap at line 21 that reverses the safe percent-encoding of null bytes. After encodeURIComponent'\x00' correctly...

CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

CVE-2026-42039

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and...

CVE-2026-42041

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library is vulnerable to a Prototype Pollution "Gadget" attack that allows any Object.prototype pollution to silently suppress all HTTP error responses 401, 403, 500, etc., causing them to be...

CVE-2026-41324

basic-ftp is an FTP client for Node.js. Versions prior to 5.3.0 are vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to...

Basic FTP 资源管理错误漏洞

Basic FTP is a Node.js FTP client library developed by Patrick Juchli. Versions of Basic FTP prior to 5.3.0 contained a resource management vulnerability. This vulnerability stemmed from unlimited memory growth when processing directory lists, which could lead to a denial-of-service attack...

CLSA-2026-1776939108 nodejs: Fix of CVE-2026-21714

CVE-2026-21714: fix HTTP/2 Http2Session memory leak triggered by a connection-level WINDOWUPDATE that overflows the flow control window...

CVE-2026-41180

PsiTransfer is an open source, self-hosted file sharing solution. Prior to version 2.4.3, the upload PATCH flow under /files/:uploadId validates the mounted request path using the still-encoded req.path, but the downstream tus handler later writes using the decoded req.params.uploadId. In...