GHSA-J5W5-568X-RQ53 Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution

Summary A command injection vulnerability in the extractLLM function allows attackers to execute arbitrary shell commands on the server. The function constructs a curl command using string concatenation and passes it to execSync without proper sanitization, enabling remote code execution when the...

Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header

A flaw was found in Node.js. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request that includes a header named proto. When a Node.js application processes this request and attempts to access distinct headers, it encounters an unhandled error, leading to an...

Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Node.js

Summary Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Node.js. CVE-2026-32141, CVE-2026-0540, CVE-2026-2327, CVE-2026-27903, CVE-2026-27904. The vulnerabilities have been addressed. Vulnerability Details CVEID:CVE-2026-3214...

Important: Red Hat Security Advisory: nodejs:20 security update

An update for the nodejs:20 module is now available for Red Hat Enterprise Linux 9.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

Taint-Style Vulnerability Detection and Confirmation for Node.Js Packages Using LLM Agent Reasoning

The rapidly evolving Node$.$js ecosystem currently includes millions of packages and is a critical part of modern software supply chains, making vulnerability detection of Node$.$js packages increasingly important. However, traditional program analysis struggles in this setting because of dynamic...

RHEL 9 : nodejs:20 (RHSA-2026:9711)

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:9711 advisory. Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language...

Moderate: Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update

An update for Red Hat Hardened Images RPMs is now available. This update includes the following RPMs: nodejs20: nodejs20-20.20.2-1.hum1 aarch64, x8664 nodejs20-bin-20.20.2-1.hum1 noarch nodejs20-devel-20.20.2-1.hum1 aarch64, x8664 nodejs20-docs-20.20.2-1.hum1 noarch...

CLSA-2026-1776782592 nodejs: Fix of 2 CVEs

CVE-2026-26996: fix ReDoS in bundled minimatch caused by consecutive non-globstar characters, by coalescing them during pattern compilation - CVE-2026-27904: fix ReDoS in bundled minimatch from nested extglobs and multiple non-adjacent wildcards, by limiting globstar recursion...

AZL-13703 CVE-2023-23920 for package nodejs is not applicable

This CVE either no longer is or was never applicable...

SUSE SLES15 Security Update : nodejs22 (SUSE-SU-2026:1478-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1478-1 advisory. Update to version 22.22.2. - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism...

SUSE-SU-2026:1478-1 Security update for nodejs22

This update for nodejs22 fixes the following issues: Update to version 22.22.2. - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request bsc1260494. - CVE-2026-21716: incomplete fix for...

ROS-20260420-73-0038

Vulnerability in nodejs-minimatch related to the use of regular expression with inefficient computational complexity. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...

MiracleLinux 8 : nodejs:24 (AXSA:2026-465:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-465:01 advisory. nodejs: Nodejs denial of service CVE-2026-21637 minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-26996 undici:...

MiracleLinux 8 : nodejs:20 (AXSA:2026-464:01)

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-464:01 advisory. minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-26996 minimatch: Minimatch: Denial of Service via catastrophic...

OESA-2026-1953 nodejs security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

OESA-2026-1952 nodejs security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

OESA-2026-1951 nodejs security update

Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices...

MiracleLinux 9 : nodejs:24 (AXSA:2026-449:01)

The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2026-449:01 advisory. nodejs: Nodejs denial of service CVE-2026-21637 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-2554...

Oracle Linux 9 : nodejs:24 (ELSA-2026-7350)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2026-7350 advisory. nodejs 1:24.14.1-2 - Update bundled nghttp2 to 1.68.1 1:24.14.1-1 - Update to version 24.14.1 nodejs-nodemon 3.0.3-3 - Keep BR on just npm 3.0.3-2 - Fi...

ROS-20260417-73-0033

A vulnerability in the pskCallback and ALPNCallback functions of the Node.js software platform is related to incorrect resource sweep or release. Exploitation of the vulnerability could allow an attacker acting remotely to cause a denial of service...