4389 matches found
PT-2026-48489
Name of the Vulnerable Software and Affected Versions: aws-cdk-lib versions prior to 2.245.0; aws-cdk-lib versions prior to 2.246.0 (Windows). Description: OS command injection exists in the NodejsFunction local bundling pipeline. An actor who controls the value of one or more bundling...
AWS Cloud Development Kit OS Command Injection Vulnerability
AWS Cloud Development Kit is an open-source software development framework developed by Amazon Web Services. It is used to define cloud infrastructure in code and configure it using AWS CloudFormation. Versions of the AWS Cloud Development Kit prior to 2.245.0 contained a vulnerability related to...
CVE-2025-71319 image-size 2.0.2 Denial of Service via Infinite Loop in JXL/HEIF Parser
image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted image buffer with a zero-valued size field in a recognized box-type. Attackers can trigger an infinite loop in the JXL or...
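HEIF files and the JXL container are sequences of ISO BMFF style boxes, so a size field of zero is exactly the input that stalls a parser which advances by the declared size. The block below is an added example, not image-size code: a small box walker with a forward-progress check, plus the naive step that shows why the original loop never terminates. All buffers are constructed.

```javascript
// Added example, not image-size code: a minimal walker over ISO BMFF style boxes
// (4-byte big-endian size, 4-byte type, optional 8-byte largesize when size == 1),
// showing why a zero size field stalls a naive `offset += size` loop and how a
// forward-progress check prevents it. All buffers below are constructed.

function boxHeader(buf, offset) {
  if (offset + 8 > buf.length) return null;            // truncated header
  let size = buf.readUInt32BE(offset);
  const type = buf.toString('latin1', offset + 4, offset + 8);
  let headerLen = 8;
  if (size === 1) {                                     // 64-bit largesize follows
    if (offset + 16 > buf.length) return null;
    const large = buf.readBigUInt64BE(offset + 8);
    if (large > BigInt(Number.MAX_SAFE_INTEGER)) throw new Error('largesize out of range');
    size = Number(large);
    headerLen = 16;
  } else if (size === 0) {                              // spec: box runs to end of file
    size = buf.length - offset;
  }
  return { type, size, headerLen };
}

// The naive step: with a zero size field and no special case, the next offset equals
// the current one, so `while (offset < buf.length)` never terminates.
function naiveNextOffset(buf, offset) {
  return offset + buf.readUInt32BE(offset);
}

// Hardened walker: every box must be at least as long as its own header and must fit
// in the buffer, so the offset strictly increases or the parse fails.
function listBoxes(buf, maxBoxes = 1024) {
  const boxes = [];
  let offset = 0;
  while (offset < buf.length) {
    const h = boxHeader(buf, offset);
    if (h === null) throw new Error(`truncated box header at ${offset}`);
    if (h.size < h.headerLen) throw new Error(`box '${h.type}' size ${h.size} shorter than its header at ${offset}`);
    if (offset + h.size > buf.length) throw new Error(`box '${h.type}' overruns buffer`);
    boxes.push({ type: h.type, offset, size: h.size });
    if (boxes.length > maxBoxes) throw new Error('too many boxes');
    offset += h.size;                                   // strictly greater than before
  }
  return boxes;
}

// Builds a box with an explicit (possibly bogus) size field; constructed test data.
function makeBox(type, payload, declaredSize = 8 + payload.length) {
  const header = Buffer.alloc(8);
  header.writeUInt32BE(declaredSize, 0);
  header.write(type, 4, 4, 'latin1');
  return Buffer.concat([header, payload]);
}

// Constructed inputs: a well-formed pair of boxes, the same with a zero size field on
// the first box, and a box whose declared size is smaller than its own header.
const VALID = Buffer.concat([makeBox('ftyp', Buffer.from('heic')), makeBox('meta', Buffer.alloc(12))]);
const ZERO_SIZE = Buffer.concat([makeBox('ftyp', Buffer.from('heic'), 0), makeBox('meta', Buffer.alloc(12))]);
const SHORT_SIZE = makeBox('meta', Buffer.alloc(12), 4);
```

The `maxBoxes` cap is a second, independent bound: even if a future header variant slipped past the size check, the loop still cannot run unbounded on a buffer of a given length.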
Information Exposure
Axios is vulnerable to Information Exposure. The vulnerability is due to improper handling of the Proxy-Authorization header in the Node.js HTTP adapter, where proxy credentials can be retained across redirects and inadvertently sent to a redirected destination after the request is no longer rout...
nodejs24 security update
1:24.14.1-2.0.2 - Rebuild to correct NVR
1:24.14.1-2.0.1 - Update upstream references...
CVE-2026-41213
@node-oauth/oauth2-server is a module for implementing an OAuth2 server in Node.js. The token exchange path accepts RFC 7636-invalid code_verifier values, including one-character strings, for S256 PKCE flows. Because short/weak verifiers are accepted and failed verifier attempts do not consume the...
CVE-2026-44003
A flaw was found in vm2 before 3.11.0. A code transformer fast-path skips AST analysis when catch, import, and async are absent, allowing direct access to VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL and the internal security functions handleException, wrapWith, and import. Fixed in 3.11.0...
CVE-2026-43997
A flaw was found in vm2 before 3.11.0, a Node.js sandbox library. Sandboxed code can obtain the host Object (e.g. via HostObject.getOwnPropertySymbols and Symbol(nodejs.util.inspect.custom)), bypassing isolation and enabling arbitrary code execution on the host...
CVE-2026-46357
CVE-2026-46357 affects the HAX CMS NodeJS backend. An authenticated attacker can crash the NodeJS process by sending a malformed request to the remote import workflow via the createSite endpoint, causing an availability DoS with a single HTTP request. The crash originates from a file object without o...
CVE-2026-46395 HAX CMS Vulnerable to Private Key Disclosure via Broken HMAC Implementation
HAX CMS helps manage microsite universe with PHP or NodeJs backends. Prior to version 26.0.0, the hmacBase64 function in the HAXcms Node.js backend contains two critical cryptographic implementation errors that together allow any unauthenticated attacker to extract the system’s private signing ke...
CVE-2025-13230 affecting package nodejs for versions less than 24.14.1-3
CVE-2025-13230 affecting package nodejs for versions less than 24.14.1-3. An upgraded version of the package is available that resolves this issue...
CVE-2025-13226 affecting package nodejs for versions less than 24.14.1-3
CVE-2025-13226 affecting package nodejs for versions less than 24.14.1-3. An upgraded version of the package is available that resolves this issue...
CVE-2025-12432 affecting package nodejs for versions less than 24.14.1-3
CVE-2025-12432 affecting package nodejs for versions less than 24.14.1-3. An upgraded version of the package is available that resolves this issue...
CVE-2025-13227 affecting package nodejs for versions less than 24.14.1-3
CVE-2025-13227 affecting package nodejs for versions less than 24.14.1-3. An upgraded version of the package is available that resolves this issue...
CVE-2025-2137 affecting package nodejs for versions less than 24.14.1-3
CVE-2025-2137 affecting package nodejs for versions less than 24.14.1-3. An upgraded version of the package is available that resolves this issue...
CVE-2025-0612 affecting package nodejs for versions less than 24.14.1-3
CVE-2025-0612 affecting package nodejs for versions less than 24.14.1-3. An upgraded version of the package is available that resolves this issue...
CVE-2025-0611 affecting package nodejs for versions less than 24.14.1-3
CVE-2025-0611 affecting package nodejs for versions less than 24.14.1-3. An upgraded version of the package is available that resolves this issue...
CVE-2024-22018 affecting package nodejs for versions less than 24.14.1-3
CVE-2024-22018 affecting package nodejs for versions less than 24.14.1-3. An upgraded version of the package is available that resolves this issue...
CVE-2026-0899 affecting package nodejs for versions less than 24.14.1-3
CVE-2026-0899 affecting package nodejs for versions less than 24.14.1-3. An upgraded version of the package is available that resolves this issue...