Lucene search
K

14 matches found

OSV
OSV
added 3 days ago11 views

ROOT-APP-NPM-CVE-2026-55388 CVE-2026-55388 in @rootio/piscina - Patched by Root

Root has patched CVE-2026-55388 in the @rootio/piscina package for Root:npm. Multiple fixed versions available...

8.1CVSS5.8AI score0.00296EPSS
Exploits0
RedhatCVE
RedhatCVE
added 2026/06/25 8:4 p.m.4 views

CVE-2026-55388

A flaw was found in piscina, a Node.js worker pool implementation. This vulnerability allows an attacker to achieve arbitrary code execution by exploiting a prototype pollution issue. By manipulating the filename option, an attacker can cause their malicious code to be executed within the worker,...

8.1CVSS6.4AI score0.00296EPSS
Exploits0References4
NVD
NVD
added 2026/06/22 6:16 p.m.10 views

CVE-2026-55388

piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When...

8.1CVSS0.00296EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/22 4:50 p.m.4 views

CVE-2026-55388

piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When...

8.1CVSS5.8AI score0.00296EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/22 4:50 p.m.64 views

CVE-2026-55388

Summary: CVE-2026-55388 affects piscina (node.js worker pool). Before versions 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina reads options.filename by plain member access in both the constructor and run() paths, allowing the read to fall through the prototype chain. If Object.prototype.filename is pollut...

8.1CVSS5.8AI score0.00296EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/06/22 4:50 p.m.34 views

CVE-2026-55388 piscina: Prototype Pollution Gadget → RCE via inherited options.filename

piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When...

8.1CVSS0.00296EPSS
Exploits0References1
Patchstack
Patchstack
added 2026/06/18 1:5 p.m.11 views

NPM: piscina: Prototype Pollution Gadget → RCE via inherited options.filename

NPM: piscina: Prototype Pollution Gadget → RCE via inherited options.filename vulnerability discovered by ? in WordPress Npm piscina versions = 4.9.2...

8.1CVSS5.8AI score0.00296EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/18 1:5 p.m.4 views

GHSA-X9G3-XRWR-CWFG piscina: Prototype Pollution Gadget → RCE via inherited options.filename

Summary piscina's constructor and run paths read the filename option via plain member access: js // dist/index.js line 92 constructor const filename = options.filename ? 0, common1.maybeFileURLToPathoptions.filename : null; this.options = ...kDefaultOptions, ...options, filename, maxQueue: 0 ; //...

8.1CVSS5.5AI score0.00296EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/18 1:5 p.m.7 views

piscina: Prototype Pollution Gadget → RCE via inherited options.filename

Summary piscina's constructor and run paths read the filename option via plain member access: js // dist/index.js line 92 constructor const filename = options.filename ? 0, common1.maybeFileURLToPathoptions.filename : null; this.options = ...kDefaultOptions, ...options, filename, maxQueue: 0 ; //...

8.1CVSS5.4AI score0.00296EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.17 views

PT-2026-50733

Name of the Vulnerable Software and Affected Versions piscina versions prior to 6.0.0-rc.2 piscina versions prior to 5.2.0 piscina versions prior to 4.9.3 Description Prototype pollution in the constructor and run paths allows an attacker to control the filename option. When the options object...

8.1CVSS5.9AI score0.00296EPSS
Exploits0References7
Circl
Circl
added 2026/06/16 9:0 p.m.10 views

CVE-2026-55388

creationtimestamp| type| source ---|---|--- 2026-06-16 21:00:59+00:00| published-proof-of-concept| https://github.com/piscinajs/piscina/security/advisories/GHSA-x9g3-xrwr-cwfg 2026-06-22 16:44:13+00:00| seen| https://infosec.exchange/users/vuldb/statuses/116794762930791425 2026-06-22...

8.1CVSS5.8AI score0.00296EPSS
Exploits0References3
EUVD
EUVD
added 2025/11/24 1:46 p.m.5 views

EUVD-2025-198763

Malicious code in @posthog/piscina npm...

6.6AI score
Exploits0References1
OSV
OSV
added 2025/11/24 1:46 p.m.4 views

MAL-2025-190750 Malicious code in @posthog/piscina (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebd3d94d864b267499cd7c7897fa7fc4af2c420f3aa6bd152a0b22feae86418b The package @posthog/piscina was found to contain malicious code. Source: ghsa-malware 731794a5898b7ca6049626b91dad59ed65293d59335397c1989a1b45a498cb...

6.8AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/11/24 1:46 p.m.7 views

Malicious code in @posthog/piscina (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebd3d94d864b267499cd7c7897fa7fc4af2c420f3aa6bd152a0b22feae86418b The package @posthog/piscina was found to contain malicious code. Source: ghsa-malware 731794a5898b7ca6049626b91dad59ed65293d59335397c1989a1b45a498cb...

6.9AI score
Exploits0References4
Rows per page
Query Builder