14 matches found
ROOT-APP-NPM-CVE-2026-55388 CVE-2026-55388 in @rootio/piscina - Patched by Root
Root has patched CVE-2026-55388 in the @rootio/piscina package for Root:npm. Multiple fixed versions available...
CVE-2026-55388
A flaw was found in piscina, a Node.js worker pool implementation. This vulnerability allows an attacker to achieve arbitrary code execution by exploiting a prototype pollution issue. By manipulating the filename option, an attacker can cause their malicious code to be executed within the worker,...
CVE-2026-55388
piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When...
CVE-2026-55388
piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When...
CVE-2026-55388
Summary: CVE-2026-55388 affects piscina (node.js worker pool). Before versions 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina reads options.filename by plain member access in both the constructor and run() paths, allowing the read to fall through the prototype chain. If Object.prototype.filename is pollut...
CVE-2026-55388 piscina: Prototype Pollution Gadget → RCE via inherited options.filename
piscina is a node.js worker pool implementation. Prior to 6.0.0-rc.2, 5.2.0, and 4.9.3, piscina's constructor and run paths read the filename option via plain member access. Both reads fall through the prototype chain when the caller's options object doesn't have filename as an own property. When...
NPM: piscina: Prototype Pollution Gadget → RCE via inherited options.filename
NPM: piscina: Prototype Pollution Gadget → RCE via inherited options.filename vulnerability discovered by ? in WordPress Npm piscina versions = 4.9.2...
GHSA-X9G3-XRWR-CWFG piscina: Prototype Pollution Gadget → RCE via inherited options.filename
Summary piscina's constructor and run paths read the filename option via plain member access: js // dist/index.js line 92 constructor const filename = options.filename ? 0, common1.maybeFileURLToPathoptions.filename : null; this.options = ...kDefaultOptions, ...options, filename, maxQueue: 0 ; //...
piscina: Prototype Pollution Gadget → RCE via inherited options.filename
Summary piscina's constructor and run paths read the filename option via plain member access: js // dist/index.js line 92 constructor const filename = options.filename ? 0, common1.maybeFileURLToPathoptions.filename : null; this.options = ...kDefaultOptions, ...options, filename, maxQueue: 0 ; //...
PT-2026-50733
Name of the Vulnerable Software and Affected Versions piscina versions prior to 6.0.0-rc.2 piscina versions prior to 5.2.0 piscina versions prior to 4.9.3 Description Prototype pollution in the constructor and run paths allows an attacker to control the filename option. When the options object...
CVE-2026-55388
creationtimestamp| type| source ---|---|--- 2026-06-16 21:00:59+00:00| published-proof-of-concept| https://github.com/piscinajs/piscina/security/advisories/GHSA-x9g3-xrwr-cwfg 2026-06-22 16:44:13+00:00| seen| https://infosec.exchange/users/vuldb/statuses/116794762930791425 2026-06-22...
EUVD-2025-198763
Malicious code in @posthog/piscina npm...
MAL-2025-190750 Malicious code in @posthog/piscina (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebd3d94d864b267499cd7c7897fa7fc4af2c420f3aa6bd152a0b22feae86418b The package @posthog/piscina was found to contain malicious code. Source: ghsa-malware 731794a5898b7ca6049626b91dad59ed65293d59335397c1989a1b45a498cb...
Malicious code in @posthog/piscina (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ebd3d94d864b267499cd7c7897fa7fc4af2c420f3aa6bd152a0b22feae86418b The package @posthog/piscina was found to contain malicious code. Source: ghsa-malware 731794a5898b7ca6049626b91dad59ed65293d59335397c1989a1b45a498cb...