CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added 2026/06/12 2:17 p.m.•30 views

CVE-2026-47210 vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass

9.8CVSS0.00507EPSS

CVE•added 2026/06/12 2:17 p.m.•29 views

CVE-2026-47210

Summary : CVE-2026-47210 affects the vm2 sandbox prior to version 3.11.4, where a JSPI-backed Promise pathway can bypass Promise species hardening via WebAssembly.promising/WebAssembly.Suspending, potentially exposing a host-originated rejection object to attacker-controlled logic and breaking sa...

9.8CVSS6AI score0.00507EPSS

Vulnrichment•added 2026/06/12 2:16 p.m.•8 views

CVE-2026-47208 vm2: Sandbox Breakout Using Promise Species

vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to write code which can escape from the VM2 sandbox and execute arbitrary commands on the host system. This issue has been patched in version 3.11.4...

10CVSS5.7AI score0.0051EPSS

OSSF Malicious Packages•added 2026/06/11 4:49 a.m.•8 views

Malicious code in js-crypto-promise (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a9d677e45bee46911d04564e9260f4b569119a4ca0a13a58bcd43760359fbb4f The package's prepinstall.js script base64-decodes a hidden URL stored in a constant misleadingly named HASHKEY decoding to...

5.9AI score

OSSF Malicious Packages•added 2026/06/10 3:8 p.m.•12 views

Malicious code in crypto-promise-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 00594a3ae015e55e13c94c904866eae7b86a39b904b2d79469c4b59508c3918f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

5.5AI score

OSV•added 2026/06/10 3:8 p.m.•9 views

MAL-2026-5507 Malicious code in crypto-promise-js (npm)

5.5AI score

Snyk•added 2026/06/10 3:8 p.m.•8 views

Malicious Package

Overview crypto-promise-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

9.8CVSS5.4AI score

Exploits0References2

RedhatCVE•added 2026/06/08 4:34 p.m.•8 views

CVE-2026-43972

A flaw was found in gun. A malicious or compromised HTTP/2 server can exploit an Origin Validation Error vulnerability by injecting unvalidated HTTP/2 PUSHPROMISE authority. This allows the server to plant cookies scoped to arbitrary third-party domains into the client's shared cookie store. This...

6.3CVSS5.6AI score0.00215EPSS

Exploits0References2

NVD•added 2026/06/08 3:16 p.m.•12 views

CVE-2026-43972

Origin Validation Error vulnerability in ninenines gun gunhttp2 module allows cross-origin cookie injection via unvalidated HTTP/2 PUSHPROMISE authority. In gunhttp2:pushpromiseframe/7, the :authority pseudo-header from an incoming PUSHPROMISE frame is stored verbatim into the promised stream...

6.3CVSS0.00215EPSS

ATTACKERKB•added 2026/06/08 2:12 p.m.•5 views

CVE-2026-43972

Exploits0References4Affected Software1

Vulnrichment•added 2026/06/08 2:12 p.m.•6 views

CVE-2026-43972 gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection

Cvelist•added 2026/06/08 2:12 p.m.•40 views

CVE-2026-43972 gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection

6.3CVSS0.00215EPSS

EUVD•added 2026/06/08 2:12 p.m.•8 views

EUVD-2026-35073

CVE•added 2026/06/08 2:12 p.m.•29 views

CVE-2026-43972

CVE-2026-43972 (gun_http2) : In gun_http2:push_promise_frame/7, the incoming PUSH_PROMISE :authority header is stored without validating it against the connection origin. Later, gun_http2:headers_frame/9 uses this unvalidated value when calling gun_cookies:set_cookie_header/7, before status handl...

OSV•added 2026/06/08 2:12 p.m.•6 views

EEF-CVE-2026-43972 gun HTTP/2 PUSH_PROMISE authority not validated against connection origin allows cross-origin cookie injection

Summary Origin Validation Error vulnerability in ninenines gun gunhttp2 module allows cross-origin cookie injection via unvalidated HTTP/2 PUSHPROMISE authority. In gunhttp2:pushpromiseframe/7, the :authority pseudo-header from an incoming PUSHPROMISE frame is stored verbatim into the promised...

Positive Technologies•added 2026/06/08 12:0 a.m.•9 views

Exploits0References2

PT-2026-47298

Name of the Vulnerable Software and Affected Versions ninenines gun versions 2.0.0 through 2.3.x Description An origin validation error in the gun http2 module allows cross-origin cookie injection through an unvalidated HTTP/2 PUSH PROMISE authority. In the push promise frame function, the...

6.3CVSS5.6AI score0.00215EPSS

Exploits0References6

RedhatCVE•added 2026/06/05 7:25 p.m.•8 views

CVE-2026-44000

A flaw was found in vm2 before 3.11.0. Host-side Promises that resolve to host objects deliver values to sandbox .then callbacks without cross-realm conversion ensureThis instead of from/proxy wrapping, allowing sandbox code to interact with host objects directly. Fixed in 3.11.0...

7.2CVSS5.8AI score0.002EPSS

Exploits1References4

RedhatCVE•added 2026/06/05 7:12 p.m.•8 views

CVE-2026-48862

Allocation of Resources Without Limits or Throttling vulnerability in elixir-mint Mint allows attacker-controlled HTTP/2 servers to exhaust memory in a Mint client via PUSHPROMISE flooding. In lib/mint/http2.ex, Mint.HTTP2.decodepushpromiseheadersandaddresponse/5 inserts a :reservedremote entry...

8.2CVSS5.5AI score0.00384EPSS