CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

255 matches found

Github Security Blog•added 2026/03/26 6:55 p.m.•3 views

Convict has Prototype Pollution via startsWith() function

Summary A prototype pollution vulnerability exists in the latest version of the convict npm package 6.2.4. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute Object.prototype via a...

6.4AI score0.0084EPSS

Exploits0References3Affected Software1

OSV•added 2026/03/26 6:55 p.m.•1 views

GHSA-44FC-8FM5-Q62H Convict has Prototype Pollution via startsWith() function

9.4CVSS6.4AI score0.0084EPSS

Exploits0References3

Snyk•added 2026/03/26 6:50 p.m.•0 views

Prototype Pollution

Overview convict is a package that expands on the standard pattern of configuring node.js applications in a way that is more robust and accessible to collaborators, who may have less interest in digging through imperative code in order to inspect or modify settings. By introducing a configuration...

9.4CVSS6.5AI score0.00037EPSS

Exploits0References2

vulnersOsv•added 2026/03/26 6:50 p.m.•4 views

@antora/cli (>=2.3.2 <=3.0.0-alpha.9), @antora/playbook-builder (>=2.3.2 <=3.0.0-alpha.9) +100 more potentially affected by CVE-2026-33863 via convict (>=6.0.0 <=6.2.4)

convict NPM version =6.0.0, =2.3.2, =2.3.2, =2.3.2, =1.6.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.7.0 and more Source cves: CVE-2026-33863 Source advisory: SNYK:JS-CONVICT-15790594...

5.8AI score0.00037EPSS

Exploits0

OSV•added 2026/03/26 6:50 p.m.•6 views

GHSA-HF2R-9GF9-RWCH Convict has prototype pollution via load(), loadFile(), and schema initialization

Impact Two unguarded prototype pollution paths exist, not covered by previous fixes: 1. config.load / config.loadFile — overlay recursively merges config data without checking for forbidden keys. Input containing proto or constructor.prototype e.g. from a JSON file causes the recursion to reach...

9.4CVSS5.9AI score0.00037EPSS

Exploits0References4

Positive Technologies•added 2026/03/26 12:0 a.m.•5 views

PT-2026-28539

Name of the Vulnerable Software and Affected Versions Convict affected versions not specified Description The software contains two prototype pollution flaws not addressed by prior fixes. The first flaw exists in the config.load and config.loadFile functions, where the overlay function recursivel...

9.4CVSS6.1AI score0.00037EPSS

Exploits0References6

Positive Technologies•added 2026/03/26 12:0 a.m.•3 views

PT-2026-28540

Name of the Vulnerable Software and Affected Versions convict versions 6.2.4 Description A prototype pollution issue exists in the convict npm package. The issue stems from an incomplete fix that attempted to prevent prototype pollution by checking if user input begins with a prohibited key...

9.4CVSS6.5AI score0.0084EPSS

Exploits0References6

Circl•added 2026/03/24 3:53 p.m.•4 views

CVE-2026-33864

creationtimestamp| type| source ---|---|--- 2026-03-24 15:53:51+00:00| published-proof-of-concept| https://github.com/mozilla/node-convict/security/advisories/GHSA-44fc-8fm5-q62h...

5.8AI score0.0084EPSS

Exploits0References1

Snyk•added 2026/01/28 2:3 p.m.•1 views

Prototype Pollution

8.8CVSS6.6AI score0.0084EPSS

Exploits0References2

vulnersOsv•added 2026/01/28 2:3 p.m.•5 views

@antora/cli (>=2.3.2 <=3.0.0-alpha.9), @antora/playbook-builder (>=2.3.2 <=3.0.0-alpha.9) +54 more potentially affected by CVE-2026-33864 via convict (>=6.0.0 <=6.2.2)

convict NPM version =6.0.0, =2.3.2, =2.3.2, =2.3.2, =1.6.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.7.0 and more Source cves: CVE-2026-33864 Source advisory: SNYK:JS-CONVICT-15182994...

5.8AI score0.0084EPSS

Exploits0

OSSF Malicious Packages•added 2025/11/13 3:23 a.m.•3 views

Malicious code in convict-writable-webpack-cosmogenic (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector d97564ab9fc4db43f4230b9d93ccc412d62ff1b73b25e6ee7eeca8c3f4298df7 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

6.9AI score

Exploits0