CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

NVD•added 3 days ago•4 views

CVE-2026-49859

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to 2.8.1, when fetch was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name...

5.2CVSS0.00106EPSS

CVE•added 3 days ago•4 views

CVE-2026-49411

Summary (technical, grounded): CVE-2026-49411 affects Deno’s Node.js compatibility TCP path. Prior to v2.8.0, permission checks for deny-net were performed on the original hostname string before DNS resolution and not re-checked after resolution. This allowed a numeric IP alias (for example 21307...

6.5CVSS5.8AI score0.00108EPSS

Cvelist•added 3 days ago•32 views

CVE-2026-49860 Deno: WebSocket API sandbox bypass via missing post-DNS check

5.2CVSS0.00106EPSS

CVE•added 3 days ago•10 views

CVE-2026-49859

CVE-2026-49859 affects Deno before version 2.8.1. The bug occurs in fetch() where Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that the hostname resolves to, allowing an attacker-controlled domain that passes the hostname check to resolve to...

5.2CVSS5.8AI score0.00106EPSS

NVD•added 4 days ago•7 views

CVE-2026-53571

Vite is a frontend tooling framework for JavaScript. Prior to 8.0.16, 7.3.5, and 6.4.3, the contents of files that are specified by server.fs.deny can be returned to the browser on Windows. Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as...

8.2CVSS0.00393EPSS

Exploits1References1

Cvelist•added 4 days ago•30 views

CVE-2026-53571 Vite: `server.fs.deny` bypass on Windows alternate paths

8.2CVSS0.00393EPSS

Exploits1References1

CVE•added 4 days ago•73 views

CVE-2026-53571

CVE-2026-53571 affects the Vite dev server. On Windows, the denial mechanism implemented by the option server.fs.deny fails to normalize NTFS ADS path forms before access checks, allowing bypasses such as /.env::$DATA?raw and access via 8.3 short-name tricks. This can enable exposure of sensitive...

8.2CVSS5.9AI score0.00393EPSS

Exploits1References1Affected Software2

NVD•added 2026/06/17 5:16 p.m.•6 views

CVE-2025-71320

picklescan before 0.0.33 contains an incomplete deny-list that fails to block pydoc.locate and operator.methodcaller functions, allowing attackers to bypass security checks. Remote attackers can craft malicious pickle files using these unblocked functions to achieve arbitrary code execution when...

9.8CVSS0.00623EPSS

Cvelist•added 2026/06/17 3:4 p.m.•16 views

CVE-2025-71320 picklescan - Remote Code Execution via Incomplete Disallowed Inputs

9.8CVSS0.00623EPSS

CVE•added 2026/06/17 3:4 p.m.•18 views

CVE-2025-71320

The CVE identifies a vulnerability in picklescan prior to 0.0.33, where an incomplete deny-list fails to block pydoc.locate and operator.methodcaller. This allows remote attackers to craft malicious pickle files that, when deserialized, yield arbitrary code execution. The issue is tied to deseria...

9.8CVSS6.1AI score0.00623EPSS

EUVD•added 2026/06/17 3:4 p.m.•9 views

EUVD-2025-210267

9.8CVSS6.1AI score0.00623EPSS

Github Security Blog•added 2026/06/16 7:11 p.m.•7 views

Deno: Permission Bypass via Unicode Normalization Mismatch on macOS (APFS)

Summary Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to --deny-read, --deny-write, --deny-run, or --deny-ffi. On macOS, that comparison was done at the raw-byte level while the APFS filesystem treats different...

7.3CVSS5.8AI score0.00137EPSS

Github Security Blog•added 2026/06/16 7:9 p.m.•7 views

Deno: Node TCPWrap numeric hostname aliases bypass --deny-net resolved-IP deny checks

Summary Deno's network permission model is designed so that --deny-net rules apply to the resolved IP address of a destination, not just the literal string supplied by the caller. That means --deny-net=127.0.0.1 or --deny-net=127.0.0.0/8 is expected to block any attempt to reach loopback,...

6.5CVSS5.5AI score0.00108EPSS

Github Security Blog•added 2026/06/16 7:4 p.m.•7 views

Deno: process.loadEnvFile() bypasses env permission checks and mutates process.env with only read access

Summary In Deno, environment access is gated by the env permission. You can deny it with --deny-env, or restrict it to a specific allowlist with --allow-env=FOO,BAR. The expectation is that a program running without env permission cannot change process.env. process.loadEnvFile the Node-compatible...

5.2CVSS5.4AI score0.00098EPSS

Github Security Blog•added 2026/06/16 7:4 p.m.•19 views

Deno: WebSocket API sandbox bypass via missing post-DNS check

Summary When a WebSocket connection was opened, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a...

5.2CVSS5.4AI score0.00106EPSS

Github Security Blog•added 2026/06/16 7:2 p.m.•7 views

Deno: `fetch()` API sandbox bypass via missing DNS resolution check

Summary When fetch was called, Deno checked the destination hostname against --deny-net rules but did not re-check the IP addresses that hostname resolved to. An attacker-controlled script could use a specially crafted domain name that passes the hostname check yet resolves to a denied IP,...

5.2CVSS5.4AI score0.00106EPSS