vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter

Summary defaultSandboxPrepareStackTrace in lib/setup-sandbox.js lines 605, 607 appends to a fresh sandbox-realm lines = via lineslines.length = value. This is the exact invariant-violating pattern that GHSA-9qj6-qjgg-37qq commit ca195f0, 2026-05-01 just patched in neutralizeArraySpeciesBatch and...

Improper Validation of Array Index

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Validation of Array Index through the defaultSandboxPrepareStackTrace function in lib/setup-sandbox.js. An attacker can observe or rewrite...

Information Exposure

Overview vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Information Exposure via the sandbox CallSite handling. An attacker can leak absolute host filesystem paths by causing error.stack or getEvalOrigin t...

Information Exposure

Overview org.webjars.npm:vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Information Exposure via the sandbox CallSite handling. An attacker can leak absolute host filesystem paths by causing error.stack or...

EUVD-2018-18296

Malware in sbrugna...

EUVD-2023-28001

Malicious code in bioql PyPI...

EUVD-2022-2446

Malicious code in bioql PyPI...

EUVD-2023-1101

Malicious code in bioql PyPI...

CVE-2024-56663 wifi: nl80211: fix NL80211_ATTR_MLO_LINK_ID off-by-one

In the Linux kernel, the following vulnerability has been resolved: wifi: nl80211: fix NL80211ATTRMLOLINKID off-by-one Since the netlink attribute range validation provides inclusive checking, the max of attribute NL80211ATTRMLOLINKID should be IEEE80211MLDMAXNUMLINKS - 1 otherwise causing an...

Malicious code in error-stack-parsersasasa (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 95ee2924307d088b5e7509bfa51de2136a5611527d0de92d5ea4020f7ba0edf0 The OpenSSF Package Analysis project identified 'error-stack-parsersasasa' @ 1.2.7 npm as malicious. It is considered malicious because: - The...

CVE-2024-37162 zsa Generates Error Messages Containing Sensitive Information

zsa is a library for building typesafe server actions in Next.js. All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This can potentially reveal sensitive information about the server environment, such as the machine...

CVE-2024-37162 zsa Generates Error Messages Containing Sensitive Information

zsa is a library for building typesafe server actions in Next.js. All users are impacted. The zsa application transfers the parse error stack from the server to the client in production build mode. This can potentially reveal sensitive information about the server environment, such as the machine...

Jenkins: Information disclosure through error stack traces related to agents

A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers...

Jenkins: Information disclosure through error stack traces related to agents

A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers...

Jenkins: Information disclosure through error stack traces related to agents

A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers...

Azure MCS catalog update fails with FailedToStartImagePreparationVm - CreateUpdateVm-1 timed out

Unable to update a machine catalog for an Azure hosted MCS deployment. The MCS process fails early about 15% into the update The error message shows "Error - Terminated", and the action name is "MCUpdateMachineCatalog" The full stack trace is similar to this : TerminatedStack Trace: at...

Medium: nodejs

Issue Overview: In some cases Node.js did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service...

Jenkins: Information disclosure through error stack traces related to agents

A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers...

Important: Red Hat Security Advisory: jenkins and jenkins-2-plugins security update

An update for jenkins and jenkins-2-plugins is now available for OpenShift Developer Tools and Services for OCP 4.12. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...

Node.js: OpenSSL error handling issues in nodejs crypto library

A cryptographic vulnerability exists in Node.js 19.2.0, 18.14.1, 16.19.1, 14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread...