56 matches found

OSV
added 2026/06/15 8:47 p.m.

GHSA-999R-QQ7V-R334 aws-cdk-lib: OS Command Injection in NodejsFunction Bundling

Summary: AWS CDK aws-cdk-lib is an open-source framework for defining cloud infrastructure in code and provisioning it through AWS CloudFormation. OS command injection in the NodejsFunction local bundling pipeline in aws-cdk-lib before 2.245.0 (before 2.246.0 on Windows) might allow a threat actor who...

CVSS 7.3, AI score 6.3, EPSS 0.00936
Exploits: 1, References: 7
Github Security Blog
added 2026/06/12 8:08 p.m.

Withdrawn Advisory: esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY

Withdrawn Advisory: This advisory has been withdrawn because the affected package was incorrectly identified and the actual affected package is not in a supported ecosystem. This link is maintained to preserve external references. Original Description: Summary: The esbuild Deno module lib/deno/mod.t...

AI score 6.1
Exploits: 0, References: 3, Affected Software: 1
OSV
added 2026/06/12 8:08 p.m.

GHSA-GV7W-RQVM-QJHR Withdrawn Advisory: esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY

Withdrawn Advisory: This advisory has been withdrawn because the affected package was incorrectly identified and the actual affected package is not in a supported ecosystem. This link is maintained to preserve external references. Original Description: Summary: The esbuild Deno module lib/deno/mod.t...

CVSS 8.1, AI score 6.1
Exploits: 0, References: 3
Github Security Blog
added 2026/06/12 8:08 p.m.

esbuild allows arbitrary file read when running the development server on Windows

Summary: The development server contains a path traversal vulnerability on Windows when serving files from servedir. Because it uses path.Clean, which only normalizes forward-slash (/) separators, instead of a Windows-aware path normalization function, it is possible to craft requests using...

AI score 5.6
Exploits: 0, References: 3, Affected Software: 1
Snyk
added 2026/06/10 7:23 p.m.

Command Injection

Overview: aws-cdk-lib is version 2 of the AWS Cloud Development Kit library. Affected versions of this package are vulnerable to Command Injection via the NodejsFunction local bundling pipeline when an attacker controls the value of one or more of the properties externalModules, define, loader,...

CVSS 7.3, AI score 5.9, EPSS 0.00936
Exploits: 1, References: 2
Positive Technologies
added 2026/06/10 12:00 a.m.

PT-2026-48489

Name of the Vulnerable Software and Affected Versions: aws-cdk-lib versions prior to 2.245.0; aws-cdk-lib versions prior to 2.246.0 (Windows). Description: OS command injection exists in the NodejsFunction local bundling pipeline. An actor who controls the value of one or more bundling...

CVSS 7.3, AI score 6.2, EPSS 0.00936
Exploits: 1, References: 11
RedhatCVE
added 2026/06/05 7:11 p.m.

CVE-2026-44594

esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

CVSS 7.5, AI score 5.6, EPSS 0.00321
Exploits: 0, References: 1
NVD
added 2026/05/28 4:16 p.m.

CVE-2026-44594

esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

CVSS 7.5, EPSS 0.00321
Exploits: 0, References: 1
EUVD
added 2026/05/28 2:45 p.m.

EUVD-2026-32911

esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

CVSS 7.5, AI score 6, EPSS 0.00321
Exploits: 0, References: 1
ATTACKERKB
added 2026/05/28 2:45 p.m.

CVE-2026-44594

esm.sh is a no-build content delivery network (CDN) for web development. In 137 and earlier, a Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return...

CVSS 7.5, AI score 6, EPSS 0.00321
Exploits: 0, References: 2, Affected Software: 1
CNNVD
added 2026/05/28 12:00 a.m.

esm.sh security vulnerability

esm.sh is an open-source content distribution network developed by esm.sh. Versions of esm.sh 137 and earlier contain a security vulnerability. The vulnerability stems from the esbuild plugin's handling of the browser field in package.json, which allows attackers to publish npm packages,...

CVSS 7.5, AI score 5.8, EPSS 0.00321
Exploits: 0, References: 1
OSV
added 2026/05/12 10:22 p.m.

GHSA-RG65-45M7-HQ57 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files

Summary: A Local File Inclusion (LFI) vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process. Details: The vulnerable...

CVSS 7.5, AI score 6, EPSS 0.00321
Exploits: 0, References: 4
Positive Technologies
added 2026/05/12 12:00 a.m.

PT-2026-40543

Name of the Vulnerable Software and Affected Versions: esm.sh versions 137 and earlier. Description: A Local File Inclusion (LFI) issue exists in the esbuild plugin's handling of the browser field within the package.json file. An attacker can publish a malicious npm package that leverages ../ sequence...

CVSS 7.5, AI score 5.9, EPSS 0.00321
Exploits: 0, References: 5
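Both path-traversal entries above come down to the same missing check: the esbuild dev-server advisory names path.Clean, which only understands "/" as a separator, and the esm.sh advisories describe a browser-field target with ../ components that is read from disk without being confined to the package directory. The following Go program is an added illustration written for this page, not code from esbuild or esm.sh. NaiveClean, ResolveUnderRoot and BrowserFieldTargets are hypothetical names; the roots, the package.json document and the traversal strings are constructed inputs (the advisories publish no payloads); the real projects resolve paths differently and may apply further checks.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path"
	"regexp"
	"strings"
)

// ErrEscapesRoot is returned for any path that could leave the served root.
var ErrEscapesRoot = errors.New("path escapes the served root")

// driveOrUNC matches Windows absolute forms ("C:...", "//host/share", "\\host\share").
var driveOrUNC = regexp.MustCompile(`^(?:[A-Za-z]:|//|\\\\)`)

// NaiveClean reproduces the pattern the esbuild advisory describes: path.Clean
// collapses ".." only at "/" boundaries, so a backslash-separated "..\"
// component survives intact. On Windows the filesystem later treats that
// backslash as a separator and the request walks out of servedir.
func NaiveClean(requestPath string) string {
	return path.Clean("/" + requestPath)
}

// ResolveUnderRoot joins rel onto root (a forward-slash path) in a
// Windows-aware way: backslashes count as separators, drive letters and UNC
// prefixes are refused, and any ".." component is rejected rather than
// silently collapsed, so a traversal attempt surfaces as an error the caller
// can log instead of being rewritten into a harmless-looking path.
func ResolveUnderRoot(root, rel string) (string, error) {
	root = path.Clean(root)
	if strings.ContainsRune(rel, 0) || driveOrUNC.MatchString(rel) {
		return "", ErrEscapesRoot
	}
	normalized := strings.ReplaceAll(rel, `\`, "/")
	for _, part := range strings.Split(normalized, "/") {
		if part == ".." {
			return "", ErrEscapesRoot
		}
	}
	joined := path.Join(root, path.Clean("/"+normalized))
	// Belt and braces: the result must be root itself or sit beneath it.
	if joined != root && !strings.HasPrefix(joined, root+"/") {
		return "", ErrEscapesRoot
	}
	return joined, nil
}

// BrowserFieldTargets parses the "browser" field of a package.json, which may
// be a single string or an object mapping specifiers to replacement files (or
// false to disable a module), and resolves every replacement file below pkgDir
// before anything is read from disk. A target that would escape pkgDir fails
// the whole package instead of being served.
func BrowserFieldTargets(pkgDir string, packageJSON []byte) (map[string]string, error) {
	var pkg struct {
		Browser json.RawMessage `json:"browser"`
	}
	if err := json.Unmarshal(packageJSON, &pkg); err != nil {
		return nil, err
	}
	targets := map[string]string{}
	if len(pkg.Browser) == 0 || string(pkg.Browser) == "null" {
		return targets, nil
	}
	var single string
	if err := json.Unmarshal(pkg.Browser, &single); err == nil {
		targets["."] = single
	} else {
		var obj map[string]interface{}
		if err := json.Unmarshal(pkg.Browser, &obj); err != nil {
			return nil, fmt.Errorf("unsupported browser field: %w", err)
		}
		for specifier, v := range obj {
			if s, ok := v.(string); ok { // false entries disable a module; nothing to resolve
				targets[specifier] = s
			}
		}
	}
	resolved := map[string]string{}
	for specifier, target := range targets {
		p, err := ResolveUnderRoot(pkgDir, target)
		if err != nil {
			return nil, fmt.Errorf("browser[%q] = %q: %w", specifier, target, err)
		}
		resolved[specifier] = p
	}
	return resolved, nil
}

func main() {
	// Constructed inputs that only exercise the check.
	fmt.Println(NaiveClean(`..\..\secret.txt`)) // the backslash ".." survives path.Clean
	_, err := ResolveUnderRoot("/srv/www", `..\..\secret.txt`)
	fmt.Println("servedir request:", err)
	pkgJSON := []byte(`{"name":"evil","browser":{"./server.js":"./client.js","fs":"../../../../etc/passwd"}}`)
	_, err = BrowserFieldTargets("/cache/node_modules/evil", pkgJSON)
	fmt.Println("browser field:", err)
}
```

Rejecting ".." outright, rather than rooting the path and letting path.Clean swallow it, is deliberate: a CDN or dev server that silently maps a traversal attempt onto a file under the root loses the signal that someone is probing it. URL decoding and symlink handling are outside this example and still need to happen before and after the check respectively.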
Chainguard
added 2026/04/11 2:18 a.m.

CVE-2026-32283 vulnerabilities

Vulnerabilities for packages: aws-efs-csi-driver, azuredisk-csi, crossplane-provider-aws-acm, kuma, mariadb-operator-fips, prometheus-postgres-exporter, cert-exporter, k8s-driver-manager, eks-node-monitoring-agent-fips, aws-eks-pod-identity-agent, kubernetes-csi-external-snapshotter,...

CVSS 7.5, AI score 7.1, EPSS 0.00449
Exploits: 0
OSV
added 2026/04/01 9:38 a.m.

CLEANSTART-2026-KD93706 Security fixes for CVE-2026-25679, CVE-2026-27139, CVE-2026-27142 applied in versions: 0.25.0-r0

Multiple security vulnerabilities affect the esbuild package. These issues are resolved in later releases. See references for individual vulnerability details...

CVSS 7.5, AI score 7.2, EPSS 0.0052
Exploits: 0, References: 7
vulnersOsv
added 2026/03/04 10:59 p.m.

org.webjars.npm:cssnano (=5.1.14), org.webjars.npm:cssnano-preset-default (=5.2.13) +2 more potentially affected by CVE-2026-29074 via org.webjars.npm:svgo (=2.8.0)

org.webjars.npm:svgo (Maven) version =2.8.0 is affected by a known vulnerability. The following packages have a transitive dependency on org.webjars.npm:svgo and may be impacted: org.webjars.npm:cssnano (=5.1.14); org.webjars.npm:cssnano-preset-default (=5.2.13); org.webjars.npm:esbuild-plugin-svg...

CVSS 7.5, AI score 7.1, EPSS 0.00339
Exploits: 1
Hacker One
added 2026/02/17 10:22 a.m.

AWS VDP: Command Injection via Unsanitized Bundling Options in `aws-cdk-lib/aws-lambda-nodejs`

Asset: aws-cdk-lib npm package, source: https://github.com/aws/aws-cdk. Severity: High. CWE: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). Summary: The NodejsFunction construct in aws-cdk-lib/aws-lambda-nodejs constructs a shell command string...

AI score 6.1
Exploits: 0
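The aws-cdk-lib entries on this page (OSV, Snyk, Positive Technologies and the HackerOne report directly above) all describe the same shape of bug: bundling option values such as define and externalModules are spliced into a shell command string. The program below is an added illustration written for this page, not aws-cdk-lib's code (the real construct is TypeScript, and the exact command it builds is not reproduced here). BundlingOptions, UnsafeCommandLine, SafeArgv and the runner functions are hypothetical names, the attacker-controlled define value is constructed, and "echo" stands in for the esbuild binary so the difference between a shell string and an argv array is visible without esbuild installed.

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"sort"
	"strings"
)

// BundlingOptions is a hypothetical stand-in for the bundling properties the
// advisories name (define, externalModules); it is not aws-cdk-lib's type.
type BundlingOptions struct {
	Define          map[string]string
	ExternalModules []string
}

// sortedKeys keeps the generated command line deterministic.
func sortedKeys(m map[string]string) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// UnsafeCommandLine shows the vulnerable shape: every option value is pasted
// into one string that RunThroughShell later hands to "sh -c". Shell syntax
// inside a value (";", "&&", "|", "$(...)", backticks) is executed as commands.
func UnsafeCommandLine(program string, opts BundlingOptions) string {
	parts := []string{program, "index.ts", "--bundle"}
	for _, k := range sortedKeys(opts.Define) {
		parts = append(parts, "--define:"+k+"="+opts.Define[k])
	}
	for _, m := range opts.ExternalModules {
		parts = append(parts, "--external:"+m)
	}
	return strings.Join(parts, " ")
}

// RunThroughShell executes a command line the way a shell-string bundler does.
func RunThroughShell(cmdline string) (string, error) {
	out, err := exec.Command("sh", "-c", cmdline).Output()
	return string(out), err
}

// defineKey is the dotted-identifier syntax an esbuild --define key must have.
var defineKey = regexp.MustCompile(`^[A-Za-z_$][A-Za-z0-9_$]*(\.[A-Za-z_$][A-Za-z0-9_$]*)*$`)

// SafeArgv builds the same invocation as an argv slice. Each option is one
// argument, so the child process receives the value byte-for-byte and no shell
// ever parses it. Define keys are additionally checked against the identifier
// syntax, and external module names may not contain whitespace or newlines.
func SafeArgv(program string, opts BundlingOptions) ([]string, error) {
	argv := []string{program, "index.ts", "--bundle"}
	for _, k := range sortedKeys(opts.Define) {
		if !defineKey.MatchString(k) {
			return nil, fmt.Errorf("invalid define key %q", k)
		}
		argv = append(argv, "--define:"+k+"="+opts.Define[k])
	}
	for _, m := range opts.ExternalModules {
		if m == "" || strings.ContainsAny(m, " \t\r\n") {
			return nil, fmt.Errorf("invalid external module name %q", m)
		}
		argv = append(argv, "--external:"+m)
	}
	return argv, nil
}

// RunArgv executes argv directly; no shell is involved.
func RunArgv(argv []string) (string, error) {
	out, err := exec.Command(argv[0], argv[1:]...).Output()
	return string(out), err
}

func main() {
	// Constructed attacker-controlled define value. "echo" replaces esbuild so
	// the printed output shows what the child process actually received.
	opts := BundlingOptions{
		Define:          map[string]string{"DEBUG": "1; echo INJECTED"},
		ExternalModules: []string{"aws-sdk"},
	}
	unsafeOut, _ := RunThroughShell(UnsafeCommandLine("echo", opts))
	fmt.Printf("shell string:\n%s", unsafeOut) // second line: the injected command ran
	argv, err := SafeArgv("echo", opts)
	if err != nil {
		panic(err)
	}
	safeOut, _ := RunArgv(argv)
	fmt.Printf("argv:\n%s", safeOut) // the whole value arrives as one literal argument
}
```

The validation in SafeArgv is a secondary control: it exists because esbuild itself parses "--define:key=value" and a malformed key produces a confusing failure, not because argv needs protection from shell metacharacters. The primary fix is that no shell is ever asked to parse data the caller did not write.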
Fedora
added 2025/12/30 1:14 a.m.

[SECURITY] Fedora 42 Update: golang-github-evanw-esbuild-0.24.2-4.fc42

This is a JavaScript bundler and minifier. It packages up JavaScript and TypeScript code for distribution on the web...

CVSS 7.5, AI score 7.2, EPSS 0.00586
Exploits: 1
Tenable Nessus
added 2025/12/30 12:00 a.m.

Fedora 42 : golang-github-evanw-esbuild (2025-be54db24e3)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-be54db24e3 advisory. "Rebuild for CVEs" Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested f...

CVSS 7.5, AI score 7.8, EPSS 0.00586
Exploits: 1, References: 7
OpenVAS
added 2025/12/30 12:00 a.m.

Fedora: Security Advisory (FEDORA-2025-be54db24e3)

The remote host is missing an update for the... SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only

CVSS 7.5, AI score 6.8, EPSS 0.00586
Exploits: 1, References: 8