3202 matches found
CVE-2026-58592
Ladybird contains a dangling-reference memory-safety flaw in its WebAssembly ESM-integration module loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference to createhostfunction, whose ho...
CVE-2026-58592
Vulnerability summary (CVE-2026-58592, Ladybird): A dangling-reference memory-safety flaw in Ladybird’s WebAssembly ESM integration loader. When a JavaScript function is imported into a WebAssembly module via the ESM path, WebAssemblyModule.cpp passes a stack-local Wasm::FunctionType by reference...
MAL-2026-6538 Malicious code in db-plog (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 961a6a108104105727b81399e6a3a6d56636cb79ae8fbfbbc33528f90d890d99 On every Model instantiation — the package's documented primary API — dist/index.js executes execSync'npm install db-connector-log --no-warnings...
Malicious code in base62-86x (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 811002816e7f72588c7c6540b088af5c44b8280574e43dbaeef4701fe377fe9f Package impersonates the legitimate base-x/base62 library by Daniel Cousens name base62-86x, homepage pointing at cryptocoinjs/base-x, identical sour...
NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes
Summary Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log...
GHSA-RG65-45M7-HQ57 esm.sh: Path Traversal via package.json browser field allows reading arbitrary server files
Summary A Local File Inclusion LFI vulnerability exists in the esbuild plugin's handling of the browser field in package.json. An attacker can publish an npm package that causes the server to read and return arbitrary files from the host filesystem during the build process. Details The vulnerable...
esm.sh: Legacy Route Path Traversal Can Lead to RCE
Impact - Arbitrary File Write – An attacker can cause the server to write data to any file path it has write permission for. - Privilege Escalation / RCE – By overwriting critical binaries or scripts, the attacker can execute arbitrary code with the server’s privileges. Exploit The legacy router...
PT-2026-38344
Name of the Vulnerable Software and Affected Versions Hitachi Virtual Storage Platform One Block 23 versions prior to DKCMAIN A3-04-21-40/00, ESM A3-04-21/00 Hitachi Virtual Storage Platform One Block 24 versions prior to DKCMAIN A3-04-21-40/00, ESM A3-04-21/00 Hitachi Virtual Storage Platform On...
SUSE CVE-2026-23644
esm.sh is a no-build content delivery network CDN for web development. Prior to Go pseeudoversion 0.0.0-20260116051925-c62ab83c589e, the software has a path traversal vulnerability due to an incomplete fix. path.Clean normalizes a path but does not prevent absolute paths in a malicious tar file...
GO-2026-4554 esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route in github.com/esm-dev/esm.sh
esm.sh has SSRF localhost/private-network bypass in /https module route in github.com/esm-dev/esm.sh...
CVE-2026-27730
esm.sh is a no-build content delivery network CDN for web development. Versions up to and including 137 have an SSRF vulnerability CWE-918 in esm.sh’s /https fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypass...
GO-2026-4545 esm.sh is vulnerable to full-response SSRF in github.com/esm-dev/esm.sh
esm.sh is vulnerable to full-response SSRF in github.com/esm-dev/esm.sh...
CVE-2026-27730 esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route
esm.sh is a no-build content delivery network CDN for web development. Versions up to and including 137 have an SSRF vulnerability CWE-918 in esm.sh’s /https fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypass...
CVE-2026-27730 esm.sh has SSRF localhost/private-network bypass in `/http(s)` module route
esm.sh is a no-build content delivery network CDN for web development. Versions up to and including 137 have an SSRF vulnerability CWE-918 in esm.sh’s /https fetch route. The service tries to block localhost/internal targets, but the validation is based on hostname string checks and can be bypass...
CVE-2026-27730
esm.sh (a no-build CDN for web development) versions up to and including 137 contain an SSRF (CWE-918) in the /http(s) fetch route. The service validates against localhost/internal targets using hostname string checks, which can be bypassed with DNS alias domains, allowing an external requester t...
CVE-2025-50180 esm.sh is vulnerable to full-response SSRF
esm.sh is a no-build content delivery network CDN for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability...
CVE-2025-50180
esm.sh is a no-build content delivery network CDN for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability...
CVE-2025-50180 esm.sh is vulnerable to full-response SSRF
esm.sh is a no-build content delivery network CDN for web development. In version 136, esm.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Version 137 fixes the vulnerability...
GHSA-3C9R-837R-QQM4 esm.sh is vulnerable to full-response SSRF
Summary esh.sh is vulnerable to a full-response SSRF, allowing an attacker to retrieve information from internal websites through the vulnerability. Details Vulnerable code location: https://github.com/esm-dev/esm.sh/blob/f80ff8c8d58749e77fa964abde468fc61f8bd89e/server/router.goL511 If the intern...
CVE-2026-2522
A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is an unknown function of the file /src/mme/esm-build.c of the component MME. The manipulation leads to memory corruption. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be...