48 matches found
CVE-2026-41690
i18next-http-middleware is middleware for Node.js web frameworks such as Express or Fastify, and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that...
CVE-2026-33979
CVE-2026-33979 affects the Express XSS Sanitizer middleware (Express 4.x/5.x). The root cause is that, in versions prior to 2.0.2, explicitly provided empty configurations for allowedTags or allowedAttributes are ignored, causing a fallback to sanitize-html’s permissive defaults. This leads to a ...
CVE-2026-33979 Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
Express XSS Sanitizer is Express 4.x and 5.x middleware that sanitizes user input in req.body, req.query, req.headers and req.params to prevent Cross-Site Scripting (XSS) attacks. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are...
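The root cause described in both CVE-2026-33979 entries is an option-resolution bug: an explicit empty allow-list is treated as "not configured" and replaced by the permissive default. The block below is an added example, not the Express XSS Sanitizer's or sanitize-html's own code; the buggy merge, the function names and the short default tag list are constructed to illustrate the pattern, and the three-state handling (omitted, `[]`, `false`) assumes the option is passed through with sanitize-html's documented semantics, where `allowedTags: false` means allow every tag.

```javascript
// Added example (hypothetical code, not from the Express XSS Sanitizer project):
// resolving the allowedTags option before sanitizing a request field.
// The default list is a constructed stand-in; sanitize-html's real default list is longer.
const DEFAULT_ALLOWED_TAGS = ['b', 'i', 'em', 'strong', 'a', 'p', 'ul', 'ol', 'li'];

// Vulnerable pattern (hypothetical): a length check treats an empty array like an absent
// option, so an operator who asked for "no tags at all" silently gets the permissive default.
function resolveAllowedTagsBuggy(options = {}) {
  const tags = options.allowedTags;
  return tags && tags.length ? tags : DEFAULT_ALLOWED_TAGS;
}

// Fixed: only an *absent* option falls back to the defaults. An explicit empty array means
// "strip every tag"; `false` keeps sanitize-html's documented meaning (allow all tags), and
// anything else is rejected loudly instead of being coerced into something permissive.
function resolveAllowedTags(options = {}) {
  const tags = options.allowedTags;
  if (tags === undefined) return DEFAULT_ALLOWED_TAGS;
  if (tags === false) return false;
  if (!Array.isArray(tags) || !tags.every((t) => typeof t === 'string')) {
    throw new TypeError('allowedTags must be an array of tag names, false, or omitted');
  }
  return tags;
}

// Would `tag` survive sanitization under the resolved allow-list?
function tagAllowed(tag, allowedTags) {
  return allowedTags === false || allowedTags.includes(tag.toLowerCase());
}
```

The check a practitioner wants when upgrading is the second case below: with the fix, `allowedTags: []` must yield an allow-list under which even a harmless `<a>` is stripped, and the only way to get the default list back is to omit the option.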
Express - Node.js API with PostgreSQL code issue vulnerability
Express - Node.js API with PostgreSQL is a RESTful API service developed by Jawher Kl, based on Node.js and PostgreSQL. There are code issues and vulnerabilities in versions 2.5 and earlier of Express - Node.js API with PostgreSQL. These vulnerabilities stem from incorrect operations on the...
Denial of Service (DoS)
Servify Express is vulnerable to Denial of Service (DoS). The vulnerability is due to the use of express.json without a request size limit, which allows an attacker to send extremely large JSON request bodies that exhaust memory or resources, leading to degraded performance or application crashes...
Exploit for CVE-2025-1302
Research: jsonpath-plus RCE CVE-2025-1302 Analysis...
Security Bulletin: A vulnerability in express.js affects IBM® Db2® Big SQL on IBM Cloud Pak for Data.
Summary: A vulnerability in express.js affects IBM® Db2® Big SQL 7 on IBM Cloud Pak for Data 4 and 5. Vulnerability Details: CVEID: CVE-2024-43796. DESCRIPTION: Express.js minimalist web framework for node. In express versions before 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirec...
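The practical defence for CVE-2024-43796 is not to sanitize the redirect target but to refuse anything that is not a same-origin path before it reaches res.redirect(). The block below is an added example, not code from Express or from IBM's bulletin; `APP_ORIGIN` and the function names are constructed, and the rule that only same-origin http(s) targets are acceptable is an assumption about the application, not something the advisory prescribes.

```javascript
// Added example (not Express's or IBM's code): allow-list a user-supplied redirect target.
// Assumption: the application only ever redirects within its own origin (constructed value).
const APP_ORIGIN = 'https://app.example.test';

// Returns an absolute same-origin URL for `input`, or null if the request must be refused.
// The WHATWG URL parser does the hard work: '//evil', 'https://evil', 'javascript:' and the
// backslash tricks ('/\\evil') all resolve to a different origin and fail the comparison.
function safeRedirectTarget(input, origin = APP_ORIGIN) {
  if (typeof input !== 'string' || input.length === 0 || input.length > 2048) return null;
  // CR/LF and other control characters could split the Location header or the HTML body.
  if (/[\u0000-\u001f\u007f\s]/.test(input)) return null;
  let url;
  try {
    url = new URL(input, origin);
  } catch {
    return null;
  }
  if (url.origin !== new URL(origin).origin) return null;
  // Redundant with the origin check for http(s) origins, but explicit about the scheme.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  return url.href;
}

// Minimal HTML escaping for the "Redirecting to <a href=...>" style body a framework may
// emit alongside a 3xx. Defence in depth only: the allow-list above is the real control.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Decide what a handler should do with a `?next=` style parameter (constructed usage).
function redirectDecision(nextParam) {
  const target = safeRedirectTarget(nextParam);
  if (target === null) {
    return { status: 400, body: 'Bad redirect target' };
  }
  return {
    status: 302,
    location: target,
    body: `Redirecting to <a href="${escapeHtml(target)}">${escapeHtml(target)}</a>`,
  };
}
```

Note that the path-encoding done by the URL parser (angle brackets become `%3C`/`%3E`) is what keeps markup out of the Location value; the HTML body is escaped separately because the two contexts have different escaping rules.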
Security Bulletin: A vulnerability in Express.js affects IBM® Db2® Big SQL on IBM Cloud Pak for Data.
Summary: A vulnerability in Express.js affects IBM® Db2® Big SQL 7 on IBM Cloud Pak for Data 4 and 5. Vulnerability Details: CVEID: CVE-2024-29041. DESCRIPTION: Express.js minimalist web framework for node. Versions of Express.js prior to 4.19.0 and all pre-release alpha and beta versions of 5.0 are...
CVE-2025-66452 LibreChat's lack of JSON parsing error handling can lead to XSS
LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json includes user input in the error message, which gets reflected in responses. User input including HTML/JavaScript can be exposed in error...
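The two express.json issues above (the Servify Express DoS entry, where no body size limit is set, and CVE-2025-66452, where the raw SyntaxError message is reflected) share one fix site: the code that collects and parses the body. The block below is an added example, not LibreChat's, Servify's or Express's code; it models the request as a list of chunks instead of a stream so it runs offline, and the limit, the chunk inputs and the error shapes are constructed. The point it demonstrates is that the byte cap must abort while chunks are still arriving, and that the parse error sent to the client must be a fixed string rather than Node's message.

```javascript
// Added example (not from LibreChat, Servify Express or Express): JSON body handling with a
// hard byte cap and an error path that never echoes the body. `chunks` stands in for a
// request's 'data' events; every input in the tests is constructed.

class HttpError extends Error {
  constructor(status, publicMessage) {
    super(publicMessage);
    this.status = status;
    this.expose = true; // message is a fixed string, safe to send to the client
  }
}

// Buffer `chunks` (Buffers or strings), throwing 413 as soon as the running total passes
// `limit` bytes, i.e. before the remaining chunks are ever allocated. A declared
// Content-Length above the limit is rejected up front without reading anything.
function collectBody(chunks, limit, declaredLength) {
  if (declaredLength !== undefined && declaredLength > limit) {
    throw new HttpError(413, 'Payload Too Large');
  }
  const parts = [];
  let received = 0;
  for (const chunk of chunks) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk, 'utf8');
    received += buf.length;
    if (received > limit) throw new HttpError(413, 'Payload Too Large');
    parts.push(buf);
  }
  return Buffer.concat(parts);
}

function parseJsonBody(chunks, { limit = 100 * 1024, declaredLength } = {}) {
  const raw = collectBody(chunks, limit, declaredLength);
  try {
    return JSON.parse(raw.toString('utf8'));
  } catch (err) {
    // Node's SyntaxError message quotes the offending token or input. Replace it.
    throw new HttpError(400, 'Malformed JSON body');
  }
}

// The vulnerable pattern for comparison: a catch-all that forwards err.message verbatim.
function reflectedErrorMessage(chunks) {
  try {
    JSON.parse(Buffer.concat(chunks.map((c) => Buffer.from(c))).toString('utf8'));
    return null;
  } catch (err) {
    return err.message; // contains attacker-controlled text
  }
}

// What the client sees: only HttpError messages are exposed, everything else is generic.
function errorResponse(err) {
  if (err instanceof HttpError && err.expose) {
    return { status: err.status, body: { error: err.message } };
  }
  return { status: 500, body: { error: 'Internal Server Error' } };
}

function handleJsonRequest(chunks, options) {
  try {
    return { status: 200, body: parseJsonBody(chunks, options) };
  } catch (err) {
    return errorResponse(err);
  }
}
```

With express.json the equivalent of `limit` here is the `limit` option (raw-body enforces it during streaming), and the equivalent of `errorResponse` is an error-handling middleware registered after the parser that checks `err.type`/`err.status` and sends a fixed message instead of `err.message`.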
CVE-2024-51999
Express.js minimalist web framework for node. Prior to 5.2.0 and 4.22.0, when using the extended query parser in Express ('query parser': 'extended'), the request.query object inherits all Object prototype properties, but these properties can be overwritten by query string parameter keys that match...
CVE-2024-51999
CVE-2024-51999 is rejected and not a valid vulnerability entry.
xss_test
It is an offensive tool for web application testing. The tool ta...
Node.js Express DevMode Enabled
Node.js Express installed on the remote host is configured to operate in development mode (devMode). While this environment can help speed up development of web applications, it can leak information about the underlying web applications as well as the installation of Express and Node.js. No source dat...
test-reflected-xss-nodejs
It is an offensive tool for web application security testing. Th...
EUVD-2018-0603
Malware in sbrugna...
EUVD-2024-2859
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2017-16119
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is...
Linux Distros Unpatched Vulnerability : CVE-2014-6393
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which...
CVE-2023-23630
Eta is an embedded JS templating engine that works inside Node, Deno, and the browser. XSS attack: anyone using the Express API is impacted. The problem has been resolved; users should upgrade to version 2.0.0. As a workaround, don't pass user-supplied values directly to res.render...
Malicious code in express-exp (npm)
Source: ghsa-malware 3b858cc86e409526d24e16f5f635dea2d7cae8c178366e14a5d2843bed3931ae. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...