Malicious code in midpatch (npm)
The package advertises a logger middleware (keywords fast/logger/stream/json), exports module.exports.pino = middleware, and its file.js wraps a ./pino module ... (source: amazon-inspector)
CVE-2026-30972 Parse Server has a rate limit bypass via batch request endpoint
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint /batch processes sub-requests internally by...
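The advisory above describes a general pattern: a limiter that runs once per HTTP request sees one /batch call, while the batch handler fans out to many sub-requests behind it. The following is an added illustration of that pattern and of one way to close it, written for this page; it is not Parse Server's code, and the in-memory limiter, the route names, the limit of 3 per window and the function names are assumptions chosen for the example.

```javascript
// Fixed-window counter keyed by client IP (assumed stand-in for a real
// rate-limit store). take(ip, n) charges n units and refuses when over limit.
function makeRateLimiter(limit) {
  const counts = new Map();
  return {
    take(ip, n = 1) {
      const used = counts.get(ip) || 0;
      if (used + n > limit) return false;
      counts.set(ip, used + n);
      return true;
    },
  };
}

// The protected route: what an attacker wants to hit many times per window.
function loginHandler(req) {
  return { status: 200, body: `login attempt for ${req.body.username}` };
}

// Vulnerable shape: the limiter runs once per incoming request, then /batch
// dispatches sub-requests internally without consulting it again.
function makeVulnerableApp(limiter) {
  return function handle(req) {
    if (!limiter.take(req.ip)) return { status: 429, body: "Too Many Requests" };
    if (req.path === "/login") return loginHandler(req);
    if (req.path === "/batch") {
      const results = req.body.requests.map(sub => loginHandler({ ...req, body: sub.body }));
      return { status: 200, body: results };
    }
    return { status: 404 };
  };
}

// Hardened shape: /batch charges the limiter one unit per sub-request, up
// front, so a batch either fits in the client's remaining budget or is
// rejected as a whole. Every other route is charged one unit as before.
function makeHardenedApp(limiter) {
  return function handle(req) {
    if (req.path === "/batch") {
      if (!limiter.take(req.ip, req.body.requests.length)) {
        return { status: 429, body: "Too Many Requests" };
      }
      const results = req.body.requests.map(sub => loginHandler({ ...req, body: sub.body }));
      return { status: 200, body: results };
    }
    if (!limiter.take(req.ip)) return { status: 429, body: "Too Many Requests" };
    if (req.path === "/login") return loginHandler(req);
    return { status: 404 };
  };
}

// How many login attempts one batch of `batchSize` sub-requests gets through
// against a fresh limiter of 3 per window. The request is constructed here,
// not captured traffic.
function attemptsThrough(makeApp, batchSize) {
  const app = makeApp(makeRateLimiter(3));
  const batch = {
    ip: "198.51.100.7",
    path: "/batch",
    body: {
      requests: Array.from({ length: batchSize }, (_, i) => (
        { method: "POST", path: "/login", body: { username: `user${i}` } }
      )),
    },
  };
  const res = app(batch);
  return res.status === 200 ? res.body.length : 0;
}

console.log("vulnerable, batch of 50:", attemptsThrough(makeVulnerableApp, 50)); // 50
console.log("hardened,   batch of 50:", attemptsThrough(makeHardenedApp, 50));   // 0
console.log("hardened,   batch of 3: ", attemptsThrough(makeHardenedApp, 3));    // 3
```

Charging up front is the simplest fix; an alternative is to run the limiter per sub-request and return a 429 for the individual entries beyond the budget, which keeps small batches usable when the client is close to its limit. Either way the invariant to check is that a batch of N sub-requests costs the same as N direct requests.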
Remote Code Execution (RCE)
@whyour/qinglong is a timed-task management platform supporting Python3, JavaScript, Shell and TypeScript. Affected versions of this package are vulnerable to Remote Code Execution (RCE) via the application's Express.js middleware, which rewrites /open/ requests to the /api/$1 API interface. A remot...
MAL-2025-49176 Malicious code in epic-okta-express-middleware (npm)
The package epic-okta-express-middleware was found to contain malicious code... (source: amazon-inspector)
MAL-2025-17190 Malicious code in cluep-express-middleware (npm)
The package cluep-express-middleware was found to contain malicious code...
MAL-2025-20080 Malicious code in express-middleware-ip-blocker (npm)
The package express-middleware-ip-blocker was found to contain malicious code...
Malicious code in iifl_express_middleware (npm)
Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be... (source: ghsa-malware)
@cloud-carbon-footprint/client (>=0.0.0 <=0.2.0), @financial-times/ed-tech-auth (>=1.1.0 <=1.7.0) +5 more potentially affected by CVE-2022-3145 via @okta/oidc-middleware (>=0.0.2 <=4.5.1)
@okta/oidc-middleware npm versions 0.0.2, 0.0.0, 1.1.0, 0.0.1, 1.78.0, 0.1.0, 0.3.1; source CVE: CVE-2022-3145; source advisory: OSV:GHSA-58H4-9M7M-J9M4...
Open Redirect
Slashify is an Express middleware that normalises routes by stripping any final slash, redirecting, for example, bookings/latest/ to bookings/latest. However, it does not validate the path it redirects to in any way. In particular, if the path starts with two slashes or two backslashes, ...
GHSA-F4HQ-453J-P95F Open redirect in Slashify
The package is an Express middleware that normalises routes by stripping any final slash, redirecting, for example, bookings/latest/ to bookings/latest. However, it does not validate the path it redirects to in any way. In particular, if the path starts with two slashes or two backslashes, or a...
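The two entries above describe the same defect: the redirect target is whatever is left after the trailing slash is removed, and a leading "//" or "\\" makes that a protocol-relative URL to another host. Below is an added example for this page, not Slashify's code, showing a trailing-slash normaliser both ways; the function names, the placeholder origin and the sample paths are assumptions.

```javascript
// Unsafe: strip the final slash and redirect to whatever remains. For
// "//evil.example/" or "/\evil.example/" the remainder is a protocol-relative
// URL, which the browser resolves against a different host.
function naiveStripSlashTarget(path) {
  if (path.length > 1 && path.endsWith("/")) return path.slice(0, -1);
  return null; // nothing to redirect
}

// Safer: resolve the candidate against a placeholder origin and accept it only
// if the origin is unchanged. The WHATWG parser treats "\" like "/" for http
// URLs, so the backslash variants fail the same check, as does "javascript:".
const PLACEHOLDER_ORIGIN = "http://placeholder.invalid";

function safeStripSlashTarget(path) {
  const candidate = naiveStripSlashTarget(path);
  if (candidate === null) return null;
  let resolved;
  try {
    resolved = new URL(candidate, PLACEHOLDER_ORIGIN);
  } catch (e) {
    return null; // unparseable: do not redirect at all
  }
  if (resolved.origin !== PLACEHOLDER_ORIGIN) return null; // would leave our site
  return resolved.pathname + resolved.search; // same-origin absolute path only
}

// Express-style middleware built on the safe version. Express is not needed to
// run this file; the handler only touches req.path, res.redirect and next.
function trailingSlashMiddleware(req, res, next) {
  const target = safeStripSlashTarget(req.path);
  if (target === null) return next();
  res.redirect(301, target);
}

// Constructed paths, not captured requests.
const samplePaths = ["/bookings/latest/", "//evil.example/", "/\\evil.example/", "\\\\evil.example/"];
for (const p of samplePaths) {
  console.log(JSON.stringify(p), "naive:", naiveStripSlashTarget(p), "safe:", safeStripSlashTarget(p));
}
```

Resolving against a throwaway origin is more robust than pattern-matching on the first two characters, because it delegates the "does this change host?" question to the same parser the browser will use; the cost is that the redirect target is re-serialised, so a path that relied on an unusual encoding may come back normalised.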
Server-side Request Forgery (SSRF)
phantomjs-seo is an Express middleware for prerendering pages with PhantomJS for search-engine crawlers. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF): an attacker can craft a URL that is passed to a PhantomJS instance, allowing...
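The entry above is truncated, but the mechanism it names is a headless browser fetching an attacker-chosen URL from inside the server's network. The following is an added example for this page, not phantomjs-seo's code, of validating a prerender target against a host allow-list before it is handed to the browser; the allow-list contents, the function name and the sample URLs are assumptions.

```javascript
// Hosts the prerender service may fetch: our own site only. Assumed values.
const ALLOWED_HOSTS = new Set(["example.com", "www.example.com"]);

// Returns { ok: true, url } for an acceptable target, otherwise
// { ok: false, reason } with a short reason suitable for logging.
function validatePrerenderUrl(raw) {
  let u;
  try {
    u = new URL(raw); // WHATWG parser; relative or malformed input throws
  } catch (e) {
    return { ok: false, reason: "unparseable" };
  }
  // Only web schemes: file:, ftp: and friends turn the browser into a local
  // file reader or an internal-service client.
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    return { ok: false, reason: "scheme" };
  }
  // "https://www.example.com@evil.example/" parses with userinfo, not host;
  // reject anything carrying credentials rather than reasoning about it.
  if (u.username !== "" || u.password !== "") {
    return { ok: false, reason: "credentials" };
  }
  // Exact hostname allow-list. This rejects cloud metadata addresses,
  // loopback, RFC 1918 space and look-alikes such as www.example.com.evil.example
  // without needing a separate deny-list of private ranges.
  if (!ALLOWED_HOSTS.has(u.hostname)) {
    return { ok: false, reason: "host" };
  }
  // Hand the canonical serialisation on, not the raw string.
  return { ok: true, url: u.href };
}

// Constructed inputs, not captured requests.
const sampleUrls = [
  "https://www.example.com/products?page=2",
  "http://169.254.169.254/latest/meta-data/",
  "file:///etc/passwd",
  "https://www.example.com@evil.example/",
  "https://www.example.com.evil.example/",
];
for (const s of sampleUrls) {
  console.log(s, "->", JSON.stringify(validatePrerenderUrl(s)));
}
```

An allow-list on the hostname is the right shape of control for a prerender service, which only ever needs to render its own site. Two caveats remain: the allowed site must not itself act as an open redirector the browser will follow, so run the headless browser with redirects disabled or re-validate each hop; and the check is on the name, not the address, so it does not by itself defend a deployment where an attacker can influence DNS for an allowed name.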