
371 matches found

Snyk
added 2026/06/11 1:27 p.m. | 3 views

Uncaught Exception

Overview: @grpc/grpc-js is a gRPC Library for Node. Affected versions of this package are vulnerable to Uncaught Exception via the handling of invalid incoming HTTP/2 stream initiation. An attacker can cause the server process to crash by sending a specially crafted malformed request. Remediation...

8.7 CVSS | 5.4 AI score | 0.00052 EPSS
Exploits: 0 | References: 2
OSV
added 2026/06/11 1:27 p.m. | 4 views

GHSA-5375-PQ7M-F5R2 @grpc/grpc-js: A malformed request can cause a server crash

Impact: An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. Patches: The following versions have fixes for this vulnerability: 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4. Workarounds: There is no workaround...

7.5 CVSS | 5.5 AI score | 0.00052 EPSS
Exploits: 0 | References: 8
Positive Technologies
added 2026/06/11 12:00 a.m. | 7 views

PT-2026-48691

Impact: An invalid incoming HTTP/2 stream initiation can cause a server process to crash. This affects all servers created using @grpc/grpc-js. Patches: The following versions have fixes for this vulnerability: 1.9.16, 1.10.12, 1.11.4, 1.12.7, 1.13.5, 1.14.4. Workarounds: There is no workaround...

7.5 CVSS | 5.5 AI score | 0.00052 EPSS
Exploits: 0 | References: 9
EUVD
added 2026/06/10 9:18 p.m. | 7 views

EUVD-2026-36154

JavaScript Cookie is a JavaScript API for handling cookies, client-side. Prior to version 3.0.7, js-cookie's internal assign helper copies properties with for...in + plain assignment. When the source object is produced by JSON.parse, the JSON object's "__proto__" member is an own enumerable property,...

7.5 CVSS | 5.4 AI score | 0.00362 EPSS
Exploits: 0 | References: 3
RedhatCVE
added 2026/06/05 7:33 p.m. | 7 views

CVE-2026-45740

protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.8 and 8.2.0, protobufjs could recurse without a depth limit while expanding nested JSON descriptors through Root.fromJSON and Namespace.addJSON. A crafted JSON descriptor with deeply nested namespace definitions...

7.5 CVSS | 5.4 AI score | 0.00263 EPSS
Exploits: 0 | References: 1
Positive Technologies
added 2026/06/02 12:00 a.m. | 8 views

PT-2026-45967

These are all security issues fixed in the libmozjs-115-0-115.15.0-9.1 package on the GA media of openSUSE Tumbleweed...

7.3 CVSS | 5.8 AI score | 0.00348 EPSS
Exploits: 0 | References: 2
Vulnrichment
added 2026/05/27 2:39 p.m. | 6 views

CVE-2026-42280 Improper Permission Checking in Auth.js SDK

Auth0.js is a client-side JavaScript library for Auth0. From 8.11.0 to 9.32.0, under specific preconditions, the Auth0.js SDK may improperly return user profile information using a valid access token when a specifically crafted invalid ID token is provided. This vulnerability is fixed in 10.0.0...

7.1 CVSS | 5.8 AI score | 0.00211 EPSS
Exploits: 0 | References: 1
vulnersOsv
added 2026/05/18 9:00 p.m. | 4 views

@21epub/matomo-echarts-components (>=0.1.0 <=0.1.21), @abtnode/ux (>=1.16.40 <=1.17.13-beta-20260512-042419-7b556a38) +1359 more potentially affected by unknown CVE via size-sensor (>=1.0.1 <=1.0.3)

size-sensor NPM version =1.0.1, =0.1.0, =1.16.40, =0.1.1, =0.0.1, =0.1.1, =0.1.0, =0.0.2, =0.26.6, =0.1.2, =0.0.3, =0.1.0, =0.0.2-7.1, =1.1.15, =1.1.24 and more Source cves: unknown CVE Source advisory: SNYK:JS-SIZESENSOR-16754846...

5.5 AI score
Exploits: 0
vulnersOsv
added 2026/05/18 9:00 p.m. | 9 views

@aidps/canvas-flow (>=1.0.0 <=1.0.1), @antv/xflow (>=2.0.1 <=2.2.4) +83 more potentially affected by unknown CVE via @antv/x6-plugin-history (>=2.2.3 <=2.2.4)

@antv/x6-plugin-history NPM version =2.2.3, =1.0.0, =2.0.1, =0.0.1, =0.0.2, =1.0.0-beta.46, =0.0.4, =0.7.0, =0.0.3, =2.0.4, =0.0.27, =0.0.34 - @ithinkdt/lowcode =3.0.0-0 and more Source cves: unknown CVE Source advisory: SNYK:JS-ANTVX6PLUGINHISTORY-16754887...

5.5 AI score
Exploits: 0
CNNVD
added 2026/05/17 12:00 a.m. | 7 views

qs code issue vulnerability

QS is a JavaScript library developed by Jordan Harband. Versions of QS from 6.11.1 to 6.15.2 had code vulnerabilities. This vulnerability occurred when calling qs.stringify on an array containing null or undefined, with arrayFormat set to comma and encodeValuesOnly set to true. This resulted in a...

6.3 CVSS | 5.9 AI score | 0.00267 EPSS
Exploits: 0 | References: 1
Circl
added 2026/05/13 2:15 a.m. | 5 views

CVE-2026-45783

creationtimestamp | type | source
---|---|---
2026-05-13 02:15:12+00:00 | published-proof-of-concept | https://github.com/libp2p/js-libp2p/security/advisories/GHSA-32mq-hpph-xfvr
2026-06-11 03:00:44+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mnyacgz5pr2p...

7.5 CVSS | 5.3 AI score | 0.00354 EPSS
Exploits: 0 | References: 2
Debian CVE
added 2026/05/12 7:43 p.m. | 11 views

CVE-2026-42338

ip-address is a library for parsing and manipulating IPv4 and IPv6 addresses in JavaScript. Prior to 10.1.1, Address6.group and Address6.link do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage emitted by the Address6...

6.1 CVSS | 5.4 AI score | 0.00258 EPSS
Exploits: 1
Patchstack
added 2026/05/12 3:01 p.m. | 7 views

NPM: protobuf.js: Process-wide denial of service through unsafe option paths

NPM: protobuf.js: Process-wide denial of service through unsafe option paths vulnerability discovered by ? in WordPress Npm protobufjs versions = 7.5.5...

7.5 CVSS | 5.8 AI score | 0.00284 EPSS
Exploits: 0 | References: 5 | Affected Software: 1
vulnersOsv
added 2026/04/10 8:08 p.m. | 4 views

0xpay-cc-sdk (>=0.0.8 <=0.1.0), 1inch-agent-kit (=1.0.53) +6204 more potentially affected by CVE-2026-40175 via axios (>=1.0.0 <=1.14.0)

axios NPM version =1.0.0, =0.0.8, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.2-beta.0, =8.0.5, =6.1.0, =0.0.1-alpha.3, =0.1.6-alpha.11, =1.0.3-rc.0, =2.1.0 - @1tokenfe/hd-ble-sdk =1.1.15 - @1tokenfe/hd-common-connect-sdk =1.1.15 and more Source cves: CVE-2026-40175 Source advisory: SNYK:JS-AXIOS-159692...

4.8 CVSS | 6.9 AI score | 0.00597 EPSS
Exploits: 5
CNNVD
added 2026/04/01 12:00 a.m. | 5 views

Official Clerk JavaScript SDKs code issue vulnerability

The Official Clerk JavaScript SDKs are an open-source repository for Clerk authentication purposes. These SDKs have code-related vulnerabilities. The vulnerability stems from the clerkFrontendApiProxy function in @clerk/backend, which involves server-side request forgery. This could allow...

7.4 CVSS | 5.8 AI score | 0.00309 EPSS
Exploits: 0 | References: 1
vulnersOsv
added 2026/03/27 6:20 p.m. | 3 views

4coders-commons (>=0.0.1 <=0.0.2), @11ty/eleventy (=0.3.3) +3655 more potentially affected by CVE-2026-33938 via handlebars (>=4.0.0 <=4.7.8)

handlebars NPM version =4.0.0, =0.0.1, =0.1.0, =0.1.0, =0.0.11, =0.0.52, =0.1.0, =0.0.72, =0.1.0, =1.1.1, =0.0.0-3b548b7bf6ff6554f724240da3a11be924237e6c, =1.16.0, =1.16.0, =1.16.0, =2.4.4 and more Source cves: CVE-2026-33938 Source advisory: SNYK:JS-HANDLEBARS-15803082...

8.1 CVSS | 6.1 AI score | 0.00617 EPSS
Exploits: 1
EUVD
added 2026/03/23 6:30 a.m. | 5 views

EUVD-2026-14377

Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature witho...

9.4 CVSS | 5.8 AI score | 0.00217 EPSS
Exploits: 1 | References: 5
NVD
added 2026/03/23 6:16 a.m. | 3 views

CVE-2026-4603

Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations e.g., verify and encryption to collapse to...

5.9 CVSS | 0.001 EPSS
Exploits: 1 | References: 4
vulnersOsv
added 2026/03/18 4:18 p.m. | 6 views

0xkit (=0.0.1), 0xpass (>=0.0.11 <=0.1.26) +7819 more potentially affected by unknown CVE via h3 (>=1.0.1 <=1.15.5)

h3 NPM version =1.0.1, =0.0.11, =0.0.0-canary-3a59770274bcb6f3bebd5d1b93a2c92d1fc4edbd, =0.0.2, =0.1.0, =1.1.0, =0.1.0, =0.1.0, =1.0.21, =2.0.0, =0.1.4, =0.1.0, =1.0.10, =1.0.11 and more Source cves: unknown CVE Source advisory: SNYK:JS-H3-15683856...

5.5 AI score
Exploits: 0
OSV
added 2026/03/18 12:43 p.m. | 4 views

MAL-2026-1687 Malicious code in chain-cli-promised (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8f7e399daf13fda688fc1a6bb911c0bf7582ef52fff3eb5af58fbd8c0934b88a The package chain-cli-promised was found to contain malicious code...

5.8 AI score
Exploits: 0