371 matches found

NVD
added 2026/03/18 4:17 a.m. | 2 views

CVE-2026-31938

jsPDF is a library to generate PDFs in JavaScript. Prior to version 4.2.1, user control of the options argument of the output function allows attackers to inject arbitrary HTML such as scripts into the browser context the created PDF is opened in. The vulnerability can be exploited in the followi...

CVSS 9.6 | EPSS 0.00244
Exploits: 0 | References: 3
vulnersOsv
added 2026/03/12 2:19 p.m. | 7 views

@saasmakers/ui (>=0.1.88 <=1.3.0), @styleframe/app (>=0.0.1 <=0.1.1) +13 more potentially affected by CVE-2026-31860 via unhead (>=2.0.0-alpha.0 <=2.1.10)

unhead NPM version =2.0.0-alpha.0, =0.1.88, =0.0.1, =1.1.0, =2.0.0, =2.0.0, =2.0.0-alpha.0, =2.0.0, =2.0.0, =2.0.0, =1.2.0, =0.0.2, =0.17.0, =2.0.0-alpha.8, =0.1.0-beta.10, =0.1.0-beta.14 Source cves: CVE-2026-31860 Source advisory: SNYK:JS-UNHEAD-15627227...

CVSS 6.1 | AI score 5.4 | EPSS 0.00258
Exploits: 1
RedHat Linux
added 2026/03/09 2:6 a.m. | 2 views

firefox: thunderbird: Integer overflow in the JavaScript: Standard Library component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Integer overflow in the JavaScript: Standard Library component...

CVSS 9.8 | AI score 5.8 | EPSS 0.00524
Exploits: 0 | References: 6
CNNVD
added 2026/03/06 12:0 a.m. | 4 views

Immutable collections for JavaScript security vulnerability

Immutable Collections for JavaScript is an open-source immutable data collection library developed by Immutable.js. There were security vulnerabilities in versions prior to 3.8.3, 4.3.7, and 5.1.5 of Immutable Collections for JavaScript. These vulnerabilities stemmed from prototype pollution issu...

CVSS 9.8 | AI score 7 | EPSS 0.00611
Exploits: 1 | References: 6
ATTACKERKB
added 2026/02/24 1:33 p.m. | 3 views

CVE-2026-2762

Integer overflow in the JavaScript: Standard Library component. This vulnerability affects Firefox 148, Firefox ESR 140.8, Thunderbird 148, and Thunderbird 140.8...

CVSS 9.8 | AI score 5.9 | EPSS 0.00524
Exploits: 0 | References: 6
CNNVD
added 2026/02/10 12:0 a.m. | 4 views

CASL security vulnerability

CASL is a JavaScript library developed by Serhii Stotskyi. Versions 2.4.0 to 6.7.4 of CASL contain security vulnerabilities, which stem from prototype pollution and may lead to logical errors or other attacks...

CVSS 9.8 | AI score 6 | EPSS 0.00624
Exploits: 0 | References: 5
vulnersOsv
added 2026/02/08 3:1 p.m. | 4 views

003-gas-convert (=1.0.1), 0x-hunter-core (>=1.0.0 <=1.0.1-5) +13852 more potentially affected by CVE-2026-2739 via bn.js (>=4.10.3 <=4.12.0)

bn.js NPM version =4.10.3, =1.0.0, =0.0.3, =0.0.3, =0.0.11, =1.1.0, =0.0.2, =0.9.9, =0.10.33 - 108-gas-convert =1.0.0 - 2.typescript-init =1.0.0 - 260f-check-balance =1.0.0 - 260f-gas-convert =1.0.0 and more Source cves: CVE-2026-2739 Source advisory: SNYK:JS-BNJS-15274301...

CVSS 6.9 | AI score 5.4 | EPSS 0.00467
Exploits: 0
Tenable Nessus
added 2026/02/04 12:0 a.m. | 2 views

Fedora 43 : openqa / os-autoinst (2026-abd2d2d60c)

The remote Fedora 43 host has packages installed that are affected by a vulnerability as referenced in the FEDORA-2026-abd2d2d60c advisory. This update provides new upstream snapshots of openQA and os-autoinst, with various fixes and enhancements. Please see upstream changelogs for details. They...

CVSS 7.9 | AI score 6 | EPSS 0.00317
Exploits: 0 | References: 2
Vulnrichment
added 2026/02/02 8:38 p.m. | 2 views

CVE-2026-24040 jsPDF has a Shared State Race Condition in addJS Plugin

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable text to store JavaScript content. When used in a concurrent environment e.g., a Node.js web server, this variable is shared across all requests. ...

CVSS 6.3 | AI score 5.3 | EPSS 0.00253
Exploits: 1 | References: 3
OSV
added 2026/02/02 8:38 p.m. | 4 views

CVE-2026-24040 jsPDF has a Shared State Race Condition in addJS Plugin

jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable text to store JavaScript content. When used in a concurrent environment e.g., a Node.js web server, this variable is shared across all requests. ...

CVSS 6.3 | AI score 5.3 | EPSS 0.00253
Exploits: 1 | References: 5
Snyk
added 2026/01/22 6:2 p.m. | 5 views

Cross-site Scripting (XSS)

Overview @typebot.io/js is a Javascript library to display typebots on your website Affected versions of this package are vulnerable to Cross-site Scripting XSS via the imported bot preview. An attacker can access sensitive credentials belonging to other users by tricking a victim into previewing...

CVSS 7.4 | AI score 5.7 | EPSS 0.003
Exploits: 1 | References: 2
RedhatCVE
added 2026/01/16 9:5 a.m. | 4 views

CVE-2026-22775

A flaw was found in devalue, a JavaScript library used for serializing values. A remote attacker could exploit this vulnerability by providing specially crafted input to the devalue.parse function. This improper input validation, specifically during the ArrayBuffer hydration process, can cause th...

CVSS 7.5 | AI score 6.1 | EPSS 0.00491
Exploits: 0 | References: 6
vulnersOsv
added 2026/01/13 9:51 p.m. | 3 views

168wangxiao-ui (>=0.3.6 <=0.3.70), 3achatlibrary (>=1.0.0 <=1.0.9) +5430 more potentially affected by CVE-2025-15056 via quill (>=0.19.14 <=2.0.3)

quill NPM version =0.19.14, =0.3.6, =1.0.0, =19.0.0, =1.0.1, =1.0.0, =1.0.10, =3.1.1-0, =2.10.1, =0.1.6, =1.0.7, =19.0.0, =19.1.0 and more Source cves: CVE-2025-15056 Source advisory: SNYK:JS-QUILL-14927397...

CVSS 6.1 | AI score 5.4 | EPSS 0.00221
Exploits: 1
Patchstack
added 2025/12/31 12:0 a.m. | 6 views

WordPress NextGEN Gallery plugin <= 3.59.11 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library vulnerability

Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via ThickBox JavaScript Library vulnerability discovered by Webbernaut in WordPress Plugin NextGEN Gallery versions <= 3.59.11...

CVSS 6.4 | AI score 5.9 | EPSS 0.00225
Exploits: 0 | References: 1 | Affected Software: 1
OSV
added 2025/12/23 8:22 a.m. | 1 views

MAL-2025-192844 Malicious code in node-calculator-f483 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 84a5e8d3f7bc17fcc1c20611e0b98235c4015291f1fe1af1f31497d604654663 The package node-calculator-f483 was found to contain malicious code...

AI score 6.8
Exploits: 0
CVE
added 2025/11/20 12:0 a.m. | 21 views

CVE-2025-63700

Clerk-js 5.88.0 contains a security issue where an attacker can bypass the OAuth authentication flow by manipulating the OTP verification request. The publicly documented evidence across sources (Red Hat CVE notes, EUVD, GHSA advisory, and OSV/GHSA mirrors) consistently reference the OTP verifica...

AI score 6.4 | EPSS 0.00095
Exploits: 0
OSV
added 2025/11/13 3:23 a.m. | 2 views

MAL-2025-185505 Malicious code in apollo-nodejs-helmet-loglevel (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 03f8efa0ddd24ff187a77bfbf2653e94f12a622525a7c6ac90cd8bb470c36f55 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits: 0
OSV
added 2025/11/11 12:41 a.m. | 3 views

MAL-2025-70613 Malicious code in sick-yellow-lynx (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bc33917aaa28ae9034322a9f94e68c8b5fa17ba84578b0099d28982c8dcfac63 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.8
Exploits: 0
CVE
added 2025/11/05 12:22 a.m. | 448 views

CVE-2025-12735

Summary: CVE-2025-12735 affects the expr-eval JavaScript expression parser/evaluator. Insufficient input validation lets an attacker pass a crafted context object or leverage MEMBER of the context in evaluate(), enabling arbitrary code execution. This is a client-side JavaScript library vulnerabi...

CVSS 9.8 | AI score 7.9 | EPSS 0.02152
Exploits: 0 | References: 9 | Affected Software: 2
vulnersOsv
added 2025/10/29 10:43 a.m. | 4 views

@aangeles/jefeui (>=1.10.0 <=1.11.6), @adamjoelfraser/auth-drizzle (>=1.0.0 <=1.0.2) +265 more potentially affected by unknown CVE via @auth/core (>=0.0.0-manual.fdbc96ab <=0.41.0)

@auth/core NPM version =0.0.0-manual.fdbc96ab, =1.10.0, =1.0.0, =0.1.0, =0.0.1, =1.0.0, =0.2.0, =0.1.0, =0.1.0, =0.1.0, =1.11.0 and more Source cves: unknown CVE Source advisory: SNYK:JS-AUTHCORE-13744119...

AI score 5.5
Exploits: 0