CVE-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

UBUNTU-CVE-2026-21717

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the...

CVE-2026-21714

CVE-2026-21714 corresponds to a memory leak in the Node.js HTTP/2 server triggered by WINDOW_UPDATE on stream 0, leading to resource exhaustion. The issue affects HTTP/2 users on Node.js 20.x, 22.x, 24.x and 25.x and is addressed in the March 24, 2026 security releases for the affected release li...

CVE-2026-21710

Summary: CVE-2026-21710 is a denial-of-service-type issue in Node.js HTTP request handling triggered by a header named __proto__ accessed via req.headersDistinct, which can cause an uncaught TypeError and crash the process when dest["proto "] resolves to Object.prototype and .push() is called on ...

CVE-2026-21711

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket UDS server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...

CVE-2026-21717

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the...

Cross-site Scripting (XSS)

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Cross-site Scripting XSS via the plugin parameter in plugin/YPTWallet/plugins/YPTWalletStripe/confirmButton.php. An attacker can execute arbitrary JavaScript in a...

Improper Control of Dynamically-Managed Code Resources

Overview @nocobase/plugin-workflow-javascript is an Execute a piece of JavaScript in an isolated Node.js environment. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources via the console object passed into the sandbox context, which exposes...

ALPINE-CVE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...

firefox: thunderbird: Use-after-free in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Use-after-free in the JavaScript Engine component...

firefox: thunderbird: JIT miscompilation in the JavaScript Engine: JIT component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: JIT miscompilation in the JavaScript Engine: JIT component...

firefox: thunderbird: JIT miscompilation in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: JIT miscompilation in the JavaScript Engine component...

firefox: thunderbird: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component

A flaw was found in Firefox and Thunderbird. The Mozilla Foundation's Security Advisory describes the following issue: Incorrect boundary conditions, uninitialized memory in the JavaScript Engine component...

Important: Red Hat Security Advisory: thunderbird security update

An update for thunderbird is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability fr...

CVE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...

Security Bulletin: IBM Content Navigator is affected by CVE-2026-1243, a Cross-Site Scripting (XSS) vulnerability

Summary IBM Content Navigator is affected by CVE-2026-1243, a Cross-Site Scripting XSS vulnerability that allows an authenticated user to embed arbitrary JavaScript into the Web UI. This could alter intended application behaviour and potentially lead to credentials disclosure within a trusted...

RHEL 9 : thunderbird (RHSA-2026:6188)

The remote Redhat Enterprise Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2026:6188 advisory. Mozilla Thunderbird is a standalone mail and newsgroup client. Security Fixes: firefox: thunderbird: Use-after-free in the JavaScript Engine...

AlmaLinux 9 : firefox (ALSA-2026:5930)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:5930 advisory. firefox: thunderbird: Use-after-free in the JavaScript Engine component CVE-2026-4701 firefox: thunderbird: Memory safety bugs fixed in Firefox ESR 115.34...

PT-2026-29049

Name of the Vulnerable Software and Affected Versions CrewAI affected versions not specified Description The software contains a flaw where the JSON loader tool reads files without proper path validation. This allows unauthorized access to files on the server. The issue involves an arbitrary loca...

PT-2026-29127

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.0.0 Description CI4MS is a CodeIgniter 4-based CMS skeleton offering a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application does not properly...