CVE-2026-32885

DDEV is an open-source tool for running local web development environments for PHP and Node.js. Versions prior to 1.25.2 have unsanitized extraction in both Untar and Unzip functions in pkg/archive/archive.go. Downloads and extracts archives from remote sources without path validation. Version...

GHSA-64CJ-QVX5-M4F3 Nhost CLI local configserver allows cross-origin unauthenticated read/write access to local development configuration and secrets

Summary The hidden nhost configserver used by nhost dev exposes the Mimir GraphQL API with dummy authorization directives and permissive CORS. When a developer is running the local development environment, any process that can reach the developer's localhost service, including a web page loaded...

Arbitrary Code Injection

Overview storybook is a frontend workshop for building UI components and pages in isolation. Affected versions of this package are vulnerable to Arbitrary Code Injection via the WebSocket message handlers for creating and saving stories, specifically through unsanitized input in the...

PT-2026-22027

Name of the Vulnerable Software and Affected Versions Storybook versions prior to 7.6.23 Storybook versions prior to 8.6.17 Storybook versions prior to 9.1.19 Storybook versions prior to 10.2.10 Description Storybook’s dev server WebSocket functionality, used for creating and updating stories, is...

OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests

Summary In affected versions, OpenClaw's optional @openclaw/voice-call plugin Telnyx webhook handler could accept unsigned inbound webhook requests when telnyx.publicKey was not configured, allowing unauthenticated callers to forge Telnyx events. This only impacts deployments where the Voice Call...

GHSA-524M-Q5M7-79MM Mailpit is vulnerable to Cross-Site WebSocket Hijacking (CSWSH) allowing unauthenticated access to emails

Summary The Mailpit WebSocket server is configured to accept connections from any origin. This lack of Origin header validation introduces a Cross-Site WebSocket Hijacking CSWSH vulnerability. An attacker can host a malicious website that, when visited by a developer running Mailpit locally,...

EUVD-2022-52739

Malicious code in bioql PyPI...

CVE-2025-59427

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as...

CVE-2025-59427

The Cloudflare Vite plugin enables a full-featured integration between Vite and the Workers runtime. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain secret information such as...

Cloudflare Workers SDK 信息泄露漏洞

Cloudflare Workers SDK is an open source developer toolkit for Cloudflare. An information disclosure vulnerability exists in Cloudflare Workers SDK versions prior to 1.6.0, which stems from a default configuration where the local development server exposes all files, potentially leading to the...

CVE-2025-54782

Nest is a framework for building scalable Node.js server-side applications. In versions 0.2.0 and below, a critical Remote Code Execution RCE vulnerability was discovered in the @nestjs/devtools-integration package. When enabled, the package exposes a local development HTTP server with an API...

PT-2025-30105 · Npm · @Cloudflare/Vite-Plugin

Summary Note: originally posted on H1 but closed. Cross-posting over to here in abundance of caution instead of a public issue. When utilising the Cloudflare Vite plugin in its default configuration, all files are exposed by the local dev server, including files in the root directory that contain...

CVE-2025-48068

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects...

CVE-2025-48068 Information exposure in Next.js dev server due to lack of origin verification

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects...

CVE-2025-48068 Information exposure in Next.js dev server due to lack of origin verification

Next.js is a React framework for building full-stack web applications. In versions starting from 13.0 to before 14.2.30 and 15.0.0 to before 15.2.2, Next.js may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects...

CVE-2025-48068

CVE-2025-48068 affects Next.js up to versions before 14.2.30 and before 15.2.2, where the dev server with App Router enabled could expose limited source code when a user visits a malicious page while npm run dev is active. The issue is restricted to local development environments and has been pat...

PT-2025-23134 · Next.Js · Next.Js

Name of the Vulnerable Software and Affected Versions: Next.js versions 13.0 through 15.2.2 Description: Next.js is a React framework for building full-stack web applications. In affected versions, Next.js may have allowed limited source code exposure when the dev server was running with the App...

CVE-2023-3348

The Wrangler command line tool [email protected] or [email protected] was affected by a directory traversal vulnerability when running a local development server for Pages wrangler pages dev command. This vulnerability enabled an attacker in the same network as the victim to connect to the local...

CVE-2025-30207

Kirby is an open-source content management system. A vulnerability in versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software such as Apache, nginx or...

Kirby vulnerable to path traversal in the router for PHP's built-in server

TL;DR This vulnerability affects all Kirby setups that use PHP's built-in server. Such setups are commonly only used during local development. Sites that use other server software such as Apache, nginx or Caddy are not affected. ---- Introduction For use with PHP's built-in web server, Kirby...