Lucene search
K

354 matches found

Nuclei
Nuclei
added yesterday45 views

Mongoose < 8.8.3 - Remote Code Execution

Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. id: CVE-2024-53900 info: name: Mongoose 8.8.3 - Remote Code Execution author: h4mg severity: critical description: | Mongoose before 8.8.3 can improperly use $where in match, leading to search injection. impact...

9.1CVSS7.1AI score0.03988EPSS
Exploits3References5
OSV
OSV
added 2026/07/07 12:3 a.m.9 views

RLSA-2026:35892 Important: nodejs:22 security, bug fix, and enhancement update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input CVE-2026-42338 undici: undici: Denial of Service due to...

8.1CVSS6.5AI score0.02806EPSS
Exploits1References14
RedHat Linux
RedHat Linux
added 2026/07/06 5:32 a.m.6 views

nodejs: Node.js: Authentication bypass due to TLS hostname handling and unicode dot separator mismatch

A flaw was found in Node.js. This flaw involves a mismatch in how Node.js handles TLS Transport Layer Security hostnames and unicode dot separators during authentication. This mismatch can lead to a wildcard-depth authentication bypass. An attacker could exploit this to bypass intended security...

7.7CVSS5.9AI score0.00674EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/07/06 5:32 a.m.5 views

nodejs: Node.js: Unauthorized file metadata modification

A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system...

3.3CVSS5.9AI score0.00154EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/07/06 5:32 a.m.8 views

nodejs: Node.js: Denial of Service via unlimited HTTP/2 ORIGIN frames

A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service...

7.5CVSS5.9AI score0.00656EPSS
Exploits0References5
RedHat Linux
RedHat Linux
added 2026/07/06 4:52 a.m.6 views

nodejs: Node.js: Silent authority rebinding due to embedded-nul hostnames in TLS handling

A flaw was found in Node.js. This vulnerability in the TLS Transport Layer Security hostname handling allows embedded null characters in hostnames. This can lead to silent authority rebinding, potentially enabling an attacker to redirect network traffic to an unintended server and disclose...

9.8CVSS6.4AI score0.00405EPSS
Exploits0References7
CVE
CVE
added 2026/07/02 7:38 p.m.16 views

CVE-2026-58578

CVE-2026-58578 affects LobeChat prior to version 2.2.10-canary.15. A crafted basePath containing unescaped regex metacharacters in a GitHub repository URL path during skill import is used to inject a catastrophic-backtracking pattern into a dynamically constructed regex in the findSkillMd functio...

7.1CVSS5.8AI score0.00305EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/26 10:44 p.m.9 views

CVE-2026-48619

A flaw was found in Node.js. A malicious server can exploit the HTTP/2 client by sending an unlimited number of ORIGIN frames. This can lead to an Out of Memory error on the client, resulting in a denial of service. Mitigation Mitigation for this issue is either not available or the currently...

7.5CVSS5.9AI score0.00656EPSS
Exploits0References4
NVD
NVD
added 2026/06/26 2:16 a.m.9 views

CVE-2026-48930

A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebinding due to c-string truncation in resolver bindings. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

9.8CVSS0.00405EPSS
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/26 1:56 a.m.11 views

Malicious code in @dervix/ws (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 79b9ab7431b1a6a1250c089e2ea33f54ad92313f587fbd2aabc020c12be55f69 Package @dervix/ws impersonates the popular ws WebSocket library — package.json copies the legitimate ws project's homepage...

6.2AI score
Exploits0References4
EUVD
EUVD
added 2026/06/26 1:14 a.m.8 views

EUVD-2026-39612

A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

4.3CVSS6.3AI score0.00258EPSS
Exploits0References1
CVE
CVE
added 2026/06/26 1:14 a.m.23 views

CVE-2026-48934

CVE-2026-48934 affects Node.js releases 22, 24, and 26. The described flaw enables TLS host identity verification bypass when a session is reused with a different servername, leading to possible unauthorized connections . Advisories (SUSE/OpenSUSE) indicate a patch in the nodejs26-26.3.1-1.1 pack...

4.3CVSS6.6AI score0.00258EPSS
Exploits0References1Affected Software1
AlpineLinux
AlpineLinux
added 2026/06/26 1:14 a.m.6 views

CVE-2026-48615

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERRPROXYTUNNEL error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability...

7.5CVSS6.6AI score0.00437EPSS
Exploits0
Cvelist
Cvelist
added 2026/06/26 1:14 a.m.42 views

CVE-2026-48934

A flaw in Node.js TLS host verification can cause an attacker to bypass certification validation. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

4.3CVSS0.00258EPSS
Exploits0References1
Tenable Product Security Advisories
Tenable Product Security Advisories
added 2026/06/23 8:43 p.m.14 views

[R3] Tenable Identity Exposure Version 3.93.5 Fixes Multiple Vulnerabilities

R3 Tenable Identity Exposure Version 3.93.5 Fixes Multiple Vulnerabilities Aaron Roy Tue, 06/23/2026 - 16:43 Tenable Identity Exposure leverages third-party software to help provide underlying functionality. Several of the third-party components .NET Windows Server Hosting, NodeJS, Erlang OTP, SQ...

9.9CVSS7AI score0.65838EPSS
Exploits17
OSV
OSV
added 2026/06/23 2:50 p.m.6 views

BIT-NODE-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

5.3CVSS5.8AI score0.00445EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/23 1:26 p.m.8 views

CVE-2026-47141

A flaw was found in vm2, an open-source virtual machine VM sandbox for Node.js. Prior to version 3.11.4, NodeVM, a component of vm2, improperly exposed certain process-wide observability builtins, such as diagnosticschannel, asynchooks, and perfhooks. These builtins, which are designed for...

8.6CVSS5.7AI score0.00308EPSS
Exploits0References6
The Hacker News
The Hacker News
added 2026/06/22 1:20 p.m.60 views

New OXLOADER Loader Uses Malicious Google Ads to Deliver CastleStealer

Cybersecurity researchers have disclosed details of a new campaign that delivers CastleStealer by means of a previously unreported malware loader dubbed OXLOADER. According to Elastic Security Labs, the campaign leverages malicious Google Ads as a starting point to distribute the malware. Evidenc...

5.9AI score
Exploits0
OSV
OSV
added 2026/06/22 12:0 p.m.6 views

MAL-2026-6313 Malicious code in @zynkit/jwtbytes (npm)

@zynkit/jwtbytes malicious version 0.5.3, published by [email protected] is a trojanized npm package belonging to the wshu.net credential-stealer campaign. The campaign published trojanized look-alike utility packages across 12+ scopes whose publisher accounts all follow the pattern...

6.5AI score
Exploits0References7
OSV
OSV
added 2026/06/18 7:16 p.m.4 views

ALPINE-CVE-2026-48937

A flaw in Node.js HTTP/2 server API can cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affects two supported release lines: Node.js 22 and Node.js 24...

5.3CVSS6.1AI score0.00445EPSS
Exploits0References1
Rows per page
Query Builder