CVE-2026-33285 LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash

LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to version 10.25.1, LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions e.g., 100000000..1, allowing an attacker to allocate unlimited memory. Combined wit...

DEBIAN-CVE-2026-2229

ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the servermaxwindowbits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. ...

Linux Distros Unpatched Vulnerability : CVE-2025-59465

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggering an unhandled TLSSocket error ECONNRESET. Instead of...

Volto 安全漏洞

Volto is a content management system open-sourced by Plone Foundation. A security vulnerability exists in Volto versions prior to 19.0.0-alpha.4 and 18.24.0, which stems from the fact that an anonymous user's access to a specific URL may cause the NodeJS server to exit...

engine.io: Specially crafted HTTP request can trigger an uncaught exception

A flaw was found in engine.io. The Socket.IO Engine.IO is vulnerable to a denial of service caused by an uncaught exception flaw. By sending a specially-crafted HTTP request, a remote, authenticated attacker can cause the Node.js process to crash, resulting in a denial of service...