Lucene search
K

105 matches found

EUVD
EUVD
added 6 days ago6 views

EUVD-2026-42306

node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to make no progress while repeatedly parsing the same header. This issue is fixed in version 7.5.18...

8.7CVSS5.9AI score0.00358EPSS
Exploits1References3
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/16 7:27 p.m.10 views

Malicious code in nottuff23 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 41d429b099904a530f5dc4dfdd4724b7b6160c1de1330e0b103e8b8e3c737dfd The package is one of approximately 100 identically-named-pattern publishes from an automated bulk-publish operation. The tarball ships...

6.2AI score
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/11 6:13 a.m.15 views

Malicious code in twilio-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1 Package name twilio-sdk impersonates the official Twilio Node SDK twilio but ships an empty API module.exports = . The only real behavior runs in...

5.5AI score
Exploits0References9
RedhatCVE
RedhatCVE
added 2026/06/05 7:14 p.m.10 views

CVE-2026-40931

Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...

8.4CVSS5.5AI score0.0024EPSS
Exploits2References1
vulnersOsv
vulnersOsv
added 2026/05/28 6:24 p.m.6 views

@3onedata/alsatian (>=0.1.8-fix.3 <=0.1.8-fix.5), @agimon-ai/browse-tool (>=0.2.0 <=0.11.1) +310 more potentially affected by CVE-2026-47673 via hono (>=4.0.0 <=4.12.2)

hono NPM version =4.0.0, =0.1.8-fix.3, =0.2.0, =0.2.0, =0.4.0, =0.2.0, =0.1.4, =2026.4.4, =1.0.2, =0.0.1, =1.7.2, =1.7.1, =0.2.1, =0.6.1, =0.5.2, =0.5.4 - @babylen/legion =0.1.7 and more Source cves: CVE-2026-47673 Source advisory: SNYK:JS-HONO-17055751...

6.5CVSS5.7AI score0.00199EPSS
Exploits0
CVE
CVE
added 2026/05/12 8:28 p.m.29 views

CVE-2026-44232

The CVE-2026-44232 entry concerns the Node.js library dssrf . The vulnerability, described across the CVE and related records, is that prior to version 1.3.0 every IPv6 category bypasses the is_url_safe check, enabling potential SSRF bypasses. The issue affects the dssrf functionality that guards...

8.7CVSS5.2AI score0.00349EPSS
Exploits0References1
NVD
NVD
added 2026/04/21 10:16 p.m.4 views

CVE-2026-40931

Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...

8.4CVSS0.0024EPSS
Exploits2References1
OSV
OSV
added 2026/04/21 9:16 p.m.5 views

DEBIAN-CVE-2026-40895

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...

7.5CVSS5.4AI score0.00486EPSS
Exploits0References1
UbuntuCve
UbuntuCve
added 2026/04/21 9:16 p.m.6 views

CVE-2026-40895

follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...

7.5CVSS5.8AI score0.00486EPSS
Exploits0References4
EUVD
EUVD
added 2026/02/04 7:35 p.m.8 views

EUVD-2026-5368

Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...

8.4CVSS5.6AI score0.00334EPSS
Exploits1References3
Cvelist
Cvelist
added 2026/02/04 7:35 p.m.30 views

CVE-2026-24884 Compressing Vulnerable to Arbitrary File Write via Symlink Extraction

Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...

8.4CVSS0.00334EPSS
Exploits1References3
OSV
OSV
added 2025/09/16 6:16 a.m.5 views

UBUNTU-CVE-2025-59437

The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection...

3.2CVSS5.8AI score0.00116EPSS
Exploits0References2
OSV
OSV
added 2025/08/14 6:52 p.m.7 views

MAL-2025-14277 Malicious code in alchemy-s89r2-1zvdy-lucid-project (npm)

The package alchemy-s89r2-1zvdy-lucid-project was found to contain malicious code...

7.2AI score
Exploits0
OSV
OSV
added 2025/08/14 6:52 p.m.3 views

MAL-2025-22026 Malicious code in gtejmhrvkukqonps (npm)

The package gtejmhrvkukqonps was found to contain malicious code...

7.2AI score
Exploits0
OSV
OSV
added 2025/08/14 6:52 p.m.3 views

MAL-2025-19224 Malicious code in ednexio (npm)

The package ednexio was found to contain malicious code...

7.2AI score
Exploits0
OSV
OSV
added 2025/08/14 6:52 p.m.3 views

MAL-2025-15724 Malicious code in birch-c0vrp-j3rv5-quicksilver-project (npm)

The package birch-c0vrp-j3rv5-quicksilver-project was found to contain malicious code...

7.2AI score
Exploits0
OSV
OSV
added 2025/08/14 6:52 p.m.2 views

MAL-2025-25451 Malicious code in littletea (npm)

The package littletea was found to contain malicious code...

7.2AI score
Exploits0
OSV
OSV
added 2025/08/14 6:52 p.m.2 views

MAL-2025-25931 Malicious code in maquinita (npm)

The package maquinita was found to contain malicious code...

7.2AI score
Exploits0
OSV
OSV
added 2025/08/14 6:52 p.m.3 views

MAL-2025-10623 Malicious code in @zalastax/nolb-abz (npm)

The package @zalastax/nolb-abz was found to contain malicious code...

7.2AI score
Exploits0
OSV
OSV
added 2025/08/14 6:52 p.m.5 views

MAL-2025-11422 Malicious code in @zalastax/nolb-f7 (npm)

The package @zalastax/nolb-f7 was found to contain malicious code...

7.2AI score
Exploits0
Rows per page
Query Builder