105 matches found
EUVD-2026-42306
node-tar is a tar archive manipulation library for Node.js. Prior to 7.5.18, tar.replace accepts a checksum-valid tar header with a negative base-256 encoded entry size, causing the archive scanner to make no progress while repeatedly parsing the same header. This issue is fixed in version 7.5.18...
Malicious code in nottuff23 (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 41d429b099904a530f5dc4dfdd4724b7b6160c1de1330e0b103e8b8e3c737dfd The package is one of approximately 100 identically-named-pattern publishes from an automated bulk-publish operation. The tarball ships...
Malicious code in twilio-sdk (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 737fede3d5b2007849cab0503cec191ce127c33c0b28f3b3285f347a064966e1 Package name twilio-sdk impersonates the official Twilio Node SDK twilio but ships an empty API module.exports = . The only real behavior runs in...
CVE-2026-40931
Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...
@3onedata/alsatian (>=0.1.8-fix.3 <=0.1.8-fix.5), @agimon-ai/browse-tool (>=0.2.0 <=0.11.1) +310 more potentially affected by CVE-2026-47673 via hono (>=4.0.0 <=4.12.2)
hono NPM version =4.0.0, =0.1.8-fix.3, =0.2.0, =0.2.0, =0.4.0, =0.2.0, =0.1.4, =2026.4.4, =1.0.2, =0.0.1, =1.7.2, =1.7.1, =0.2.1, =0.6.1, =0.5.2, =0.5.4 - @babylen/legion =0.1.7 and more Source cves: CVE-2026-47673 Source advisory: SNYK:JS-HONO-17055751...
CVE-2026-44232
The CVE-2026-44232 entry concerns the Node.js library dssrf . The vulnerability, described across the CVE and related records, is that prior to version 1.3.0 every IPv6 category bypasses the is_url_safe check, enabling potential SSRF bypasses. The issue affects the dssrf functionality that guards...
CVE-2026-40931
Compressing is a compressing and uncompressing lib for node. Prior to 2.1.1 and 1.10.5, the patch for CVE-2026-24884 relies on a purely logical string validation within the isPathWithinParent utility. This check verifies if a resolved path string starts with the destination directory string but...
DEBIAN-CVE-2026-40895
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...
CVE-2026-40895
follow-redirects is an open source, drop-in replacement for Node's http and https modules that automatically follows redirects. Prior to 1.16.0, when an HTTP request follows a cross-domain redirect 301/302/307/308, follow-redirects only strips authorization, proxy-authorization, and cookie header...
EUVD-2026-5368
Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...
CVE-2026-24884 Compressing Vulnerable to Arbitrary File Write via Symlink Extraction
Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can caus...
UBUNTU-CVE-2025-59437
The ip aka node-ip package through 2.0.1 in NPM might allow SSRF because the IP address value 0 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415. NOTE: in current versions of several applications, connection...
MAL-2025-14277 Malicious code in alchemy-s89r2-1zvdy-lucid-project (npm)
The package alchemy-s89r2-1zvdy-lucid-project was found to contain malicious code...
MAL-2025-22026 Malicious code in gtejmhrvkukqonps (npm)
The package gtejmhrvkukqonps was found to contain malicious code...
MAL-2025-19224 Malicious code in ednexio (npm)
The package ednexio was found to contain malicious code...
MAL-2025-15724 Malicious code in birch-c0vrp-j3rv5-quicksilver-project (npm)
The package birch-c0vrp-j3rv5-quicksilver-project was found to contain malicious code...
MAL-2025-25451 Malicious code in littletea (npm)
The package littletea was found to contain malicious code...
MAL-2025-25931 Malicious code in maquinita (npm)
The package maquinita was found to contain malicious code...
MAL-2025-10623 Malicious code in @zalastax/nolb-abz (npm)
The package @zalastax/nolb-abz was found to contain malicious code...
MAL-2025-11422 Malicious code in @zalastax/nolb-f7 (npm)
The package @zalastax/nolb-f7 was found to contain malicious code...