Lucene search
K

91 matches found

Cvelist
Cvelist
added 2026/06/24 12:17 a.m.33 views

CVE-2026-54639 Style Dictionary - Prototype Pollution in convertTokenData utility function

Style Dictionary, a build system for creating cross-platform styles, has a prototype pollution vulnerability starting in version 4.3.0 and prior to version 5.4.4. Impact users have: direct usage of convertTokenDatatokens, output: 'object' ;; indirect usage, via using Expand API; and/or indirect...

8.8CVSS0.00132EPSS
Exploits0References4
IBM Security Bulletins
IBM Security Bulletins
added 2026/06/11 4:10 p.m.6 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to Incorrect Authorization and Middleware Bypass due to Node.js module @hono/node-server ( CVE-2026-29087 & CVE-2026-39406 )

Summary IBM App Connect Enterprise runtime is vulnerable to Incorrect Authorization and Middleware Bypass due to Node.js module @hono/node-server. Vulnerability Details CVEID:CVE-2026-29087 DESCRIPTION: @hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, wh...

7.5CVSS5.3AI score0.00376EPSS
Exploits0Affected Software1
RedhatCVE
RedhatCVE
added 2026/06/05 7:25 p.m.10 views

CVE-2026-39406

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...

5.3CVSS5.4AI score0.00376EPSS
Exploits0References1
IBM Security Bulletins
IBM Security Bulletins
added 2026/05/19 5:43 a.m.11 views

Security Bulletin: Multiple vulnerabilities in IBM watsonx Orchestrate Developer Edition

Summary Multiple vulnerabilities were addressed in IBM watsonx Orchestrate Developer Edition version 2.10.0 Vulnerability Details CVEID:CVE-2025-69873 DESCRIPTION: ajv Another JSON Schema Validator before 8.18.0 is vulnerable to Regular Expression Denial of Service ReDoS when the $data option is...

9.8CVSS7.2AI score0.025EPSS
Exploits4Affected Software1
OSV
OSV
added 2026/05/13 5:1 p.m.1 views

CVE-2026-44578 Next.js: Server-side request forgery in applications using WebSocket upgrades

Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the serve...

8.6CVSS6AI score0.38811EPSS
Exploits9References8
CNNVD
CNNVD
added 2026/05/13 12:0 a.m.17 views

Next.js 代码问题漏洞

Next.js is a React framework open source by Vercel. Versions of Next.js from 13.4.13 to 15.5.16, as well as versions before 16.2.5, have code vulnerabilities. These vulnerabilities stem from the use of the built-in Node.js server for hosting. When a custom WebSocket upgrade request is made, it ma...

8.6CVSS5.9AI score0.38811EPSS
Exploits9References1
GithubExploit
GithubExploit
added 2026/04/27 5:0 p.m.105 views

reflected-xss-demo

Reflected XSS Demo Small intentionally vulnerable loca...

5.2AI score
Exploits0
NVD
NVD
added 2026/04/08 3:16 p.m.10 views

CVE-2026-39406

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...

5.3CVSS0.00376EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/04/08 2:34 p.m.4 views

CVE-2026-39406 @hono/node-server has a middleware bypass via repeated slashes in serveStatic

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...

5.3CVSS5.9AI score0.00376EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/04/08 2:34 p.m.5 views

CVE-2026-39406

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...

5.3CVSS5.9AI score0.00376EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/04/08 2:34 p.m.22 views

CVE-2026-39406 @hono/node-server has a middleware bypass via repeated slashes in serveStatic

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes // in the request path. When route-based middleware e.g., /admin/ is used for authorization, the...

5.3CVSS0.00376EPSS
Exploits0References1
Snyk
Snyk
added 2026/04/08 12:16 a.m.4 views

Directory Traversal

Overview @hono/node-server is a Node.js Adapter for Hono Affected versions of this package are vulnerable to Directory Traversal due to inconsistent handling of repeated slashes in the serveStatic process. An attacker can access sensitive static files that are intended to be protected by bypassin...

6.9CVSS6.3AI score0.00376EPSS
Exploits0References2
vulnersOsv
vulnersOsv
added 2026/04/08 12:16 a.m.6 views

@activepieces/piece-ai (>=0.3.1 <=0.3.4), @aikotools/repo-maintenance (>=1.0.2 <=1.7.0) +253 more potentially affected by CVE-2026-39406 via @hono/node-server (>=1.0.2 <=1.19.12)

@hono/node-server NPM version =1.0.2, =0.3.1, =1.0.2, =1.0.25-beta.0, =0.0.1, =0.36.0, =0.0.1, =0.0.1-experimental.1, =0.0.3, =1.0.1, =1.3.2, =0.2.305, =0.21.2-4.1, =0.0.0-beta-20241019152753, =0.13.0 and more Source cves: CVE-2026-39406 Source advisory: SNYK:JS-HONONODESERVER-15928840...

5.3CVSS5.4AI score0.00376EPSS
Exploits0
EUVD
EUVD
added 2026/04/08 12:16 a.m.5 views

EUVD-2026-20491

@hono/node-server: Middleware bypass via repeated slashes in serveStatic...

5.3CVSS5.9AI score0.00376EPSS
Exploits0References3
vulnersOsv
vulnersOsv
added 2026/04/08 12:16 a.m.7 views

@activepieces/piece-ai (>=0.3.1 <=0.3.4), @aikotools/repo-maintenance (>=1.0.2 <=1.7.0) +260 more potentially affected by CVE-2026-39406 via @hono/node-server (>=0.2.4 <=1.19.12)

@hono/node-server NPM version =0.2.4, =0.3.1, =1.0.2, =1.0.25-beta.0, =0.0.1, =0.29.3, =0.36.0, =0.0.1, =0.0.1-experimental.1, =0.0.3, =1.0.1, =1.3.2, =0.2.305, =1.0.0 - @bojanrajkovic/mcp-paprika =1.1.0 and more Source cves: CVE-2026-39406 Source advisory: OSV:GHSA-92PP-H63X-V22M...

5.3CVSS5.4AI score0.00376EPSS
Exploits0
NVD
NVD
added 2026/03/13 7:54 p.m.13 views

CVE-2026-31949

LibreChat is a ChatGPT clone with additional features. Prior to 0.8.3-rc1, a Denial of Service DoS vulnerability exists in the DELETE /api/convos endpoint that allows an authenticated attacker to crash the Node.js server process by sending malformed requests. The DELETE /api/convos route handler...

6.5CVSS0.00377EPSS
Exploits1References1
CVE
CVE
added 2026/03/12 12:2 a.m.18 views

CVE-2026-3966

CVE-2026-3966 affects the 648540858 wvp-GB28181-pro package up to version 2.7.4-20260107. The issue lies in the getDownloadFilePath function of ABLMediaNodeServerService.java under the IP Address Handler; manipulating the MediaServer.streamIp argument triggers server-side request forgery (SSRF). ...

6.5CVSS5.4AI score0.00206EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/03/07 7:31 p.m.4 views

CVE-2026-29087

@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections e.g. protecting /admin/, inconsistent URL decoding can allow protected static resources to be accessed...

7.5CVSS5.7AI score0.00327EPSS
Exploits0References1
NVD
NVD
added 2026/03/06 6:16 p.m.9 views

CVE-2026-29087

@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections e.g. protecting /admin/, inconsistent URL decoding can allow protected static resources to be accessed...

7.5CVSS0.00327EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/03/06 5:3 p.m.10 views

CVE-2026-29087

@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections e.g. protecting /admin/, inconsistent URL decoding can allow protected static resources to be accessed...

7.5CVSS5.7AI score0.00327EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder