Lucene search
K

14 matches found

OSV
OSV
added 2026/06/26 2:16 a.m.3 views

ALPINE-CVE-2026-48615

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERRPROXYTUNNEL error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability...

7.5CVSS6.8AI score0.00437EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/26 1:14 a.m.8 views

EUVD-2026-39611

A flaw in Node.js Permission API can cause a local server to be started via a Unix domain socket, even without the --allow-net permission. This vulnerability affects one supported release line: Node.js 26...

3.3CVSS6.4AI score0.00154EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/06/26 1:14 a.m.6 views

CVE-2026-48615

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERRPROXYTUNNEL error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability...

7.5CVSS6.6AI score0.00437EPSS
Exploits0
Debian CVE
Debian CVE
added 2026/06/26 1:14 a.m.8 views

CVE-2026-48936

A flaw in Node.js Permission API can cause a local server to be started via a Unix domain socket, even without the --allow-net permission. This vulnerability affects one supported release line: Node.js 26...

3.3CVSS6.4AI score0.00154EPSS
Exploits0
Patchstack
Patchstack
added 2026/05/05 4:44 p.m.8 views

NPM: VM2 Has a WASM Sandbox Escape (Node 25 only)

NPM: VM2 Has a WASM Sandbox Escape Node 25 only vulnerability discovered by ? in WordPress Npm vm2 versions 3.10.4...

9.8CVSS6AI score0.00921EPSS
Exploits1References4Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/05 4:44 p.m.9 views

VM2 Has a WASM Sandbox Escape

Summary Full sandbox escape with arbitrary code execution. Attacker code inside VM.run obtains host process object and runs host commands with zero host cooperation. Details Confirmed on: vm2 3.10.4, Node.js v25.6.1 x64 Linux Trigger: Attacker-controlled code passed to VM.run Requires: Node.js...

9.8CVSS6.2AI score0.00921EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2026/05/05 4:44 p.m.6 views

GHSA-FFH4-J6H5-PG66 VM2 Has a WASM Sandbox Escape

Summary Full sandbox escape with arbitrary code execution. Attacker code inside VM.run obtains host process object and runs host commands with zero host cooperation. Details Confirmed on: vm2 3.10.4, Node.js v25.6.1 x64 Linux Trigger: Attacker-controlled code passed to VM.run Requires: Node.js...

9.8CVSS6.2AI score0.00921EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2026/05/05 4:33 p.m.10 views

VM2 Has a Sandbox Escape Issue via SuppressedError

In vm2 v3.10.4 on Node.js v24.13.0, SuppressedError allows attackers to escape the sandbox and run arbitrary code. PoC js const VM = require"vm2"; const vm = new VM; vm.run const ds = new DisposableStack; ds.defer = throw null; ; ds.defer = const e = Error; e.name = Symbol; e.stack; ; try...

10CVSS5.9AI score0.0071EPSS
Exploits1References9Affected Software1
Cvelist
Cvelist
added 2026/05/04 4:37 p.m.34 views

CVE-2026-26956 vm2: WASM Sandbox Escape (Node 25 only)

vm2 is an open source vm/sandbox for Node.js. In version 3.10.4, vm2 is vulnerable to full sandbox escape with arbitrary code execution. Attacker code inside VM.run obtains host process object and runs host commands with zero host cooperation. This issue has been patched in version 3.10.5...

9.8CVSS0.00921EPSS
Exploits1References2
GithubExploit
GithubExploit
added 2025/12/04 3:13 a.m.147 views

Exploit for CVE-2025-55182

RSC Report Lab – CVE-2025-55182 React 19.2.0 Учебный стенд,...

10CVSS7.1AI score0.99562EPSS
Exploits372
EUVD
EUVD
added 2025/10/03 8:7 p.m.3 views

EUVD-2025-27706

Malicious code in bioql PyPI...

6.5CVSS6.8AI score0.00466EPSS
Exploits1References1
Microsoft CVE
Microsoft CVE
added 2025/09/04 3:12 a.m.8 views

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

...

2.9CVSS6.6AI score0.00458EPSS
Exploits0
OSV
OSV
added 2024/07/10 2:15 a.m.5 views

UBUNTU-CVE-2024-22018

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve...

2.9CVSS6.6AI score0.00458EPSS
Exploits0References7
Microsoft CVE
Microsoft CVE
added 2024/06/30 2:0 p.m.3 views

The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals namely Buffer.prototype.utf8Write the application can modify the result of path.resolve() which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued the permission model is an experimental feature of Node.js.

...

9.8CVSS7AI score0.01262EPSS
Exploits0
Rows per page
Query Builder