CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

76 matches found

CVE-2026-48615

A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERRPROXYTUNNEL error messages. When proxy credentials are embedded in the proxy URL, they may be exposed through error handling paths and captured by logs, diagnostics, or other error consumers. This vulnerability...

7.5CVSS

Exploits0References1

CVE•added yesterday•22 views

CVE-2026-48619

CVE-2026-48619 describes a flaw in Node.js HTTP/2 client where a server can send an unlimited number of ORIGIN frames, potentially causing an Out of Memory (OOM) on the client. Affected releases are Node.js 22, 24, and 26. The June 2026 security releases provide fixes in updated versions: 22.23.0...

7.5CVSS6.7AI score

Exploits0References1Affected Software1

Debian CVE•added yesterday•6 views

CVE-2026-48933

A flaw in Node.js WebCrypto implementation can crash the process if the input of subtle.encrypt is a multiple of 2GiB. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

7.5CVSS6.6AI score

Exploits0

NVD•added 5 days ago•5 views

CVE-2026-48931

A flaw in Node.js HTTP Agent can cause a client to accept as valid a response that is send before the client has sent the request. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.7CVSS0.00276EPSS

Exploits0References3

Debian CVE•added 5 days ago•10 views

CVE-2026-48931

3.7CVSS5.8AI score0.00276EPSS

Exploits0

AlpineLinux•added 2026/06/18 4:21 p.m.•5 views

CVE-2026-48617

A flaw in Node.js Permission Model enforcement allows Bypass via process.report.writeReport Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: Node.js 22,...

1.8CVSS5.8AI score0.00201EPSS

Exploits0

AstraLinux•added 2026/05/20 5:53 a.m.•4 views

Astra Linux - уязвимость в http-parser

Node.js versions before 10.23.1, 12.20.1, 14.15.4, and 15.5.1 allow for two copies of a header field in an HTTP request for example, two Transfer-Encoding header fields. In this case, Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling...

6.5CVSS6.9AI score0.16296EPSS

Exploits2References2

OSV•added 2026/04/22 8:25 p.m.•8 views

GHSA-C3H8-G69V-PJRG i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header

Summary Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the...

8.6CVSS5.9AI score0.00327EPSS

Exploits0References4

RedHat Linux•added 2026/04/13 2:27 a.m.•2 views

nodejs: Nodejs denial of service

A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when pskCallback or ALPNCallback are in use. Synchronous exceptions thrown during these callbacks bypass standard TLS error handling paths tlsClientError and error, causing either immediate...

7.5CVSS7AI score0.01056EPSS

Exploits0References5

Positive Technologies•added 2026/04/10 12:0 a.m.•3 views

PT-2026-32033

GeoNode versions 4.0 before 4.4.5 and 5.0 before 5.0.2 contain a server-side request forgery vulnerability that allows authenticated users with document upload permissions to trigger arbitrary outbound HTTP requests by providing a malicious URL via the doc url parameter during document upload...

5.3CVSS5.9AI score0.00222EPSS

Exploits0References4

OSV•added 2026/04/06 7:58 a.m.•1 views

BIT-NODE-MIN-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

5.9CVSS6.5AI score0.00385EPSS

Exploits0References2

Vulnrichment•added 2026/03/30 7:7 p.m.•2 views

CVE-2026-21714

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...

5.3CVSS6.4AI score0.00454EPSS

Exploits0References1

AlpineLinux•added 2026/03/30 7:7 p.m.•2 views

CVE-2026-21713

5.9CVSS6.5AI score0.00385EPSS

Exploits0

CNNVD•added 2026/03/30 12:0 a.m.•8 views

Node.js 安全漏洞

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Versions 20.x, 22.x, 24.x, and 25.x of Node.js have security vulnerabilities. These vulnerabilities stem from HMAC verification using a comparison that does not maintain constant time, whi...

5.9CVSS6.8AI score0.00385EPSS

Exploits0References1

vulnersOsv•added 2026/02/25 10:33 p.m.•8 views

@chocolatey-software/astro (>=2.0.0 <=2.5.0), choco-astro (>=0.3.1 <=0.4.0) potentially affected by CVE-2026-27729 via @astrojs/node (>=9.2.2 <=9.5.2)

@astrojs/node NPM version =9.2.2, =2.0.0, =0.3.1, =0.4.0 Source cves: CVE-2026-27729 Source advisory: OSV:GHSA-JM64-8M5Q-4QH8...

7.5CVSS5.8AI score0.00415EPSS

Exploits1

CVE•added 2026/01/20 8:41 p.m.•56 views

CVE-2025-55130

The CVE-2025-55130 entry describes a path traversal bypass in Node.js permission model: crafted relative symlink paths can cause reads/writes outside the allowed directory when --allow-fs-read/--allow-fs-write checks pass, enabling read/write of sensitive files and potential system compromise. Af...

9.1CVSS5.8AI score0.00489EPSS

Exploits2References1Affected Software1

Vulnrichment•added 2026/01/20 8:41 p.m.•7 views

CVE-2025-55130

A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory can escape the allowed path and read sensitive files...

7.1CVSS5.8AI score0.00489EPSS

Exploits2References1

Cvelist•added 2026/01/20 8:41 p.m.•29 views

CVE-2025-55132

A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via futimes even when the process has only read permissions. Unlike utimes, futimes does not apply the expected write-permission checks, which means file metadata can be modified in read-only...

2.8CVSS0.00227EPSS

Exploits0References1

CNNVD•added 2026/01/20 12:0 a.m.•6 views

Node.js security vulnerabilities

Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Versions 20, 22, 24, and 25 of Node.js contain security vulnerabilities. These vulnerabilities stem from flaws in the permission model, which could allow attackers to bypass file system...

9.1CVSS7.1AI score0.00489EPSS

Exploits2References2

IBM Security Bulletins•added 2025/11/11 4:2 p.m.•4 views

Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in node

Summary Security Bulletin: IBM watsonx Orchestrate Developer Edition affected by vulnerability in node Vulnerability Details CVEID:CVE-2021-43803 DESCRIPTION: Next.js is a React framework. In versions of Next.js prior to 12.0.5 or 11.1.3, invalid or malformed URLs could lead to a server crash. In...

7.5CVSS7.3AI score0.44824EPSS

Exploits0Affected Software1

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by