CVE-2026-29087
The connected IBM bulletin confirms CVE-2026-29087 affects the Node.js module hono used by IBM App Connect Enterprise Certified Container. The vulnerability arises from inconsistent URL decoding when static file serving and route-middleware protections are used together, allowing access to protec...
CVE-2026-29087 @hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/), inconsistent URL decoding can allow protected static resources to be accessed...
@aikotools/repo-maintenance (>=1.0.2 <=1.3.4), @alstar/studio (=0.0.0-beta.20) +87 more potentially affected by CVE-2026-29087 via @hono/node-server (>=1.0.2 <=1.19.1)
@hono/node-server NPM version =1.0.2, =1.0.2, =1.0.25-beta.0, =0.0.1, =0.0.1-experimental.1, =0.0.3, =1.3.2, =0.2.305, =0.21.2-4.1, =0.0.0-beta-20241019152753, =0.0.0-beta-20241008010229, =4.0.0-alpha.1, =1.3.3, =0.14.2, =0.14.4 and more Source cves: CVE-2026-29087 Source advisory:...
@aikotools/repo-maintenance (>=1.0.2 <=1.3.4), @alstar/studio (=0.0.0-beta.20) +94 more potentially affected by CVE-2026-29087 via @hono/node-server (>=0.2.4 <=1.19.1)
@hono/node-server NPM version =0.2.4, =1.0.2, =1.0.25-beta.0, =0.0.1, =0.29.3, =0.0.1-experimental.1, =0.0.3, =1.3.2, =0.2.305, =0.21.2-4.1, =0.0.0-beta-20241019152753, =0.0.0-beta-20241008010229, =4.0.0-alpha.1, =1.3.3, =2.8.13 and more Source cves: CVE-2026-29087 Source advisory:...
Improper Handling of URL Encoding (Hex Encoding)
Overview @hono/node-server is a Node.js Adapter for Hono. Affected versions of this package are vulnerable to Improper Handling of URL Encoding (Hex Encoding) via inconsistent URL decoding between the serveStatic process and route-based middleware protections. An attacker can access protected static...
GHSA-WC8C-QW6V-H7F6 @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
Summary When using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be...
CVE-2026-24040 jsPDF has a Shared State Race Condition in addJS Plugin
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable text to store JavaScript content. When used in a concurrent environment e.g., a Node.js web server, this variable is shared across all requests. ...
EUVD-2025-198723
Malicious code in @actbase/node-server npm...
MAL-2025-190707 Malicious code in @actbase/node-server (npm)
Source: amazon-inspector a0017bb31e0f352229b8a7afc7305701c64b60033a69ccfec390385c507c6d85 The package @actbase/node-server was found to contain malicious code. Source: ghsa-malware...
Denial-of-service (DoS)
@plone/volto is vulnerable to a denial-of-service (DoS). The vulnerability is due to improper handling of a specific URL request, which allows an attacker to crash the NodeJS server component by simply visiting that crafted URL...
EUVD-2018-0282
Malware in sbrugna...
EUVD-2024-25156
Malicious code in bioql PyPI...
Volto Code Issue Vulnerability
Volto is a content management system open-sourced by the Plone Foundation. A code issue vulnerability exists in Volto versions 16.34.0 and earlier, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, which stems from the fact that accessing a specific URL by...
PT-2025-40309
Name of the Vulnerable Software and Affected Versions: Volto versions 16.34.0 through 16.34.1; Volto versions 17.0.0 through 17.22.1; Volto versions 18.0.0 through 18.27.1; Volto versions 19.0.0-alpha.1 through 19.0.0-alpha.5. Description: An anonymous user can cause the NodeJS server part of Volto to...
Exploit for CVE-2025-27210
This is a PoC exploit for CVE-2025-27210, a vulnerability in a N...
CVE-2025-58047 Volto affected by possible DoS by invoking specific URL by anonymous user
Volto is a React based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0, an anonymous user could cause the NodeJS server part of Volto to quit with an error when...
Linux Distros Unpatched Vulnerability : CVE-2023-32695
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - socket.io parser is a socket.io encoder and decoder written in JavaScript complying with version 5 of socket.io-protocol. A specially crafted Socket.IO packet c...
MAL-2025-32577 Malicious code in rvi-http-node-server (npm)
The package rvi-http-node-server was found to contain malicious code...