252571 matches found

Github Security Blog
added 2026/05/07 6:30 p.m., 12 views

query-parser-string is vulnerable to Prototype Pollution

NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user-supplied query parameters and merges them into the newly created object...

CVSS 9.8, AI score 5.8, EPSS 0.00476
Exploits 0, References 5, Affected Software 1
Snyk
added 2026/05/07 6:30 p.m., 9 views

Prototype Pollution

Overview: parse-ini is a package to parse an ini file and get its content and variables as a Node object. Affected versions of this package are vulnerable to Prototype Pollution via the index.js file. An attacker can manipulate object properties and potentially execute arbitrary code or alter...

CVSS 9.8, AI score 6.5, EPSS 0.00416
Exploits 0, References 2
OSV
added 2026/05/07 5:32 p.m., 3 views

GHSA-54PG-9963-V8VG Compromised version of intercom-client published to npm

Impact: On April 30, 2026, version 7.0.4 of intercom-client was published to npm using credentials obtained from a compromised developer account. This version was not produced by Intercom's build pipeline. The malicious version contained an obfuscated JavaScript payload that executed during packag...

CVSS 9.3, AI score 5.8
Exploits 0, References 6
NVD
added 2026/05/07 4:16 p.m., 13 views

CVE-2025-65122

Regex Denial of Service in youtube-regex npm package through version 1.0.5...

CVSS 7.5, EPSS 0.00278
Exploits 0, References 2
OSSF Malicious Packages
added 2026/05/07 4:08 p.m., 12 views

Malicious code in owa-analytics-utils (npm)

Per source details. Source: amazon-inspector (644a42250298e29b58f2cfe75c1d362637e2c31f1a1ef9b9cfbe5d9ff0475fb8): The package owa-analytics-utils was found to contain malicious code. Source: ossf-package-analysis...

AI score 5.8
Exploits 0
Patchstack
added 2026/05/07 3:38 p.m., 10 views

NPM: node-ts-ocr is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js

NPM: node-ts-ocr is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js vulnerability discovered by ? in WordPress Npm node-ts-ocr versions 1.0.15...

CVSS 8.8, AI score 5.8, EPSS 0.01185
Exploits 0, References 4, Affected Software 1
EUVD
added 2026/05/07 3:38 p.m., 8 views

EUVD-2025-209722

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js...

AI score 5.8, EPSS 0.01185
Exploits 0, References 3
vulnersOsv
added 2026/05/07 3:38 p.m., 5 views

stats-fr-emarque-basketball-extractor (>=1.0.0 <=1.0.2) potentially affected by CVE-2025-63705 via node-ts-ocr (=1.0.15)

node-ts-ocr NPM version =1.0.15 is affected by a known vulnerability. The following packages have a transitive dependency on node-ts-ocr and may be impacted: stats-fr-emarque-basketball-extractor (>=1.0.0, <=1.0.2). Source CVEs: CVE-2025-63705. Source advisory: OSV:GHSA-8JH2-3MW6-6PFM...

CVSS 8.8, AI score 5.8, EPSS 0.01185
Exploits 0
OSV
added 2026/05/07 3:38 p.m., 6 views

GHSA-8JH2-3MW6-6PFM node-ts-ocr is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js...

CVSS 8.8, AI score 5.8, EPSS 0.01185
Exploits 0, References 4
Github Security Blog
added 2026/05/07 3:38 p.m., 15 views

node-ts-ocr is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js...

CVSS 8.8, AI score 5.8, EPSS 0.01185
Exploits 0, References 4, Affected Software 1
vulnersOsv
added 2026/05/07 3:27 p.m., 6 views

stats-fr-emarque-basketball-extractor (>=1.0.0 <=1.0.2) potentially affected by CVE-2025-63705 via node-ts-ocr (=1.0.15)

node-ts-ocr NPM version =1.0.15 is affected by a known vulnerability. The following packages have a transitive dependency on node-ts-ocr and may be impacted: stats-fr-emarque-basketball-extractor (>=1.0.0, <=1.0.2). Source CVEs: CVE-2025-63705. Source advisory: SNYK:JS-NODETSOCR-16787371...

CVSS 8.8, AI score 5.4, EPSS 0.01185
Exploits 0
Snyk
added 2026/05/07 3:27 p.m., 10 views

Command Injection

Overview: node-ts-ocr is a simple wrapper around command-line utils to assist in PDF / Image OCR (Optical Character Recognition) processing using Tesseract. Affected versions of this package are vulnerable to Command Injection via the invokeImageOcr function. An attacker can execute arbitrary...

CVSS 9.8, AI score 6, EPSS 0.01185
Exploits 0, References 2
NVD
added 2026/05/07 3:16 p.m., 10 views

CVE-2025-63705

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js...

CVSS 8.8, EPSS 0.01185
Exploits 0, References 2
Microsoft CVE
added 2026/05/07 8:09 a.m., 10 views

hfs: Replace BUG_ON with error handling for CNID count checks

...

CVSS 7.1, AI score 5.8, EPSS 0.00112
Exploits 0
Snyk
added 2026/05/07 5:13 a.m., 8 views

Improper Isolation or Compartmentalization

Overview: vm2 is a sandbox that can run untrusted code with whitelisted Node built-in modules. Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through the NodeVM constructor in lib/nodevm.js. An attacker can run host commands when the VM is set up...

CVSS 9.2, AI score 6.3, EPSS 0.00831
Exploits 1, References 2
Patchstack
added 2026/05/07 5:13 a.m., 9 views

NPM: vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution

NPM: vm2 NodeVM nesting: true bypasses require: false allowing sandbox escape and arbitrary OS command execution vulnerability discovered by ? in WordPress Npm vm2 versions = 3.11.0...

CVSS 9.1, AI score 6.2, EPSS 0.00831
Exploits 1, References 5, Affected Software 1
Github Security Blog
added 2026/05/07 5:13 a.m., 18 views

vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution

Summary: When a NodeVM is created with nesting: true, sandbox code can unconditionally require 'vm2' regardless of the outer VM's require configuration — including require: false. With access to vm2, the sandbox constructs a new inner NodeVM with its own unrestricted require settings and executes...

CVSS 9.1, AI score 6.5, EPSS 0.00831
Exploits 1, References 5, Affected Software 1
vulnersOsv
added 2026/05/07 4:33 a.m., 5 views

@aiconnect/codelets-runner (>=0.1.0 <=0.2.0), @cairncms/api (>=1.0.0-beta.1 <=1.0.0-beta.4) +16 more potentially affected by CVE-2026-43998 via vm2 (>=3.0.0 <=3.10.5)

vm2 NPM version =3.0.0, =0.1.0, =1.0.0-beta.1, =3.0.46, =1.0.0-beta.1, =0.1.64, =0.1.61, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.66.16, =1.72.1 and more Source cves: CVE-2026-43998 Source advisory: SNYK:JS-VM2-16439013...

CVSS 8.5, AI score 5.4, EPSS 0.00626
Exploits 1
Patchstack
added 2026/05/07 4:33 a.m., 7 views

NPM: vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape

NPM: vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape vulnerability discovered by ? in WordPress Npm vm2 versions 3.10.5...

CVSS 8.5, AI score 5.8, EPSS 0.00626
Exploits 1, References 4, Affected Software 1
OSV
added 2026/05/07 4:33 a.m., 8 views

GHSA-CP6G-6699-WX9C vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape

Summary: NodeVM's require.root path restriction can be bypassed using filesystem symlinks, allowing sandboxed code to load modules from outside the allowed root directory in host context. Because path validation uses path.resolve, which does not dereference symlinks, but module loading uses Node's...

CVSS 8.5, AI score 6.4, EPSS 0.00626
Exploits 1, References 4