252571 matches found

Github Security Blog
Added 2026/05/07 12:09 a.m. | 12 views

OpenSearch has ineffective TLS certificate hostname verification

Description: A regression was introduced in OpenSearch 2.18.0 that caused the plugins.security.ssl.transport.enforce_hostname_verification setting to be ineffective. When this setting was enabled, OpenSearch did not verify that the hostname in a connecting node's TLS certificate matched the hostname...

AI score: 5.8
Exploits: 0 | References: 2 | Affected software: 1
CNNVD
Added 2026/05/07 12:00 a.m. | 9 views

XMLDOM security vulnerability

XMLDOM is a JavaScript implementation of the W3C DOM for Node developed by jindw. Versions of XMLDOM prior to 0.9.10 and 0.8.13, and xmldom 0.6.0 and earlier, contain a security vulnerability. It stems from a lack of validation or neutralization when serializing comment...

CVSS: 8.7 | AI score: 5.9 | EPSS: 0.0034
Exploits: 0 | References: 1
Cvelist
Added 2026/05/07 12:00 a.m. | 30 views

CVE-2025-63706

NPM package next-npm-version 1.0.1 is vulnerable to Command injection...

EPSS: 0.01523
Exploits: 0 | References: 3
CNNVD
Added 2026/05/07 12:00 a.m. | 8 views

Node Typescript OCR security vulnerability

Node Typescript OCR is a command-line PDF and image OCR processing tool developed by Nicolas Pearson. Version 1.0.15 of Node Typescript OCR contains a security vulnerability, which stems from the invokeImageOcr function in src/index.js, where OS command injection occurs...

CVSS: 8.8 | AI score: 5.8 | EPSS: 0.01185
Exploits: 0 | References: 2
ATTACKERKB
Added 2026/05/07 12:00 a.m. | 5 views

CVE-2025-63704

NPM package query-parser-string 1.0.0 is vulnerable to Prototype Pollution. The package does not properly sanitize user supplied query parameters and merges them to the newly created object...

AI score: 5.8 | EPSS: 0.00476
Exploits: 0 | References: 4
ATTACKERKB
Added 2026/05/07 12:00 a.m. | 6 views

CVE-2025-63705

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js...

AI score: 5.8 | EPSS: 0.01185
Exploits: 0 | References: 3
CNNVD
Added 2026/05/07 12:00 a.m. | 7 views

XMLDOM security vulnerability

XMLDOM is a JavaScript implementation of the W3C DOM for Node developed by jindw. Versions of XMLDOM prior to 0.9.10 and 0.8.13, and xmldom 0.6.0 and earlier, contain a security vulnerability. It stems from improper validation or neutralization of the PI end sequence when...

CVSS: 8.7 | AI score: 5.9 | EPSS: 0.00414
Exploits: 0 | References: 1
CNNVD
Added 2026/05/07 12:00 a.m. | 7 views

next-npm-version 1.0.1 security vulnerability

next-npm-version is a tool for retrieving npm package versions, developed by the individual developer Aric. Version 1.0.1 of next-npm-version contains a security vulnerability, which stems from command injection...

CVSS: 9.8 | AI score: 5.8 | EPSS: 0.01523
Exploits: 0 | References: 2
Positive Technologies
Added 2026/05/07 12:00 a.m. | 10 views

PT-2026-41509

Name of the Vulnerable Software and Affected Versions: OpenSearch versions 2.18.0 through 2.19.3; OpenSearch versions 3.0.0 through 3.2.x
Description: A regression caused the plugins.security.ssl.transport.enforce_hostname_verification setting to be ineffective. When enabled, the system failed to...

CVSS: 2.2 | AI score: 5.8
Exploits: 0 | References: 5
Cvelist
Added 2026/05/07 12:00 a.m. | 31 views

CVE-2025-63705

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js...

EPSS: 0.01185
Exploits: 0 | References: 2
Vulnrichment
Added 2026/05/07 12:00 a.m. | 8 views

CVE-2025-63705

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js...

AI score: 5.8 | EPSS: 0.01185
Exploits: 0 | References: 2
Positive Technologies
Added 2026/05/07 12:00 a.m. | 11 views

PT-2026-38438

NPM package node-ts-ocr 1.0.15 is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js...

AI score: 5.8 | EPSS: 0.01185
Exploits: 0 | References: 2
OSV
Added 2026/05/07 12:00 a.m. | 7 views

MAL-2026-3643 Malicious code in camelotlabs-utils (npm)

Five packages camelotlabs-sdk, camelotlabs-core, camelotlabs-config, camelotlabs-worker, and camelotlabs-utils were published to the public npm registry at version 99.0.0 by the actor madman0619 as a dependency confusion attack targeting the internal npm packages of Camelot Labs. The inflated...

AI score: 5.9
Exploits: 0
CVE
Added 2026/05/07 12:00 a.m. | 13 views

CVE-2025-63705

The CVE-2025-63705 entry concerns the NPM package node-ts-ocr version 1.0.15, with a reported OS Command Injection via the invokeImageOcr function in src/index.js. The vulnerability is described as enabling arbitrary command execution with a network attack vector, as indicated by the CVSS 3.1 met...

CVSS: 8.8 | AI score: 5.8 | EPSS: 0.01185
Exploits: 0 | References: 2
Positive Technologies
Added 2026/05/07 12:00 a.m. | 12 views

PT-2026-38453

Name of the Vulnerable Software and Affected Versions: query-parser-string version 1.0.0
Description: The software is subject to Prototype Pollution, a condition where an attacker can manipulate the prototype of an object to alter the behavior of the application. This occurs because the package fai...

CVSS: 9.8 | AI score: 5.8 | EPSS: 0.00476
Exploits: 0 | References: 5
Exploit DB
Added 2026/05/07 12:00 a.m. | 63 views

NocoBase 2.0.27 - VM Sandbox Escape

Exploit Title: NocoBase 2.0.27 - VM Sandbox Escape
Date: 2026-03-26
Exploit Author: Onurcan Genç
Vendor Homepage: https://www.nocobase.com/
Software Link: https://github.com/nocobase/nocobase
Version: -u -P --cmd "id"...

CVSS: 9.9 | AI score: 6 | EPSS: 0.36503
Exploits: 7
Patchstack
Added 2026/05/06 11:50 p.m. | 9 views

NPM: Hono: bodyLimit() can be bypassed for chunked / unknown-length requests

NPM: Hono: bodyLimit() can be bypassed for chunked / unknown-length requests, a vulnerability discovered by ? in the npm package hono, versions 4.12.16...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00219
Exploits: 0 | References: 3 | Affected software: 1
RedhatCVE
Added 2026/05/06 11:50 p.m. | 8 views

CVE-2026-43264

A flaw was found in the Linux kernel's fbdev framebuffer device subsystem. This vulnerability, a reference count (refcount) leak, occurs within the of_get_display_timings function. Specifically, when of_parse_phandle returns a device_node with an incremented refcount, certain error paths fail to decremen...

CVSS: 5.5 | AI score: 5.8 | EPSS: 0.00114
Exploits: 0 | References: 4
vulnersOsv
Added 2026/05/06 11:01 p.m. | 4 views

@100x/application (>=0.0.1 <=0.0.6), @aero-js/cli (=0.4.0) +36 more potentially affected by CVE-2026-44373 via nitro (>=0.0.0 <=3.0.260415-beta)

nitro NPM versions =0.0.0, =0.0.1, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.3.3, =0.1.0, =0.1.0, =0.4.2, =2.4.0-alpha.2, =2.4.0-alpha.2, =3.0.0-alpha.55 and more. Source CVEs: CVE-2026-44373. Source advisory: OSV:GHSA-5W89-W975-HF9Q...

CVSS: 5.3 | AI score: 5.4 | EPSS: 0.00392
Exploits: 0
OSV
Added 2026/05/06 10:30 p.m. | 6 views

MAL-2026-3361 Malicious code in 24712-pl5004 (npm)

--- -= Per source details. Do not edit below this line. =-
Source: amazon-inspector 3d79bb37b62b8d47ca459db0858a93ffb3c35e3791423c11a0853fb4ab17388e
The package 24712-pl5004 was found to contain malicious code.
Source: ossf-package-analysis...

AI score: 5.8
Exploits: 0