
252638 matches found

RedHat Linux, added 2026/04/09 1:38 p.m., 7 views

undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter

A flaw was found in the undici WebSocket client. A remote malicious server can exploit this vulnerability by sending a WebSocket frame with an invalid server_max_window_bits parameter within the permessage-deflate extension. This improper validation causes the client's Node.js process to terminate,...

7.5 CVSS, 7.2 AI score, 0.00487 EPSS
Exploits: 0, References: 9
Chainguard, added 2026/04/09 1:18 p.m., 9 views

CVE-2026-39883 vulnerabilities

Vulnerabilities for packages: gcsfuse, docker, frankenphp-8.4, crossplane-provider-gcp-fips, kubernetes-csi-external-attacher, kcp-fips-0.29, crossplane-function-patch-and-transform-fips, kcp-0.29, docker-compose, distribution, gogatekeeper, thanos, crossplane-provider-family-aws-fips,...

8.8 CVSS, 7.1 AI score, 0.00196 EPSS
Exploits: 1
RedHat Linux, added 2026/04/09 1:04 p.m., 10 views

undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter

A flaw was found in the undici WebSocket client. A remote malicious server can exploit this vulnerability by sending a WebSocket frame with an invalid server_max_window_bits parameter within the permessage-deflate extension. This improper validation causes the client's Node.js process to terminate,...

7.5 CVSS, 7.1 AI score, 0.00487 EPSS
Exploits: 0, References: 9
OSV, added 2026/04/09 8:25 a.m., 2 views

MAL-2026-2523 Malicious code in @telekom-wfa/auth-core (npm)

Package is malware. Hardcoded Telegram credentials, data exfiltration, and preinstall script execution indicate malicious intent. --- -= Per source details. Do not edit below this line. =- Source: amazon-inspector 9a2fe12e5542ae8cf1cf339c13c3480629ccfd6e2fb391427c4f1b17bbdc9f85 The package...

5.9 AI score
Exploits: 0, References: 1
OSV, added 2026/04/09 3:10 a.m., 2 views

MAL-2026-2518 Malicious code in viewer-assets-generator (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector 0022cddbfa3afc707bea5e0e70c8bff5b3249847bd891c628a1fd2d0dc9fa259 The package viewer-assets-generator was found to contain malicious code. Source: ghsa-malware...

5.8 AI score
Exploits: 0, References: 1
Positive Technologies, added 2026/04/09 12:00 a.m., 8 views

PT-2026-31679

A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated...

7.5 CVSS, 6.7 AI score, 0.00387 EPSS
Exploits: 1, References: 7
OSSF Malicious Packages, added 2026/04/08 8:22 p.m., 6 views

Malicious code in kraken-trader (PyPI)

--- -= Per source details. Do not edit below this line. =- Source: kam193 4bf5ec6e8a6020de1e122cf07f2dde0f02fa1a484ff984586db379729da75523 The package is a loader of malicious code disguised as remote "credits" code. The remote location, built from the parts in the code, delivers highly obfuscated...

6 AI score
Exploits: 0, References: 2
OSV, added 2026/04/08 7:03 p.m., 7 views

MAL-2026-2870 Malicious code in black-moon-js (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector 7c672e4ab8770773551a9ff9b6b95a5740894bd1c689154056f69e5da4fdb879 The package black-moon-js was found to contain malicious code. Source: ossf-package-analysis...

5.7 AI score
Exploits: 0
NVD, added 2026/04/08 3:16 p.m., 10 views

CVE-2026-39406

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware, e.g. /admin/, is used for authorization, the...

5.3 CVSS, 0.00376 EPSS
Exploits: 0, References: 1
Snyk, added 2026/04/08 3:03 p.m., 6 views

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection in the handling of table captions during the rendering process. An attacker can execute arbitrary code with the privileges of the desktop client by syncing a crafted note containing malicious HTML or JavaScript ...

9 CVSS, 6 AI score, 0.00538 EPSS
Exploits: 1, References: 3
EUVD, added 2026/04/08 3:03 p.m., 3 views

EUVD-2026-19973

SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions...

9 CVSS, 6 AI score, 0.00538 EPSS
Exploits: 1, References: 2
Cvelist, added 2026/04/08 2:34 p.m., 19 views

CVE-2026-39406 @hono/node-server has a middleware bypass via repeated slashes in serveStatic

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware, e.g. /admin/, is used for authorization, the...

5.3 CVSS, 0.00376 EPSS
Exploits: 0, References: 1
Vulnrichment, added 2026/04/08 2:34 p.m., 3 views

CVE-2026-39406 @hono/node-server has a middleware bypass via repeated slashes in serveStatic

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware, e.g. /admin/, is used for authorization, the...

5.3 CVSS, 5.9 AI score, 0.00376 EPSS
Exploits: 0, References: 1
ATTACKERKB, added 2026/04/08 2:34 p.m., 5 views

CVE-2026-39406

@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware, e.g. /admin/, is used for authorization, the...

5.3 CVSS, 5.9 AI score, 0.00376 EPSS
Exploits: 0, References: 2, Affected Software: 1
RedHat Linux, added 2026/04/08 1:58 p.m., 6 views

Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header

A flaw was found in Node.js. A remote attacker can exploit this vulnerability by sending a specially crafted HTTP request that includes a header named `__proto__`. When a Node.js application processes this request and attempts to access distinct headers, it encounters an unhandled error, leading to an...

7.5 CVSS, 5.9 AI score, 0.13066 EPSS
Exploits: 0, References: 5
OSSF Malicious Packages, added 2026/04/08 11:45 a.m., 8 views

Malicious code in gprofiler (npm)

--- -= Per source details. Do not edit below this line. =- Source: amazon-inspector 4de7c58d59c5e16064d8ecf21d0f57675869c93be663ac27da95d040be7d0aff The package gprofiler was found to contain malicious code. Source: ghsa-malware 42c93390009c40d727cdfd4fedc3b160ff5e7e8730ec94ff196022996855d39c Any...

5.9 AI score
Exploits: 0, References: 1
The Hacker News, added 2026/04/08 7:47 a.m., 6 views

N. Korean Hackers Spread 1,700 Malicious Packages Across npm, PyPI, Go, Rust

The North Korea-linked persistent campaign known as Contagious Interview has spread its tentacles by publishing malicious packages targeting the Go, Rust, and PHP ecosystems. "The threat actor's packages were designed to impersonate legitimate developer tooling ..., while quietly functioning as...

6.2 AI score
Exploits: 0
Snyk, added 2026/04/08 12:16 a.m., 3 views

Directory Traversal

Overview: @hono/node-server is a Node.js adapter for Hono. Affected versions of this package are vulnerable to Directory Traversal due to inconsistent handling of repeated slashes in the serveStatic process. An attacker can access sensitive static files that are intended to be protected by bypassin...

6.9 CVSS, 6.3 AI score, 0.00376 EPSS
Exploits: 0, References: 2
EUVD, added 2026/04/08 12:16 a.m., 4 views

EUVD-2026-20491

@hono/node-server: Middleware bypass via repeated slashes in serveStatic...

5.3 CVSS, 5.9 AI score, 0.00376 EPSS
Exploits: 0, References: 3
vulnersOsv, added 2026/04/08 12:16 a.m., 4 views

@activepieces/piece-ai (>=0.3.1 <=0.3.4), @aikotools/repo-maintenance (>=1.0.2 <=1.7.0) +253 more potentially affected by CVE-2026-39406 via @hono/node-server (>=1.0.2 <=1.19.12)

@hono/node-server NPM version =1.0.2, =0.3.1, =1.0.2, =1.0.25-beta.0, =0.0.1, =0.36.0, =0.0.1, =0.0.1-experimental.1, =0.0.3, =1.0.1, =1.3.2, =0.2.305, =0.21.2-4.1, =0.0.0-beta-20241019152753, =0.13.0 and more. Source cves: CVE-2026-39406. Source advisory: SNYK:JS-HONONODESERVER-15928840...

5.3 CVSS, 5.4 AI score, 0.00376 EPSS
Exploits: 0