252646 matches found
Axios NPM Distribution Compromised in Supply Chain Attack
A compromised axios maintainer account led to malicious npm releases that propagated across environments. Learn how to assess impact, detect compromise, and secure your development workflows...
Axios Supply Chain Attack Pushes Cross-Platform RAT via Compromised npm Account
The popular HTTP client known as Axios has suffered a supply chain attack after two newly published versions of the npm package introduced a malicious dependency that delivers a trojan capable of targeting Windows, macOS, and Linux systems. Versions 1.14.1 and 0.30.4 of Axios have been found to...
Malicious code in plain-crypto-js (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f18d90df82216aedaaeca02607816457cfe0df4bc89bf292a4d7f3549e912d8c The package plain-crypto-js was found to contain malicious code. Source: ghsa-malware 4dfdc3dd18fb6fe824f34c663d26a2f7225e65a4b858a6f3ed6620a7a725c86...
PT-2026-29257
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.28 Description OpenClaw contains an insufficient scope validation issue in the node pairing approval path. This allows low-privilege operators to approve nodes with broader scopes than they are authorized to,...
PT-2026-29377
Name of the Vulnerable Software and Affected Versions SiYuan versions prior to 3.6.2 Description A security flaw exists in SiYuan that allows a malicious website to achieve Remote Code Execution RCE on a desktop system running the application. This is possible due to a permissive CORS policy...
OpenClaw 安全漏洞
OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. OpenClaw has a security vulnerability that can be exploited by an attacker to cause a low-privileged operator to approve nodes with a wider scope...
zebra 数据伪造问题漏洞
Zebra is an open-source implementation of Zcash full node written in Rust by the Zcash Foundation. Zebra has a vulnerability related to data forgery, which stems from logical errors in the transaction verification cache. This vulnerability could allow malicious miners to manipulate consensus...
SUSE CVE-2026-32241
Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command injection that...
EUVD-2026-17176
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...
CVE-2026-21717
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the...
ALPINE-CVE-2026-21717
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the...
CVE-2026-21713
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...
CVE-2026-21714
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...
CVE-2026-21710
Summary: CVE-2026-21710 is a denial-of-service-type issue in Node.js HTTP request handling triggered by a header named __proto__ accessed via req.headersDistinct, which can cause an uncaught TypeError and crash the process when dest["proto "] resolves to Object.prototype and .push() is called on ...
CVE-2026-21713
A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...
CVE-2026-21715
A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under --permission with restricted --allow-fs-read can still use...
CVE-2026-21711
A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket UDS server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...
CVE-2026-21714
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...
CVE-2026-21714
CVE-2026-21714 is a memory leak in Node.js HTTP/2 that occurs when a client sends WINDOW_UPDATE frames on stream 0, preventing proper Http2Session cleanup and potentially exhausting resources. Affected: Node.js 20, 22, 24, and 25. Connected advisories report fixes in downstream distributions: e.g...
CVE-2026-21714
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...