252644 matches found
CVE-2026-21714
CVE-2026-21714 is a memory leak in Node.js HTTP/2 that occurs when a client sends WINDOW_UPDATE frames on stream 0, preventing proper Http2Session cleanup and potentially exhausting resources. Affected: Node.js 20, 22, 24, and 25. Connected advisories report fixes in downstream distributions: e.g...
CVE-2026-21714
A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...
CVE-2026-21713
CVE-2026-21713 (Node.js HMAC timing side-channel) involves a non-constant-time comparison in HMAC verification, exposing potential timing information proportional to the number of matching bytes. The issue is present across 20.x, 22.x, 24.x, and 25.x releases. The advisories note that Node.js alr...
CVE-2026-21717
A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the...
ALPINE-CVE-2026-21712
A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...
CVE-2026-21712
A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...
CVE-2026-21712
A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...
PT-2026-31957
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.24 Description OpenClaw versions before 2026.3.24 contain an arbitrary code execution vulnerability during local plugin and hook installation. Attackers can exploit this by crafting a malicious .npmrc file wit...
Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2026-1484)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1484 advisory. A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js...
Amazon Linux 2023 : nodejs22, nodejs22-devel, nodejs22-full-i18n (ALAS2023-2026-1483)
It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1483 advisory. node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that...
Node.js 安全漏洞
Node.js is an open-source, cross-platform JavaScript runtime environment developed by the Node.js community. Versions 20.x, 22.x, 24.x, and 25.x of Node.js have security vulnerabilities. These vulnerabilities stem from HMAC verification using a comparison that does not maintain constant time, whi...
MAL-2026-2296 Malicious code in bos-decoration-elements (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8cb5985779c5099333bec5b084b209c36dea0dd9fa47ef2c2d7c3630c33daaa5 The package bos-decoration-elements was found to contain malicious code. Source: ossf-package-analysis...
@agentholdings/agent-passport (>=0.1.0 <=0.1.5), @chrysb/alphaclaw (=0.8.3-beta.1) +12 more potentially affected by CVE-2026-35629 via openclaw (>=0.0.1 <=2026.3.24)
openclaw NPM version =0.0.1, =0.1.0, =2026.3.25, =2026.3.24-3, =0.14.39, =0.1.1, =2.0.1, =0.0.7, =0.14.6, =0.1.0, =3.3.2, =3.3.7 Source cves: CVE-2026-35629 Source advisory: OSV:GHSA-RHFG-J8JQ-7V2H...
Malicious code in f0-state-manager (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 989b5f62777b6b7fbd236eb28a54b0e42ba48548dc0a49919c5f311c1f1c7072 The package f0-state-manager was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-2287 Malicious code in f0-state-manager (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 989b5f62777b6b7fbd236eb28a54b0e42ba48548dc0a49919c5f311c1f1c7072 The package f0-state-manager was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-2284 Malicious code in bizsignupnodeweb (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector ceaf1cee13e367f987a97f8de4c8fb4985ab1eedd49be1912467793dce9f0ef9 The package bizsignupnodeweb was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-2286 Malicious code in sn3akysnak3-test (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 21fa246103030890351ed5948825f415a78600c6aacb5187dbd840518f744d92 The package sn3akysnak3-test was found to contain malicious code. Source: ossf-package-analysis...
Malicious code in @adac-fahrzeugplattform/ui (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 779ce69d66db89d0bc1c8b82a373e6fed7e1b6a84d2cdf56bcab4b3076226f5f The package @adac-fahrzeugplattform/ui was found to contain malicious code. Source: ghsa-malware...
CVE-2026-32241
Flannel is a network fabric for containers, designed for Kubernetes. The Flannel project includes an experimental Extension backend that allows users to easily prototype new backend types. In versions of Flannel prior to 0.28.2, this Extension backend is vulnerable to a command injection that...
CVE-2026-33976
Notesnook is a note-taking app. Prior to version 3.3.11 on Web/Desktop and 3.3.17 on Android/iOS, a stored XSS in the Web Clipper rendering flow can be escalated to remote code execution in the desktop app. The root cause is that the clipper preserves attacker-controlled attributes from the sourc...