20 matches found

RedhatCVE
added 2026/01/09 8:44 a.m. | 7 views

CVE-2022-23654

Wiki.js is a wiki app built on Node.js. In affected versions an authenticated user with write access on a restricted set of paths can update a page outside the allowed paths by specifying a different target page ID while keeping the path intact. The access control incorrectly checks the path acces...

CVSS 8.1 | AI score 6.6 | EPSS 0.00712
Exploits 0 | References 1
EUVD
added 2025/10/03 8:07 p.m. | 6 views

EUVD-2025-4098

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 6.5 | EPSS 0.00715
Exploits 0 | References 4
EUVD
added 2025/10/03 8:07 p.m. | 3 views

EUVD-2024-3480

Malicious code in bioql PyPI...

CVSS 6.9 | AI score 6.4 | EPSS 0.00721
Exploits 0 | References 4
EUVD
added 2025/10/03 8:07 p.m. | 19 views

EUVD-2024-35000

Malicious code in bioql PyPI...

CVSS 7.1 | AI score 6.5 | EPSS 0.00395
Exploits 0 | References 2
RedhatCVE
added 2025/05/22 10:12 p.m. | 6 views

CVE-2022-29256

sharp is an application for Node.js image processing. Prior to version 0.30.5, there is a possible vulnerability in logic that is run only at npm install time when installing versions of sharp prior to the latest v0.30.5. If an attacker has the ability to set the value of the PKG_CONFIG_PATH...

CVSS 6.7 | AI score 6.7 | EPSS 0.0037
Exploits 0 | References 1
Fedora
added 2025/03/28 3:06 p.m. | 11 views

[SECURITY] Fedora 41 Update: nodejs-nodemon-3.1.9-3.fc41

Simple monitor script for use during development of a node.js app. For use during development of a node.js based application. nodemon will watch the files in the directory in which nodemon was started, and if any files change, nodemon will automatically restart your node application. nodemon does...

CVSS 7.5 | AI score 7.9 | EPSS 0.01471
Exploits 1
Fedora
added 2025/03/28 2:49 p.m. | 18 views

[SECURITY] Fedora 40 Update: nodejs-nodemon-3.1.9-3.fc40

Simple monitor script for use during development of a node.js app. For use during development of a node.js based application. nodemon will watch the files in the directory in which nodemon was started, and if any files change, nodemon will automatically restart your node application. nodemon does...

CVSS 7.5 | AI score 7.9 | EPSS 0.01471
Exploits 1
RedhatCVE
added 2025/02/14 6:23 p.m. | 7 views

CVE-2025-25283

parse-duration is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to 50ms per one operation, with a varying size from...

CVSS 7.5 | AI score 6.5 | EPSS 0.00715
Exploits 0 | References 1
OSV
added 2025/02/12 7:45 p.m. | 7 views

GHSA-HCRG-FC28-FCG5 parse-duration has a Regex Denial of Service that results in event loop delay and out of memory

Summary: This report finds 2 availability issues due to the regex used in the parse-duration npm package: 1. An event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to 50ms per one operation, with a varying size from 0.01 MB and up to 4.3 MB...

CVSS 7.5 | AI score 7.4 | EPSS 0.00715
Exploits 0 | References 5
NVD
added 2025/02/12 7:15 p.m. | 31 views

CVE-2025-25283

parse-duration is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to 50ms per one operation, with a varying size from...

CVSS 7.5 | EPSS 0.00715
Exploits 0 | References 3
CVE
added 2025/02/12 6:21 p.m. | 93 views

CVE-2025-25283

CVE-2025-25283 concerns parse-duration (node package). Versions prior to 2.1.3 are vulnerable to event-loop delay due to CPU-bound duration resolution and may cause an out-of-memory crash with large Unicode-containing inputs. A patch is available in 2.1.3; remediation is to upgrade to that versio...

CVSS 7.5 | AI score 7.4 | EPSS 0.00715
Exploits 0 | References 3
RedhatCVE
added 2025/02/04 10:25 p.m. | 8 views

CVE-2024-53843

@dapperduckling/keycloak-connector-server is an opinionated series of libraries for Node.js applications and frontend clients to interface with keycloak. A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the authentication flow of the application. This issue arises due to...

CVSS 8.1 | AI score 7.1 | EPSS 0.00501
Exploits 0 | References 1
OSV
added 2024/12/16 2:06 p.m. | 12 views

BIT-NODE-MIN-2020-8277

A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions 15.2.1, 14.15.1, and 12.19.1 by getting the application to resolve a DNS record with a larger number of responses. This is fixed in 15.2.1, 14.15.1, and...

CVSS 7.5 | AI score 7.4 | EPSS 0.54164
Exploits 0 | References 14
Rockylinux
added 2024/11/19 4:02 p.m. | 4 views

20 bug fix and enhancement update

An update is available for module.nodejs-nodemon, nodejs-packaging, module.nodejs-packaging, nodejs-nodemon. This update affects Rocky Linux 9. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list...

AI score 6.9
Exploits 0
OSV
added 2022/04/02 12:00 a.m. | 36 views

GHSA-28XR-MWXG-3QC8 Command injection in simple-git

simple-git, maintained as the git-js repository on GitHub, is a lightweight interface for running git commands in any node.js application. The package simple-git before 3.5.0 is vulnerable to Command Injection due to an incomplete fix of CVE-2022-24433 which only patches against the git fetch...

CVSS 8.1 | AI score 9.2 | EPSS 0.04067
Exploits 1 | References 7
Vulnrichment
added 2022/02/22 8:05 p.m. | 4 views

CVE-2022-23654 Improper write access check in Requarks/wiki

Wiki.js is a wiki app built on Node.js. In affected versions an authenticated user with write access on a restricted set of paths can update a page outside the allowed paths by specifying a different target page ID while keeping the path intact. The access control incorrectly checks the path acces...

CVSS 8.1 | AI score 8 | EPSS 0.00712
Exploits 0 | References 2
Tenable Nessus
added 2021/04/15 12:00 a.m. | 36 views

EulerOS Virtualization 2.9.1 : c-ares (EulerOS-SA-2021-1710)

According to the version of the c-ares package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability: - A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service i...

CVSS 7.5 | AI score 7.6 | EPSS 0.54164
Exploits 0 | References 2
Tenable Nessus
added 2021/02/25 12:00 a.m. | 38 views

Fedora 33 : mingw-c-ares (2021-ee913722db)

The remote Fedora 33 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2021-ee913722db advisory. - A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service in versions...

CVSS 7.5 | AI score 7.6 | EPSS 0.54164
Exploits 0 | References 2
CNVD
added 2021/02/22 12:00 a.m. | 5 views

Mailtrain SQL Injection Vulnerability

Mailtrain is an open source hosted newsletter application built on Node.js and MySQL/MariaDB. A SQL injection vulnerability exists in Mailtrain 1.24.1 and earlier in lib/models/campaigns.js in statsClickedSubscribersByColumn. The vulnerability stems from not properly escaping variable column name...

CVSS 8.8 | AI score 7.7 | EPSS 0.01496
Exploits 1 | References 1
n0where
added 2017/04/26 4:42 p.m. | 43 views

Node.js Security Scanner: Web Exploit Detector

The Web Exploit Detector is a Node.js application and NPM module used to detect possible infections, malicious code and suspicious files in web hosting environments. This application is intended to be run on web servers hosting one or more websites...

AI score 6.7
Exploits 0 | References 1