7863 matches found

Veracode (added 2026/03/11 7:26 a.m., 3 views)

Information Disclosure

Node.js is vulnerable to Information Disclosure. The vulnerability is due to improper buffer allocation handling when using the vm module with the timeout option, where interrupted allocations may return buffers containing uninitialized memory, potentially exposing leftover data such as tokens or...

CVSS 7.1 | AI score 6 | EPSS 0.00039 | Exploits 0 | References 2 | Affected Software 1

IBM Security Bulletins (added 2026/03/10 8:52 p.m., 21 views)

Security Bulletin: Vulnerabilities in MongoDB, Python, Node.js, Golang Go, Linux kernel affect IBM Spectrum Protect Plus

Summary: IBM Spectrum Protect Plus can be affected by vulnerabilities in MongoDB, Python, Node.js, Golang Go and Linux. Vulnerabilities include obtaining sensitive information, causing a denial of service condition, the elevation of privileges, query parameter smuggling, remote execution of...

CVSS 8.7 | AI score 7.8 | EPSS 0.05933 | Exploits 3 | Affected Software 1

OSV (added 2026/03/10 6:31 p.m., 1 view)

GHSA-8JRH-7JG8-FVMV Vaadin: Specially crafted ZIP archives can escape the intended extraction directory

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin's build process can automatically download and extract Node.js if it...

CVSS 2.3 | AI score 5.8 | EPSS 0.00081 | Exploits 0 | References 8

EUVD (added 2026/03/10 6:31 p.m., 1 view)

EUVD-2026-10496

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin's build process can automatically download and extract Node.js if it...

CVSS 2.3 | AI score 5.8 | EPSS 0.00081 | Exploits 0 | References 7

Vulnrichment (added 2026/03/10 12:08 p.m., 0 views)

CVE-2026-2741 Zip Slip Path Traversal on Node Unpack

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin's build process can automatically download and extract Node.js if it...

CVSS 2.3 | AI score 5.8 | EPSS 0.00081 | Exploits 0 | References 6

ATTACKERKB (added 2026/03/10 12:08 p.m., 2 views)

CVE-2026-2741

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin's build process can automatically download and extract Node.js if it...

CVSS 2.3 | AI score 5.8 | EPSS 0.00081 | Exploits 0 | References 7 | Affected Software 2

EUVD (added 2026/03/10 12:57 a.m., 2 views)

EUVD-2026-10436

Parse Server has Regular Expression Denial of Service (ReDoS) via $regex query in LiveQuery...

CVSS 8.2 | AI score 5.8 | EPSS 0.00021 | Exploits 0 | References 3

EUVD (added 2026/03/10 12:57 a.m., 2 views)

EUVD-2026-10437

Parse Server has Regular Expression Denial of Service (ReDoS) via $regex query in LiveQuery...

CVSS 8.2 | AI score 5.8 | EPSS 0.00021 | Exploits 0 | References 3

CNNVD (added 2026/03/10 12:00 a.m., 2 views)

Vaadin security vulnerability

Vaadin is an open-source platform for web application development developed by Vaadin contributors. The Vaadin platform includes a set of web components, a Java web framework, as well as a set of tools and application starters. Vulnerabilities exist in Vaadin versions 14.14.0 and earlier, 23.6.6...

CVSS 6.8 | AI score 5.9 | EPSS 0.00081 | Exploits 0 | References 6

Positive Technologies (added 2026/03/09 12:00 a.m., 1 view)

PT-2026-24151

Name of the Vulnerable Software and Affected Versions: Parse Server versions prior to 9.5.0-alpha.14; Parse Server versions prior to 8.6.11. Description: A crafted $regex pattern within a LiveQuery subscription can cause catastrophic backtracking, blocking the Node.js event loop and rendering the...

CVSS 8.2 | AI score 5.8 | EPSS 0.00021 | Exploits 0 | References 16

OSV (added 2026/03/07 2:30 a.m., 0 views)

GHSA-H343-GG57-2Q67 OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE

Summary: OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an...

CVSS 9.9 | AI score 6.2 | EPSS 0.00073 | Exploits 1 | References 3

CVE (added 2026/03/05 9:59 p.m., 8 views)

CVE-2026-28466

OpenClaw, versions prior to 2026.2.14, contains a gateway vulnerability where internal approval fields in node.invoke parameters are not sanitized. This allows authenticated gateway users to inject approval control fields and bypass exec approval gating for system.run commands, enabling arbitrary...

CVSS 9.9 | AI score 6.2 | EPSS 0.00051 | Exploits 1 | References 6 | Affected Software 1

Tenable Nessus (added 2026/03/05 12:00 a.m., 7 views)

Alibaba Cloud Linux 3 : 0045: nodejs:20 (ALINUX3-SA-2026:0045)

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2026:0045 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-55130: A flaw in Node.js's...

CVSS 9.1 | AI score 7.3 | EPSS 0.00109 | Exploits 2 | References 7

RedhatCVE (added 2026/03/02 10:52 a.m., 3 views)

CVE-2026-3304

A flaw was found in Multer, a Node.js middleware. A remote attacker could exploit this vulnerability by sending specially crafted malformed requests. This could lead to resource exhaustion, resulting in a Denial of Service (DoS) for the application using Multer...

CVSS 8.7 | AI score 5.9 | EPSS 0.00019 | Exploits 1 | References 6

RedhatCVE (added 2026/03/02 10:52 a.m., 3 views)

CVE-2026-2359

A flaw was found in Multer, a Node.js middleware for handling multipart/form-data. A remote attacker can exploit this vulnerability by intentionally dropping a connection during a file upload. This can lead to a Denial of Service (DoS) due to resource exhaustion on the affected system...

CVSS 8.7 | AI score 5.9 | EPSS 0.00019 | Exploits 0 | References 6

Cvelist (added 2026/02/27 3:42 p.m., 17 views)

CVE-2026-2359 Multer vulnerable to Denial of Service via resource exhaustion

Multer is a Node.js middleware for handling multipart/form-data. A vulnerability in Multer prior to version 2.1.0 allows an attacker to trigger a Denial of Service (DoS) by dropping the connection during file upload, potentially causing resource exhaustion. Users should upgrade to version 2.1.0 to...

CVSS 8.7 | EPSS 0.00019 | Exploits 0 | References 4

CNNVD (added 2026/02/27 12:00 a.m., 3 views)

Multer security vulnerability

Multer is an open-source middleware for Node.js developed by ExpressJS. Versions of Multer prior to 2.1.0 contained a security vulnerability. This vulnerability stemmed from connection interruptions during file uploads, which could lead to resource exhaustion and denial-of-service attacks...

CVSS 8.7 | AI score 5.8 | EPSS 0.00019 | Exploits 0 | References 4

CNNVD (added 2026/02/27 12:00 a.m., 4 views)

Multer security vulnerability

Multer is an open-source middleware for Node.js developed by ExpressJS. Versions of Multer prior to 2.1.0 contained a security vulnerability, which was caused by improper handling of specially crafted requests, potentially leading to denial-of-service attacks...

CVSS 8.7 | AI score 5.8 | EPSS 0.00019 | Exploits 1 | References 4

Packet Storm (added 2026/02/27 12:00 a.m., 193 views)

FUXA 1.2.8 Authentication Bypass / Remote Code Execution

This Metasploit module adds support for exploiting CVE-2025-69985 in FUXA SCADA/HMI software versions 1.2.8 and below. The vulnerability allows unauthenticated access to the /api/runscript endpoint due to an authentication bypass, leading to remote code execution via Node.js child_process.execSync...

CVSS 9.8 | AI score 6.6 | EPSS 0.01745 | Exploits 7

OSV (added 2026/02/26 10:10 p.m., 4 views)

GHSA-7R86-CG39-JMMJ minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

Summary: matchOne performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent GLOBSTAR segments and the input path does not match. The time complexity is O(C(n, k)), a binomial coefficient, where n is the number of path segments and k is the number of globstars. With k=11 and...

CVSS 7.5 | AI score 5.9 | EPSS 0.00036 | Exploits 1 | References 4
