CVE-2026-43995

Flowise is affected by an SSRF-related vulnerability in which multiple tools (OpenAPIToolkit.ts, WebScraperTool.ts, MCP/core.ts, Arxiv/core.ts) directly import raw HTTP clients (node-fetch, axios) instead of the centralized httpSecurity.ts wrapper. This bypass allows outbound requests to evade th...

MAL-2026-3508 Malicious code in crypto-javascri (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e3f73f5a262aba7ba05c713d409646e419e998232fd536fd99c51750fa070699 The package crypto-javascri was found to contain malicious code. Source: google-open-source-security...

MAL-2026-3507 Malicious code in @mimecast-ui/components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e59a7d55636b02d0a28954889c22f021de5b4f33c525ce7712706df60cd9af3 The package @mimecast-ui/components was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in @mimecast-ui/components (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7e59a7d55636b02d0a28954889c22f021de5b4f33c525ce7712706df60cd9af3 The package @mimecast-ui/components was found to contain malicious code. Source: ossf-package-analysis...

Malicious code in @mimecast-ui/charts (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector e603deff481f2fdd492adde6f7d1f060fa7aa7d15f63abc4cc43fa7782409705 The package @mimecast-ui/charts was found to contain malicious code. Source: ossf-package-analysis...

@algotech-ce/business (>=1.0.1445 <=6.0.28), @algotech-ce/interpretor (>=2.0.0 <=6.0.19) +7 more potentially affected by CVE-2026-44643 via angular-expressions (>=1.0.0 <=1.5.1)

angular-expressions NPM version =1.0.0, =1.0.1445, =2.0.0, =2.7.9, =2.11.5, =1.1.1, =0.1.0, =0.2.2-alpha, =0.5.0, =1.4.0, =3.0.0-alpha.1 Source cves: CVE-2026-44643 Source advisory: SNYK:JS-ANGULAREXPRESSIONS-16642302...

MAL-2026-3427 Malicious code in @cplace-workflow-fe/cf-workflow (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector aa219c5fdaf0ec8e6e0467fb1f23bfde9a07c18276187464062943e612848781 The package @cplace-workflow-fe/cf-workflow was found to contain malicious code. Source: ghsa-malware...

NPM: Facebook React has a Denial of Service Vulnerability in React Server Components

NPM: Facebook React has a Denial of Service Vulnerability in React Server Components discovered by ? in WordPress Npm react-server-dom-turbopack versions = 19.0.0, 19.0.6...

Prometheus exporter process crash via malformed HTTP request

Summary A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process. You...

GHSA-Q7RR-3CGH-J5R3 Prometheus exporter process crash via malformed HTTP request

Summary A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process. You...

0perator (>=0.1.0 <=0.3.0), 0pflow (>=0.1.0 <=0.1.0-dev.f5622ac) +1703 more potentially affected by CVE-2026-44902 via @opentelemetry/sdk-node (>=0.10.2 <=0.216.0)

@opentelemetry/sdk-node NPM version =0.10.2, =0.1.0, =0.1.0, =0.1.1, =0.0.1, =0.8.0, =0.1.1, =0.1.1, =0.1.1, =0.1.8, =0.1.5, =0.0.0-dev-nicolas-fix-publishing-aurora-mcp-1750279939, =0.0.65, =0.3.4, =0.1.0, =0.4.0, =5.0.1-staging.f17326334 and more Source cves: CVE-2026-44902 Source advisory:...

SUSE CVE-2026-7263

In PHP versions 8.4. before 8.4.21 and 8.5. before 8.5.6, DOMNode::C14N method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processing of the XML document to enter infinite loop, causing denial ...

Malicious code in byvendors (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3d3ae01e4f5473c61cf7c26fdf51f64fa34c7f16451ce6c093a52fd85b79eff5 The package byvendors was found to contain malicious code. Source: ossf-package-analysis...

Unity Linux 20.1070e Security Update: batik (UTSA-2026-017770)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017770 advisory. Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an...

Unity Linux 20.1060e / 20.1070e Security Update: nodejs (UTSA-2026-017558)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-017558 advisory. Node.js before 16.4.1, 14.17.2, 12.22.2 is vulnerable to an out-of-bounds read when uvidnatoascii is used to convert strings to ASCII. The pointer p is read and...

PT-2026-39676

Summary A single malformed HTTP request crashes any Node.js process running the OpenTelemetry JS Prometheus exporter. The metrics endpoint default 0.0.0.0:9464 has no error handling around URL parsing, so a request with an invalid URI causes an uncaught TypeError that terminates the process. You...

DEBIAN-CVE-2026-8177

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory...

CVE-2026-8177 XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory...

CVE-2026-8177

XML::LibXML for Perl versions up to 2.0210 parses XML node names containing truncated UTF-8 byte sequences, causing out-of-bounds reads in heap memory when a node name ends mid-multi-byte UTF-8. This can crash the Perl process and lead to denial of service. Evidence across multiple sources (NVD/S...

CVE-2026-8177

XML::LibXML versions through 2.0210 for Perl read out-of-bounds heap memory when parsing XML node names containing truncated UTF-8 byte sequences. A node name ending in the middle of a multi byte UTF-8 sequence causes the parser to read past the end of the input string into adjacent heap memory...