CVE-2026-34780

A flaw was found in Electron, a framework for building cross-platform desktop applications. An attacker capable of executing JavaScript in the main world, for instance through a cross-site scripting XSS vulnerability, could exploit this flaw. By passing VideoFrame objects from the WebCodecs API...

CVE-2026-34775

A flaw was found in Electron, a framework for building desktop applications. In specific scenarios where applications enable Node.js integration, a misconfiguration could allow workers, which are background scripts, to gain Node.js capabilities even when explicitly disabled. This could enable a...

Malicious code in use-form-builder-plugin (npm)

Package is malware. Collects system info, exfiltrates data via HTTP/DNS, executes commands, and uses preinstall script for auto-execution. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bdced38cb2f5f34bb91f39b16697369424bf1cbde84ca18363e78454b31d6ddc The packag...

CVE-2026-34211

SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions...

BIT-PARSE-2026-34573 Parse Server: GraphQL complexity validator exponential fragment traversal DoS

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A singl...

CVE-2026-5532

A vulnerability was found in ScrapeGraphAI scrapegraph-ai up to 1.74.0. The affected element is the function createsandboxandexecute of the file scrapegraphai/nodes/generatecodenode.py of the component GenerateCodeNode Component. The manipulation results in os command injection. The attack may be...

Malicious code in commerce-utils (npm)

Malicious package due to data exfiltration to a suspicious host, combined with arbitrary code execution during preinstall. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3bb3d6d3a8a8898abe7e371e54753d5902a5062151888ccff6c656f5edac6ba6 The package commerce-utils...

BIT-NODE-MIN-2026-21717

A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the...

BIT-NODE-MIN-2026-21714

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...

BIT-NODE-MIN-2026-21713

A flaw in Node.js HMAC verification uses a non-constant-time comparison when validating user-provided signatures, potentially leaking timing information proportional to the number of matching bytes. Under certain threat models where high-resolution timing measurements are possible, this behavior...

BIT-NODE-MIN-2026-21711

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket UDS server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...

BIT-NODE-2026-21714

A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOWUPDATE frames on stream 0 connection-level that cause the flow control window to exceed the maximum value of 2³¹-1. The server correctly sends a GOAWAY frame, but the Http2Session object is never cleaned up. This vulnerabili...

BIT-NODE-2026-21712

A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name IDN containing invalid characters, crashing the Node.js process...

BIT-NODE-2026-21710

A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses req.headersDistinct. When this occurs, dest"proto" resolves to Object.prototype rather than undefined, causing .push to be called on a non-array...

BIT-HUBBLE-RELAY-2026-33726 Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services Envoy, GAMMA with a local backend on the same node, when Per-Endpoint Routing is...

BIT-CILIUM-2026-33726 Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services Envoy, GAMMA with a local backend on the same node, when Per-Endpoint Routing is...

BIT-CILIUM-OPERATOR-2026-33726 Cilium L7 proxy may bypass Kubernetes NetworkPolicy for same-node traffic

Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Prior to versions 1.17.14, 1.18.8, and 1.19.2, Ingress Network Policies are not enforced for traffic from pods to L7 Services Envoy, GAMMA with a local backend on the same node, when Per-Endpoint Routing is...

A week in security (March 30 – April 5)

Last week on Malwarebytes Labs: That dream job offer from Coca-Cola or Ferrari? It’s a trap for your passwords Blocking children from social media is a badly executed good idea Apple expands "DarkSword" patches to iOS 18.7.7 Malwarebytes Privacy VPN receives full third-party audit Wikipedia’s AI...

Malicious code in chess-sec-ssrf1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 25205345915fdf089bcbd90b35f9e852c02281bd7452805479d18c610063ac52 The package chess-sec-ssrf1 was found to contain malicious code. Source: ossf-package-analysis...

MAL-2026-2496 Malicious code in chess-sec-ssrf1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 25205345915fdf089bcbd90b35f9e852c02281bd7452805479d18c610063ac52 The package chess-sec-ssrf1 was found to contain malicious code. Source: ossf-package-analysis...