24 matches found

OSV
added 2026/05/12 9:16 p.m. · 5 views

UBUNTU-CVE-2026-44240

basic-ftp is an FTP client for Node.js. Prior to 5.3.1, basic-ftp is vulnerable to client-side denial of service when parsing FTP control-channel multiline responses. A malicious or compromised FTP server can send an unterminated multiline response during the initial FTP banner phase, before...

CVSS 7.5 · AI score 5.9 · EPSS 0.00029
Exploits 0 · References 3

OSV
added 2026/02/19 8:25 p.m. · 3 views

DEBIAN-CVE-2026-26280

systeminformation is a System and OS information library for node.js. In versions prior to 5.30.8, a command injection vulnerability in the wifiNetworks function allows an attacker to execute arbitrary OS commands via an unsanitized network interface parameter in the retry code path. In...

CVSS 7.8 · AI score 6.2 · EPSS 0.0003
Exploits 1 · References 1

Positive Technologies
added 2026/02/03 12:0 a.m. · 3 views

PT-2026-6213

Name of the Vulnerable Software and Affected Versions Compressing versions 1.10.3 and prior Compressing version 2.0.0 Description Compressing, a compressing and uncompressing library for Node.js, does not validate symbolic link targets when extracting TAR archives. This allows an attacker to embe...

CVSS 8.4 · AI score 5.7 · EPSS 0.00008
Exploits 1 · References 16

vulnersOsv
added 2026/01/21 3:41 p.m. · 1 views

@aexol/opencode-tui (>=0.2.5 <=0.2.10), @alcyone-labs/arg-parser (>=2.11.0 <=2.13.4) +88 more potentially affected by CVE-2026-23736 via seroval (>=1.0.7 <=1.3.2)

seroval NPM version =1.0.7, =0.2.5, =2.11.0, =1.0.0, =1.0.0, =1.1.54, =1.1.54, =1.0.24, =0.1.0, =0.3.0, =1.0.0, =1.1.1 and more Source cves: CVE-2026-23736 Source advisory: SNYK:JS-SEROVAL-15054523...

CVSS 9.8 · AI score 5.8 · EPSS 0.00333
Exploits 0

vulnersOsv
added 2026/01/13 9:51 p.m. · 2 views

@3onedata/alsatian (>=0.1.8-fix.3 <=0.1.8-fix.5), @any-code/agent (>=0.0.1 <=0.0.16) +123 more potentially affected by CVE-2026-22817 via hono (>=4.0.0 <=4.11.3)

hono NPM version =4.0.0, =0.1.8-fix.3, =0.0.1, =1.7.2, =1.7.1, =0.2.1, =0.6.1, =0.5.2, =1.0.2, =1.0.0, =4.0.0-alpha.28, =1.1.54, =1.1.54, =0.1.0, =0.0.4, =2.0.4 and more Source cves: CVE-2026-22817 Source advisory: SNYK:JS-HONO-14927374...

CVSS 8.2 · AI score 5.8 · EPSS 0.00021
Exploits 0

RedhatCVE
added 2025/12/31 5:42 p.m. · 2 views

CVE-2025-15284

A flaw was found in qs, a module used for parsing query strings. A remote attacker can exploit an improper input validation vulnerability by sending specially crafted HTTP requests that use bracket notation e.g., a=value. This bypasses the arrayLimit option, which is designed to limit the size of...

CVSS 8.7 · AI score 5.9 · EPSS 0.0004
Exploits 1 · References 5

EUVD
added 2025/10/03 8:7 p.m. · 1 views

EUVD-2025-14282

Malicious code in bioql PyPI...

CVSS 6.4 · AI score 6.3 · EPSS 0.00172
Exploits 0 · References 4

EUVD
added 2025/10/03 8:7 p.m. · 0 views

EUVD-2024-1440

Malicious code in bioql PyPI...

CVSS 6.5 · AI score 6.5 · EPSS 0.00233
Exploits 0 · References 4

OSV
added 2025/09/11 4:48 p.m. · 1 views

CLSA-2025-1757609292 nodejs: Fix of CVE-2024-22025

CVE-2024-22025: fix resource exhaustion DoS vulnerability in fetch function...

CVSS 6.5 · AI score 6.9 · EPSS 0.00636
Exploits 0 · References 1

OSV
added 2025/08/14 6:52 p.m. · 1 views

MAL-2025-27077 Malicious code in nanotechnology-nodejs-library-nodemon (npm)

The package nanotechnology-nodejs-library-nodemon was found to contain malicious code...

AI score 7.2
Exploits 0

RedhatCVE
added 2025/05/13 12:29 a.m. · 4 views

CVE-2025-47828

Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings...

CVSS 6.4 · AI score 6.9 · EPSS 0.00172
Exploits 0 · References 1

Github Security Blog
added 2025/05/11 3:30 a.m. · 13 views

@lumieducation/h5p-server Fails to Sanitize Plain Text Strings

Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings...

CVSS 6.4 · AI score 6.9 · EPSS 0.00172
Exploits 0 · References 4 · Affected Software 1

OSV
added 2025/05/11 3:30 a.m. · 4 views

GHSA-M7GM-V253-56HH @lumieducation/h5p-server Fails to Sanitize Plain Text Strings

Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings...

CVSS 6.4 · AI score 6.8 · EPSS 0.00172
Exploits 0 · References 4

NVD
added 2025/05/11 3:15 a.m. · 10 views

CVE-2025-47828

Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings...

CVSS 6.4 · EPSS 0.00172
Exploits 0 · References 2

OSV
added 2025/05/11 3:15 a.m. · 2 views

CVE-2025-47828

Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings...

CVSS 6.4 · AI score 6.8
Exploits 0 · References 2

CVE
added 2025/05/11 12:0 a.m. · 48 views

CVE-2025-47828

CVE-2025-47828 affects Lumi H5P-Nodejs-library before 9.3.3. The root cause is omission of sanitizeHtml for plain text strings, enabling potential Cross-Site Scripting (XSS) risks. Impact is limited to confidentiality and integrity with no reported availability impact; attack vector is network, w...

CVSS 6.4 · AI score 7 · EPSS 0.00172
Exploits 0 · References 2

Cvelist
added 2025/05/11 12:0 a.m. · 11 views

CVE-2025-47828

Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings...

CVSS 6.4 · EPSS 0.00172
Exploits 0 · References 2

Vulnrichment
added 2025/05/11 12:0 a.m. · 4 views

CVE-2025-47828

Lumi H5P-Nodejs-library before 9.3.3 omits a sanitizeHtml call for plain text strings...

CVSS 6.4 · AI score 6.5 · EPSS 0.00172
Exploits 0 · References 2

Positive Technologies
added 2025/05/11 12:0 a.m. · 4 views

PT-2025-20649 · Unknown · Lumi H5P-Nodejs-Library

Name of the Vulnerable Software and Affected Versions: Lumi H5P-Nodejs-library versions prior to 9.3.3 Description: The issue is related to the omission of a sanitizeHtml call for plain text strings. This could potentially lead to security issues, although specific details about the estimated...

CVSS 6.4 · AI score 6.3 · EPSS 0.00172
Exploits 0 · References 10

OSV
added 2024/04/04 4:15 p.m. · 0 views

AZL-39734 CVE-2024-30260 affecting package nodejs for versions less than 20.14.0-1

Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for fetch, but did not clear them for undici.request. This vulnerability was patched in versions 5.28.4 and 6.11.1...

CVSS 4.3 · AI score 6.6 · EPSS 0.00198
Exploits 0 · References 1