Lucene search
K

16 matches found

OSV
OSV
added 2026/06/29 5:49 a.m.5 views

BIT-NODE-MIN-2026-48936

A flaw in Node.js Permission API can cause a local server to be started via a Unix domain socket, even without the --allow-net permission. This vulnerability affects one supported release line: Node.js 26...

3.3CVSS6AI score0.00154EPSS
Exploits0References2
OSV
OSV
added 2026/06/29 5:48 a.m.5 views

BIT-NODE-2026-48936

A flaw in Node.js Permission API can cause a local server to be started via a Unix domain socket, even without the --allow-net permission. This vulnerability affects one supported release line: Node.js 26...

3.3CVSS5.7AI score0.00154EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/26 10:40 p.m.10 views

CVE-2026-48935

A flaw was found in Node.js. The Permission API allows a local user to modify file metadata on paths that have been explicitly set as read-only. This can lead to unauthorized changes in file properties, impacting the integrity of the file system. Mitigation Mitigation for this issue is either not...

3.3CVSS5.6AI score0.00154EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/26 10:31 p.m.8 views

CVE-2026-48936

A flaw was found in Node.js. The Node.js Permission API can allow a local server to be started through a Unix domain socket, even when the --allow-net permission is not explicitly granted. This bypasses intended security restrictions, potentially leading to unintended local network exposure or...

3.3CVSS5.6AI score0.00154EPSS
Exploits0References4
OSV
OSV
added 2026/06/26 2:16 a.m.8 views

ALPINE-CVE-2026-48935

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.3CVSS5.8AI score0.00154EPSS
Exploits0References1
Debian CVE
Debian CVE
added 2026/06/26 1:14 a.m.9 views

CVE-2026-48935

A flaw in Node.js Permission API can cause a file metadata to be modified even on a path that was set as read-only with e.g. --allow-fs-read. This vulnerability affects all supported release lines: Node.js 22, Node.js 24, and Node.js 26...

3.3CVSS6.4AI score0.00154EPSS
Exploits0
SUSE CVE
SUSE CVE
added 2026/06/20 2:29 a.m.14 views

SUSE CVE-2026-48617

A flaw in Node.js Permission Model enforcement allows Bypass via process.report.writeReport Path Misvalidation. This can lead to confidentiality impact or bypass of the intended security boundary under affected configurations. This vulnerability affects all supported release lines: Node.js 22,...

2.9CVSS5.9AI score0.00208EPSS
Exploits0References7
OSV
OSV
added 2026/04/06 7:58 a.m.4 views

BIT-NODE-MIN-2026-21715

A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under --permission with restricted --allow-fs-read can still use...

3.3CVSS6.3AI score0.00158EPSS
Exploits0References2
EUVD
EUVD
added 2026/03/30 9:31 p.m.6 views

EUVD-2026-17172

A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket UDS server operations without the required permission checks, while all comparable network paths correctly enforce them. As a result, code running under --permission without --allow-net can create and expose local IP...

5.3CVSS6AI score0.00146EPSS
Exploits0References2
NVD
NVD
added 2026/03/30 8:16 p.m.5 views

CVE-2026-21715

A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under --permission with restricted --allow-fs-read can still use...

3.3CVSS0.00158EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/03/30 7:7 p.m.4 views

CVE-2026-21715

A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native without the required read permission checks, while all comparable filesystem functions correctly enforce them. As a result, code running under --permission with restricted --allow-fs-read can still use...

3.3CVSS5.9AI score0.00158EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/03/30 12:0 a.m.5 views

PT-2026-29099

Name of the Vulnerable Software and Affected Versions Node.js versions 25.x Description A flaw in the Node.js Permission Model’s network enforcement allows Unix Domain Socket UDS server operations to proceed without the necessary permission checks. All other network paths correctly enforce these...

5.3CVSS6.5AI score0.00146EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/03/28 12:0 a.m.3 views

Linux Distros Unpatched Vulnerability : CVE-2026-21711

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in Node.js Permission Model network enforcement leaves Unix Domain Socket UDS server operations without the required permission checks, while all...

5.3CVSS6.7AI score0.00146EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/03/25 12:0 a.m.5 views

Linux Distros Unpatched Vulnerability : CVE-2026-21715

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native without the required read permission checks, while all comparable...

3.3CVSS6.5AI score0.00158EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/01/20 8:41 p.m.7 views

CVE-2026-21636

A flaw in Node.js's permission model allows Unix Domain Socket UDS connections to bypass network restrictions when --permission is enabled. Even without --allow-net, attacker-controlled inputs such as URLs or socketPath options can connect to arbitrary local sockets via net, tls, or undici/fetch...

10CVSS5.7AI score0.00663EPSS
Exploits1References2Affected Software1
Tenable Nessus
Tenable Nessus
added 2025/12/04 12:0 a.m.13 views

RockyLinux 9 : nodejs:18 (RLSA-2023:2654)

The remote RockyLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:2654 advisory. glob-parent: Regular Expression Denial of Service CVE-2021-35065 c-ares: buffer overflow in configsortlist due to missing string length check CVE-2022-49...

8.6CVSS7.1AI score0.02209EPSS
Exploits5References17
Rows per page
Query Builder