19 matches found

[Cvelist] added 2026/05/13 5:01 p.m. | 26 views

CVE-2026-44578 Next.js: Server-side request forgery in applications using WebSocket upgrades

Next.js is a React framework for building full-stack web applications. From 13.4.13 to before 15.5.16 and 16.2.5, self-hosted applications using the built-in Node.js server can be vulnerable to server-side request forgery through crafted WebSocket upgrade requests. An attacker can cause the serve...

CVSS 8.6 | EPSS 0.0581
Exploits: 7 | References: 1
[CVE] added 2026/03/13 7:47 p.m. | 3 views

CVE-2026-31949

LibreChat (GitHub project) is affected by CVE-2026-31949 in versions prior to 0.8.3-rc1. The vulnerability is a DoS in the DELETE /api/convos endpoint: the route handler destructures req.body.arg without validating that it exists, causing an unhandled TypeError that bypasses Express error handlin...

CVSS 6.5 | AI score 5.8 | EPSS 0.00066
Exploits: 1 | References: 1 | Affected software: 1
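The destructure-without-validation pattern described in the LibreChat entry above, as an added example that is not LibreChat's code: a vulnerable Express-style handler next to a hardened one, with a minimal stand-in dispatcher so it runs without Express installed. The route shape, the `conversationId` field and the status codes are assumptions.

```javascript
// Added example, not LibreChat's code. Shows how an unvalidated destructure of
// req.body.arg turns a malformed request into a TypeError, and the guard that
// turns it into a 400 instead. Route shape, field names and status codes are assumptions.

// Minimal stand-in for an Express response object, enough for status()/json().
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (obj) => { res.body = obj; return res; };
  return res;
}

// Vulnerable shape: treats req.body.arg as if it were always an object.
// A body of `{}` (or `{"arg": null}`) makes the destructure throw
// "TypeError: Cannot destructure property 'conversationId' of undefined".
function deleteConvosVulnerable(req, res) {
  const { conversationId } = req.body.arg;
  return res.status(200).json({ deleted: conversationId });
}

// Hardened shape: validate the shape first and answer 400 on bad input.
// Note the type check: destructuring a string does NOT throw, it silently
// yields undefined, so an existence check alone is not enough.
function deleteConvosHardened(req, res) {
  const arg = req.body ? req.body.arg : undefined;
  if (arg === null || typeof arg !== 'object' || typeof arg.conversationId !== 'string') {
    return res.status(400).json({ error: 'body.arg.conversationId (string) is required' });
  }
  const { conversationId } = arg;
  return res.status(200).json({ deleted: conversationId });
}

// Stand-in for Express 4 dispatch: a synchronous throw inside a handler is caught
// and handed to the error middleware (default 500). If the real handler were
// declared `async`, Express 4 would not await it; the same TypeError would become
// a rejected promise that no error middleware sees, and Node >= 15 exits on an
// unhandled rejection by default, which is how one request becomes a crash.
function dispatch(handler, body) {
  const res = makeRes();
  try {
    handler({ body }, res);
  } catch (err) {
    res.status(500).json({ error: err.name });
  }
  return { status: res.statusCode, body: res.body };
}

// Run both handlers over constructed request bodies (constructed sample input).
function demo() {
  const noArg = {};                               // constructed: `arg` missing
  const stringArg = { arg: 'not-an-object' };     // constructed: wrong type
  const valid = { arg: { conversationId: 'c1' } }; // constructed: well-formed
  return {
    vulnNoArg: dispatch(deleteConvosVulnerable, noArg),
    vulnStringArg: dispatch(deleteConvosVulnerable, stringArg),
    hardNoArg: dispatch(deleteConvosHardened, noArg),
    hardStringArg: dispatch(deleteConvosHardened, stringArg),
    hardValid: dispatch(deleteConvosHardened, valid),
  };
}
```

Call `demo()` to compare: the vulnerable handler turns a missing `arg` into a TypeError (a 500 here, an unhandled rejection in an async Express 4 handler) and quietly accepts a string `arg`, while the hardened handler answers 400 to both and 200 only to the well-formed body.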
[OSV] added 2026/03/10 11:57 p.m. | 0 views

GHSA-7FV4-FMMC-86G2 @siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes

Shell Command Injection in User Git Config Endpoint. Severity: High; CVSS 3.1: 8.8 High (when chained with VULN-01); CWE: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'); Attack Vector: Network; ...

CVSS 8.7 | AI score 6.2 | EPSS 0.00069
Exploits: 1 | References: 5
[RedhatCVE] added 2025/12/30 5:54 p.m. | 3 views

CVE-2025-69211

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...

CVSS 9.1 | AI score 6.5 | EPSS 0.00026
Exploits: 1 | References: 5
[OSSF Malicious Packages] added 2025/11/12 4:29 a.m. | 2 views

Malicious code in start-ursa-nodejs-server (npm)

Source: amazon-inspector (593bc23c8976e4718436bc2e85ed27103ac307c4bd87d7308b8a3d041620871c). This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score 6.9
Exploits: 0
[EUVD] added 2025/11/12 4:29 a.m. | 1 views

EUVD-2025-121641

Malicious code in start-ursa-nodejs-server npm...

AI score 6.6
Exploits: 0
[EUVD] added 2025/10/03 8:07 p.m. | 1 views

EUVD-2025-26139

Malicious code in bioql PyPI...

CVSS 7.5 | AI score 6.3 | EPSS 0.00171
Exploits: 0 | References: 7
[NVD] added 2025/10/02 10:15 p.m. | 2 views

CVE-2025-61668

Volto is a ReactJS-based frontend for the Plone Content Management System. In versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a...

CVSS 8.7 | EPSS 0.00105
Exploits: 0 | References: 8
[Vulnrichment] added 2025/10/02 9:46 p.m. | 4 views

CVE-2025-61668 @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user

Volto is a ReactJS-based frontend for the Plone Content Management System. In versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a...

CVSS 8.7 | AI score 6.2 | EPSS 0.00105
Exploits: 0 | References: 8
[Cvelist] added 2025/10/02 9:46 p.m. | 6 views

CVE-2025-61668 @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user

Volto is a ReactJS-based frontend for the Plone Content Management System. In versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a...

CVSS 8.7 | EPSS 0.00105
Exploits: 0 | References: 8
[CVE] added 2025/10/02 9:46 p.m. | 6 views

CVE-2025-61668

CVE-2025-61668 affects Volto (Plone ReactJS frontend). Versions 16.34.0 and earlier; 17.0.0–17.22.1; 18.0.0–18.27.1; and 19.0.0-alpha.1–19.0.0-alpha.5 allow an anonymous user to trigger a NodeJS server crash by visiting a specific URL. Root cause: improper handling of a crafted URL request leadin...

CVSS 8.7 | AI score 6.2 | EPSS 0.00105
Exploits: 0 | References: 8
[OSV] added 2025/10/02 9:46 p.m. | 2 views

CVE-2025-61668 @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user

Volto is a ReactJS-based frontend for the Plone Content Management System. In versions 16.34.0 and below, 17.0.0 through 17.22.1, 18.0.0 through 18.27.1, and 19.0.0-alpha.1 through 19.0.0-alpha.5, an anonymous user could cause the NodeJS server part of Volto to quit with an error when visiting a...

CVSS 8.7 | AI score 6.4 | EPSS 0.00105
Exploits: 0 | References: 10
[RedhatCVE] added 2025/08/30 6:18 p.m. | 2 views

CVE-2025-58047

Volto is a React based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0, an anonymous user could cause the NodeJS server part of Volto to quit with an error when...

CVSS 7.5 | AI score 6.5 | EPSS 0.00171
Exploits: 0 | References: 1
[Vulnrichment] added 2025/08/28 5:10 p.m. | 0 views

CVE-2025-58047 Volto affected by possible DoS by invoking specific URL by anonymous user

Volto is a React based frontend for the Plone Content Management System. In versions from 19.0.0-alpha.1 to before 19.0.0-alpha.4, 18.0.0 to before 18.24.0, 17.0.0 to before 17.22.1, and prior to 16.34.0, an anonymous user could cause the NodeJS server part of Volto to quit with an error when...

CVSS 7.5 | AI score 6.1 | EPSS 0.00171
Exploits: 0 | References: 6
[Positive Technologies] added 2025/08/28 12:00 a.m. | 1 views

PT-2025-35112

Name of the vulnerable software and affected versions: Volto versions 19.0.0-alpha.1 through 19.0.0-alpha.4; Volto versions 18.0.0 through 18.24.0; Volto versions 17.0.0 through 17.22.1; Volto versions prior to 16.34.0. Description: Volto, a React-based frontend for the Plone Content Management System,...

CVSS 7.5 | AI score 6.5 | EPSS 0.00171
Exploits: 0 | References: 23
[OSV] added 2024/10/29 2:14 a.m. | 4 views

MAL-2024-10267 Malicious code in webhooks-resources-nodejs-server (npm)

Source: ghsa-malware (3a43dfca0a81576880163a0fe81d037a7afb900df7a2de98b47f233cc57cc587). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits: 0 | References: 1
[OSSF Malicious Packages] added 2024/10/29 2:14 a.m. | 2 views

Malicious code in webhooks-resources-nodejs-server (npm)

Source: ghsa-malware (3a43dfca0a81576880163a0fe81d037a7afb900df7a2de98b47f233cc57cc587). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0 | References: 1
[OSV] added 2024/04/09 1:15 a.m. | 1 views

ALPINE-CVE-2024-27983

An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small number of HTTP/2 packets, each carrying a few HTTP/2 frames. It is possible to leave some data in nghttp2 memory after reset when headers with an HTTP/2 CONTINUATION frame are sent to the server and then a T...

CVSS 8.2 | AI score 6.7 | EPSS 0.75933
Exploits: 1 | References: 1
[OSV] added 2024/02/20 2:15 a.m. | 1 views

AZL-35047 CVE-2024-22019 affecting package nodejs for versions less than 20.14.0-1

A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk...

CVSS 7.5 | AI score 6.9 | EPSS 0.0038
Exploits: 0 | References: 1
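The chunked-encoding entry above describes a server that reads without bound from one connection. As an added example that is not Node's own HTTP parser, the decoder below reads each chunk-size line (the line that also carries chunk extensions) only inside a fixed window, so an oversized line is rejected up front instead of being buffered. That the unbounded field is the chunk extension, and the 16 KiB cap, are assumptions; the sample bodies are constructed.

```javascript
// Added example, not Node's llhttp parser. A minimal HTTP/1.1 chunked-body decoder
// that bounds how many bytes it will consume for any chunk-size/extension line or
// trailer line. The cap value is an assumption for illustration.

const MAX_CHUNK_LINE_BYTES = 16 * 1024; // assumption: per-line cap (size + extensions)

class ChunkedError extends Error {}

// Find the next CRLF-terminated line, but only look inside a window of
// maxBytes (+2 for the CRLF). A client cannot make this scan further than that.
function readLine(buf, pos, maxBytes) {
  const window = buf.subarray(pos, Math.min(buf.length, pos + maxBytes + 2));
  const rel = window.indexOf('\r\n', 0, 'latin1');
  if (rel === -1) {
    throw new ChunkedError(`line exceeds ${maxBytes} bytes or is unterminated`);
  }
  return { line: window.toString('latin1', 0, rel), next: pos + rel + 2 };
}

// Decode a complete chunked body (Buffer or latin1 string) into the payload Buffer.
// Throws ChunkedError on malformed, truncated or over-long input.
function decodeChunked(input, maxLineBytes = MAX_CHUNK_LINE_BYTES) {
  const buf = Buffer.isBuffer(input) ? input : Buffer.from(input, 'latin1');
  const parts = [];
  let pos = 0;
  for (;;) {
    const { line, next } = readLine(buf, pos, maxLineBytes);
    // chunk-size [ ";" chunk-ext ]: keep only the hex size, ignore extensions.
    const semi = line.indexOf(';');
    const sizeHex = (semi === -1 ? line : line.slice(0, semi)).trim();
    if (!/^[0-9a-fA-F]{1,8}$/.test(sizeHex)) throw new ChunkedError('invalid chunk size');
    const size = parseInt(sizeHex, 16);
    pos = next;
    if (size === 0) {
      // last-chunk: consume optional trailer lines (each bounded too) up to the empty line.
      for (;;) {
        const t = readLine(buf, pos, maxLineBytes);
        pos = t.next;
        if (t.line === '') break;
      }
      return Buffer.concat(parts);
    }
    if (pos + size + 2 > buf.length) throw new ChunkedError('truncated chunk data');
    parts.push(buf.subarray(pos, pos + size));
    pos += size;
    if (buf[pos] !== 0x0d || buf[pos + 1] !== 0x0a) throw new ChunkedError('missing CRLF after chunk data');
    pos += 2;
  }
}

// Convenience wrapper: {ok:true, body} or {ok:false, error} instead of throwing.
function tryDecode(input, maxLineBytes) {
  try {
    return { ok: true, body: decodeChunked(input, maxLineBytes).toString('latin1') };
  } catch (err) {
    if (err instanceof ChunkedError) return { ok: false, error: err.message };
    throw err;
  }
}

// Constructed sample bodies: two benign streams and one with a 100 KB chunk extension.
function demo() {
  const benign = '5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n';
  const withExt = '5;name=val\r\nhello\r\n0\r\n\r\n';
  const hostile = '5;' + 'a'.repeat(100000) + '\r\nhello\r\n0\r\n\r\n';
  return {
    benign: tryDecode(benign),
    withExt: tryDecode(withExt),
    hostile: tryDecode(hostile),                 // rejected by the 16 KiB cap
    hostileUncapped: tryDecode(hostile, 1 << 20), // same bytes decode once the cap is raised
  };
}
```

`demo()` shows the cap is the only thing standing between the hostile stream and the decoder: with the default window the 100 KB extension is rejected before any of it is retained, and with a 1 MiB window the same bytes decode to `hello`. In a real server the equivalent check belongs in the streaming parser, before bytes are appended to any per-connection buffer.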