Node.js: FS Permissions Bypass
A flaw was discovered in Node.js's Permissions model that allowed attackers to bypass --allow-fs-read and --allow-fs-write restrictions using crafted relative symlink paths. By chaining directories and symlinks, a script granted access only to the current directory could escape the allowed path a...
SUSE SLES12 Security Update : nodejs18 (SUSE-SU-2025:3919-1)
The remote SUSE Linux SLES12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:3919-1 advisory. - CVE-2025-7783: Switched away from Math.random in boundary values for multipart form-encoded data bsc1246818 Tenable has extracted the preceding...
AZL-69902 CVE-2025-11219 affecting package nodejs18 18.20.3-11
Use after free in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to potentially perform out of bounds memory access via a crafted HTML page. Chromium security severity: Low...
AZL-69878 CVE-2025-11215 affecting package nodejs 20.14.0-13
Off by one error in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Chromium security severity: Medium...
AZL-69905 CVE-2025-11215 affecting package nodejs18 18.20.3-11
Off by one error in V8 in Google Chrome prior to 141.0.7390.54 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. Chromium security severity: Medium...
SUSE-SU-2025:3919-1 Security update for nodejs18
This update for nodejs18 fixes the following issues: - CVE-2025-7783: Switched away from Math.random in boundary values for multipart form-encoded data bsc1246818...
Security update for nodejs18
This update for nodejs18 fixes the following issues: CVE-2025-7783: Switched away from Math.random in boundary values for multipart form-encoded data bsc1246818 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch"...
Exploit for Code Injection in Flowiseai Flowise
CVE-2025-59528.yaml Flowise is a drag & drop user interface to...
Node.js: Timeout-based race conditions make Uint8Array/Buffer.alloc non-zerofilled
A flaw in Node.js's buffer allocation logic was discovered, where buffers allocated with Buffer.alloc and other TypedArray instances like Uint8Array may contain leftover data from previous operations under specific timing conditions...
Malicious code in zohocrm-nodejs-sdk-3.0 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 8667273dd1820eda9a1a67abda3359d484492251a23ee3bb7acb310721b92ed5 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
NewStart CGSL MAIN 7.02 : nodejs Vulnerability (NS-SA-2025-0245)
The remote NewStart CGSL host, running version MAIN 7.02, has nodejs packages installed that are affected by a vulnerability: - Versions of the package cross-spawn before 6.0.6, from 7.0.0 and before 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS) due to improper input...
CVE-2025-62380 Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails
mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.31 contain an HTML injection vulnerability in plaintext emails generated with the generatePlaintext method when user generated content is supplied. The plaintext...
EUVD-2025-34231
Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails...
CVE-2025-62366
mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.30 contain an HTML injection vulnerability in plaintext emails produced by the generatePlaintext method when user‑generated content is supplied. The function attempts t...
Malicious code in redirect-j8m62u (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 2a45464226511d36e1577cefa67e4d6eeabc65682d19be60c094416acaeb3d94 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
AlmaLinux 10 : nodejs22 (ALSA-2025:8493)
The remote AlmaLinux 10 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2025:8493 advisory. nodejs: Remote Crash via SignTraits::DeriveBits in Node.js CVE-2025-23166 Tenable has extracted the preceding description block directly from the AlmaLinux securi...
GHSA-35G6-RRW3-V6XC FlowiseAI/Flowise has File Upload vulnerability
Summary A file upload vulnerability in FlowiseAI allows authenticated users to upload arbitrary files without proper validation. This enables attackers to persistently store malicious Node.js web shells on the server, potentially leading to Remote Code Execution (RCE). Details The system fails to...
EUVD-2018-0666
Malware in sbrugna...
EUVD-2017-0340
Malware in sbrugna...
EUVD-2019-16203
Malware in sbrugna...