Cvelist
added 2026/03/27 8:01 p.m. | 24 views

CVE-2026-33872 elixir-nodejs has Cross-User Data Leakage or Information Disclosure due to Worker Protocol Race Condition

elixir-nodejs provides an Elixir API for calling Node.js functions. A vulnerability in versions prior to 3.1.4 results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol. The lack of request-response correlation creates a "stale response"...

CVSS 7.1 | EPSS 0.00036
Exploits: 0 | References: 4

CVE
added 2026/03/27 8:01 p.m. | 7 views

CVE-2026-33872

CVE-2026-33872 affects elixir-nodejs prior to 3.1.4. A race condition in the worker protocol enables Cross-User Data Leakage due to lack of request-response correlation, potentially returning data intended for a different user in high-throughput / concurrent scenarios. The vulnerability can disclo...

CVSS 7.1 | AI score 6 | EPSS 0.00036
Exploits: 0 | References: 4

IBM Security Bulletins
added 2026/03/27 5:32 p.m. | 8 views

Security Bulletin: IBM App Connect Enterprise is vulnerable to multiple vulnerabilities due to Node.js module Multer (CVE-2026-2359, CVE-2026-3304 & CVE-2026-3520)

Summary: The IBM App Connect Enterprise Connector Discovery and OpenAPI Editor is vulnerable to multiple vulnerabilities due to Node.js module Multer.
Vulnerability Details
CVEID: CVE-2026-2359
DESCRIPTION: Multer is a node.js middleware for handling multipart/form-data. A vulnerability in Multer...

CVSS 8.7 | AI score 6 | EPSS 0.00067
Exploits: 1 | Affected Software: 1

Amazon
added 2026/03/27 12:00 a.m. | 3 views

Important: nodejs22

Issue Overview: node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as th...

CVSS 8.2 | AI score 5.8 | EPSS 0.00009
Exploits: 3

CNNVD
added 2026/03/27 12:00 a.m. | 3 views

elixir-nodejs race condition vulnerability

Elixir-nodejs is an open-source project by Revelry that serves as an Elixir API for calling Node.js functions. Versions of elixir-nodejs prior to 3.1.4 contained a race condition vulnerability. This vulnerability stemmed from race conditions in the working protocol, which led to the loss of...

CVSS 7.1 | AI score 5.8 | EPSS 0.00036
Exploits: 0 | References: 5

OSV
added 2026/03/26 10:04 p.m. | 1 view

GHSA-Q67F-28XG-22RW Forge has signature forgery in Ed25519 due to missing S > L check

Summary: Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S ≥ L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the...

CVSS 7.5 | AI score 6.7 | EPSS 0.00164
Exploits: 0 | References: 7

Github Security Blog
added 2026/03/26 6:23 p.m. | 2 views

elixir-nodejs has Cross-User Data Leakage or Information Disclosure due to Worker Protocol Race Condition

Impact: This vulnerability results in Cross-User Data Leakage or Information Disclosure due to a race condition in the worker protocol. The lack of request-response correlation creates a "stale response" vulnerability. Because the worker does not verify which request a response belongs to, it may...

CVSS 7.1 | AI score 6 | EPSS 0.00036
Exploits: 0 | References: 6 | Affected Software: 1

Vulnrichment
added 2026/03/26 5:21 p.m. | 0 views

CVE-2026-33732 srvx is vulnerable to middleware bypass via absolute URI in request line

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. file://). Starting in version 0.11.13, the...

CVSS 4.8 | AI score 5.9 | EPSS 0.0005
Exploits: 0 | References: 3

OSV
added 2026/03/26 5:21 p.m. | 1 view

CVE-2026-33732 srvx is vulnerable to middleware bypass via absolute URI in request line

srvx is a universal server based on web standards. Prior to version 0.11.13, a pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. file://). Starting in version 0.11.13, the...

CVSS 4.8 | AI score 5.9 | EPSS 0.0005
Exploits: 0 | References: 5

OSV
added 2026/03/26 4:52 p.m. | 2 views

GHSA-P36Q-Q72M-GCHR srvx is vulnerable to middleware bypass via absolute URI in request line

Summary: A pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. file://).
Details: When Node.js receives an absolute URI in the request line, e.g. GET file://hehe?/internal/run...

CVSS 4.8 | AI score 5.9 | EPSS 0.0005
Exploits: 0 | References: 5

Snyk
added 2026/03/26 8:19 a.m. | 4 views

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the FileHandle.chmod or FileHandle.chown functions, which can use a "read-only" file descriptor to change the owner and permissions of a file.
Notes:
- This is only exploitable for users using the experimental...

CVSS 4.4 | AI score 6.6 | EPSS 0.00095
Exploits: 0 | References: 2

Positive Technologies
added 2026/03/26 12:00 a.m. | 3 views

PT-2026-28543

Name of the Vulnerable Software and Affected Versions: elixir-nodejs versions prior to 3.1.4
Description: elixir-nodejs is an Elixir API for calling Node.js functions. A flaw exists due to a race condition in the worker protocol, leading to Cross-User Data Leakage or Information Disclosure. The...

CVSS 7.1 | AI score 5.9 | EPSS 0.00036
Exploits: 0 | References: 8

CBLMariner
added 2026/03/25 10:53 p.m. | 2 views

CVE-2026-27135 affecting package nodejs for versions less than 20.14.0-14

CVE-2026-27135 affecting package nodejs for versions less than 20.14.0-14. A patched version of the package is available...

CVSS 7.5 | AI score 5.8 | EPSS 0.0003
Exploits: 0

OSV
added 2026/03/25 8:08 p.m. | 0 views

GHSA-48C2-RRV3-QJMP yaml is vulnerable to Stack Overflow via deeply nested YAML collections

Parsing a YAML document with yaml may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a RangeError: Maximum call stack size exceeded with a small payload...

CVSS 4.3 | AI score 6 | EPSS 0.00025
Exploits: 1 | References: 6

Circl
added 2026/03/25 4:26 p.m. | 1 view

CVE-2026-21717

creationtimestamp | type | source
2026-03-25 16:26:55+00:00 | seen | https://bsky.app/profile/nodejs.org/post/3mhvixzwybc2u
2026-03-25 16:26:56+00:00 | seen | https://bsky.app/profile/nodejs.org/post/3mhviy2ktz22u
2026-03-25 16:26:56+00:00 | seen | ...

CVSS 5.9 | AI score 6.3 | EPSS 0.00033
Exploits: 0 | References: 14

Circl
added 2026/03/25 3:00 a.m. | 0 views

CVE-2026-21716

creationtimestamp | type | source
2026-03-25 03:00:00+00:00 | seen | https://www.hkcert.org/security-bulletin/node-js-multiple-vulnerabilities20260325
2026-03-30 20:05:16+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3michjcdym62q
2026-03-30 22:50:34+00:00 | seen | ...

CVSS 3.3 | AI score 6.3 | EPSS 0.00005
Exploits: 0 | References: 3

Circl
added 2026/03/25 3:00 a.m. | 0 views

CVE-2026-21715

creationtimestamp | type | source
2026-03-25 03:00:00+00:00 | seen | https://www.hkcert.org/security-bulletin/node-js-multiple-vulnerabilities20260325
2026-03-30 20:00:30+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3micharnlb322...

CVSS 3.3 | AI score 6.3 | EPSS 0.00005
Exploits: 0 | References: 2

OSSF Malicious Packages
added 2026/03/25 12:11 a.m. | 5 views

Malicious code in @xvortexsockets/baileys (npm)

Per source details. Do not edit below this line.
Source: amazon-inspector e6fe781d4e79519992d2b0f37577515da41d7e0deb2f9f32df7c39dfb8de3916
The package @xvortexsockets/baileys was found to contain malicious code.
Source: ghsa-malware...

AI score 5.8
Exploits: 0 | References: 1

Tenable Nessus
added 2026/03/25 12:00 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-21716

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.
- An incomplete fix for CVE-2024-36137 leaves FileHandle.chmod and FileHandle.chown in the promises API without the required permission checks, while their...

CVSS 3.3 | AI score 6.8 | EPSS 0.00095
Exploits: 0 | References: 3

Tenable Nessus
added 2026/03/25 12:00 a.m. | 1 view

Linux Distros Unpatched Vulnerability : CVE-2026-21710

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.
- A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a header named proto and the application accesses...

CVSS 7.5 | AI score 7 | EPSS 0.00036
Exploits: 0 | References: 2
