4303 matches found

Tenable Nessus
added 2026/03/25 12:0 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2026-21715

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in Node.js Permission Model filesystem enforcement leaves fs.realpathSync.native without the required read permission checks, while all comparable...

CVSS 3.3 | AI score 6.8 | EPSS 0.00005
Exploits 0 | References 3
Tenable Nessus
added 2026/03/25 12:0 a.m. | 0 views

Linux Distros Unpatched Vulnerability : CVE-2026-71717

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Debian Linux - nodejs - None CVE-2026-71717 Note that Nessus relies on the presence of the package as reported by the vendor...

AI score 5.8
Exploits 0 | References 2
Tenable Nessus
added 2026/03/25 12:0 a.m. | 1 views

Linux Distros Unpatched Vulnerability : CVE-2026-21712

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw in Node.js URL processing causes an assertion failure in native code when url.format is called with a malformed internationalized domain name (IDN)...

CVSS 5.7 | AI score 6.9 | EPSS 0.00033
Exploits 0 | References 3
Tenable Nessus
added 2026/03/25 12:0 a.m. | 2 views

Linux Distros Unpatched Vulnerability : CVE-2026-21714

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A memory leak occurs in Node.js HTTP/2 servers when a client sends WINDOW_UPDATE frames on stream 0 (connection-level) that cause the flow control window to exceed...

CVSS 5.3 | AI score 6.7 | EPSS 0.00019
Exploits 0 | References 3
OSV
added 2026/03/24 3:44 p.m. | 1 views

MAL-2026-2365 Malicious code in env-nodejs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b9fdb2ca296901d2020b959a63ec369c661ac063698529ced5230cd04717a5c0 The package env-nodejs was found to contain malicious code...

AI score 5.8
Exploits 0
OSSF Malicious Packages
added 2026/03/24 3:44 p.m. | 3 views

Malicious code in env-nodejs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b9fdb2ca296901d2020b959a63ec369c661ac063698529ced5230cd04717a5c0 The package env-nodejs was found to contain malicious code...

AI score 5.9
Exploits 0
Node JS Blog
added 2026/03/24 12:0 a.m. | 5 views

Tuesday, March 24, 2026 Security Releases

Tuesday, March 24, 2026 Security Releases Security releases available Updates are now available for the 25.x, 24.x, 22.x, 20.x Node.js release lines for the following issues. This security release includes the following dependency updates to address public vulnerabilities: undici 6.24.1, 7.24.4 o...

CVSS 7.5 | AI score 6.6 | EPSS 0.00095
Exploits 0
vulnersOsv
added 2026/03/23 6:30 a.m. | 5 views

@1auth/authn-webauthn (>=0.0.0-alpha.0 <=0.0.0-alpha.3), @agentic/stdlib (>=7.4.0 <=7.6.9) +786 more potentially affected by CVE-2026-4598 via jsrsasign (>=0.0.3 <=11.1.0)

jsrsasign NPM version =0.0.3, =0.0.0-alpha.0, =7.4.0, =7.4.0, =6.0.0, =1.0.0-1.0.1.0, =1.0.0-1.0.1.0, =0.0.3-alpha.0, =2.0.0, =2.7.1, =6.0.0, =6.0.0, =0.1.0, =1.0.0, =5.0.0-3998.0 and more Source cves: CVE-2026-4598 Source advisory: OSV:GHSA-8G7P-JF3G-GXCP...

CVSS 8.7 | AI score 5.8 | EPSS 0.00078
Exploits 1
F5 Networks
added 2026/03/19 3:56 a.m. | 3 views

K000160399: Node.js vulnerability CVE-2025-59464

Security Advisory Description: A memory leak in Node.js’s OpenSSL integration occurs when converting X.509 certificate fields to UTF-8 without freeing the allocated buffer. When applications call socket.getPeerCertificate(true), each certificate field leaks memory, allowing remote clients to trigger...

CVSS 7.5 | AI score 6.8 | EPSS 0.00098
Exploits 0
Redos
added 2026/03/19 12:0 a.m. | 2 views

ROS-20260319-73-0004

Vulnerability in nodejs related to lack of memory release after effective lifetime. Exploitation of the vulnerability could allow an attacker to cause a denial of service...

CVSS 3.1 | AI score 5.8 | EPSS 0.00047
Exploits 0
Snyk
added 2026/03/18 4:18 p.m. | 0 views

Directory Traversal

Overview org.webjars.npm:h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to Directory Traversal via the serveStatic function. An attacker can access arbitrary files outside the intended static directory by sending crafted...

CVSS 8.2 | AI score 6.5
Exploits 0 | References 2
OSV
added 2026/03/18 12:47 p.m. | 2 views

MAL-2026-1715 Malicious code in dotenv-nodejs (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 14a15bdceba2f650e2c3d04e2be33994e406c2548812e89a520fc511c2529266 The package dotenv-nodejs was found to contain malicious code...

AI score 5.8
Exploits 0
OpenVAS
added 2026/03/18 12:0 a.m. | 1 views

Debian: Security Advisory (DSA-6166-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 9.1 | AI score 6.7 | EPSS 0.00169
Exploits 2 | References 2
Debian
added 2026/03/17 7:56 p.m. | 2 views

[SECURITY] [DSA 6166-1] nodejs security update

------------------------------------------------------------------------- Debian Security Advisory DSA-6166-1 [email protected] https://www.debian.org/security/ Moritz Muehlenhoff March 17, 2026 https://www.debian.org/security/faq -...

CVSS 9.1 | AI score 6.7 | EPSS 0.00169
Exploits 2
Tenable Nessus
added 2026/03/17 12:0 a.m. | 0 views

Debian dsa-6166 : libnode-dev - security update

The remote Debian 13 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-6166 advisory. - ------------------------------------------------------------------------- Debian Security Advisory DSA-6166-1 [email protected] https://www.debian.org/securit...

CVSS 9.1 | AI score 7 | EPSS 0.00169
Exploits 2 | References 16
CVE
added 2026/03/13 7:47 p.m. | 3 views

CVE-2026-31949

LibreChat (GitHub project) is affected through CVE-2026-31949 prior to version 0.8.3-rc1. The vulnerability is a DoS in the DELETE /api/convos endpoint: the route handler destructures req.body.arg without validating its existence, causing an unhandled TypeError that bypasses Express error handlin...

CVSS 6.5 | AI score 5.8 | EPSS 0.00066
Exploits 1 | References 1 | Affected Software 1
Tenable Nessus
added 2026/03/13 12:0 a.m. | 6 views

TencentOS Server 3: nodejs:20 (TSSA-2026:0171)

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2026:0171 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...

CVSS 9.1 | AI score 7.2 | EPSS 0.00109
Exploits 2 | References 7
RedhatCVE
added 2026/03/12 10:23 p.m. | 1 views

CVE-2026-1526

A flaw was found in undici. A remote attacker can exploit this vulnerability by sending a specially crafted compressed frame, known as a "decompression bomb," during permessage-deflate decompression. The undici WebSocket client does not properly limit the size of decompressed data, leading to...

CVSS 7.5 | AI score 5.7 | EPSS 0.00021
Exploits 0 | References 7
OSV
added 2026/03/12 6:16 p.m. | 1 views

UBUNTU-CVE-2026-32141

flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse function uses a recursive revive phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow...

CVSS 7.5 | AI score 5.8 | EPSS 0.00022
Exploits 1 | References 2
Github Security Blog
added 2026/03/12 12:31 a.m. | 6 views

yauzl contains an off-by-one error

yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE to rea...

CVSS 6.9 | AI score 6 | EPSS 0.00152
Exploits 0 | References 6 | Affected Software 1