CVE-2026-31988

yauzl aka Yet Another Unzip Library version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate function. The while loop condition checks cursor data.length + 4 instead of cursor + 4 = data.length, allowing readUInt16LE to rea...

CVE-2026-31988

Vulnerability in yauzl 3.2.0 (Node.js): an off‑by‑one bug in the NTFS extended timestamp extra field parser inside getLastModDate() allows readUInt16LE() to exceed the buffer when the loop condition is cursor < data.length + 4 instead of cursor + 4

GHSA-7FV4-FMMC-86G2 @siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes

Shell Command Injection in User Git Config Endpoint | Field | Value | |-------|-------| | Severity | High | | CVSS 3.1 | 8.8 High — when chained with VULN-01 | | CWE | CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS Command Injection' | | Attack Vector | Network | |...

EUVD-2026-10895

file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header...

CVE-2025-69418 affecting package nodejs24 for versions less than 24.13.0-3

CVE-2025-69418 affecting package nodejs24 for versions less than 24.13.0-3. A patched version of the package is available...

CVE-2026-28292

simple-git, an interface for running git commands in any node.js application, has an issue in versions 3.15.0 through 3.32.2 that allows an attacker to bypass two prior CVE fixes CVE-2022-25860 and CVE-2022-25912 and achieve full remote code execution on the host machine. Version 3.23.0 contains ...

EUVD-2026-10497

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin’s build process can automatically download and extract Node.js if it...

CVE-2026-2741

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin’s build process can automatically download and extract Node.js if it...

CVE-2026-2741

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 15.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. Vaadin’s build process can automatically download and extract Node.js if it...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the extractZipArchive function when downloading and extracting Node.js archives. An attacker can create or modify files outside the intended extraction directory by intercepting or controlling the Node.js downloa...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the extractZipArchive function when downloading and extracting Node.js archives. An attacker can create or modify files outside the intended extraction directory by intercepting or controlling the Node.js downloa...

PT-2026-24205

Name of the Vulnerable Software and Affected Versions Vaadin versions 14.2.0 through 14.14.0 Vaadin versions 23.0.0 through 23.6.6 Vaadin versions 24.0.0 through 24.9.8 Vaadin versions 25.0.0 through 25.0.2 Description A flaw exists in Vaadin that allows specially crafted ZIP archives to escape t...

Simple Git 安全漏洞

Simple Git is a lightweight interface developed by Steve King from the UK. It is used to execute Git commands within any Node.js application. Versions 3.15.0 to 3.32.2 of Simple Git contain security vulnerabilities. These vulnerabilities allow attackers to bypass previous CVE fixes, potentially...

CVE-2026-31802

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar npm can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x...

AZL-79556 CVE-2026-29786 affecting package tar 1.34-3

node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x extraction. Th...

Amazon Linux 2023 : nodejs20, nodejs20-devel, nodejs20-full-i18n (ALAS2023-2026-1464)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2026-1464 advisory. node-tar is a Tar for Node.js. The node-tar library = 7.5.2 fails to sanitize the linkpath of Link hardlink and SymbolicLink entries when preservePaths is false the default secure behavior. Th...

Exploit for Code Injection in Agentfront Enclave

RCE in ESM Environments — The require Problem When achievi...

CLSA-2026-1772617597 nodejs: Fix of 2 CVEs

CVE-2025-22150: fix issue where undici used Math.random to choose boundary for multipart/form-data request, now uses secure random number generator - CVE-2023-39333: fix maliciously crafted export names injection of JavaScript code - Run full Node.js tests in %check - Fix comment typo in spec...

PT-2026-22952

Name of the Vulnerable Software and Affected Versions Multer versions prior to 2.1.1 Description A flaw exists in Multer, a node.js middleware used for processing multipart/form-data. This issue can be exploited to cause a Denial of Service DoS by submitting specially crafted requests, which may...

Linux Distros Unpatched Vulnerability : CVE-2025-23084

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability has been identified in Node.js, specifically affecting the handling of drive names in the Windows environment. Certain Node.js functions do not...