GHSA-Q9M2-FHV9-3JCF `potato-annotation` has a Project-Boundary Bypass

Summary validatepathsecurity uses string-prefix containment startswith for boundary checks. This allows paths that are outside the intended project directory but share its prefix string e.g., /tmp/potatoprojdemoevil/... vs /tmp/potatoprojdemo to be accepted. Details Affected source location root...

`potato-annotation` has a Project-Boundary Bypass

Summary validatepathsecurity uses string-prefix containment startswith for boundary checks. This allows paths that are outside the intended project directory but share its prefix string e.g., /tmp/potatoprojdemoevil/... vs /tmp/potatoprojdemo to be accepted. Details Affected source location root...

view_component - System Test Entry Point Path Check Allows Sibling Directory Escape

The system test entrypoint canonicalizes a user-controlled file path with File.realpath, then checks whether the resolved path starts with the temp directory path. This is not a safe containment check because sibling directories can share the same string prefix. Severity: Medium; test-route scope...

PT-2026-39303

Name of the Vulnerable Software and Affected Versions view component versions 3.0.0 through 4.8.9 Description The system test entrypoint canonicalizes a user-controlled file path using File.realpath and verifies if the resolved path starts with the temporary directory path. This containment check...

Astra Linux - уязвимость в open-vm-tools

A issue was discovered in open-vm-tools 2009.03.18-154848. Local users can bypass the intended access restrictions on mounting shares through a symlink attack that exploits a realpath race condition in mount.vmhgfs also known as hgfsmounter...

CLSA-2026-1776605836 glibc: Fix of 3 CVEs

CVE-2018-6485: fix integer overflows in memalign and malloc - CVE-2018-1000001: fix realpath buffer underflow via getcwd - CVE-2018-19591: fix ifnametoindex descriptor leak...

glibc: Fix of 3 CVEs

CVE-2018-6485: fix integer overflows in memalign and malloc - CVE-2018-1000001: fix realpath buffer underflow via getcwd - CVE-2018-19591: fix ifnametoindex descriptor leak...

SUSE SLES15 Security Update : nodejs22 (SUSE-SU-2026:1478-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1478-1 advisory. Update to version 22.22.2. - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism...

CLSA-2026-1776606103 glibc: Fix of 3 CVEs

CVE-2018-6485: fix integer overflows in memalign and malloc - CVE-2018-1000001: fix realpath buffer underflow via getcwd - CVE-2018-19591: fix ifnametoindex descriptor leak...

SUSE SLES15 Security Update : nodejs20 (SUSE-SU-2026:1371-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1371-1 advisory. Update to version 20.20.2. - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism...

SUSE SLES15 Security Update : nodejs20 (SUSE-SU-2026:1363-1)

The remote SUSE Linux SLES15 / SLESSAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:1363-1 advisory. Update to version 20.20.2. - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism...

AlmaLinux 9 : nodejs:24 (ALSA-2026:7350)

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2026:7350 advisory. nodejs: Nodejs denial of service CVE-2026-21637 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion CVE-2026-25547...

Security update for nodejs20

This update for nodejs20 fixes the following issues: Update to version 20.20.2. CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request bsc1260494. CVE-2026-21716: incomplete fix for CVE-2024-36137...

SUSE-SU-2026:21181-1 Security update for nodejs24

This update for nodejs24 fixes the following issues: Update to version 24.14.1. Security issues fixed: - CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request bsc1260494. - CVE-2026-21716:...

Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions

A flaw was found in Node.js. The Node.js Permission Model, intended to restrict filesystem access, does not properly enforce read permission checks for the fs.realpathSync.native function. This vulnerability allows code operating under --permission with restricted --allow-fs-read flags to bypass...

Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions

A flaw was found in Node.js. The Node.js Permission Model, intended to restrict filesystem access, does not properly enforce read permission checks for the fs.realpathSync.native function. This vulnerability allows code operating under --permission with restricted --allow-fs-read flags to bypass...

ALSA-2026:7670 Important: nodejs:24 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Nodejs denial of service CVE-2026-21637 minimatch: minimatch: Denial of Service via specially crafted glob patterns CVE-2026-26996 undici:...

RHEL 10 : nodejs24 (RHSA-2026:7675)

The remote Redhat Enterprise Linux 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:7675 advisory. Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an...

Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions

A flaw was found in Node.js. The Node.js Permission Model, intended to restrict filesystem access, does not properly enforce read permission checks for the fs.realpathSync.native function. This vulnerability allows code operating under --permission with restricted --allow-fs-read flags to bypass...

ALSA-2026:7350 Important: nodejs:24 security update

Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Security Fixes: nodejs: Nodejs denial of service CVE-2026-21637 brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion...