Lucene search

12 matches found

Snyk
added 2026/05/29 5:50 p.m. · 9 views

Improper Control of Dynamically-Managed Code Resources

Overview: vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Affected versions of this package are vulnerable to Improper Control of Dynamically-Managed Code Resources through the NodeVM constructor in lib/nodevm.js. An attacker can obtain host code execution by...

CVSS 10 · AI score 6.2 · EPSS 0.00705
Exploits 0 · References 2
CVE
added 2026/05/13 5:33 p.m. · 25 views

CVE-2026-44007

vm2 contains a vulnerability where creating a NodeVM with nesting: true allows sandbox code to bypass outer VM restrictions (e.g., require: false) and construct an inner NodeVM with unrestricted require settings to execute host commands. Affected: vm2 versions up to 3.11.0 (and prior to 3.11.1). ...

CVSS 9.1 · AI score 6.2 · EPSS 0.00776
Exploits 1 · References 2 · Affected Software 1
CVE
added 2026/05/08 3:14 a.m. · 10 views

CVE-2026-41646

Summary (CVE-2026-41646): Nuclei prior to 3.8.0 is vulnerable where the JavaScript protocol runtime allows templates to read local .js/.json files via the require() function, bypassing the local-file-access restriction. Affected versions range from 3.0.0 up to, but not including, 3.8.0. The issu...

CVSS 5.5 · AI score 5.7 · EPSS 0.00114
Exploits 0 · References 3 · Affected Software 1
Cvelist
added 2026/05/08 3:14 a.m. · 46 views

CVE-2026-41646 Nuclei: Local File Read via require() Module Loader Bypass

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file acce...

CVSS 5.5 · EPSS 0.00114
Exploits 0 · References 3
Vulnrichment
added 2026/05/08 3:14 a.m. · 6 views

CVE-2026-41646 Nuclei: Local File Read via require() Module Loader Bypass

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file acce...

CVSS 5.5 · AI score 5.7 · EPSS 0.00114
Exploits 0 · References 3
CNNVD
added 2026/05/08 12:0 a.m. · 6 views

Nuclei Access Control Error Vulnerability

Nuclei is a fast-customizable vulnerability scanner based on simple YAML, open-sourced by ProjectDiscovery. In versions 3.0.0 to 3.8.0 of Nuclei, there was an access control vulnerability. This vulnerability stemmed from the JavaScript protocol’s runtime feature, which allowed reading of local .js...

CVSS 5.5 · AI score 5.8 · EPSS 0.00114
Exploits 0 · References 1
OSV
added 2026/04/22 7:58 p.m. · 4 views

GHSA-29RG-WMCW-HPF4 Nuclei: Local File Read via require() Module Loader Bypass

A vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file access restriction. Affected Component: The issue is in the JavaScript runtime's module loading system. The goja...

CVSS 5.5 · AI score 6 · EPSS 0.00114
Exploits 0 · References 5
OSV
added 2023/08/15 4:15 p.m. · 4 views

AZL-27926 CVE-2023-32006 affecting package nodejs18 for versions less than 18.17.1-2

The use of module.constructor.createRequire can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and 20.x. Please note th...

CVSS 8.8 · AI score 6.9 · EPSS 0.01273
Exploits 0 · References 1
RedHat Linux
added 2023/08/08 8:46 a.m. · 2 views

nodejs: mainModule.proto bypass experimental policy mechanism

A vulnerability has been discovered in Node.js, where the use of __proto__ in process.mainModule.__proto__.require can bypass the policy mechanism and require modules outside of the policy.json definition...

CVSS 7.5 · AI score 7.1 · EPSS 0.0105
Exploits 0 · References 4
RedHat Linux
added 2023/07/31 9:37 a.m. · 3 views

nodejs: mainModule.proto bypass experimental policy mechanism

A vulnerability has been discovered in Node.js, where the use of __proto__ in process.mainModule.__proto__.require can bypass the policy mechanism and require modules outside of the policy.json definition...

CVSS 7.5 · AI score 7.1 · EPSS 0.0105
Exploits 0 · References 4
RedHat Linux
added 2023/07/31 9:36 a.m. · 5 views

nodejs: mainModule.proto bypass experimental policy mechanism

A vulnerability has been discovered in Node.js, where the use of __proto__ in process.mainModule.__proto__.require can bypass the policy mechanism and require modules outside of the policy.json definition...

CVSS 7.5 · AI score 7.1 · EPSS 0.0105
Exploits 0 · References 4
Positive Technologies
added 2023/05/29 12:0 a.m. · 6 views

PT-2023-11344 · Apache · Apache Http Server

Name of the Vulnerable Software and Affected Versions: LemonLDAP::NG versions prior to 2.0.7. Description: The default Apache HTTP Server configuration in LemonLDAP::NG does not properly restrict access to SOAP/REST endpoints when certain setup options are used. This allows an attacker to bypass a...

CVSS 9.8 · AI score 6.8 · EPSS 0.00782
Exploits 0 · References 9