165 matches found
Vite dev server - Cross-Site Scripting
Vite's dev server, when used with appType: 'custom' and manually invoking server.transformIndexHtml using the unmodified request URL, is vulnerable to XSS via a crafted URL payload. If the HTML being served includes an inline module script ..., an attacker can inject a script via the URL,...
Linux Distros Unpatched Vulnerability : CVE-2026-53331
"The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - slimbus: qcom-ngd-ctrl: Avoid ABBA on txlock/ctrl-lock During the SSR/PDR down notification the txlock is taken with the intent to provide synchronization with...
CVE-2026-53332
In the Linux kernel, the following vulnerability has been resolved: slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd When the remoteproc starts in parallel with the NGD driver being probed, or the remoteproc is already up when the PDR lookup is being registered, or in the...
UBUNTU-CVE-2026-53332
In the Linux kernel, the following vulnerability has been resolved: slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd When the remoteproc starts in parallel with the NGD driver being probed, or the remoteproc is already up when the PDR lookup is being registered, or in the...
EUVD-2026-40966
In the Linux kernel, the following vulnerability has been resolved: slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd When the remoteproc starts in parallel with the NGD driver being probed, or the remoteproc is already up when the PDR lookup is being registered, or in the...
CVE-2026-53332 slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd
In the Linux kernel, the following vulnerability has been resolved: slimbus: qcom-ngd-ctrl: Register callbacks after creating the ngd When the remoteproc starts in parallel with the NGD driver being probed, or the remoteproc is already up when the PDR lookup is being registered, or in the...
CVE-2026-56787
RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decodessr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit thi...
EUVD-2026-39529
RTKLIB through 2.4.3 contains an off-by-one out-of-bounds read vulnerability in the decodessr3 function at src/rtcm3.c:1446 that allows remote attackers to trigger a global buffer overflow via crafted RTCM3 SSR messages with attacker-controlled signal mode fields. Remote attackers can exploit thi...
CVE-2026-56787
RTKLIB 2.4.3 is affected by CVE-2026-56787 due to an off-by-one out-of-bounds read in the decode_ssr3 function (src/rtcm3.c:1446). The issue can be triggered by crafted RTCM3 SSR messages with attacker-controlled signal mode fields, allowing remote attackers to cause a global buffer overflow and ...
EUVD-2026-38436
Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server nuxt dev on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit t...
CVE-2026-56301 Nuxt - Arbitrary File Read via World-Connectable vite-node IPC Socket on Linux
Nuxt 4.0.0 before 4.4.7 and 3.18.0 before 3.21.7, when running the development server nuxt dev on Linux, binds the vite-node IPC server to an abstract-namespace Unix socket without permission restrictions, allowing local users to enumerate and connect. Unprivileged co-resident users can exploit t...
Malicious code in ssr-auth-sync (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fe43338279cb894ffacc18ef9ec757d4b4fa8b603672b0bedcb4c00d9f8a806 On require'ssr-auth-sync', index.js loads lib/writer.js, which immediately fetches a base64-hidden URL https://www.jsonkeeper.com/b/PJNZP, an anonymo...
MAL-2026-5934 Malicious code in ssr-auth-sync (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fe43338279cb894ffacc18ef9ec757d4b4fa8b603672b0bedcb4c00d9f8a806 On require'ssr-auth-sync', index.js loads lib/writer.js, which immediately fetches a base64-hidden URL https://www.jsonkeeper.com/b/PJNZP, an anonymo...
NPM: Nuxt: URL-handling weaknesses in `navigateTo` and `reloadNuxtApp`: SSR open redirect, client-side script execution via the `open` option, and protocol-relative bypass in `reloadNuxtApp`
NPM: Nuxt: URL-handling weaknesses in navigateTo and reloadNuxtApp: SSR open redirect, client-side script execution via the open option, and protocol-relative bypass in reloadNuxtApp vulnerability discovered by ? in WordPress Npm nuxt versions 3.21.7...
CVE-2026-41321
@astrojs/cloudflare is an SSR adapter for use with Cloudflare Workers targets. Prior to 13.1.10, the fetch call for remote images in packages/integrations/cloudflare/src/utils/image-binding-transform.ts uses the default redirect: 'follow' behavior. This allows the Cloudflare Worker to follow HTTP...
CVE-2026-41322
@astrojs/node allows Astro to deploy your SSR site to Node targets. Prior to 10.0.5, requesting a static js/css resources from astro path with an incorrect/malformed if-match header returns a 500 error with a one year cache lifetime instead of 412 in some cases. This has the effect that all...
Linux Distros Unpatched Vulnerability : CVE-2026-44573
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Next.js is a React framework for building full-stack web applications. From 12.2.0 to before 15.5.16 and 16.2.5, Applications using the Pages Router with i18n...
Malicious code in @antv/g6-ssr (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
MAL-2026-4080 Malicious code in @antv/s2-ssr (npm)
Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...
@antv/gpt-vis (=0.5.0-beta.0), @antv/gpt-vis-ssr (>=0.1.0 <=0.3.8) +6 more potentially affected by unknown CVE via @antv/g6-ssr (>=0.0.16 <=0.1.1)
@antv/g6-ssr NPM version =0.0.16, =0.1.0, =0.0.1, =0.0.1, =0.2.1, =1.0.0, =1.0.0, =1.0.2 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVG6SSR-16754463...