@amazeelabs/bridge-waku (>=1.1.9 <=2.0.1), @amazeelabs/executors (>=3.1.12 <=3.1.14) +20 more potentially affected by CVE-2026-23870 via react-server-dom-webpack (>=19.0.0 <=19.0.1)
react-server-dom-webpack NPM version =19.0.0, =1.1.9, =3.1.12, =1.4.7, =1.1.3, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859, =1.0.0-canary.12859,...
Linux Distros Unpatched Vulnerability : CVE-2025-68458
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack's HTTPS resolver HttpUriPlugin can be bypasse...
EUVD-2025-206877
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTPS resolver HttpUriPlugin can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris...
Server-side Request Forgery (SSRF)
Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HttpUriPlugin component when HTTP redirects are followed without re-validating the allowed URIs. An attacker can cause unauthorized network requests to internal services and inclusion of untruste...
CVE-2025-68458
creationtimestamp | type | source
---|---|---
2026-02-05 17:34:57+00:00 | published-proof-of-concept | https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x...
Security Bulletin: Multiple vulnerabilities in IBM Controller
Summary: Multiple vulnerabilities were addressed in IBM Controller. Vulnerability Details: CVEID: CVE-2024-4067. DESCRIPTION: The NPM package micromatch prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces in index.js because the...
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object.
Security Bulletin: Platform UI and Automation Assets in IBM Cloud Pak for Integration are vulnerable to cross-site scripting due to Webpack and Rspack CVE-2024-43788
Summary: Platform UI and Automation Assets in IBM Cloud Pak for Integration are vulnerable to cross-site scripting due to Webpack and Rspack CVE-2024-43788, with details below. The vulnerabilities have been addressed. Vulnerability Details: CVEID: CVE-2024-43788. DESCRIPTION: Webpack and Rspack are...
PT-2024-40181 · Webpack · Webpack
Name of the Vulnerable Software and Affected Versions: Webpack (affected versions not specified). Description: A DOM Clobbering vulnerability was discovered in Webpack's AutoPublicPathRuntimeModule, which can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled...
-react-file-list-components (=1.1.1), 00ricardo-utils (>=2.1.1 <=2.1.12) +34266 more potentially affected by CVE-2024-43788 +2 more via webpack (>=5.0.0-alpha.14 <=5.93.0)
webpack NPM version =5.0.0-alpha.14, =2.1.1, =1.0.0, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =0.1.0, =0.1.6 - 0beny1s =1.1.6 - 0scarclassa =1.0.1 - 0scarclassb =1.0.1 - 0scarclassc =1.0.1 - 0scarclassd =1.0.1 and more Source cves: CVE-2024-43788, CVE-2024-45389, CVE-2024-45812 Source advisory:...
UBUNTU-CVE-2024-43788
Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundling, or packaging just about any resource or asset. The webpack developers have discovered a DOM Clobbering vulnerability in Webpack’s...
SUSE CVE-2023-28154
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object...
-react-file-list-components (=1.1.1), 00ricardo-utils (>=2.1.1 <=2.1.12) +33899 more potentially affected by CVE-2023-28154 via webpack (>=5.0.0 <=5.75.0)
webpack NPM version =5.0.0, =2.1.1, =1.0.0, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =0.1.0, =0.1.6 - 0beny1s =1.1.6 - 0scarclassa =1.0.1 - 0scarclassb =1.0.1 - 0scarclassc =1.0.1 - 0scarclassd =1.0.1 and more Source cves: CVE-2023-28154 Source advisory: OSV:GHSA-HC6Q-2MPP-QW7J...
CVE-2023-28154
Webpack 5 before 5.76.0 does not avoid cross-realm object access. ImportParserPlugin.js mishandles the magic comment feature. An attacker who controls a property of an untrusted object can obtain access to the real global object...