@openrewrite/recipes-nodejs 0.46.0-20260601-080730 → 0.46.0-20260601-130430

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -4830,6 +4830,7 @@ CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escala
4830
4830
  CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escalation via a specially crafted request","@cubejs-backend/server-core",1.5.0,1.5.13,,HIGH,CWE-807,
4831
4831
  CVE-2026-26019,2026-02-11T15:13:20Z,"@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation",@langchain/community,0,1.1.14,,MODERATE,CWE-918,
4832
4832
  CVE-2026-26021,2026-02-11T15:13:28Z,"set-in Affected by Prototype Pollution",set-in,2.0.1,2.0.5,,CRITICAL,CWE-1321,
4833
+ CVE-2026-26028,2026-05-26T19:05:10Z,"CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS",cryptpad,0,,5.9.0,MODERATE,CWE-79;CWE-116,
4833
4834
  CVE-2026-26063,2026-02-12T17:04:50Z,"CediPay Affected by Improper Input Validation in Payment Processing",cedipay-core,0,1.2.3,,HIGH,CWE-20,
4834
4835
  CVE-2026-26118,2026-03-10T18:31:21Z,"Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network",@azure/mcp,1.0.0,1.0.2,,HIGH,CWE-918,
4835
4836
  CVE-2026-26118,2026-03-10T18:31:21Z,"Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network",@azure/mcp,2.0.0-beta.1,2.0.0-beta.17,,HIGH,CWE-918,
@@ -5029,6 +5030,7 @@ CVE-2026-28397,2026-03-03T20:59:38Z,"NocoDB Vulnerable to Stored Cross-site Scri
5029
5030
  CVE-2026-28398,2026-03-03T20:58:44Z,"NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells",nocodb,0,0.301.3,,MODERATE,CWE-79,
5030
5031
  CVE-2026-28399,2026-03-03T20:58:55Z,"NocoDB Vulnerable to SQL Injection via DATEADD Formula",nocodb,0,0.301.3,,MODERATE,CWE-89,
5031
5032
  CVE-2026-28401,2026-03-03T20:59:50Z,"NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells",nocodb,0,0.301.3,,MODERATE,CWE-79,
5033
+ CVE-2026-28445,2026-05-26T17:39:59Z,"Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview",@typebot.io/js,0,0.10.1,,HIGH,CWE-79,
5032
5034
  CVE-2026-28446,2026-02-17T21:36:34Z,"OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)",openclaw,0,2026.2.2,,CRITICAL,CWE-287,
5033
5035
  CVE-2026-28447,2026-02-17T21:39:24Z,"OpenClaw has a Path Traversal in Plugin Installation",openclaw,2026.1.20,2026.2.1,,HIGH,CWE-22,
5034
5036
  CVE-2026-28448,2026-02-17T21:37:55Z,"OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline",openclaw,2026.1.29,2026.2.1,,HIGH,CWE-285,
@@ -5801,6 +5803,7 @@ CVE-2026-39885,2026-04-08T19:22:53Z,"mcp-from-openapi is Vulnerable to SSRF via
5801
5803
  CVE-2026-39885,2026-04-08T19:22:53Z,"mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications",mcp-from-openapi,0,2.3.0,,HIGH,CWE-918,
5802
5804
  CVE-2026-39942,2026-04-04T06:06:39Z,"Directus: Path Traversal and Broken Access Control in File Management API",directus,0,11.17.0,,HIGH,CWE-284;CWE-639;CWE-915,
5803
5805
  CVE-2026-39943,2026-04-04T06:12:07Z,"Directus: Sensitive fields exposed in revision history",directus,0,11.17.0,,MODERATE,CWE-200;CWE-312,
5806
+ CVE-2026-39964,2026-05-26T18:00:24Z,"Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers",@typebot.io/js,0,0.10.1,,MODERATE,CWE-79,
5804
5807
  CVE-2026-39974,2026-04-08T19:53:48Z,"n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode",n8n-mcp,0,2.47.4,,HIGH,CWE-918,
5805
5808
  CVE-2026-39983,2026-04-08T20:02:25Z,"basic-ftp has FTP Command Injection via CRLF",basic-ftp,5.2.0,5.2.1,,HIGH,CWE-93,
5806
5809
  CVE-2026-40037,2026-04-09T17:37:08Z,"OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects",openclaw,0,2026.4.8,,HIGH,CWE-345,
@@ -6060,6 +6063,7 @@ CVE-2026-42074,2026-05-12T16:17:59Z,"OpenClaude Sandbox Bypass via Model-Control
6060
6063
  CVE-2026-42075,2026-04-22T22:06:15Z,"Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write",@evomap/evolver,0,1.69.3,,HIGH,CWE-22,
6061
6064
  CVE-2026-42076,2026-04-22T22:06:03Z,"Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution",@evomap/evolver,0,1.69.3,,CRITICAL,CWE-78,
6062
6065
  CVE-2026-42077,2026-04-22T22:05:28Z,"Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations",@evomap/evolver,0,1.69.3,,MODERATE,CWE-1321,
6066
+ CVE-2026-42089,2026-05-26T23:10:38Z,"yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation",yeoman-environment,2.9.0,6.0.1,,HIGH,CWE-829,
6063
6067
  CVE-2026-42190,2026-04-24T15:36:52Z,"RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions",rwsdk,1.0.0-beta.50,1.2.3,,MODERATE,CWE-352,
6064
6068
  CVE-2026-42226,2026-04-29T21:22:26Z,"n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay",n8n,0,1.123.33,,HIGH,CWE-862,
6065
6069
  CVE-2026-42226,2026-04-29T21:22:26Z,"n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay",n8n,2.17.0,2.17.5,,HIGH,CWE-862,
@@ -6162,6 +6166,7 @@ CVE-2026-42437,2026-04-17T21:48:36Z,"OpenClaw: Voice-call realtime WebSocket acc
6162
6166
  CVE-2026-42438,2026-04-17T22:17:57Z,"OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure",openclaw,2026.4.9,2026.4.10,,MODERATE,CWE-863,
6163
6167
  CVE-2026-42439,2026-04-17T22:01:57Z,"OpenClaw: Browser tabs action select and close routes bypassed SSRF policy",openclaw,0,2026.4.10,,MODERATE,CWE-862;CWE-918,
6164
6168
  CVE-2026-42449,2026-04-30T18:12:54Z,"n8n-mcp's IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders",n8n-mcp,2.47.4,2.47.14,,HIGH,CWE-918,
6169
+ CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,0,2.2.3,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
6165
6170
  CVE-2026-42553,2026-05-07T16:40:52Z,"Cinny vulnerable to access token disclosure via invalidated emoji pack avatar URL in service worker",cinny,0,4.10.3,,HIGH,CWE-20,
6166
6171
  CVE-2026-42565,2026-05-05T18:42:26Z,"@workos/authkit-session has an Open Redirect via state-derived redirect target",@workos/authkit-session,0,0.5.1,,MODERATE,CWE-601,
6167
6172
  CVE-2026-42567,2026-05-14T20:29:05Z,"Svelte: ReDoS in `<svelte:element>` Tag Validation",svelte,5.51.5,5.55.7,,MODERATE,CWE-1333,
@@ -6212,6 +6217,9 @@ CVE-2026-43941,2026-05-08T18:35:17Z,"Electerm has an unvalidated shell.openExter
6212
6217
  CVE-2026-43942,2026-05-08T18:37:42Z,"Electerm's full process.env exposed to renderer via window.pre.env",electerm,0,,3.8.15,MODERATE,CWE-200;CWE-312,
6213
6218
  CVE-2026-43943,2026-05-08T18:43:52Z,"Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor",electerm,0,3.7.9,,HIGH,CWE-78;CWE-88,
6214
6219
  CVE-2026-43944,2026-05-08T18:46:04Z,"Electerm users can run dangrous code through link or command line",electerm,3.0.6,3.8.8,,CRITICAL,CWE-20;CWE-829;CWE-94,
6220
+ CVE-2026-43945,2026-05-26T23:40:42Z,"FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection",@frangoteam/fuxa,1.2.11,1.3.1,,HIGH,"CWE-284;CWE-288;CWE-863;CWE-94",
6221
+ CVE-2026-43946,2026-05-26T23:41:45Z,"FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue",fuxa-server,1.3.0,1.3.1,,HIGH,CWE-863,
6222
+ CVE-2026-43947,2026-05-26T23:44:52Z,"FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass",fuxa-server,1.3.0,1.3.1,,HIGH,CWE-863,
6215
6223
  CVE-2026-43995,2026-04-16T21:23:03Z,"Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)",flowise,0,3.1.0,,MODERATE,CWE-918,
6216
6224
  CVE-2026-43995,2026-04-16T21:23:03Z,"Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)",flowise-components,0,3.1.0,,MODERATE,CWE-918,
6217
6225
  CVE-2026-43997,2026-05-07T04:00:19Z,"vm2 Access to Host Object Enables Sandbox Escape",vm2,0,3.11.0,,CRITICAL,CWE-94,
@@ -6276,6 +6284,14 @@ CVE-2026-44459,2026-05-09T00:45:19Z,"Hono has improper validation of NumericDate
6276
6284
  CVE-2026-44479,2026-05-07T00:05:20Z,"Vercel: Non-interactive mode includes CLI arguments in suggested command output",vercel,50.16.0,52.0.1,,MODERATE,CWE-200;CWE-532,
6277
6285
  CVE-2026-44483,2026-05-11T16:09:40Z,"@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)",@rvf/set-get,6.0.0,6.0.4,,HIGH,CWE-1321,
6278
6286
  CVE-2026-44483,2026-05-11T16:09:40Z,"@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)",@rvf/set-get,7.0.0,7.0.2,,HIGH,CWE-1321,
6287
+ CVE-2026-44489,2026-05-29T15:51:02Z,"Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix",axios,1.15.2,1.16.0,,LOW,CWE-113;CWE-1321,
6288
+ CVE-2026-44490,2026-05-29T15:54:57Z,"axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions",axios,0,0.32.0,,MODERATE,CWE-1321,
6289
+ CVE-2026-44490,2026-05-29T15:54:57Z,"axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions",axios,1.0.0,1.16.0,,MODERATE,CWE-1321,
6290
+ CVE-2026-44492,2026-05-29T15:59:30Z,"axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",axios,0,0.32.0,,HIGH,CWE-918,
6291
+ CVE-2026-44492,2026-05-29T15:59:30Z,"axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",axios,1.0.0,1.16.0,,HIGH,CWE-918,
6292
+ CVE-2026-44494,2026-05-29T16:04:00Z,"axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`",axios,1.0.0,1.16.0,,HIGH,CWE-441;CWE-1321,
6293
+ CVE-2026-44495,2026-05-29T16:07:31Z,"axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",axios,0.19.0,0.31.1,,HIGH,CWE-94;CWE-1321,
6294
+ CVE-2026-44495,2026-05-29T16:07:31Z,"axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",axios,1.0.0,1.15.2,,HIGH,CWE-94;CWE-1321,
6279
6295
  CVE-2026-44503,2026-05-07T01:49:01Z,"Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect",kiota-typescript,0,1.0.0-preview.100,,HIGH,CWE-601,
6280
6296
  CVE-2026-44572,2026-05-11T16:12:07Z,"Next.js's Middleware / Proxy redirects can be cache-poisoned",next,12.2.0,15.5.16,,LOW,CWE-349,
6281
6297
  CVE-2026-44572,2026-05-11T16:12:07Z,"Next.js's Middleware / Proxy redirects can be cache-poisoned",next,16.0.0,16.2.5,,LOW,CWE-349,
@@ -6302,6 +6318,9 @@ CVE-2026-44582,2026-05-11T15:56:48Z,"Next.js vulnerable to cache poisoning via c
6302
6318
  CVE-2026-44589,2026-05-07T20:52:30Z,"nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)",nuxt-og-image,6.2.5,6.4.9,,LOW,CWE-918,
6303
6319
  CVE-2026-44635,2026-05-11T19:40:15Z,"Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`",kysely,0.26.0,0.28.17,,HIGH,"CWE-1284;CWE-22;CWE-89;CWE-915",
6304
6320
  CVE-2026-44643,2026-05-11T16:20:58Z,"Angular Expressions - Remote Code Execution using filters",angular-expressions,0,1.5.2,,CRITICAL,CWE-95,
6321
+ CVE-2026-44644,2026-05-27T00:09:12Z,"LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS",liquidjs,0,,10.25.7,MODERATE,CWE-79,
6322
+ CVE-2026-44645,2026-05-27T00:11:46Z,"LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body",liquidjs,0,,10.25.7,MODERATE,CWE-400,
6323
+ CVE-2026-44646,2026-05-27T00:28:06Z,"LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`",liquidjs,0,,10.25.7,MODERATE,CWE-693,
6305
6324
  CVE-2026-44648,2026-05-12T22:23:20Z,"SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover",sillytavern,0,1.18.0,,HIGH,CWE-613,
6306
6325
  CVE-2026-44649,2026-05-12T22:23:30Z,"SillyTavern has Authentication Bypass via SSO Header Injection",sillytavern,0,1.18.0,,CRITICAL,"CWE-290;CWE-306;CWE-346;CWE-807",
6307
6326
  CVE-2026-44650,2026-05-12T22:23:45Z,"SillyTavern has a Path Traversal issue",sillytavern,0,1.18.0,,CRITICAL,CWE-22,
@@ -6312,6 +6331,7 @@ CVE-2026-44665,2026-05-08T16:29:10Z,"fast-xml-builder allows attribute values wi
6312
6331
  CVE-2026-44680,2026-05-08T19:17:45Z,"MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys",@mikro-orm/knex,0,6.6.14,,HIGH,CWE-89,
6313
6332
  CVE-2026-44680,2026-05-08T19:17:45Z,"MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys",@mikro-orm/sql,0,7.0.14,,HIGH,CWE-89,
6314
6333
  CVE-2026-44694,2026-05-08T16:59:17Z,"n8n-mcp webhook and API client paths has an authenticated SSRF",n8n-mcp,2.18.7,2.50.2,,HIGH,CWE-367;CWE-918,
6334
+ CVE-2026-44705,2026-05-27T00:34:06Z,"tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape",tmp,0,0.2.6,,HIGH,CWE-22,
6315
6335
  CVE-2026-44720,2026-05-13T01:39:04Z,"OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover",openlearnx,0,2.0.4,,MODERATE,CWE-287;CWE-347,
6316
6336
  CVE-2026-44721,2026-05-08T19:00:28Z,"open-webui Vulnerable to Stored XSS via Model Description",open-webui,0,0.9.0,,HIGH,CWE-79,
6317
6337
  CVE-2026-44724,2026-05-13T15:29:21Z,"Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name",systeminformation,4.17.0,5.31.6,,HIGH,CWE-78,
@@ -6334,6 +6354,8 @@ CVE-2026-44902,2026-05-11T14:42:10Z,"Prometheus exporter process crash via malfo
6334
6354
  CVE-2026-44902,2026-05-11T14:42:10Z,"Prometheus exporter process crash via malformed HTTP request","@opentelemetry/exporter-prometheus",0,0.217.0,,HIGH,CWE-755,
6335
6355
  CVE-2026-44902,2026-05-11T14:42:10Z,"Prometheus exporter process crash via malformed HTTP request",@opentelemetry/sdk-node,0,0.217.0,,HIGH,CWE-755,
6336
6356
  CVE-2026-44966,2026-05-09T00:40:16Z,"Velocity.js has a Prototype Pollution vulnerability through #set path assignment",velocityjs,0,,2.1.5,HIGH,CWE-1321,
6357
+ CVE-2026-44974,2026-05-27T00:37:20Z,"@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters",@hapi/content,0,6.0.2,,HIGH,CWE-436,
6358
+ CVE-2026-44979,2026-05-27T00:38:09Z,"@hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects",@hapi/wreck,0,18.1.1,,MODERATE,CWE-200;CWE-522,
6337
6359
  CVE-2026-44990,2026-05-14T18:26:27Z,"Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`",sanitize-html,2.17.3,2.17.4,,CRITICAL,CWE-79,
6338
6360
  CVE-2026-44991,2026-04-29T21:27:05Z,"OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners",openclaw,0,2026.4.21,,MODERATE,CWE-862,
6339
6361
  CVE-2026-44992,2026-04-25T23:50:10Z,"OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests",openclaw,2026.4.5,2026.4.20,,MODERATE,CWE-15;CWE-522,
@@ -6357,6 +6379,10 @@ CVE-2026-45134,2026-05-13T15:29:30Z,"LangSmith SDK: Public prompt pull deseriali
6357
6379
  CVE-2026-45136,2026-05-13T15:31:41Z,"claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh",claude-code-cache-fix,3.5.0,3.5.2,,HIGH,CWE-78;CWE-94,
6358
6380
  CVE-2026-45149,2026-05-18T16:22:01Z,"brace-expansion: Large numeric range defeats documented `max` DoS protection",brace-expansion,5.0.0,5.0.6,,MODERATE,CWE-400,
6359
6381
  CVE-2026-45222,2026-05-11T21:31:34Z,"@steipete/summarize allows local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json",@steipete/summarize,0,0.15.0,,MODERATE,CWE-732,
6382
+ CVE-2026-45242,2026-05-18T21:31:50Z,"Summarize contains a path traversal vulnerability",@steipete/summarize,0,0.15.0,,HIGH,CWE-862,
6383
+ CVE-2026-45243,2026-05-18T21:31:50Z,"Summarize contains a missing authorization vulnerability",@steipete/summarize,0,0.15.0,,MODERATE,CWE-862,
6384
+ CVE-2026-45244,2026-05-18T21:31:51Z,"Summarize contains a missing authorization vulnerability",@steipete/summarize,0,0.15.0,,LOW,CWE-862,
6385
+ CVE-2026-45245,2026-05-18T21:31:51Z,"Summarize's hover summary feature allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links",@steipete/summarize,0,0.15.1,,MODERATE,CWE-918,
6360
6386
  CVE-2026-45302,2026-05-18T16:43:12Z,"parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names",parse-nested-form-data,0,1.0.1,,HIGH,CWE-1321,
6361
6387
  CVE-2026-45310,2026-05-14T20:29:26Z,"DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool",deepseek-tui,0,0.8.22,,HIGH,CWE-918,
6362
6388
  CVE-2026-45311,2026-05-14T20:29:33Z,"DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval",deepseek-tui,0.3.0,0.8.23,,CRITICAL,CWE-94,
@@ -6447,6 +6473,7 @@ CVE-2026-45321,2026-05-12T00:12:49Z,"Malware in @tanstack/* packages exfiltrates
6447
6473
  CVE-2026-45325,2026-05-18T17:07:04Z,"@tmlmobilidade/utils has prototype pollution in its setValueAtPath",@tmlmobilidade/utils,0,20260509.0340.15,,HIGH,CWE-1321,
6448
6474
  CVE-2026-45346,2026-05-14T20:21:51Z,"Open WebUI Has Stored Cross-Site Scripting in SVG Renderer",open-webui,0,0.6.31,,MODERATE,CWE-80,
6449
6475
  CVE-2026-45353,2026-05-14T20:29:59Z,"Electerm Local code through electerm's single-instance socket",electerm,3.0.6,3.9.0,,CRITICAL,CWE-732;CWE-94;CWE-940,
6476
+ CVE-2026-45357,2026-05-27T17:33:52Z,"LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)",liquidjs,0,,10.25.7,HIGH,CWE-400,
6450
6477
  CVE-2026-45364,2026-05-15T17:41:37Z,"Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation",better-auth,0,1.4.17,,HIGH,CWE-307,
6451
6478
  CVE-2026-45364,2026-05-15T17:41:37Z,"Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation",better-auth,1.5.0-beta.1,1.5.0-beta.9,,HIGH,CWE-307,
6452
6479
  CVE-2026-45366,2026-05-14T20:55:05Z,"@utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol",@utcp/http,0,1.1.2,,MODERATE,CWE-918,
@@ -6455,6 +6482,8 @@ CVE-2026-45411,2026-05-14T21:14:32Z,"vm2 Has a Sandbox Breakout Using Async Gene
6455
6482
  CVE-2026-45548,2026-05-15T17:47:10Z,"Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation",@budibase/server,0,3.34.8,,HIGH,CWE-918,
6456
6483
  CVE-2026-45577,2026-05-18T14:20:06Z,"Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass",neotoma,0.6.0,0.11.1,,MODERATE,CWE-288;CWE-306,
6457
6484
  CVE-2026-45582,2026-05-18T13:26:51Z,"n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters",n8n-mcp,0,2.51.3,,MODERATE,CWE-201,
6485
+ CVE-2026-45617,2026-05-27T18:08:19Z,"LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex",liquidjs,0,10.26.0,,HIGH,CWE-1333,
6486
+ CVE-2026-45618,2026-05-27T18:24:14Z,"LiquidJS is Vulnerable to Remote Code Execution",liquidjs,0,10.26.0,,CRITICAL,CWE-94,
6458
6487
  CVE-2026-45665,2026-05-14T20:27:45Z,"Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order",open-webui,0,0.8.0,,HIGH,CWE-79,
6459
6488
  CVE-2026-45669,2026-05-19T15:49:25Z,"Nuxt: Reflected XSS in `navigateTo()` external redirect",nuxt,3.4.3,3.21.6,,MODERATE,CWE-83,
6460
6489
  CVE-2026-45669,2026-05-19T15:49:25Z,"Nuxt: Reflected XSS in `navigateTo()` external redirect",nuxt,4.0.0-alpha.1,4.4.6,,MODERATE,CWE-83,
@@ -6546,12 +6575,33 @@ CVE-2026-46695,2026-05-21T21:52:51Z,"BoxLite: Permission Bypass Allows Modificat
6546
6575
  CVE-2026-46701,2026-05-21T22:39:59Z,"Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret",network-ai,0,5.4.5,,HIGH,CWE-346,
6547
6576
  CVE-2026-46703,2026-05-21T21:54:15Z,"Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host",@boxlite-ai/boxlite,0,0.9.0,,CRITICAL,CWE-22,
6548
6577
  CVE-2026-47099,2026-04-02T23:21:23Z,"TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`",telejson,0,6.0.0,,LOW,CWE-79,
6578
+ CVE-2026-47131,2026-05-29T17:33:58Z,"vm2 has a Sandbox Escape issue",vm2,0,3.11.4,,CRITICAL,CWE-913,
6579
+ CVE-2026-47135,2026-05-29T17:44:32Z,"vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks",vm2,0,3.11.4,,HIGH,CWE-693,
6580
+ CVE-2026-47137,2026-05-29T17:50:22Z,"vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE",vm2,0,3.11.4,,CRITICAL,CWE-913,
6549
6581
  CVE-2026-47138,2026-05-23T00:11:25Z,"Parse Server: Pre-authentication denial of service via client version header regex backtracking",parse-server,0,8.6.77,,HIGH,CWE-1333,
6550
6582
  CVE-2026-47138,2026-05-23T00:11:25Z,"Parse Server: Pre-authentication denial of service via client version header regex backtracking",parse-server,9.0.0,9.9.1-alpha.1,,HIGH,CWE-1333,
6583
+ CVE-2026-47139,2026-05-29T18:08:06Z,"NodeVM network builtin exclusions bypass via internal _http_client and _http_server",vm2,0,3.11.4,,HIGH,CWE-693,
6584
+ CVE-2026-47140,2026-05-29T17:59:23Z,"NodeVM builtin denylist bypass via process and inspector/promises allows host code execution",vm2,0,3.11.4,,CRITICAL,CWE-693,
6585
+ CVE-2026-47141,2026-05-29T18:20:45Z,"NodeVM observability builtins leak host process and HTTP request data",vm2,0,3.11.4,,MODERATE,CWE-668,
6586
+ CVE-2026-47144,2026-05-28T20:02:14Z,"Shamefile has an arbitrary file read via shamefile.yaml in shame next",shamefile,0,0.1.7,,MODERATE,CWE-22,
6587
+ CVE-2026-47200,2026-05-29T17:15:11Z,"Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`",@nuxt/nitro-server,3.20.0,3.21.6,,MODERATE,CWE-284;CWE-288,
6588
+ CVE-2026-47200,2026-05-29T17:15:11Z,"Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`",@nuxt/nitro-server,4.2.0,4.4.6,,MODERATE,CWE-284;CWE-288,
6589
+ CVE-2026-47200,2026-05-29T17:15:11Z,"Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`",nuxt,3.11.0,3.21.6,,MODERATE,CWE-284;CWE-288,
6590
+ CVE-2026-47200,2026-05-29T17:15:11Z,"Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`",nuxt,4.0.0-alpha.1,4.4.6,,MODERATE,CWE-284;CWE-288,
6591
+ CVE-2026-47208,2026-05-29T17:40:15Z,"vm2 is Vulnerable to Sandbox Breakout Through Promise Species",vm2,0,3.11.4,,CRITICAL,CWE-913,
6592
+ CVE-2026-47209,2026-05-29T17:49:18Z,"vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain",vm2,0,3.11.4,,HIGH,CWE-693,
6593
+ CVE-2026-47210,2026-05-29T17:51:05Z,"vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass",vm2,0,3.11.4,,CRITICAL,CWE-913,
6594
+ CVE-2026-47248,2026-05-29T19:18:01Z,"Parse Server's GraphQL ""Did you mean ...?"" validation suggestions disclose schema to unauthenticated callers",parse-server,0,8.6.78,,MODERATE,CWE-209,
6595
+ CVE-2026-47248,2026-05-29T19:18:01Z,"Parse Server's GraphQL ""Did you mean ...?"" validation suggestions disclose schema to unauthenticated callers",parse-server,9.0.0,9.9.1-alpha.2,,MODERATE,CWE-209,
6596
+ CVE-2026-47255,2026-05-29T19:23:29Z,"AgenticMail API/storage and outbound relay hardening fixes",@agenticmail/api,0,0.9.32,,HIGH,"CWE-20;CWE-284;CWE-319;CWE-798;CWE-89",
6597
+ CVE-2026-47255,2026-05-29T19:23:29Z,"AgenticMail API/storage and outbound relay hardening fixes",@agenticmail/core,0,0.9.10,,HIGH,"CWE-20;CWE-284;CWE-319;CWE-798;CWE-89",
6598
+ CVE-2026-47717,2026-05-27T22:51:18Z,"FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations",fuxa-server,1.3.0,1.3.1,,HIGH,CWE-201,
6599
+ CVE-2026-47718,2026-05-28T20:33:11Z,"FUXA provides guest and invalid-token access to protected read APIs in secure mode",fuxa-server,1.3.0-2773,1.3.1,,MODERATE,CWE-287;CWE-862,
6551
6600
  CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash,4.0.0,4.18.0,,HIGH,CWE-94,
6552
6601
  CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash-amd,4.0.0,4.18.0,,HIGH,CWE-94,
6553
6602
  CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash-es,4.0.0,4.18.0,,HIGH,CWE-94,
6554
6603
  CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash.template,4.0.0,4.18.0,,HIGH,CWE-94,
6604
+ CVE-2026-48527,2026-05-29T14:07:51Z,"HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint",@haxtheweb/haxcms-nodejs,0,26.0.1,,HIGH,CWE-79,
6555
6605
  CVE-2026-4867,2026-03-27T20:04:53Z,"path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",path-to-regexp,0,0.1.13,,HIGH,CWE-1333,
6556
6606
  CVE-2026-4923,2026-03-27T22:23:52Z,"path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards",path-to-regexp,8.0.0,8.4.0,,MODERATE,CWE-1333,
6557
6607
  CVE-2026-4926,2026-03-27T22:23:27Z,"path-to-regexp vulnerable to Denial of Service via sequential optional groups",path-to-regexp,8.0.0,8.4.0,,HIGH,CWE-1333;CWE-400,
@@ -6588,6 +6638,10 @@ CVE-2026-8159,2026-05-18T17:40:10Z,"multiparty vulnerable to ReDoS via filename
6588
6638
  CVE-2026-8161,2026-05-18T17:35:01Z,"multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception",multiparty,0,4.3.0,,HIGH,CWE-1321;CWE-248,
6589
6639
  CVE-2026-8162,2026-05-18T17:35:24Z,"multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing",multiparty,0,4.3.0,,HIGH,CWE-755,
6590
6640
  CVE-2026-8723,2026-05-22T17:27:19Z,"qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",qs,6.11.1,6.15.2,,MODERATE,CWE-476,
6641
+ CVE-2026-8766,2026-05-18T00:31:36Z,"@kilocode/cli Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor",@kilocode/cli,0,,7.0.47,LOW,CWE-200,
6642
+ CVE-2026-8769,2026-05-18T00:31:37Z,"@ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue",@ai-sdk/provider-utils,0,,3.0.97,LOW,CWE-400,
6643
+ CVE-2026-8813,2026-05-29T17:58:37Z,"ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag",exifreader,2.10.0,4.39.0,,HIGH,CWE-1284,
6644
+ CVE-2026-8814,2026-05-29T17:52:26Z,"ExifReader is vulnerable to denial of service via unbounded decompression of image metadata",exifreader,4.20.0,4.39.0,,MODERATE,CWE-409,
6591
6645
  GHSA-224h-p7p5-rh85,2020-09-01T17:32:26Z,"Directory Traversal in wenluhong1",wenluhong1,0.0.0,,,HIGH,CWE-22,
6592
6646
  GHSA-224p-v68g-5g8f,2025-08-26T18:45:55Z,"GraphQL Armor Max-Depth Plugin Bypass via fragment caching","@escape.tech/graphql-armor-max-depth",0,2.4.2,,MODERATE,CWE-400,
6593
6647
  GHSA-226w-6hhj-69hp,2020-09-03T19:06:52Z,"Malicious Package in cal_rd",cal_rd,0.0.0,,,CRITICAL,CWE-506,
@@ -7704,6 +7758,7 @@ GHSA-q2c6-c6pm-g3gh,2020-09-04T15:07:38Z,"Arbitrary Code Execution in handlebars
7704
7758
  GHSA-q2f7-m237-v562,2026-05-21T20:45:14Z,"@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators",@hulumi/policies,0,1.3.2,,CRITICAL,CWE-284,
7705
7759
  GHSA-q2qc-744p-66r2,2026-03-29T15:47:50Z,"OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility",openclaw,2026.3.11,2026.3.28,,HIGH,CWE-639;CWE-863,
7706
7760
  GHSA-q324-q795-2q5p,2021-10-12T16:05:11Z,"Path traversal when using `preview-docs` when working dir contains files with question mark `?` in name",@redocly/openapi-cli,0,1.0.0-beta.59,,LOW,,
7761
+ GHSA-q3fm-4wcw-g57x,2026-05-29T17:38:33Z,"vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter",vm2,0,3.11.4,,LOW,CWE-693,
7707
7762
  GHSA-q3w9-g74q-vp5f,2020-09-03T21:14:12Z,"Denial of Service in express-fileupload",express-fileupload,0,1.1.6-alpha.6,,LOW,,
7708
7763
  GHSA-q3w9-g74q-vp5f,2020-09-03T21:14:12Z,"Denial of Service in express-fileupload",express-fileupload,0,1.1.6-alpha.6,,LOW,,
7709
7764
  GHSA-q3w9-g74q-vp5f,2020-09-03T21:14:12Z,"Denial of Service in express-fileupload",express-fileupload,0,1.1.6-alpha.6,,LOW,,
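--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@openrewrite/recipes-nodejs",
-"version": "0.46.0-20260601-080730",
+"version": "0.46.0-20260601-130430",
 "license": "Moderne Proprietary",
 "description": "OpenRewrite recipes for Node.js library migrations.",
 "homepage": "https://github.com/moderneinc/rewrite-node",
@@ -25,7 +25,7 @@
 "ci:test": "jest"
 },
 "dependencies": {
-"@openrewrite/rewrite": "^8.84.0-20260601-075852",
+"@openrewrite/rewrite": "^8.84.0-20260601-124422",
 "mutative": "^1.1.0",
 "semver": "^7.7.3"
 },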