@openrewrite/recipes-nodejs 0.46.0-20260601-080730 → 0.46.0-20260601-130430
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -4830,6 +4830,7 @@ CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escala
4830
4830
CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escalation via a specially crafted request","@cubejs-backend/server-core",1.5.0,1.5.13,,HIGH,CWE-807,
4831
4831
CVE-2026-26019,2026-02-11T15:13:20Z,"@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation",@langchain/community,0,1.1.14,,MODERATE,CWE-918,
4832
4832
CVE-2026-26021,2026-02-11T15:13:28Z,"set-in Affected by Prototype Pollution",set-in,2.0.1,2.0.5,,CRITICAL,CWE-1321,
4833
+
CVE-2026-26028,2026-05-26T19:05:10Z,"CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS",cryptpad,0,,5.9.0,MODERATE,CWE-79;CWE-116,
4833
4834
CVE-2026-26063,2026-02-12T17:04:50Z,"CediPay Affected by Improper Input Validation in Payment Processing",cedipay-core,0,1.2.3,,HIGH,CWE-20,
4834
4835
CVE-2026-26118,2026-03-10T18:31:21Z,"Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network",@azure/mcp,1.0.0,1.0.2,,HIGH,CWE-918,
4835
4836
CVE-2026-26118,2026-03-10T18:31:21Z,"Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network",@azure/mcp,2.0.0-beta.1,2.0.0-beta.17,,HIGH,CWE-918,
@@ -5029,6 +5030,7 @@ CVE-2026-28397,2026-03-03T20:59:38Z,"NocoDB Vulnerable to Stored Cross-site Scri
5029
5030
CVE-2026-28398,2026-03-03T20:58:44Z,"NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells",nocodb,0,0.301.3,,MODERATE,CWE-79,
5030
5031
CVE-2026-28399,2026-03-03T20:58:55Z,"NocoDB Vulnerable to SQL Injection via DATEADD Formula",nocodb,0,0.301.3,,MODERATE,CWE-89,
5031
5032
CVE-2026-28401,2026-03-03T20:59:50Z,"NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells",nocodb,0,0.301.3,,MODERATE,CWE-79,
5033
+
CVE-2026-28445,2026-05-26T17:39:59Z,"Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview",@typebot.io/js,0,0.10.1,,HIGH,CWE-79,
5032
5034
CVE-2026-28446,2026-02-17T21:36:34Z,"OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)",openclaw,0,2026.2.2,,CRITICAL,CWE-287,
5033
5035
CVE-2026-28447,2026-02-17T21:39:24Z,"OpenClaw has a Path Traversal in Plugin Installation",openclaw,2026.1.20,2026.2.1,,HIGH,CWE-22,
5034
5036
CVE-2026-28448,2026-02-17T21:37:55Z,"OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline",openclaw,2026.1.29,2026.2.1,,HIGH,CWE-285,
@@ -5801,6 +5803,7 @@ CVE-2026-39885,2026-04-08T19:22:53Z,"mcp-from-openapi is Vulnerable to SSRF via
5801
5803
CVE-2026-39885,2026-04-08T19:22:53Z,"mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications",mcp-from-openapi,0,2.3.0,,HIGH,CWE-918,
5802
5804
CVE-2026-39942,2026-04-04T06:06:39Z,"Directus: Path Traversal and Broken Access Control in File Management API",directus,0,11.17.0,,HIGH,CWE-284;CWE-639;CWE-915,
5803
5805
CVE-2026-39943,2026-04-04T06:12:07Z,"Directus: Sensitive fields exposed in revision history",directus,0,11.17.0,,MODERATE,CWE-200;CWE-312,
5806
+
CVE-2026-39964,2026-05-26T18:00:24Z,"Typebot.io has stored XSS via `javascript`: URI in text bubble links — bot author executes JS on visitors' browsers",@typebot.io/js,0,0.10.1,,MODERATE,CWE-79,
5804
5807
CVE-2026-39974,2026-04-08T19:53:48Z,"n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode",n8n-mcp,0,2.47.4,,HIGH,CWE-918,
5805
5808
CVE-2026-39983,2026-04-08T20:02:25Z,"basic-ftp has FTP Command Injection via CRLF",basic-ftp,5.2.0,5.2.1,,HIGH,CWE-93,
5806
5809
CVE-2026-40037,2026-04-09T17:37:08Z,"OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects",openclaw,0,2026.4.8,,HIGH,CWE-345,
@@ -6060,6 +6063,7 @@ CVE-2026-42074,2026-05-12T16:17:59Z,"OpenClaude Sandbox Bypass via Model-Control
6060
6063
CVE-2026-42075,2026-04-22T22:06:15Z,"Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write",@evomap/evolver,0,1.69.3,,HIGH,CWE-22,
6061
6064
CVE-2026-42076,2026-04-22T22:06:03Z,"Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution",@evomap/evolver,0,1.69.3,,CRITICAL,CWE-78,
6062
6065
CVE-2026-42077,2026-04-22T22:05:28Z,"Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations",@evomap/evolver,0,1.69.3,,MODERATE,CWE-1321,
6066
+
CVE-2026-42089,2026-05-26T23:10:38Z,"yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation",yeoman-environment,2.9.0,6.0.1,,HIGH,CWE-829,
6063
6067
CVE-2026-42190,2026-04-24T15:36:52Z,"RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions",rwsdk,1.0.0-beta.50,1.2.3,,MODERATE,CWE-352,
6064
6068
CVE-2026-42226,2026-04-29T21:22:26Z,"n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay",n8n,0,1.123.33,,HIGH,CWE-862,
6065
6069
CVE-2026-42226,2026-04-29T21:22:26Z,"n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay",n8n,2.17.0,2.17.5,,HIGH,CWE-862,
@@ -6162,6 +6166,7 @@ CVE-2026-42437,2026-04-17T21:48:36Z,"OpenClaw: Voice-call realtime WebSocket acc
6162
6166
CVE-2026-42438,2026-04-17T22:17:57Z,"OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure",openclaw,2026.4.9,2026.4.10,,MODERATE,CWE-863,
6163
6167
CVE-2026-42439,2026-04-17T22:01:57Z,"OpenClaw: Browser tabs action select and close routes bypassed SSRF policy",openclaw,0,2026.4.10,,MODERATE,CWE-862;CWE-918,
6164
6168
CVE-2026-42449,2026-04-30T18:12:54Z,"n8n-mcp's IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders",n8n-mcp,2.47.4,2.47.14,,HIGH,CWE-918,
6169
+
CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,0,2.2.3,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
6165
6170
CVE-2026-42553,2026-05-07T16:40:52Z,"Cinny vulnerable to access token disclosure via invalidated emoji pack avatar URL in service worker",cinny,0,4.10.3,,HIGH,CWE-20,
6166
6171
CVE-2026-42565,2026-05-05T18:42:26Z,"@workos/authkit-session has an Open Redirect via state-derived redirect target",@workos/authkit-session,0,0.5.1,,MODERATE,CWE-601,
6167
6172
CVE-2026-42567,2026-05-14T20:29:05Z,"Svelte: ReDoS in `<svelte:element>` Tag Validation",svelte,5.51.5,5.55.7,,MODERATE,CWE-1333,
@@ -6212,6 +6217,9 @@ CVE-2026-43941,2026-05-08T18:35:17Z,"Electerm has an unvalidated shell.openExter
6212
6217
CVE-2026-43942,2026-05-08T18:37:42Z,"Electerm's full process.env exposed to renderer via window.pre.env",electerm,0,,3.8.15,MODERATE,CWE-200;CWE-312,
6213
6218
CVE-2026-43943,2026-05-08T18:43:52Z,"Electerm Security Vulnerability: RCE via malicious SSH server filename in openFileWithEditor",electerm,0,3.7.9,,HIGH,CWE-78;CWE-88,
6214
6219
CVE-2026-43944,2026-05-08T18:46:04Z,"Electerm users can run dangrous code through link or command line",electerm,3.0.6,3.8.8,,CRITICAL,CWE-20;CWE-829;CWE-94,
6220
+
CVE-2026-43945,2026-05-26T23:40:42Z,"FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection",@frangoteam/fuxa,1.2.11,1.3.1,,HIGH,"CWE-284;CWE-288;CWE-863;CWE-94",
6221
+
CVE-2026-43946,2026-05-26T23:41:45Z,"FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue",fuxa-server,1.3.0,1.3.1,,HIGH,CWE-863,
6222
+
CVE-2026-43947,2026-05-26T23:44:52Z,"FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass",fuxa-server,1.3.0,1.3.1,,HIGH,CWE-863,
6215
6223
CVE-2026-43995,2026-04-16T21:23:03Z,"Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)",flowise,0,3.1.0,,MODERATE,CWE-918,
6216
6224
CVE-2026-43995,2026-04-16T21:23:03Z,"Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)",flowise-components,0,3.1.0,,MODERATE,CWE-918,
6217
6225
CVE-2026-43997,2026-05-07T04:00:19Z,"vm2 Access to Host Object Enables Sandbox Escape",vm2,0,3.11.0,,CRITICAL,CWE-94,
@@ -6276,6 +6284,14 @@ CVE-2026-44459,2026-05-09T00:45:19Z,"Hono has improper validation of NumericDate
6276
6284
CVE-2026-44479,2026-05-07T00:05:20Z,"Vercel: Non-interactive mode includes CLI arguments in suggested command output",vercel,50.16.0,52.0.1,,MODERATE,CWE-200;CWE-532,
6277
6285
CVE-2026-44483,2026-05-11T16:09:40Z,"@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)",@rvf/set-get,6.0.0,6.0.4,,HIGH,CWE-1321,
6278
6286
CVE-2026-44483,2026-05-11T16:09:40Z,"@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)",@rvf/set-get,7.0.0,7.0.2,,HIGH,CWE-1321,
6287
+
CVE-2026-44489,2026-05-29T15:51:02Z,"Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix",axios,1.15.2,1.16.0,,LOW,CWE-113;CWE-1321,
6288
+
CVE-2026-44490,2026-05-29T15:54:57Z,"axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions",axios,0,0.32.0,,MODERATE,CWE-1321,
6289
+
CVE-2026-44490,2026-05-29T15:54:57Z,"axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions",axios,1.0.0,1.16.0,,MODERATE,CWE-1321,
6290
+
CVE-2026-44492,2026-05-29T15:59:30Z,"axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",axios,0,0.32.0,,HIGH,CWE-918,
6291
+
CVE-2026-44492,2026-05-29T15:59:30Z,"axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",axios,1.0.0,1.16.0,,HIGH,CWE-918,
6292
+
CVE-2026-44494,2026-05-29T16:04:00Z,"axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`",axios,1.0.0,1.16.0,,HIGH,CWE-441;CWE-1321,
6293
+
CVE-2026-44495,2026-05-29T16:07:31Z,"axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",axios,0.19.0,0.31.1,,HIGH,CWE-94;CWE-1321,
6294
+
CVE-2026-44495,2026-05-29T16:07:31Z,"axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",axios,1.0.0,1.15.2,,HIGH,CWE-94;CWE-1321,
6279
6295
CVE-2026-44503,2026-05-07T01:49:01Z,"Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect",kiota-typescript,0,1.0.0-preview.100,,HIGH,CWE-601,
6280
6296
CVE-2026-44572,2026-05-11T16:12:07Z,"Next.js's Middleware / Proxy redirects can be cache-poisoned",next,12.2.0,15.5.16,,LOW,CWE-349,
6281
6297
CVE-2026-44572,2026-05-11T16:12:07Z,"Next.js's Middleware / Proxy redirects can be cache-poisoned",next,16.0.0,16.2.5,,LOW,CWE-349,
@@ -6302,6 +6318,9 @@ CVE-2026-44582,2026-05-11T15:56:48Z,"Next.js vulnerable to cache poisoning via c
6302
6318
CVE-2026-44589,2026-05-07T20:52:30Z,"nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)",nuxt-og-image,6.2.5,6.4.9,,LOW,CWE-918,
6303
6319
CVE-2026-44635,2026-05-11T19:40:15Z,"Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`",kysely,0.26.0,0.28.17,,HIGH,"CWE-1284;CWE-22;CWE-89;CWE-915",
6304
6320
CVE-2026-44643,2026-05-11T16:20:58Z,"Angular Expressions - Remote Code Execution using filters",angular-expressions,0,1.5.2,,CRITICAL,CWE-95,
6321
+
CVE-2026-44644,2026-05-27T00:09:12Z,"LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS",liquidjs,0,,10.25.7,MODERATE,CWE-79,
6322
+
CVE-2026-44645,2026-05-27T00:11:46Z,"LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body",liquidjs,0,,10.25.7,MODERATE,CWE-400,
6323
+
CVE-2026-44646,2026-05-27T00:28:06Z,"LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`",liquidjs,0,,10.25.7,MODERATE,CWE-693,
6305
6324
CVE-2026-44648,2026-05-12T22:23:20Z,"SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover",sillytavern,0,1.18.0,,HIGH,CWE-613,
6306
6325
CVE-2026-44649,2026-05-12T22:23:30Z,"SillyTavern has Authentication Bypass via SSO Header Injection",sillytavern,0,1.18.0,,CRITICAL,"CWE-290;CWE-306;CWE-346;CWE-807",
6307
6326
CVE-2026-44650,2026-05-12T22:23:45Z,"SillyTavern has a Path Traversal issue",sillytavern,0,1.18.0,,CRITICAL,CWE-22,
@@ -6312,6 +6331,7 @@ CVE-2026-44665,2026-05-08T16:29:10Z,"fast-xml-builder allows attribute values wi
6312
6331
CVE-2026-44680,2026-05-08T19:17:45Z,"MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys",@mikro-orm/knex,0,6.6.14,,HIGH,CWE-89,
6313
6332
CVE-2026-44680,2026-05-08T19:17:45Z,"MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys",@mikro-orm/sql,0,7.0.14,,HIGH,CWE-89,
6314
6333
CVE-2026-44694,2026-05-08T16:59:17Z,"n8n-mcp webhook and API client paths has an authenticated SSRF",n8n-mcp,2.18.7,2.50.2,,HIGH,CWE-367;CWE-918,
6334
+
CVE-2026-44705,2026-05-27T00:34:06Z,"tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape",tmp,0,0.2.6,,HIGH,CWE-22,
6315
6335
CVE-2026-44720,2026-05-13T01:39:04Z,"OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover",openlearnx,0,2.0.4,,MODERATE,CWE-287;CWE-347,
6316
6336
CVE-2026-44721,2026-05-08T19:00:28Z,"open-webui Vulnerable to Stored XSS via Model Description",open-webui,0,0.9.0,,HIGH,CWE-79,
6317
6337
CVE-2026-44724,2026-05-13T15:29:21Z,"Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name",systeminformation,4.17.0,5.31.6,,HIGH,CWE-78,
@@ -6334,6 +6354,8 @@ CVE-2026-44902,2026-05-11T14:42:10Z,"Prometheus exporter process crash via malfo
6334
6354
CVE-2026-44902,2026-05-11T14:42:10Z,"Prometheus exporter process crash via malformed HTTP request","@opentelemetry/exporter-prometheus",0,0.217.0,,HIGH,CWE-755,
6335
6355
CVE-2026-44902,2026-05-11T14:42:10Z,"Prometheus exporter process crash via malformed HTTP request",@opentelemetry/sdk-node,0,0.217.0,,HIGH,CWE-755,
6336
6356
CVE-2026-44966,2026-05-09T00:40:16Z,"Velocity.js has a Prototype Pollution vulnerability through #set path assignment",velocityjs,0,,2.1.5,HIGH,CWE-1321,
6357
+
CVE-2026-44974,2026-05-27T00:37:20Z,"@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters",@hapi/content,0,6.0.2,,HIGH,CWE-436,
6358
+
CVE-2026-44979,2026-05-27T00:38:09Z,"@hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects",@hapi/wreck,0,18.1.1,,MODERATE,CWE-200;CWE-522,
6337
6359
CVE-2026-44990,2026-05-14T18:26:27Z,"Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`",sanitize-html,2.17.3,2.17.4,,CRITICAL,CWE-79,
6338
6360
CVE-2026-44991,2026-04-29T21:27:05Z,"OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners",openclaw,0,2026.4.21,,MODERATE,CWE-862,
6339
6361
CVE-2026-44992,2026-04-25T23:50:10Z,"OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests",openclaw,2026.4.5,2026.4.20,,MODERATE,CWE-15;CWE-522,
@@ -6357,6 +6379,10 @@ CVE-2026-45134,2026-05-13T15:29:30Z,"LangSmith SDK: Public prompt pull deseriali
6357
6379
CVE-2026-45136,2026-05-13T15:31:41Z,"claude-code-cache-fix vulnerable to local code execution via Python triple-quote injection in tools/quota-statusline.sh",claude-code-cache-fix,3.5.0,3.5.2,,HIGH,CWE-78;CWE-94,
6358
6380
CVE-2026-45149,2026-05-18T16:22:01Z,"brace-expansion: Large numeric range defeats documented `max` DoS protection",brace-expansion,5.0.0,5.0.6,,MODERATE,CWE-400,
6359
6381
CVE-2026-45222,2026-05-11T21:31:34Z,"@steipete/summarize allows local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json",@steipete/summarize,0,0.15.0,,MODERATE,CWE-732,
6382
+
CVE-2026-45242,2026-05-18T21:31:50Z,"Summarize contains a path traversal vulnerability",@steipete/summarize,0,0.15.0,,HIGH,CWE-862,
6383
+
CVE-2026-45243,2026-05-18T21:31:50Z,"Summarize contains a missing authorization vulnerability",@steipete/summarize,0,0.15.0,,MODERATE,CWE-862,
6384
+
CVE-2026-45244,2026-05-18T21:31:51Z,"Summarize contains a missing authorization vulnerability",@steipete/summarize,0,0.15.0,,LOW,CWE-862,
6385
+
CVE-2026-45245,2026-05-18T21:31:51Z,"Summarize's hover summary feature allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links",@steipete/summarize,0,0.15.1,,MODERATE,CWE-918,
6360
6386
CVE-2026-45302,2026-05-18T16:43:12Z,"parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names",parse-nested-form-data,0,1.0.1,,HIGH,CWE-1321,
6361
6387
CVE-2026-45310,2026-05-14T20:29:26Z,"DeepSeek TUI has SSRF via HTTP Redirect Bypass in fetch_url Tool",deepseek-tui,0,0.8.22,,HIGH,CWE-918,
6362
6388
CVE-2026-45311,2026-05-14T20:29:33Z,"DeepSeek TUI: run_tests Tool Enables RCE via Malicious Repository Without Approval",deepseek-tui,0.3.0,0.8.23,,CRITICAL,CWE-94,
@@ -6447,6 +6473,7 @@ CVE-2026-45321,2026-05-12T00:12:49Z,"Malware in @tanstack/* packages exfiltrates
6447
6473
CVE-2026-45325,2026-05-18T17:07:04Z,"@tmlmobilidade/utils has prototype pollution in its setValueAtPath",@tmlmobilidade/utils,0,20260509.0340.15,,HIGH,CWE-1321,
6448
6474
CVE-2026-45346,2026-05-14T20:21:51Z,"Open WebUI Has Stored Cross-Site Scripting in SVG Renderer",open-webui,0,0.6.31,,MODERATE,CWE-80,
6449
6475
CVE-2026-45353,2026-05-14T20:29:59Z,"Electerm Local code through electerm's single-instance socket",electerm,3.0.6,3.9.0,,CRITICAL,CWE-732;CWE-94;CWE-940,
6476
+
CVE-2026-45357,2026-05-27T17:33:52Z,"LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)",liquidjs,0,,10.25.7,HIGH,CWE-400,
6450
6477
CVE-2026-45364,2026-05-15T17:41:37Z,"Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation",better-auth,0,1.4.17,,HIGH,CWE-307,
6451
6478
CVE-2026-45364,2026-05-15T17:41:37Z,"Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation",better-auth,1.5.0-beta.1,1.5.0-beta.9,,HIGH,CWE-307,
6452
6479
CVE-2026-45366,2026-05-14T20:55:05Z,"@utcp/http: SSRF via attacker-controlled OpenAPI servers[0].url in HTTP communication protocol",@utcp/http,0,1.1.2,,MODERATE,CWE-918,
@@ -6455,6 +6482,8 @@ CVE-2026-45411,2026-05-14T21:14:32Z,"vm2 Has a Sandbox Breakout Using Async Gene
6455
6482
CVE-2026-45548,2026-05-15T17:47:10Z,"Budibase: SSRF in AI Extract File Automation Step via Missing IP Blacklist Validation",@budibase/server,0,3.34.8,,HIGH,CWE-918,
6456
6483
CVE-2026-45577,2026-05-18T14:20:06Z,"Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass",neotoma,0.6.0,0.11.1,,MODERATE,CWE-288;CWE-306,
6457
6484
CVE-2026-45582,2026-05-18T13:26:51Z,"n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters",n8n-mcp,0,2.51.3,,MODERATE,CWE-201,
6485
+
CVE-2026-45617,2026-05-27T18:08:19Z,"LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex",liquidjs,0,10.26.0,,HIGH,CWE-1333,
6486
+
CVE-2026-45618,2026-05-27T18:24:14Z,"LiquidJS is Vulnerable to Remote Code Execution",liquidjs,0,10.26.0,,CRITICAL,CWE-94,
6458
6487
CVE-2026-45665,2026-05-14T20:27:45Z,"Open WebUI has Stored XSS in Banner Component via Improper Sanitization Order",open-webui,0,0.8.0,,HIGH,CWE-79,
6459
6488
CVE-2026-45669,2026-05-19T15:49:25Z,"Nuxt: Reflected XSS in `navigateTo()` external redirect",nuxt,3.4.3,3.21.6,,MODERATE,CWE-83,
6460
6489
CVE-2026-45669,2026-05-19T15:49:25Z,"Nuxt: Reflected XSS in `navigateTo()` external redirect",nuxt,4.0.0-alpha.1,4.4.6,,MODERATE,CWE-83,
@@ -6546,12 +6575,33 @@ CVE-2026-46695,2026-05-21T21:52:51Z,"BoxLite: Permission Bypass Allows Modificat
6546
6575
CVE-2026-46701,2026-05-21T22:39:59Z,"Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret",network-ai,0,5.4.5,,HIGH,CWE-346,
6547
6576
CVE-2026-46703,2026-05-21T21:54:15Z,"Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host",@boxlite-ai/boxlite,0,0.9.0,,CRITICAL,CWE-22,
6548
6577
CVE-2026-47099,2026-04-02T23:21:23Z,"TeleJSON: DOM XSS via unsanitised constructor name in `new Function()`",telejson,0,6.0.0,,LOW,CWE-79,
6578
+
CVE-2026-47131,2026-05-29T17:33:58Z,"vm2 has a Sandbox Escape issue",vm2,0,3.11.4,,CRITICAL,CWE-913,
6579
+
CVE-2026-47135,2026-05-29T17:44:32Z,"vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks",vm2,0,3.11.4,,HIGH,CWE-693,
6580
+
CVE-2026-47137,2026-05-29T17:50:22Z,"vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE",vm2,0,3.11.4,,CRITICAL,CWE-913,
6549
6581
CVE-2026-47138,2026-05-23T00:11:25Z,"Parse Server: Pre-authentication denial of service via client version header regex backtracking",parse-server,0,8.6.77,,HIGH,CWE-1333,
6550
6582
CVE-2026-47138,2026-05-23T00:11:25Z,"Parse Server: Pre-authentication denial of service via client version header regex backtracking",parse-server,9.0.0,9.9.1-alpha.1,,HIGH,CWE-1333,
6583
+
CVE-2026-47139,2026-05-29T18:08:06Z,"NodeVM network builtin exclusions bypass via internal _http_client and _http_server",vm2,0,3.11.4,,HIGH,CWE-693,
6584
+
CVE-2026-47140,2026-05-29T17:59:23Z,"NodeVM builtin denylist bypass via process and inspector/promises allows host code execution",vm2,0,3.11.4,,CRITICAL,CWE-693,
6585
+
CVE-2026-47141,2026-05-29T18:20:45Z,"NodeVM observability builtins leak host process and HTTP request data",vm2,0,3.11.4,,MODERATE,CWE-668,
6586
+
CVE-2026-47144,2026-05-28T20:02:14Z,"Shamefile has an arbitrary file read via shamefile.yaml in shame next",shamefile,0,0.1.7,,MODERATE,CWE-22,
6587
+
CVE-2026-47200,2026-05-29T17:15:11Z,"Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`",@nuxt/nitro-server,3.20.0,3.21.6,,MODERATE,CWE-284;CWE-288,
6588
+
CVE-2026-47200,2026-05-29T17:15:11Z,"Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`",@nuxt/nitro-server,4.2.0,4.4.6,,MODERATE,CWE-284;CWE-288,
6589
+
CVE-2026-47200,2026-05-29T17:15:11Z,"Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`",nuxt,3.11.0,3.21.6,,MODERATE,CWE-284;CWE-288,
6590
+
CVE-2026-47200,2026-05-29T17:15:11Z,"Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`",nuxt,4.0.0-alpha.1,4.4.6,,MODERATE,CWE-284;CWE-288,
6591
+
CVE-2026-47208,2026-05-29T17:40:15Z,"vm2 is Vulnerable to Sandbox Breakout Through Promise Species",vm2,0,3.11.4,,CRITICAL,CWE-913,
6592
+
CVE-2026-47209,2026-05-29T17:49:18Z,"vm2's Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain",vm2,0,3.11.4,,HIGH,CWE-693,
6593
+
CVE-2026-47210,2026-05-29T17:51:05Z,"vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass",vm2,0,3.11.4,,CRITICAL,CWE-913,
6594
+
CVE-2026-47248,2026-05-29T19:18:01Z,"Parse Server's GraphQL ""Did you mean ...?"" validation suggestions disclose schema to unauthenticated callers",parse-server,0,8.6.78,,MODERATE,CWE-209,
6595
+
CVE-2026-47248,2026-05-29T19:18:01Z,"Parse Server's GraphQL ""Did you mean ...?"" validation suggestions disclose schema to unauthenticated callers",parse-server,9.0.0,9.9.1-alpha.2,,MODERATE,CWE-209,
6596
+
CVE-2026-47255,2026-05-29T19:23:29Z,"AgenticMail API/storage and outbound relay hardening fixes",@agenticmail/api,0,0.9.32,,HIGH,"CWE-20;CWE-284;CWE-319;CWE-798;CWE-89",
6597
+
CVE-2026-47255,2026-05-29T19:23:29Z,"AgenticMail API/storage and outbound relay hardening fixes",@agenticmail/core,0,0.9.10,,HIGH,"CWE-20;CWE-284;CWE-319;CWE-798;CWE-89",
6598
+
CVE-2026-47717,2026-05-27T22:51:18Z,"FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations",fuxa-server,1.3.0,1.3.1,,HIGH,CWE-201,
6599
+
CVE-2026-47718,2026-05-28T20:33:11Z,"FUXA provides guest and invalid-token access to protected read APIs in secure mode",fuxa-server,1.3.0-2773,1.3.1,,MODERATE,CWE-287;CWE-862,
6551
6600
CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash,4.0.0,4.18.0,,HIGH,CWE-94,
6552
6601
CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash-amd,4.0.0,4.18.0,,HIGH,CWE-94,
6553
6602
CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash-es,4.0.0,4.18.0,,HIGH,CWE-94,
6554
6603
CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash.template,4.0.0,4.18.0,,HIGH,CWE-94,
6604
+
CVE-2026-48527,2026-05-29T14:07:51Z,"HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint",@haxtheweb/haxcms-nodejs,0,26.0.1,,HIGH,CWE-79,
6555
6605
CVE-2026-4867,2026-03-27T20:04:53Z,"path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",path-to-regexp,0,0.1.13,,HIGH,CWE-1333,
6556
6606
CVE-2026-4923,2026-03-27T22:23:52Z,"path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards",path-to-regexp,8.0.0,8.4.0,,MODERATE,CWE-1333,
6557
6607
CVE-2026-4926,2026-03-27T22:23:27Z,"path-to-regexp vulnerable to Denial of Service via sequential optional groups",path-to-regexp,8.0.0,8.4.0,,HIGH,CWE-1333;CWE-400,
@@ -6588,6 +6638,10 @@ CVE-2026-8159,2026-05-18T17:40:10Z,"multiparty vulnerable to ReDoS via filename
6588
6638
CVE-2026-8161,2026-05-18T17:35:01Z,"multiparty: Denial of Service via Prototype Pollution leads to Uncaught Exception",multiparty,0,4.3.0,,HIGH,CWE-1321;CWE-248,
6589
6639
CVE-2026-8162,2026-05-18T17:35:24Z,"multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing",multiparty,0,4.3.0,,HIGH,CWE-755,
6590
6640
CVE-2026-8723,2026-05-22T17:27:19Z,"qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",qs,6.11.1,6.15.2,,MODERATE,CWE-476,
6641
+
CVE-2026-8766,2026-05-18T00:31:36Z,"@kilocode/cli Vulnerable to Exposure of Sensitive Information to an Unauthorized Actor",@kilocode/cli,0,,7.0.47,LOW,CWE-200,
6642
+
CVE-2026-8769,2026-05-18T00:31:37Z,"@ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue",@ai-sdk/provider-utils,0,,3.0.97,LOW,CWE-400,
6643
+
CVE-2026-8813,2026-05-29T17:58:37Z,"ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag",exifreader,2.10.0,4.39.0,,HIGH,CWE-1284,
6644
+
CVE-2026-8814,2026-05-29T17:52:26Z,"ExifReader is vulnerable to denial of service via unbounded decompression of image metadata",exifreader,4.20.0,4.39.0,,MODERATE,CWE-409,
6591
6645
GHSA-224h-p7p5-rh85,2020-09-01T17:32:26Z,"Directory Traversal in wenluhong1",wenluhong1,0.0.0,,,HIGH,CWE-22,
6592
6646
GHSA-224p-v68g-5g8f,2025-08-26T18:45:55Z,"GraphQL Armor Max-Depth Plugin Bypass via fragment caching","@escape.tech/graphql-armor-max-depth",0,2.4.2,,MODERATE,CWE-400,
6593
6647
GHSA-226w-6hhj-69hp,2020-09-03T19:06:52Z,"Malicious Package in cal_rd",cal_rd,0.0.0,,,CRITICAL,CWE-506,
@@ -7704,6 +7758,7 @@ GHSA-q2c6-c6pm-g3gh,2020-09-04T15:07:38Z,"Arbitrary Code Execution in handlebars
7704
7758
GHSA-q2f7-m237-v562,2026-05-21T20:45:14Z,"@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators",@hulumi/policies,0,1.3.2,,CRITICAL,CWE-284,
7705
7759
GHSA-q2qc-744p-66r2,2026-03-29T15:47:50Z,"OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility",openclaw,2026.3.11,2026.3.28,,HIGH,CWE-639;CWE-863,
7706
7760
GHSA-q324-q795-2q5p,2021-10-12T16:05:11Z,"Path traversal when using `preview-docs` when working dir contains files with question mark `?` in name",@redocly/openapi-cli,0,1.0.0-beta.59,,LOW,,
7761
+
GHSA-q3fm-4wcw-g57x,2026-05-29T17:38:33Z,"vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter",vm2,0,3.11.4,,LOW,CWE-693,
7707
7762
GHSA-q3w9-g74q-vp5f,2020-09-03T21:14:12Z,"Denial of Service in express-fileupload",express-fileupload,0,1.1.6-alpha.6,,LOW,,
7708
7763
GHSA-q3w9-g74q-vp5f,2020-09-03T21:14:12Z,"Denial of Service in express-fileupload",express-fileupload,0,1.1.6-alpha.6,,LOW,,
7709
7764
GHSA-q3w9-g74q-vp5f,2020-09-03T21:14:12Z,"Denial of Service in express-fileupload",express-fileupload,0,1.1.6-alpha.6,,LOW,,
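--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@openrewrite/recipes-nodejs",
-"version": "0.46.0-20260601-
+"version": "0.46.0-20260601-130430",
 "license": "Moderne Proprietary",
 "description": "OpenRewrite recipes for Node.js library migrations.",
 "homepage": "https://github.com/moderneinc/rewrite-node",
@@ -25,7 +25,7 @@
 "ci:test": "jest"
 },
 "dependencies": {
-"@openrewrite/rewrite": "^8.84.0-20260601-
+"@openrewrite/rewrite": "^8.84.0-20260601-124422",
 "mutative": "^1.1.0",
 "semver": "^7.7.3"
 },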