@openrewrite/recipes-nodejs 0.46.0 → 0.46.2

@@ -620,7 +620,8 @@ CVE-2018-1000136,2018-03-26T16:41:17Z,"Electron Vulnerable to Code Execution by
620
620
  CVE-2018-1000136,2018-03-26T16:41:17Z,"Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration",electron,2.0.0-beta.1,2.0.0-beta.5,,HIGH,CWE-20,
621
621
  CVE-2018-1000160,2018-04-25T14:30:43Z,"Cross-Site Scripting in @risingstack/protect",@risingstack/protect,0,,1.2.0,MODERATE,CWE-79,
622
622
  CVE-2018-1000534,2022-05-14T03:06:11Z,"Joplin Vulnerable to Cross-site Scripting in Note Content ",joplin,0,1.0.90,,MODERATE,CWE-79,
623
- CVE-2018-1000620,2018-09-11T18:22:50Z,"Insufficient Entropy in cryptiles",cryptiles,3.1.0,4.1.2,,CRITICAL,CWE-331,
623
+ CVE-2018-1000620,2018-09-11T18:22:50Z,"Insufficient Entropy in cryptiles",cryptiles,3.1.0,3.1.3,,CRITICAL,CWE-331,
624
+ CVE-2018-1000620,2018-09-11T18:22:50Z,"Insufficient Entropy in cryptiles",cryptiles,4.0.0,4.1.2,,CRITICAL,CWE-331,
624
625
  CVE-2018-1002203,2018-07-27T17:06:50Z,"Arbitrary File Write via Archive Extraction in unzipper",unzipper,0,0.8.13,,MODERATE,CWE-22,
625
626
  CVE-2018-1002204,2018-07-27T17:07:14Z,"Arbitrary File Write in adm-zip",adm-zip,0,0.4.11,,MODERATE,CWE-22,
626
627
  CVE-2018-1107,2022-01-06T20:44:07Z,"Regular expression deinal of service (ReDoS) in is-my-json-valid",is-my-json-valid,0,1.4.1,,MODERATE,CWE-400,
@@ -2687,7 +2688,7 @@ CVE-2023-29199,2023-04-12T20:42:44Z,"vm2 Sandbox Escape vulnerability",vm2,0,3.9
2687
2688
  CVE-2023-29529,2023-04-14T16:14:17Z,"matrix-js-sdk vulnerable to invisible eavesdropping in group calls",matrix-js-sdk,0,24.1.0,,MODERATE,CWE-862,
2688
2689
  CVE-2023-29566,2023-04-24T18:30:31Z,"Remote code execution in dawnsparks-node-tesseract","dawnsparks-node-tesseract",0,0.4.1,,CRITICAL,CWE-77,
2689
2690
  CVE-2023-29641,2023-05-01T18:30:23Z,"editor.md vulnerable to Cross-site Scripting",editor.md,0,,1.5.0,MODERATE,CWE-79,
2690
- CVE-2023-2968,2023-05-30T18:30:23Z,"proxy denial of service vulnerability",proxy,2.0.0,2.1.1,,MODERATE,CWE-232,
2691
+ CVE-2023-2968,2023-05-30T18:30:23Z,"proxy denial of service vulnerability",proxy,2.0.0,2.1.1,,HIGH,CWE-232,
2691
2692
  CVE-2023-2972,2023-05-30T12:30:17Z,"antfu/utils vulnerable to prototype pollution",@antfu/utils,0,0.7.3,,MODERATE,CWE-1321,
2692
2693
  CVE-2023-30094,2023-05-04T21:30:27Z,"Cross-site scripting in TotalJS",total4,0,0.0.81,,MODERATE,CWE-79,
2693
2694
  CVE-2023-30363,2023-04-26T21:30:37Z,"Prototype Pollution in vConsole",vconsole,0,3.15.1,,CRITICAL,CWE-1321,
@@ -2910,7 +2911,7 @@ CVE-2023-48218,2023-11-20T21:01:43Z,"Bypass of field access control in strapi-pl
2910
2911
  CVE-2023-48219,2023-11-15T18:32:34Z,"TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes",tinymce,0,5.10.9,,MODERATE,CWE-79,
2911
2912
  CVE-2023-48219,2023-11-15T18:32:34Z,"TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes",tinymce,6.0.0,6.7.3,,MODERATE,CWE-79,
2912
2913
  CVE-2023-48223,2023-11-20T20:58:56Z,"JWT Algorithm Confusion",fast-jwt,0,3.3.2,,MODERATE,CWE-20,
2913
- CVE-2023-48238,2023-11-17T22:48:15Z,"json-web-token library is vulnerable to a JWT algorithm confusion attack",json-web-token,0,,3.1.1,HIGH,CWE-20;CWE-345,
2914
+ CVE-2023-48238,2023-11-17T22:48:15Z,"json-web-token library is vulnerable to a JWT algorithm confusion attack",json-web-token,0,4.0.0,,HIGH,CWE-20;CWE-345,
2914
2915
  CVE-2023-48309,2023-11-20T23:25:36Z,"Possible user mocking that bypasses basic authentication",next-auth,0,4.24.5,,MODERATE,CWE-285,
2915
2916
  CVE-2023-4863,2023-09-12T15:30:20Z,"libwebp: OOB write in BuildHuffmanTable",electron,22.0.0,22.3.24,,HIGH,CWE-787,
2916
2917
  CVE-2023-4863,2023-09-12T15:30:20Z,"libwebp: OOB write in BuildHuffmanTable",electron,24.0.0,24.8.3,,HIGH,CWE-787,
@@ -3222,7 +3223,7 @@ CVE-2024-30260,2024-04-04T14:20:39Z,"Undici's Proxy-Authorization header not cle
3222
3223
  CVE-2024-30260,2024-04-04T14:20:39Z,"Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline",undici,6.0.0,6.11.1,,LOW,CWE-200;CWE-285;CWE-863,
3223
3224
  CVE-2024-30261,2024-04-04T14:20:54Z,"Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",undici,0,5.28.4,,LOW,CWE-284,
3224
3225
  CVE-2024-30261,2024-04-04T14:20:54Z,"Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",undici,6.0.0,6.11.1,,LOW,CWE-284,
3225
- CVE-2024-30564,2024-04-18T15:30:49Z,"@andrei-tatar/nora-firebase-common Prototype Pollution vulnerability","@andrei-tatar/nora-firebase-common",1.0.41,1.12.3,,HIGH,CWE-1321,
3226
+ CVE-2024-30564,2024-04-18T15:30:49Z,"@andrei-tatar/nora-firebase-common Prototype Pollution vulnerability","@andrei-tatar/nora-firebase-common",1.0.41,1.12.3,,CRITICAL,CWE-1321,
3226
3227
  CVE-2024-31206,2024-04-04T14:21:19Z,"dectalk-tts Uses Unencrypted HTTP Request",dectalk-tts,1.0.0,1.0.1,,HIGH,CWE-300;CWE-319;CWE-598,
3227
3228
  CVE-2024-31207,2024-04-03T16:46:17Z,"Vite's `server.fs.deny` did not deny requests for patterns with directories.",vite,2.7.0,2.9.18,,MODERATE,CWE-200;CWE-284,
3228
3229
  CVE-2024-31207,2024-04-03T16:46:17Z,"Vite's `server.fs.deny` did not deny requests for patterns with directories.",vite,3.0.0,3.2.10,,MODERATE,CWE-200;CWE-284,
@@ -3512,6 +3513,8 @@ CVE-2024-51753,2024-11-05T17:34:47Z,"@workos-inc/authkit-remix refresh tokens ar
3512
3513
  CVE-2024-51757,2024-11-06T15:27:50Z,"happy-dom allows for server side code to be executed by a <script> tag",happy-dom,0,15.10.2,,CRITICAL,CWE-79,
3513
3514
  CVE-2024-51999,2025-12-01T18:59:17Z,"Withdrawn Advisory: express improperly controls modification of query properties",express,0,4.22.0,,LOW,CWE-915,
3514
3515
  CVE-2024-51999,2025-12-01T18:59:17Z,"Withdrawn Advisory: express improperly controls modification of query properties",express,5.0.0,5.2.0,,LOW,CWE-915,
3516
+ CVE-2024-52011,2026-06-03T18:02:48Z,"launch-editor vulnerable to command injection via the crafted request on Windows",launch-editor,0,2.9.0,,HIGH,CWE-77,
3517
+ CVE-2024-52011,2026-06-03T18:02:48Z,"launch-editor vulnerable to command injection via the crafted request on Windows",vite,0,5.4.9,,HIGH,CWE-77,
3515
3518
  CVE-2024-52588,2025-05-27T17:59:52Z,"Strapi allows Server-Side Request Forgery in Webhook function",@strapi/admin,0,4.25.2,,MODERATE,CWE-918,
3516
3519
  CVE-2024-52798,2024-12-05T22:40:47Z,"path-to-regexp contains a ReDoS",path-to-regexp,0,0.1.12,,HIGH,CWE-1333,
3517
3520
  CVE-2024-52809,2024-12-02T17:26:20Z,"vue-i18n has cross-site scripting vulnerability with prototype pollution",@intlify/core,10.0.0,10.0.5,,MODERATE,CWE-79,
@@ -4175,7 +4178,7 @@ CVE-2025-5889,2025-06-09T21:30:51Z,"brace-expansion Regular Expression Denial of
4175
4178
  CVE-2025-5889,2025-06-09T21:30:51Z,"brace-expansion Regular Expression Denial of Service vulnerability",brace-expansion,2.0.0,2.0.2,,LOW,CWE-400,
4176
4179
  CVE-2025-5889,2025-06-09T21:30:51Z,"brace-expansion Regular Expression Denial of Service vulnerability",brace-expansion,3.0.0,3.0.1,,LOW,CWE-400,
4177
4180
  CVE-2025-5889,2025-06-09T21:30:51Z,"brace-expansion Regular Expression Denial of Service vulnerability",brace-expansion,4.0.0,4.0.1,,LOW,CWE-400,
4178
- CVE-2025-5891,2025-06-09T21:30:51Z,"pm2 Regular Expression Denial of Service vulnerability",pm2,0,7.0.0,,LOW,CWE-400;CWE-1333,
4181
+ CVE-2025-5891,2025-06-09T21:30:51Z,"pm2 Regular Expression Denial of Service vulnerability",pm2,0,7.0.0,,LOW,CWE-1333;CWE-400,
4179
4182
  CVE-2025-5896,2025-06-09T21:30:52Z,"taro-css-to-react-native Regular Expression Denial of Service vulnerability",taro-css-to-react-native,0,4.1.2,,MODERATE,CWE-1333;CWE-400,
4180
4183
  CVE-2025-5897,2025-06-09T21:30:52Z,"@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability",@vue/cli-plugin-pwa,0,,5.0.8,MODERATE,CWE-1333;CWE-400,
4181
4184
  CVE-2025-59037,2025-09-09T14:39:14Z,"DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware",@duckdb/duckdb-wasm,1.29.2,1.30.0,,HIGH,CWE-506,
@@ -4491,6 +4494,8 @@ CVE-2025-69985,2026-02-24T18:31:02Z,"FUXA has JWT Authentication Bypass via HTTP
4491
4494
  CVE-2025-70058,2026-02-23T18:32:02Z,"yapi disables TLS/SSL certificate validation via rejectUnauthorized: false in Axios HTTPS agent",yapi-vendor,0,,1.12.0,HIGH,CWE-295,
4492
4495
  CVE-2025-70948,2026-03-05T21:30:49Z,"@perfood/couch-auth has a host header injection vulnerability",@perfood/couch-auth,0,,0.26.0,MODERATE,CWE-644;CWE-74,
4493
4496
  CVE-2025-70949,2026-03-05T21:30:49Z,"@perfood/couch-auth has an Observable Timing Discrepancy ",@perfood/couch-auth,0,,0.26.0,HIGH,CWE-208,
4497
+ CVE-2025-71319,2025-04-02T15:04:58Z,"image-size Denial of Service via Infinite Loop during Image Processing",image-size,1.1.0,1.2.1,,HIGH,CWE-770;CWE-835,
4498
+ CVE-2025-71319,2025-04-02T15:04:58Z,"image-size Denial of Service via Infinite Loop during Image Processing",image-size,2.0.0,2.0.2,,HIGH,CWE-770;CWE-835,
4494
4499
  CVE-2025-7338,2025-07-17T21:01:54Z,"Multer vulnerable to Denial of Service via unhandled exception from malformed request",multer,1.4.4-lts.1,2.0.2,,HIGH,CWE-248,
4495
4500
  CVE-2025-7339,2025-07-17T21:17:19Z,"on-headers is vulnerable to http response header manipulation",on-headers,0,1.1.0,,LOW,CWE-241,
4496
4501
  CVE-2025-7783,2025-07-21T19:04:54Z,"form-data uses unsafe random function in form-data for choosing boundary",form-data,0,2.5.4,,CRITICAL,CWE-330,
@@ -4577,7 +4582,7 @@ CVE-2026-22178,2026-03-02T22:17:30Z,"OpenClaw has ReDoS and regex injection via
4577
4582
  CVE-2026-22179,2026-03-03T21:41:12Z,"OpenClaw has macOS `system.run` allowlist bypass via quoted command substitution",openclaw,0,2026.2.22,,HIGH,CWE-78,
4578
4583
  CVE-2026-22180,2026-03-03T21:20:01Z,"OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows",openclaw,0,2026.3.2,,MODERATE,CWE-367;CWE-59,
4579
4584
  CVE-2026-22181,2026-03-03T21:19:47Z,"OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured",openclaw,0,2026.3.2,,MODERATE,CWE-367;CWE-918,
4580
- CVE-2026-22217,2026-03-03T21:36:16Z,"OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL",openclaw,2026.2.22,2026.2.23,,HIGH,CWE-184;CWE-829,
4585
+ CVE-2026-22217,2026-03-03T21:36:16Z,"OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL",openclaw,2026.2.22,2026.2.23,,MODERATE,CWE-184;CWE-829,
4581
4586
  CVE-2026-2229,2026-03-13T20:41:41Z,"Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",undici,0,6.24.0,,HIGH,CWE-248,
4582
4587
  CVE-2026-2229,2026-03-13T20:41:41Z,"Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",undici,7.0.0,7.24.0,,HIGH,CWE-248,
4583
4588
  CVE-2026-22594,2026-01-08T21:29:47Z,"Ghost has Staff 2FA bypass",ghost,5.105.0,5.130.6,,HIGH,CWE-287,
@@ -4830,7 +4835,7 @@ CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escala
4830
4835
  CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escalation via a specially crafted request","@cubejs-backend/server-core",1.5.0,1.5.13,,HIGH,CWE-807,
4831
4836
  CVE-2026-26019,2026-02-11T15:13:20Z,"@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation",@langchain/community,0,1.1.14,,MODERATE,CWE-918,
4832
4837
  CVE-2026-26021,2026-02-11T15:13:28Z,"set-in Affected by Prototype Pollution",set-in,2.0.1,2.0.5,,CRITICAL,CWE-1321,
4833
- CVE-2026-26028,2026-05-26T19:05:10Z,"CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS",cryptpad,0,,5.9.0,MODERATE,CWE-79;CWE-116,
4838
+ CVE-2026-26028,2026-05-26T19:05:10Z,"CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS",cryptpad,0,,5.9.0,MODERATE,CWE-116;CWE-79,
4834
4839
  CVE-2026-26063,2026-02-12T17:04:50Z,"CediPay Affected by Improper Input Validation in Payment Processing",cedipay-core,0,1.2.3,,HIGH,CWE-20,
4835
4840
  CVE-2026-26118,2026-03-10T18:31:21Z,"Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network",@azure/mcp,1.0.0,1.0.2,,HIGH,CWE-918,
4836
4841
  CVE-2026-26118,2026-03-10T18:31:21Z,"Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network",@azure/mcp,2.0.0-beta.1,2.0.0-beta.17,,HIGH,CWE-918,
@@ -4866,7 +4871,7 @@ CVE-2026-26833,2026-03-25T18:31:47Z,"thumbler allows OS Command Injection",thumb
4866
4871
  CVE-2026-26861,2026-02-27T18:31:06Z,"CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function",clevertap-web-sdk,0,1.15.3,,HIGH,CWE-346;CWE-79,
4867
4872
  CVE-2026-26862,2026-02-27T18:31:06Z,"CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage",clevertap-web-sdk,0,1.15.3,,HIGH,CWE-79,
4868
4873
  CVE-2026-26954,2026-03-13T13:46:08Z,"SandboxJS affected by a Sandbox Escape",@nyariv/sandboxjs,0,0.8.34,,CRITICAL,CWE-94,
4869
- CVE-2026-26956,2026-05-05T16:44:16Z,"VM2 Has a WASM Sandbox Escape (Node 25 only)",vm2,3.10.4,3.10.5,,CRITICAL,CWE-693;CWE-94,
4874
+ CVE-2026-26956,2026-05-05T16:44:16Z,"VM2 Has a WASM Sandbox Escape",vm2,0,3.10.5,,CRITICAL,CWE-94;CWE-693,
4870
4875
  CVE-2026-26960,2026-02-18T00:57:13Z,"Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction",tar,0,7.5.8,,HIGH,CWE-22,
4871
4876
  CVE-2026-26972,2026-02-18T17:37:52Z,"OpenClaw has a Path Traversal in Browser Download Functionality",openclaw,2026.1.12,2026.2.13,,MODERATE,CWE-22,
4872
4877
  CVE-2026-26974,2026-02-18T21:45:06Z,"Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde",@tygo-van-den-hurk/slyde,0,0.0.5,,HIGH,CWE-829,
@@ -5129,6 +5134,7 @@ CVE-2026-30229,2026-03-06T18:46:27Z,"parse-server's endpoint `/loginAs` allows `
5129
5134
  CVE-2026-30241,2026-03-06T18:47:52Z,"Mercurius's queryDepth limit bypassed for WebSocket subscriptions",mercurius,0,16.8.0,,LOW,CWE-863,
5130
5135
  CVE-2026-30587,2026-03-25T18:31:55Z,"Seafile Server has multiple stored XSS vulnerabilities",@seafile/sdoc-editor,0,2.0.209,,MODERATE,CWE-79,
5131
5136
  CVE-2026-30587,2026-03-25T18:31:55Z,"Seafile Server has multiple stored XSS vulnerabilities",@seafile/sdoc-editor,3.0.0,3.0.75,,MODERATE,CWE-79,
5137
+ CVE-2026-30691,2026-05-20T18:31:36Z,"@cyntler/react-doc-viewer's TXTRenderer fails to sanitize file content and explicitly casts raw data as a ReactNode","@cyntler/react-doc-viewer",0,,1.17.1,MODERATE,CWE-79,
5132
5138
  CVE-2026-30820,2026-03-06T18:48:22Z,"Flowise has Authorization Bypass via Spoofed x-request-from Header",flowise,0,3.0.13,,HIGH,CWE-863,
5133
5139
  CVE-2026-30821,2026-03-06T18:49:20Z,"Flowise has Arbitrary File Upload via MIME Spoofing",flowise,0,3.0.13,,HIGH,CWE-434,
5134
5140
  CVE-2026-30822,2026-03-06T22:19:14Z,"Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint",flowise,0,3.0.13,,HIGH,CWE-915,
@@ -5416,6 +5422,8 @@ CVE-2026-33163,2026-03-18T19:49:27Z,"Parse Server leaks protected fields via Liv
5416
5422
  CVE-2026-33163,2026-03-18T19:49:27Z,"Parse Server leaks protected fields via LiveQuery afterEvent trigger",parse-server,9.0.0,9.6.0-alpha.35,,HIGH,CWE-200,
5417
5423
  CVE-2026-33226,2026-03-18T20:22:11Z,"Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview",budibase,0,,3.30.6,HIGH,CWE-918,
5418
5424
  CVE-2026-33228,2026-03-19T17:43:54Z,"Prototype Pollution via parse() in NodeJS flatted",flatted,0,3.4.2,,HIGH,CWE-1321,
5425
+ CVE-2026-33244,2026-06-03T20:33:01Z,"React Router has stored XSS via unescaped Location header in prerendered redirect HTML",react-router,7.5.1,7.13.2,,MODERATE,CWE-79,
5426
+ CVE-2026-33245,2026-06-03T20:33:32Z,"React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets",react-router,7.7.0,7.13.2,,HIGH,CWE-79,
5419
5427
  CVE-2026-33285,2026-03-25T17:40:53Z,"LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash",liquidjs,0,,10.24.0,HIGH,CWE-20;CWE-400,
5420
5428
  CVE-2026-33287,2026-03-25T17:44:23Z,"LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern",liquidjs,0,,10.24.0,HIGH,CWE-20;CWE-400,
5421
5429
  CVE-2026-33311,2026-03-19T17:49:28Z,"SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials",@dicebear/core,5.0.0,5.4.4,,MODERATE,CWE-79,
@@ -5543,6 +5551,8 @@ CVE-2026-34076,2026-03-27T19:58:19Z,"Clerk: SSRF in the opt-in clerkFrontendApiP
5543
5551
  CVE-2026-34076,2026-03-27T19:58:19Z,"Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host",@clerk/express,2.0.0,2.0.7,,HIGH,CWE-918,
5544
5552
  CVE-2026-34076,2026-03-27T19:58:19Z,"Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host",@clerk/fastify,3.1.0,3.1.5,,HIGH,CWE-918,
5545
5553
  CVE-2026-34076,2026-03-27T19:58:19Z,"Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host",@clerk/hono,0.1.0,0.1.5,,HIGH,CWE-918,
5554
+ CVE-2026-34077,2026-06-04T15:23:51Z,"React Router vulnerable to Denial of Service via reflected user input in single-fetch",react-router,7.0.0,7.14.0,,HIGH,CWE-770,
5555
+ CVE-2026-34077,2026-06-04T15:23:51Z,"React Router vulnerable to Denial of Service via reflected user input in single-fetch",turbo-stream,0,3.0.0,,HIGH,CWE-770,
5546
5556
  CVE-2026-34083,2026-04-03T21:43:22Z,"Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow",signalk-server,2.20.0,2.24.0,,MODERATE,CWE-346;CWE-601,
5547
5557
  CVE-2026-34148,2026-04-07T18:04:09Z,"Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution",@fedify/fedify,0,1.9.6,,HIGH,CWE-400;CWE-770,
5548
5558
  CVE-2026-34148,2026-04-07T18:04:09Z,"Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution",@fedify/fedify,1.10.0,1.10.5,,HIGH,CWE-400;CWE-770,
@@ -5819,6 +5829,8 @@ CVE-2026-40171,2026-04-30T17:25:47Z,"Jupyter Notebook Vulnerable to Authenticati
5819
5829
  CVE-2026-40171,2026-04-30T17:25:47Z,"Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS","@jupyterlab/help-extension",0,4.5.7,,HIGH,CWE-601;CWE-79,
5820
5830
  CVE-2026-40175,2026-04-10T19:47:16Z,"Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",axios,0,0.31.0,,MODERATE,CWE-113;CWE-444;CWE-918,
5821
5831
  CVE-2026-40175,2026-04-10T19:47:16Z,"Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",axios,1.0.0,1.15.0,,MODERATE,CWE-113;CWE-444;CWE-918,
5832
+ CVE-2026-40181,2026-06-03T20:58:01Z,"React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation",react-router,6.7.0,6.30.4,,MODERATE,CWE-601,
5833
+ CVE-2026-40181,2026-06-03T20:58:01Z,"React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation",react-router,7.0.0,7.14.1,,MODERATE,CWE-601,
5822
5834
  CVE-2026-40186,2026-04-16T21:08:29Z,"sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements",sanitize-html,2.17.2,2.17.3,,MODERATE,CWE-79,
5823
5835
  CVE-2026-40190,2026-04-10T20:18:02Z,"LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`",langsmith,0,0.5.18,,MODERATE,CWE-1321,
5824
5836
  CVE-2026-40201,2026-05-01T09:30:25Z,"@diplodoc/search-extension allows stored XSS via Markdown file title","@diplodoc/search-extension",1.0.0,3.0.5,,MODERATE,CWE-79,
@@ -6065,6 +6077,7 @@ CVE-2026-42076,2026-04-22T22:06:03Z,"Evolver: Command Injection via `execSync` i
6065
6077
  CVE-2026-42077,2026-04-22T22:05:28Z,"Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations",@evomap/evolver,0,1.69.3,,MODERATE,CWE-1321,
6066
6078
  CVE-2026-42089,2026-05-26T23:10:38Z,"yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation",yeoman-environment,2.9.0,6.0.1,,HIGH,CWE-829,
6067
6079
  CVE-2026-42190,2026-04-24T15:36:52Z,"RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions",rwsdk,1.0.0-beta.50,1.2.3,,MODERATE,CWE-352,
6080
+ CVE-2026-42211,2026-06-03T21:03:32Z,"React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE",react-router,7.0.0,7.14.2,,HIGH,CWE-502,
6068
6081
  CVE-2026-42226,2026-04-29T21:22:26Z,"n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay",n8n,0,1.123.33,,HIGH,CWE-862,
6069
6082
  CVE-2026-42226,2026-04-29T21:22:26Z,"n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay",n8n,2.17.0,2.17.5,,HIGH,CWE-862,
6070
6083
  CVE-2026-42227,2026-04-29T21:21:00Z,"n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure",n8n,0,1.123.32,,MODERATE,CWE-639,
@@ -6116,6 +6129,8 @@ CVE-2026-42334,2026-05-05T21:48:06Z,"Mongoose's Improper Sanitization of $nor in
6116
6129
  CVE-2026-42334,2026-05-05T21:48:06Z,"Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection",mongoose,8.0.0,8.22.1,,HIGH,CWE-74,
6117
6130
  CVE-2026-42334,2026-05-05T21:48:06Z,"Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection",mongoose,9.0.0,9.1.6,,HIGH,CWE-74,
6118
6131
  CVE-2026-42338,2026-05-05T21:50:58Z,"ip-address has XSS in Address6 HTML-emitting methods",ip-address,0,10.1.1,,MODERATE,CWE-79,
6132
+ CVE-2026-42342,2026-06-03T21:05:17Z,"React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint","@remix-run/server-runtime",2.10.0,2.17.5,,HIGH,CWE-400,
6133
+ CVE-2026-42342,2026-06-03T21:05:17Z,"React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint",react-router,7.0.0,7.15.0,,HIGH,CWE-400,
6119
6134
  CVE-2026-42349,2026-04-30T18:20:02Z,"Clerk has an authorization bypass when combining organization, billing, or reverification checks","@clerk/tanstack-react-start",0.0.1,0.29.11,,HIGH,CWE-754;CWE-863,
6120
6135
  CVE-2026-42349,2026-04-30T18:20:02Z,"Clerk has an authorization bypass when combining organization, billing, or reverification checks","@clerk/tanstack-react-start",1.0.0,1.1.4,,HIGH,CWE-754;CWE-863,
6121
6136
  CVE-2026-42349,2026-04-30T18:20:02Z,"Clerk has an authorization bypass when combining organization, billing, or reverification checks",@clerk/astro,2.0.0,2.17.11,,HIGH,CWE-754;CWE-863,
@@ -6154,10 +6169,10 @@ CVE-2026-42424,2026-04-09T17:32:58Z,"OpenClaw: Shared reply MEDIA - paths are tr
6154
6169
  CVE-2026-42426,2026-04-09T17:36:33Z,"OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval",openclaw,0,2026.4.8,,MODERATE,CWE-269;CWE-863,
6155
6170
  CVE-2026-42427,2026-04-09T14:22:29Z,"OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)",openclaw,0,2026.4.8,,HIGH,CWE-184;CWE-78,
6156
6171
  CVE-2026-42428,2026-04-09T17:37:13Z,"OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification",openclaw,0,2026.4.8,,MODERATE,CWE-353,
6157
- CVE-2026-42429,2026-04-09T17:36:53Z,"OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`",openclaw,0,2026.4.8,,LOW,CWE-269,
6172
+ CVE-2026-42429,2026-04-09T17:36:53Z,"OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`",openclaw,0,2026.4.8,,LOW,CWE-269;CWE-863,
6158
6173
  CVE-2026-42430,2026-04-09T17:36:59Z,"OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable",openclaw,0,2026.4.8,,MODERATE,CWE-918,
6159
6174
  CVE-2026-42431,2026-04-09T17:34:21Z,"OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard",openclaw,0,2026.4.8,,MODERATE,CWE-863,
6160
- CVE-2026-42432,2026-04-09T17:35:53Z,"OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement",openclaw,0,2026.4.8,,HIGH,CWE-288,
6175
+ CVE-2026-42432,2026-04-09T17:35:53Z,"OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement",openclaw,0,2026.4.8,,HIGH,CWE-288;CWE-863,
6161
6176
  CVE-2026-42433,2026-04-17T22:15:27Z,"OpenClaw: Matrix profile config persistence was reachable from operator.write message tools",openclaw,0,2026.4.10,,HIGH,CWE-266;CWE-862;CWE-863,
6162
6177
  CVE-2026-42434,2026-04-17T22:14:56Z,"OpenClaw: Sandboxed agents could escape exec routing via host=node override",openclaw,2026.4.5,2026.4.10,,HIGH,CWE-863,
6163
6178
  CVE-2026-42435,2026-04-17T21:53:36Z,"OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms",openclaw,2026.2.22,2026.4.12,,MODERATE,CWE-78,
@@ -6166,7 +6181,11 @@ CVE-2026-42437,2026-04-17T21:48:36Z,"OpenClaw: Voice-call realtime WebSocket acc
6166
6181
  CVE-2026-42438,2026-04-17T22:17:57Z,"OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure",openclaw,2026.4.9,2026.4.10,,MODERATE,CWE-863,
6167
6182
  CVE-2026-42439,2026-04-17T22:01:57Z,"OpenClaw: Browser tabs action select and close routes bypassed SSRF policy",openclaw,0,2026.4.10,,MODERATE,CWE-862;CWE-918,
6168
6183
  CVE-2026-42449,2026-04-30T18:12:54Z,"n8n-mcp's IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders",n8n-mcp,2.47.4,2.47.14,,HIGH,CWE-918,
6169
- CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,0,2.2.3,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
6184
+ CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,0,1.9.11,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
6185
+ CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,1.10.0,1.10.10,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
6186
+ CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,2.0.0,2.0.18,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
6187
+ CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,2.1.0,2.1.14,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
6188
+ CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,2.2.0,2.2.3,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
6170
6189
  CVE-2026-42553,2026-05-07T16:40:52Z,"Cinny vulnerable to access token disclosure via invalidated emoji pack avatar URL in service worker",cinny,0,4.10.3,,HIGH,CWE-20,
6171
6190
  CVE-2026-42565,2026-05-05T18:42:26Z,"@workos/authkit-session has an Open Redirect via state-derived redirect target",@workos/authkit-session,0,0.5.1,,MODERATE,CWE-601,
6172
6191
  CVE-2026-42567,2026-05-14T20:29:05Z,"Svelte: ReDoS in `<svelte:element>` Tag Validation",svelte,5.51.5,5.55.7,,MODERATE,CWE-1333,
@@ -6180,6 +6199,7 @@ CVE-2026-42856,2026-05-05T17:25:37Z,"Network-AI missing authentication on MCP HT
6180
6199
  CVE-2026-42861,2026-05-14T14:52:24Z,"FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment",flowise,0,3.1.2,,HIGH,CWE-284;CWE-639;CWE-915,
6181
6200
  CVE-2026-42862,2026-05-14T14:52:40Z,"FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment",flowise,0,3.1.2,,HIGH,CWE-284;CWE-639;CWE-915,
6182
6201
  CVE-2026-42863,2026-05-14T14:54:28Z,"FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment",flowise,0,3.1.2,,HIGH,CWE-284;CWE-639;CWE-915,
6202
+ CVE-2026-42890,2026-06-08T18:21:26Z,"actual Allows Electron to Run As Node",actual,0,26.5.0,,MODERATE,CWE-250;CWE-693;CWE-94,
6183
6203
  CVE-2026-43526,2026-04-17T21:57:31Z,"OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes",openclaw,0,2026.4.12,,MODERATE,CWE-918,
6184
6204
  CVE-2026-43527,2026-04-17T21:58:15Z,"OpenClaw: Browser SSRF policy default allowed private-network navigation",openclaw,0,2026.4.14,,MODERATE,CWE-1188;CWE-918,
6185
6205
  CVE-2026-43528,2026-04-17T21:47:15Z,"OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases",openclaw,0,2026.4.14,,HIGH,CWE-212,
@@ -6264,6 +6284,7 @@ CVE-2026-44294,2026-05-12T15:06:17Z,"protobuf.js: Denial of service from crafted
6264
6284
  CVE-2026-44294,2026-05-12T15:06:17Z,"protobuf.js: Denial of service from crafted field names in generated code",protobufjs,8.0.0,8.0.2,,MODERATE,CWE-20,
6265
6285
  CVE-2026-44295,2026-05-12T15:06:22Z,"protobuf.js: Code injection in pbjs static output from crafted schema names",protobufjs-cli,0,1.2.1,,HIGH,CWE-94,
6266
6286
  CVE-2026-44295,2026-05-12T15:06:22Z,"protobuf.js: Code injection in pbjs static output from crafted schema names",protobufjs-cli,2.0.0,2.0.2,,HIGH,CWE-94,
6287
+ CVE-2026-44311,2026-06-12T21:00:32Z,"Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization",fabric,0,7.4.0,,MODERATE,CWE-116;CWE-79,
6267
6288
  CVE-2026-44351,2026-05-06T22:26:37Z,"fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver",fast-jwt,0,6.2.4,,CRITICAL,CWE-1391;CWE-287;CWE-326,
6268
6289
  CVE-2026-44372,2026-05-06T23:02:45Z,"Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules",nitro,0,3.0.260429-beta,,MODERATE,CWE-601,
6269
6290
  CVE-2026-44372,2026-05-06T23:02:45Z,"Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules",nitropack,0,2.13.4,,MODERATE,CWE-601,
@@ -6284,14 +6305,21 @@ CVE-2026-44459,2026-05-09T00:45:19Z,"Hono has improper validation of NumericDate
6284
6305
  CVE-2026-44479,2026-05-07T00:05:20Z,"Vercel: Non-interactive mode includes CLI arguments in suggested command output",vercel,50.16.0,52.0.1,,MODERATE,CWE-200;CWE-532,
6285
6306
  CVE-2026-44483,2026-05-11T16:09:40Z,"@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)",@rvf/set-get,6.0.0,6.0.4,,HIGH,CWE-1321,
6286
6307
  CVE-2026-44483,2026-05-11T16:09:40Z,"@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)",@rvf/set-get,7.0.0,7.0.2,,HIGH,CWE-1321,
6308
+ CVE-2026-44486,2026-06-04T14:15:01Z,"Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection",axios,0,0.32.0,,HIGH,CWE-200,
6309
+ CVE-2026-44486,2026-06-04T14:15:01Z,"Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection",axios,1.0.0,1.16.0,,HIGH,CWE-200,
6310
+ CVE-2026-44487,2026-06-04T14:19:53Z,"Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter",axios,0,0.32.0,,HIGH,CWE-201,
6311
+ CVE-2026-44487,2026-06-04T14:19:53Z,"Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter",axios,1.0.0,1.16.0,,HIGH,CWE-201,
6312
+ CVE-2026-44488,2026-06-04T14:21:37Z,"Allocation of Resources Without Limits or Throttling in Axios",axios,1.7.0,1.16.0,,HIGH,CWE-770,
6287
6313
  CVE-2026-44489,2026-05-29T15:51:02Z,"Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix",axios,1.15.2,1.16.0,,LOW,CWE-113;CWE-1321,
6288
6314
  CVE-2026-44490,2026-05-29T15:54:57Z,"axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions",axios,0,0.32.0,,MODERATE,CWE-1321,
6289
6315
  CVE-2026-44490,2026-05-29T15:54:57Z,"axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions",axios,1.0.0,1.16.0,,MODERATE,CWE-1321,
6290
6316
  CVE-2026-44492,2026-05-29T15:59:30Z,"axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",axios,0,0.32.0,,HIGH,CWE-918,
6291
6317
  CVE-2026-44492,2026-05-29T15:59:30Z,"axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",axios,1.0.0,1.16.0,,HIGH,CWE-918,
6292
- CVE-2026-44494,2026-05-29T16:04:00Z,"axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`",axios,1.0.0,1.16.0,,HIGH,CWE-441;CWE-1321,
6293
- CVE-2026-44495,2026-05-29T16:07:31Z,"axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",axios,0.19.0,0.31.1,,HIGH,CWE-94;CWE-1321,
6294
- CVE-2026-44495,2026-05-29T16:07:31Z,"axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",axios,1.0.0,1.15.2,,HIGH,CWE-94;CWE-1321,
6318
+ CVE-2026-44494,2026-05-29T16:04:00Z,"axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`",axios,1.0.0,1.16.0,,HIGH,CWE-1321;CWE-441,
6319
+ CVE-2026-44495,2026-05-29T16:07:31Z,"axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",axios,0.19.0,0.31.1,,HIGH,CWE-1321;CWE-94,
6320
+ CVE-2026-44495,2026-05-29T16:07:31Z,"axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",axios,1.0.0,1.15.2,,HIGH,CWE-1321;CWE-94,
6321
+ CVE-2026-44496,2026-06-04T14:24:06Z,"Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection",axios,0,0.32.0,,HIGH,CWE-400;CWE-1333,
6322
+ CVE-2026-44496,2026-06-04T14:24:06Z,"Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection",axios,1.0.0,1.16.0,,HIGH,CWE-400;CWE-1333,
6295
6323
  CVE-2026-44503,2026-05-07T01:49:01Z,"Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect",kiota-typescript,0,1.0.0-preview.100,,HIGH,CWE-601,
6296
6324
  CVE-2026-44572,2026-05-11T16:12:07Z,"Next.js's Middleware / Proxy redirects can be cache-poisoned",next,12.2.0,15.5.16,,LOW,CWE-349,
6297
6325
  CVE-2026-44572,2026-05-11T16:12:07Z,"Next.js's Middleware / Proxy redirects can be cache-poisoned",next,16.0.0,16.2.5,,LOW,CWE-349,
@@ -6471,6 +6499,7 @@ CVE-2026-45321,2026-05-12T00:12:49Z,"Malware in @tanstack/* packages exfiltrates
6471
6499
  CVE-2026-45321,2026-05-12T00:12:49Z,"Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys",@tanstack/zod-adapter,1.166.12,1.166.16,,CRITICAL,CWE-506,
6472
6500
  CVE-2026-45321,2026-05-12T00:12:49Z,"Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys",@tanstack/zod-adapter,1.166.15,1.166.16,,CRITICAL,CWE-506,
6473
6501
  CVE-2026-45325,2026-05-18T17:07:04Z,"@tmlmobilidade/utils has prototype pollution in its setValueAtPath",@tmlmobilidade/utils,0,20260509.0340.15,,HIGH,CWE-1321,
6502
+ CVE-2026-45337,2026-06-04T14:55:52Z,"Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending",better-auth,1.6.0,1.6.11,,HIGH,"CWE-285;CWE-345;CWE-639;CWE-863",
6474
6503
  CVE-2026-45346,2026-05-14T20:21:51Z,"Open WebUI Has Stored Cross-Site Scripting in SVG Renderer",open-webui,0,0.6.31,,MODERATE,CWE-80,
6475
6504
  CVE-2026-45353,2026-05-14T20:29:59Z,"Electerm Local code through electerm's single-instance socket",electerm,3.0.6,3.9.0,,CRITICAL,CWE-732;CWE-94;CWE-940,
6476
6505
  CVE-2026-45357,2026-05-27T17:33:52Z,"LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)",liquidjs,0,,10.25.7,HIGH,CWE-400,
@@ -6517,12 +6546,12 @@ CVE-2026-4601,2026-03-23T06:30:29Z,"jsrsasign: Missing cryptographic validation
6517
6546
  CVE-2026-4602,2026-03-23T06:30:29Z,"jsrsasign: Negative Exponent Handling Leads to Signature Verification Bypass",jsrsasign,0,11.1.1,,HIGH,CWE-681,
6518
6547
  CVE-2026-4603,2026-03-23T06:30:29Z,"jsrsasign: Division by Zero Allows Invalid JWK Modulus to Cause Deterministic Zero Output in RSA Operations",jsrsasign,0,11.1.1,,LOW,CWE-369,
6519
6548
  CVE-2026-46339,2026-05-19T19:22:05Z,"9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes",9router,0.4.30,0.4.37,,CRITICAL,CWE-306;CWE-78,
6520
- CVE-2026-46341,2026-05-19T16:34:34Z,"Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching",@apify/actors-mcp-server,0,0.9.21,,MODERATE,CWE-20;CWE-183,
6549
+ CVE-2026-46341,2026-05-19T16:34:34Z,"Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching",@apify/actors-mcp-server,0,0.9.21,,MODERATE,CWE-183;CWE-20,
6521
6550
  CVE-2026-46342,2026-05-19T20:03:24Z,"Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning",@nuxt/nitro-server,3.20.0,3.21.6,,LOW,CWE-349;CWE-444;CWE-79,
6522
6551
  CVE-2026-46342,2026-05-19T20:03:24Z,"Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning",@nuxt/nitro-server,4.2.0,4.4.6,,LOW,CWE-349;CWE-444;CWE-79,
6523
6552
  CVE-2026-46342,2026-05-19T20:03:24Z,"Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning",nuxt,3.1.0,3.21.6,,LOW,CWE-349;CWE-444;CWE-79,
6524
6553
  CVE-2026-46342,2026-05-19T20:03:24Z,"Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning",nuxt,4.0.0-alpha.1,4.4.6,,LOW,CWE-349;CWE-444;CWE-79,
6525
- CVE-2026-46357,2026-05-19T19:51:51Z,"HAX CMS: Denial of Service using Malicious Import Request",@haxtheweb/haxcms-nodejs,0,26.0.0,,MODERATE,CWE-476,
6554
+ CVE-2026-46357,2026-05-19T19:51:51Z,"HAX CMS: Denial of Service using Malicious Import Request",@haxtheweb/haxcms-nodejs,0,26.0.0,,MODERATE,CWE-20;CWE-476,
6526
6555
  CVE-2026-46372,2026-05-19T20:09:52Z,"SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl",sillytavern,0,1.18.0,,HIGH,CWE-918,
6527
6556
  CVE-2026-46391,2026-05-19T14:44:46Z,"HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis",@haxtheweb/open-apis,0,26.0.0,,HIGH,CWE-183;CWE-918,
6528
6557
  CVE-2026-46393,2026-05-19T14:44:20Z,"HAXcms createSite SSRF Enables Arbitrary File Read",@haxtheweb/haxcms-nodejs,0,26.0.0,,HIGH,CWE-918,
@@ -6556,7 +6585,7 @@ CVE-2026-46490,2026-05-21T17:14:07Z,"samlify: XML Injection in AttributeValue Al
6556
6585
  CVE-2026-46492,2026-05-21T17:57:32Z,"md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)",md-fileserver,0,1.10.3,,HIGH,CWE-80;CWE-87,
6557
6586
  CVE-2026-46496,2026-05-19T14:44:34Z,"HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft",@haxtheweb/haxcms-nodejs,0,26.0.0,,MODERATE,CWE-116;CWE-79,
6558
6587
  CVE-2026-46496,2026-05-19T14:44:34Z,"HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft",@haxtheweb/video-player,0,26.0.0,,MODERATE,CWE-116;CWE-79,
6559
- CVE-2026-46509,2026-05-14T20:55:24Z,"Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @ranfdev/deepobj",@ranfdev/deepobj,0,1.0.3,,HIGH,CWE-1321,
6588
+ CVE-2026-46509,2026-05-14T20:55:24Z,"@ranfdev/deepobj has a Prototype Pollution vulnerability",@ranfdev/deepobj,0,1.0.3,,HIGH,CWE-1321,
6560
6589
  CVE-2026-46510,2026-05-18T13:28:31Z,"form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys",form-data-objectizer,0,1.0.1,,HIGH,CWE-1321,
6561
6590
  CVE-2026-46511,2026-05-19T14:47:03Z,"HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack ",@haxtheweb/haxcms-nodejs,0,26.0.0,,HIGH,CWE-522;CWE-79;CWE-922,
6562
6591
  CVE-2026-46519,2026-05-21T20:33:46Z,"MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement",mcp-server-kubernetes,0,3.6.0,,HIGH,CWE-863,
@@ -6593,20 +6622,105 @@ CVE-2026-47209,2026-05-29T17:49:18Z,"vm2's Bridge Proxy set trap ignores receive
6593
6622
  CVE-2026-47210,2026-05-29T17:51:05Z,"vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass",vm2,0,3.11.4,,CRITICAL,CWE-913,
6594
6623
  CVE-2026-47248,2026-05-29T19:18:01Z,"Parse Server's GraphQL ""Did you mean ...?"" validation suggestions disclose schema to unauthenticated callers",parse-server,0,8.6.78,,MODERATE,CWE-209,
6595
6624
  CVE-2026-47248,2026-05-29T19:18:01Z,"Parse Server's GraphQL ""Did you mean ...?"" validation suggestions disclose schema to unauthenticated callers",parse-server,9.0.0,9.9.1-alpha.2,,MODERATE,CWE-209,
6625
+ CVE-2026-47250,2026-06-05T15:40:00Z,"MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration",mcp-server-kubernetes,0,3.7.0,,MODERATE,CWE-88,
6596
6626
  CVE-2026-47255,2026-05-29T19:23:29Z,"AgenticMail API/storage and outbound relay hardening fixes",@agenticmail/api,0,0.9.32,,HIGH,"CWE-20;CWE-284;CWE-319;CWE-798;CWE-89",
6597
6627
  CVE-2026-47255,2026-05-29T19:23:29Z,"AgenticMail API/storage and outbound relay hardening fixes",@agenticmail/core,0,0.9.10,,HIGH,"CWE-20;CWE-284;CWE-319;CWE-798;CWE-89",
6628
+ CVE-2026-47279,2026-06-05T15:52:54Z,"NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints",nocodb,0,2026.05.1,,MODERATE,CWE-284,
6629
+ CVE-2026-47375,2026-06-05T15:59:28Z,"NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`",nocodb,0,2026.04.1,,MODERATE,CWE-89,
6630
+ CVE-2026-47376,2026-06-05T15:59:53Z,"NocoDB: Reflected Cross-Site Scripting via Password Reset Token",nocodb,0,2026.04.1,,MODERATE,CWE-79,
6631
+ CVE-2026-47377,2026-06-05T16:00:15Z,"NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin",nocodb,0,2026.04.1,,MODERATE,CWE-601,
6632
+ CVE-2026-47378,2026-06-05T16:03:11Z,"NocoDB: Hidden Column Exposure in Public Shared View Endpoints",nocodb,0,2026.04.1,,MODERATE,CWE-639,
6633
+ CVE-2026-47379,2026-06-05T16:03:33Z,"NocoDB: Plaintext Password Comparison in Shared Views",nocodb,0,2026.05.1,,MODERATE,CWE-200;CWE-203,
6634
+ CVE-2026-47380,2026-06-05T16:03:55Z,"NocoDB: User Enumeration via Sign-In Timing",nocodb,0,2026.04.1,,LOW,CWE-208;CWE-307,
6635
+ CVE-2026-47381,2026-06-05T16:04:32Z,"NocoDB: Cross-Workspace Integration Use in Connection Test",nocodb,0,2026.05.1,,MODERATE,CWE-290,
6636
+ CVE-2026-47382,2026-06-05T16:19:01Z,"NocoDB: Server-Side Request Forgery via Database Connection Host",nocodb,0,2026.05.1,,MODERATE,CWE-918,
6637
+ CVE-2026-47383,2026-06-05T16:19:22Z,"NocoDB: Stored Cross-Site Scripting via Row Comments",nocodb,0,2026.05.1,,HIGH,CWE-79,
6638
+ CVE-2026-47384,2026-06-05T16:19:59Z,"NocoDB: SQL Injection via Column Title in Bulk GroupBy",nocodb,0,2026.05.1,,MODERATE,CWE-89,
6639
+ CVE-2026-47385,2026-06-05T16:20:20Z,"NocoDB: Path Traversal via SQLite Source Filename",nocodb,0,2026.05.1,,MODERATE,CWE-22,
6640
+ CVE-2026-47386,2026-06-05T16:20:32Z,"NocoDB: OAuth Authorization Code Race Condition",nocodb,0,2026.05.1,,MODERATE,CWE-362,
6641
+ CVE-2026-47387,2026-06-05T16:20:44Z,"NocoDB: Stored Cross-Site Scripting via Form View Redirect URL",nocodb,0,2026.05.1,,HIGH,CWE-79,
6642
+ CVE-2026-47388,2026-06-05T16:22:28Z,"NocoDB: Missing Ownership Check in MCP Attachment Read",nocodb,0,2026.05.1,,LOW,CWE-639,
6643
+ CVE-2026-47423,2026-06-01T14:07:29Z,"DOMPurify XSS via selectedcontent re-clone",dompurify,3.4.4,3.4.5,,HIGH,CWE-79,
6644
+ CVE-2026-47428,2026-06-01T14:12:18Z,"Vitest browser mode serves unsanitized otelCarrier query parameter as inline script",@vitest/browser,4.0.17,4.1.6,,CRITICAL,CWE-79,
6645
+ CVE-2026-47428,2026-06-01T14:12:18Z,"Vitest browser mode serves unsanitized otelCarrier query parameter as inline script",@vitest/browser,5.0.0-beta.0,5.0.0-beta.3,,CRITICAL,CWE-79,
6646
+ CVE-2026-47429,2026-06-01T14:09:53Z,"When Vitest UI server is listening, arbitrary file can be read and executed",vitest,0,3.2.6,,CRITICAL,CWE-862,
6647
+ CVE-2026-47429,2026-06-01T14:09:53Z,"When Vitest UI server is listening, arbitrary file can be read and executed",vitest,4.0.0,4.1.0,,CRITICAL,CWE-862,
6648
+ CVE-2026-47430,2026-06-08T12:30:29Z,"Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews.","cordova-plugin-inappbrowser",0,6.0.1,,CRITICAL,CWE-20,
6649
+ CVE-2026-47668,2026-06-05T16:25:23Z,"DbGate: Unauthenticated Remote Code Execution via JSON Script Runner",dbgate-serve,0,7.1.9,,CRITICAL,CWE-1188;CWE-20;CWE-94,
6650
+ CVE-2026-47669,2026-06-05T16:26:01Z,"DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE",dbgate,0,7.1.9,,CRITICAL,CWE-22,
6651
+ CVE-2026-47670,2026-06-05T16:30:59Z,"Authenticated Remote Code Execution via loadReader functionName code injection in DbGate",dbgate-api,0,7.1.9,,CRITICAL,CWE-77;CWE-78,
6652
+ CVE-2026-47673,2026-06-04T17:52:04Z,"Hono: JWT middleware accepts any Authorization scheme, not only Bearer",hono,0,4.12.21,,MODERATE,CWE-285,
6653
+ CVE-2026-47674,2026-06-04T18:00:22Z,"Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 ",hono,0,4.12.21,,MODERATE,CWE-1289;CWE-185,
6654
+ CVE-2026-47675,2026-06-04T17:59:25Z,"Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection",hono,0,4.12.21,,MODERATE,CWE-113;CWE-1287,
6655
+ CVE-2026-47676,2026-06-04T18:01:00Z,"Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths",hono,0,4.12.21,,MODERATE,CWE-444;CWE-693,
6656
+ CVE-2026-47684,2026-06-05T16:34:59Z,"Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP",@sync-in/server,0,2.3.0,,HIGH,CWE-918,
6598
6657
  CVE-2026-47717,2026-05-27T22:51:18Z,"FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations",fuxa-server,1.3.0,1.3.1,,HIGH,CWE-201,
6599
6658
  CVE-2026-47718,2026-05-28T20:33:11Z,"FUXA provides guest and invalid-token access to protected read APIs in secure mode",fuxa-server,1.3.0-2773,1.3.1,,MODERATE,CWE-287;CWE-862,
6659
+ CVE-2026-47719,2026-06-08T23:06:40Z,"FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading",fuxa-server,0,,1.1.14-1243,HIGH,CWE-918,
6660
+ CVE-2026-47720,2026-06-08T23:06:43Z,"FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString",fuxa-server,0,,1.1.14-1243,MODERATE,CWE-89,
6661
+ CVE-2026-47721,2026-06-08T23:07:02Z,"FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions",fuxa-server,0,,1.1.14-1243,MODERATE,CWE-862,
6662
+ CVE-2026-47759,2026-06-05T20:27:50Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes",tinymce,0,,,HIGH,CWE-79,
6663
+ CVE-2026-47759,2026-06-05T20:27:50Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes",tinymce,6.0.0,7.9.3,,HIGH,CWE-79,
6664
+ CVE-2026-47759,2026-06-05T20:27:50Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes",tinymce,8.0.0,8.5.1,,HIGH,CWE-79,
6665
+ CVE-2026-47760,2026-06-05T20:09:38Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs",tinymce,6.8.0,7.1.0,,HIGH,CWE-79,
6666
+ CVE-2026-47761,2026-06-05T20:29:43Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection",tinymce,0,,,HIGH,CWE-79,
6667
+ CVE-2026-47761,2026-06-05T20:29:43Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection",tinymce,6.0.0,7.9.3,,HIGH,CWE-79,
6668
+ CVE-2026-47761,2026-06-05T20:29:43Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection",tinymce,8.0.0,8.5.1,,HIGH,CWE-79,
6669
+ CVE-2026-47762,2026-06-05T20:29:07Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments",tinymce,0,,,HIGH,CWE-79,
6670
+ CVE-2026-47762,2026-06-05T20:29:07Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments",tinymce,6.0.0,7.9.3,,HIGH,CWE-79,
6671
+ CVE-2026-47762,2026-06-05T20:29:07Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments",tinymce,8.0.0,8.5.1,,HIGH,CWE-79,
6600
6672
  CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash,4.0.0,4.18.0,,HIGH,CWE-94,
6601
6673
  CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash-amd,4.0.0,4.18.0,,HIGH,CWE-94,
6602
6674
  CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash-es,4.0.0,4.18.0,,HIGH,CWE-94,
6603
6675
  CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash.template,4.0.0,4.18.0,,HIGH,CWE-94,
6676
+ CVE-2026-48007,2026-06-11T13:26:17Z,"Element Call reports full URLs of visited pages to analytics server","@element-hq/element-call-embedded",0.5.17,0.19.4,,HIGH,CWE-200,
6677
+ CVE-2026-48017,2026-06-05T16:39:38Z,"DbGate: Remote Code Execution via functionName injection in loadReader endpoint",dbgate-api,0,7.1.9,,HIGH,CWE-94,
6678
+ CVE-2026-48022,2026-06-11T13:27:05Z,"@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects",@hapi/wreck,0,18.1.2,,MODERATE,"CWE-200;CWE-319;CWE-346;CWE-522;CWE-940",
6679
+ CVE-2026-48032,2026-06-10T13:37:08Z,"@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers",@hulumi/policies,0,1.4.0,,HIGH,CWE-697,
6680
+ CVE-2026-48033,2026-06-10T13:37:38Z,"@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name",@hulumi/policies,0,1.4.0,,HIGH,CWE-693,
6681
+ CVE-2026-48034,2026-06-10T13:38:15Z,"@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket",@hulumi/policies,0,1.4.0,,HIGH,CWE-284,
6682
+ CVE-2026-48035,2026-06-10T13:38:37Z,"@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened",@hulumi/baseline,0,1.4.0,,HIGH,CWE-1059,
6683
+ CVE-2026-48036,2026-06-10T13:38:50Z,"@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts",@hulumi/drift,0,1.4.0,,HIGH,CWE-755,
6684
+ CVE-2026-48037,2026-06-10T13:38:59Z,"@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture",@hulumi/baseline,0,1.4.0,,MODERATE,CWE-693,
6685
+ CVE-2026-48038,2026-06-11T13:27:32Z,"joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas",joi,0,17.13.4,,MODERATE,CWE-248;CWE-400,
6686
+ CVE-2026-48038,2026-06-11T13:27:32Z,"joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas",joi,18.0.0,18.2.1,,MODERATE,CWE-248;CWE-400,
6687
+ CVE-2026-48049,2026-06-11T17:10:15Z,"@hapi/inert has a static-file confinement bypass via sibling-prefix path",@hapi/inert,4.0.0,7.1.1,,MODERATE,CWE-22,
6688
+ CVE-2026-48051,2026-06-10T13:39:10Z,"Papra HTTP redirect bypass can lead to SSRF via webhook delivery system",@papra/webhooks,0,0.3.3,,LOW,CWE-918,
6689
+ CVE-2026-48054,2026-06-11T13:27:24Z,"OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri",@openzeppelin/wizard,0,0.10.9,,HIGH,CWE-94,
6690
+ CVE-2026-48063,2026-06-10T19:33:20Z,"Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload",@whiskeysockets/baileys,0,6.7.22,,CRITICAL,CWE-290;CWE-345;CWE-346,
6691
+ CVE-2026-48063,2026-06-10T19:33:20Z,"Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload",@whiskeysockets/baileys,7.0.0-rc.1,7.0.0-rc12,,CRITICAL,CWE-290;CWE-345;CWE-346,
6692
+ CVE-2026-48063,2026-06-10T19:33:20Z,"Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload",baileys,0,6.7.22,,CRITICAL,CWE-290;CWE-345;CWE-346,
6693
+ CVE-2026-48063,2026-06-10T19:33:20Z,"Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload",baileys,7.0.0-rc.1,7.0.0-rc12,,CRITICAL,CWE-290;CWE-345;CWE-346,
6694
+ CVE-2026-48068,2026-06-11T13:27:54Z,"@grpc/grpc-js: A malformed request can cause a server crash",@grpc/grpc-js,0,1.9.16,,HIGH,CWE-248,
6695
+ CVE-2026-48068,2026-06-11T13:27:54Z,"@grpc/grpc-js: A malformed request can cause a server crash",@grpc/grpc-js,1.10.0,1.10.12,,HIGH,CWE-248,
6696
+ CVE-2026-48068,2026-06-11T13:27:54Z,"@grpc/grpc-js: A malformed request can cause a server crash",@grpc/grpc-js,1.11.0,1.11.4,,HIGH,CWE-248,
6697
+ CVE-2026-48068,2026-06-11T13:27:54Z,"@grpc/grpc-js: A malformed request can cause a server crash",@grpc/grpc-js,1.12.0,1.12.7,,HIGH,CWE-248,
6698
+ CVE-2026-48068,2026-06-11T13:27:54Z,"@grpc/grpc-js: A malformed request can cause a server crash",@grpc/grpc-js,1.13.0,1.13.5,,HIGH,CWE-248,
6699
+ CVE-2026-48068,2026-06-11T13:27:54Z,"@grpc/grpc-js: A malformed request can cause a server crash",@grpc/grpc-js,1.14.0,1.14.4,,HIGH,CWE-248,
6700
+ CVE-2026-48069,2026-06-11T13:27:44Z,"@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash",@grpc/grpc-js,0,1.9.16,,HIGH,CWE-248;CWE-400,
6701
+ CVE-2026-48069,2026-06-11T13:27:44Z,"@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash",@grpc/grpc-js,1.10.0,1.10.12,,HIGH,CWE-248;CWE-400,
6702
+ CVE-2026-48069,2026-06-11T13:27:44Z,"@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash",@grpc/grpc-js,1.11.0,1.11.4,,HIGH,CWE-248;CWE-400,
6703
+ CVE-2026-48069,2026-06-11T13:27:44Z,"@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash",@grpc/grpc-js,1.12.0,1.12.7,,HIGH,CWE-248;CWE-400,
6704
+ CVE-2026-48069,2026-06-11T13:27:44Z,"@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash",@grpc/grpc-js,1.13.0,1.13.5,,HIGH,CWE-248;CWE-400,
6705
+ CVE-2026-48069,2026-06-11T13:27:44Z,"@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash",@grpc/grpc-js,1.14.0,1.14.4,,HIGH,CWE-248;CWE-400,
6706
+ CVE-2026-48121,2026-06-12T15:05:32Z,"LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access","@langchain/langgraph-checkpoint-mongodb",0,1.3.1,,MODERATE,CWE-943,
6707
+ CVE-2026-48128,2026-06-12T15:08:23Z,"Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step",budibase,0,3.39.0,,MODERATE,CWE-918,
6708
+ CVE-2026-48146,2026-06-12T15:08:28Z,"Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection",@budibase/server,0,3.39.0,,HIGH,CWE-918,
6709
+ CVE-2026-48147,2026-06-12T18:23:41Z,"Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker ",@budibase/backend-core,0,3.35.4,,MODERATE,CWE-185;CWE-352,
6710
+ CVE-2026-48148,2026-06-12T18:27:45Z,"Budibase: Unvalidated VectorDB Host Parameter Enables SSRF",@budibase/server,0,3.35.3,,MODERATE,CWE-918,
6711
+ CVE-2026-48150,2026-06-12T18:28:26Z,"Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign",@budibase/server,0,3.39.0,,CRITICAL,CWE-915,
6712
+ CVE-2026-48151,2026-06-12T18:28:34Z,"Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema",@budibase/server,0,3.39.0,,HIGH,CWE-862,
6713
+ CVE-2026-48152,2026-06-12T18:28:40Z,"Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL",@budibase/server,0,3.39.0,,HIGH,CWE-863,
6604
6714
  CVE-2026-48527,2026-05-29T14:07:51Z,"HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint",@haxtheweb/haxcms-nodejs,0,26.0.1,,HIGH,CWE-79,
6605
6715
  CVE-2026-4867,2026-03-27T20:04:53Z,"path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",path-to-regexp,0,0.1.13,,HIGH,CWE-1333,
6716
+ CVE-2026-49143,2026-06-03T21:39:32Z,"browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in _log HTTP handler",browserstack-runner,0,,0.9.5,HIGH,CWE-94,
6717
+ CVE-2026-49144,2026-06-03T21:38:40Z,"browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server",browserstack-runner,0,,0.9.5,HIGH,CWE-22,
6606
6718
  CVE-2026-4923,2026-03-27T22:23:52Z,"path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards",path-to-regexp,8.0.0,8.4.0,,MODERATE,CWE-1333,
6607
6719
  CVE-2026-4926,2026-03-27T22:23:27Z,"path-to-regexp vulnerable to Denial of Service via sequential optional groups",path-to-regexp,8.0.0,8.4.0,,HIGH,CWE-1333;CWE-400,
6720
+ CVE-2026-50287,2026-06-01T13:58:33Z,"@agenticmail/mcp Missing Authentication for Critical Function",@agenticmail/mcp,0,0.9.27,,HIGH,CWE-306,
6608
6721
  CVE-2026-5323,2026-04-02T09:30:24Z,"a11y-mcp: Server-Side Request Forgery (SSRF) vulnerability in A11yServer function",a11y-mcp,0,1.0.5,,LOW,CWE-918,
6609
6722
  CVE-2026-5327,2026-04-02T12:31:05Z,"fast-filesystem-mcp is vulnerable to command injection through handleGetDiskUsage function",fast-filesystem-mcp,0,,3.5.0,LOW,CWE-74,
6723
+ CVE-2026-53926,2026-06-05T16:43:09Z,"NocoDB: OAuth Tokens Persist Through Security Events",nocodb,0,2026.05.1,,MODERATE,CWE-613,
6610
6724
  CVE-2026-5602,2026-04-06T00:30:24Z,"@nor2/heim-mcp vulnerable to command injection",@nor2/heim-mcp,0,,0.1.3,LOW,CWE-77,
6611
6725
  CVE-2026-5603,2026-04-06T00:30:24Z,"@elgentos/magento2-dev-mcp vulnerable to command injection","@elgentos/magento2-dev-mcp",0,,1.0.2,LOW,CWE-77,
6612
6726
  CVE-2026-5758,2026-04-15T18:31:58Z,"Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution",protocol-buffers-schema,0,3.6.1,,MODERATE,CWE-1321,
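Review bot: The first row added for each of CVE-2026-47759, CVE-2026-47761 and CVE-2026-47762 has the shape `tinymce,0,,,HIGH,CWE-79,` — introduced 0 with neither a fixed nor a last-affected version — so a matcher that unions the rows per advisory will flag every tinymce release, including the 7.9.3 and 8.5.1 fixes recorded in the sibling rows for the same advisories. Elsewhere in this hunk an unfixed series is still given an explicit upper bound (for example `fuxa-server,0,,1.1.14-1243` and `browserstack-runner,0,,0.9.5`), so these three rows look like a dropped upper bound rather than an intentional catch-all, presumably for the series below 6.0.0. If this CSV is exported from an upstream advisory feed the correction belongs in the exporter; otherwise the rows should carry the last affected version in the last-affected column or be removed. Either way, it is worth confirming how this package's range matcher treats a row with both bound columns empty before this data ships.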
@@ -6642,6 +6756,7 @@ CVE-2026-8766,2026-05-18T00:31:36Z,"@kilocode/cli Vulnerable to Exposure of Sens
6642
6756
  CVE-2026-8769,2026-05-18T00:31:37Z,"@ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue",@ai-sdk/provider-utils,0,,3.0.97,LOW,CWE-400,
6643
6757
  CVE-2026-8813,2026-05-29T17:58:37Z,"ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag",exifreader,2.10.0,4.39.0,,HIGH,CWE-1284,
6644
6758
  CVE-2026-8814,2026-05-29T17:52:26Z,"ExifReader is vulnerable to denial of service via unbounded decompression of image metadata",exifreader,4.20.0,4.39.0,,MODERATE,CWE-409,
6759
+ CVE-2026-9277,2026-06-09T14:27:15Z,"shell-quote quote() does not escape newlines in object .op values",shell-quote,1.1.0,1.8.4,,CRITICAL,CWE-77;CWE-78,
6645
6760
  GHSA-224h-p7p5-rh85,2020-09-01T17:32:26Z,"Directory Traversal in wenluhong1",wenluhong1,0.0.0,,,HIGH,CWE-22,
6646
6761
  GHSA-224p-v68g-5g8f,2025-08-26T18:45:55Z,"GraphQL Armor Max-Depth Plugin Bypass via fragment caching","@escape.tech/graphql-armor-max-depth",0,2.4.2,,MODERATE,CWE-400,
6647
6762
  GHSA-226w-6hhj-69hp,2020-09-03T19:06:52Z,"Malicious Package in cal_rd",cal_rd,0.0.0,,,CRITICAL,CWE-506,
@@ -7424,6 +7539,7 @@ GHSA-g74r-ffvr-5q9f,2019-06-03T17:26:44Z,"Memory Exposure in concat-stream",conc
7424
7539
  GHSA-g753-jx37-7xwh,2020-06-30T16:05:08Z,"ECDSA signature vulnerability of Minerva timing attack in jsrsasign",jsrsasign,4.0.0,8.0.13,,MODERATE,CWE-362,
7425
7540
  GHSA-g7h8-p22m-2rvx,2020-09-04T15:08:46Z,"Prototype Pollution in flat-wrap",flat-wrap,0.0.0,,,HIGH,CWE-1321,
7426
7541
  GHSA-g7mw-5cq6-fv82,2020-09-02T21:20:40Z,"Cross-Site Scripting in wangeditor",wangeditor,0,,,HIGH,CWE-79,
7542
+ GHSA-g7r4-m6w7-qqqr,2026-06-12T20:08:53Z,"esbuild allows arbitrary file read when running the development server on Windows",esbuild,0.27.3,0.28.1,,LOW,CWE-22,
7427
7543
  GHSA-g839-vp47-wgh8,2026-03-21T03:31:15Z,"Duplicate Advisory: OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress",openclaw,0,,2026.2.24,MODERATE,CWE-863,
7428
7544
  GHSA-g86v-f9qv-rh6m,2026-03-31T23:58:43Z,"OpenClaw SSRF guard misses four IPv6 special-use ranges",openclaw,0,2026.3.28,,LOW,CWE-918,
7429
7545
  GHSA-g8jc-mm3c-cwhj,2020-09-02T20:31:06Z,"Malicious Package in reques",reques,0,,,CRITICAL,CWE-506,
@@ -7468,6 +7584,7 @@ GHSA-gqqj-85qm-8qhf,2026-04-16T22:47:40Z,"Paperclip: codex_local inherited ChatG
7468
7584
  GHSA-gr4j-r575-g665,2020-08-25T14:04:47Z,"Cross-Site Scripting in highcharts",highcharts,0,7.2.2,,HIGH,CWE-79,
7469
7585
  GHSA-gr4j-r575-g665,2020-08-25T14:04:47Z,"Cross-Site Scripting in highcharts",highcharts,8.0.0,8.1.1,,HIGH,CWE-79,
7470
7586
  GHSA-gv2f-q4wp-fvh5,2026-04-24T00:31:51Z,"Duplicate Advisory: OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials",openclaw,0,2026.3.28,,HIGH,CWE-346,
7587
+ GHSA-gv7w-rqvm-qjhr,2026-06-12T20:08:59Z,"esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY",esbuild,0.17.0,0.28.1,,HIGH,CWE-426;CWE-494,
7471
7588
  GHSA-gvff-25cc-4f66,2020-09-03T17:15:56Z,"Path Traversal in restify-swagger-jsdoc",restify-swagger-jsdoc,0,3.2.1,,HIGH,CWE-22,
7472
7589
  GHSA-gvm7-8fq3-qjj2,2020-09-03T19:43:18Z,"Malicious Package in bs85",bs85,0.0.0,,,CRITICAL,CWE-506,
7473
7590
  GHSA-gw32-9rmw-qwww,2026-01-16T21:02:56Z,"svelte is vulnerable to XSS with textarea bind:value",svelte,3.0.0,3.59.2,,HIGH,CWE-79,
@@ -7601,6 +7718,7 @@ GHSA-jmqm-f2gx-4fjv,2020-07-07T18:59:10Z,"Sensitive information exposure through
7601
7718
  GHSA-jp4j-q5fc-58gv,2026-03-31T23:58:08Z,"OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement",openclaw,2026.2.14,2026.3.28,,MODERATE,CWE-862,
7602
7719
  GHSA-jp99-5h8w-gmxc,2020-09-04T15:03:13Z,"Sandbox Breakout / Arbitrary Code Execution in @zhaoyao91/eval-in-vm",@zhaoyao91/eval-in-vm,0.0.0,,,CRITICAL,,
7603
7720
  GHSA-jp9g-5x75-ccp8,2020-09-02T21:34:30Z,"Malicious Package in colro-name",colro-name,0,,,CRITICAL,CWE-506,
7721
+ GHSA-jpvj-wpmj-h7rv,2026-06-04T19:37:04Z,"Supply chain compromise via malicious @cap-js/openapi",@cap-js/openapi,1.4.1,1.4.2,,CRITICAL,CWE-506,
7604
7722
  GHSA-jq4x-98m3-ggq6,2026-03-02T22:32:23Z,"OpenClaw Canvas Path Traversal Information Disclosure Vulnerability",openclaw,0,2026.2.21,,HIGH,CWE-22,
7605
7723
  GHSA-jqjg-v355-hr9q,2020-09-03T22:11:02Z,"Malicious Package in buffer-xop",buffer-xop,0.0.0,,,CRITICAL,CWE-506,
7606
7724
  GHSA-jqpf-vj28-9v7r,2026-03-19T03:30:57Z,"Duplicate Advisory: Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch",openclaw,2026.2.22,,2026.2.23,HIGH,CWE-863,
@@ -7629,8 +7747,6 @@ GHSA-m5ch-gx8g-rg73,2020-09-02T15:43:53Z,"Remote Code Execution in pomelo-monito
7629
7747
  GHSA-m5j2-r859-r5cv,2026-05-11T18:31:46Z,"Duplicate Advisory: OpenClaw: Isolated cron awareness events were recorded as trusted system events",openclaw,0,2026.4.20,,MODERATE,CWE-345,
7630
7748
  GHSA-m5jp-p3r5-mfqp,2026-04-10T00:30:30Z,"Duplicate Advisory: OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`",openclaw,0,,2026.3.24,MODERATE,CWE-648;CWE-863,
7631
7749
  GHSA-m5p4-7wf9-6w99,2020-09-01T21:10:53Z,"Malicious Package in regenrator",regenrator,0,,,CRITICAL,CWE-506,
7632
- GHSA-m5qc-5hw7-8vg7,2025-04-02T15:04:58Z,"image-size Denial of Service via Infinite Loop during Image Processing",image-size,1.1.0,1.2.1,,HIGH,CWE-770,
7633
- GHSA-m5qc-5hw7-8vg7,2025-04-02T15:04:58Z,"image-size Denial of Service via Infinite Loop during Image Processing",image-size,2.0.0,2.0.2,,HIGH,CWE-770,
7634
7750
  GHSA-m69h-jm2f-2pv8,2026-03-13T20:54:30Z,"OpenClaw: Feishu reaction events could bypass group authorization and mention gating",openclaw,0,2026.3.12,,MODERATE,CWE-285;CWE-863,
7635
7751
  GHSA-m6q2-9pfm-2wvr,2020-09-03T17:02:49Z,"Malicious Package in wallet-address-vaildator",wallet-address-vaildator,0.0.0,,,CRITICAL,CWE-506,
7636
7752
  GHSA-m6w8-fq7v-ph4m,2022-01-13T16:09:36Z,"GovernorCompatibilityBravo incorrect ABI encoding may lead to unexpected behavior","@openzeppelin/contracts-upgradeable",4.3.0,4.4.2,,MODERATE,,
@@ -8153,7 +8269,7 @@ GHSA-xrr6-6ww3-f3qm,2020-09-02T21:25:58Z,"Sandbox Breakout / Arbitrary Code Exec
8153
8269
  GHSA-xrrg-wfwc-c7r3,2020-09-04T15:33:52Z,"Malicious Package in bictoin-ops",bictoin-ops,0.0.0,,,CRITICAL,CWE-506,
8154
8270
  GHSA-xv3q-jrmm-4fxv,2023-04-18T22:28:02Z,"Authentication Bypass in @strapi/plugin-users-permissions","@strapi/plugin-users-permissions",3.2.1,4.6.0,,HIGH,,
8155
8271
  GHSA-xv56-3wq5-9997,2026-01-13T19:57:06Z,"Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository",renovate,39.218.0,40.33.0,,MODERATE,CWE-77,
8156
- GHSA-xvp7-8vm8-xfxx,2025-10-20T17:55:59Z,"Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers",@actual-app/sync-server,0,,25.10.0,MODERATE,CWE-209;CWE-219,
8272
+ GHSA-xvp7-8vm8-xfxx,2025-10-20T17:55:59Z,"Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers",@actual-app/sync-server,0,25.11.0,,MODERATE,CWE-209;CWE-215;CWE-219,
8157
8273
  GHSA-xw79-hhv6-578c,2020-09-11T21:16:59Z,"Cross-Site Scripting in serve",serve,0,10.0.2,,HIGH,CWE-79,
8158
8274
  GHSA-xwcj-hwhf-h378,2026-03-16T20:40:13Z,"OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs",openclaw,0,2026.3.13,,MODERATE,CWE-532,
8159
8275
  GHSA-xwqw-rf2q-xmhf,2020-09-01T21:23:38Z,"Cross-Site Scripting in buefy",buefy,0,0.7.2,,HIGH,CWE-79,
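--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@openrewrite/recipes-nodejs",
-"version": "0.46.0",
+"version": "0.46.2",
 "license": "Moderne Proprietary",
 "description": "OpenRewrite recipes for Node.js library migrations.",
 "homepage": "https://github.com/moderneinc/rewrite-node",
@@ -25,7 +25,7 @@
 "ci:test": "jest"
 },
 "dependencies": {
-"@openrewrite/rewrite": "^8.84.0-20260603-101048",
+"@openrewrite/rewrite": "^8.86.0-20260617-083043",
 "mutative": "^1.1.0",
 "semver": "^7.7.3"
 },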
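Review bot: The new `"@openrewrite/rewrite": "^8.86.0-20260617-083043"` range does not pin the build this release was tested against: a caret on a pre-release-tagged version resolves, under npm semver, to any `8.86.0-*` tag that sorts at or above `20260617-083043` and to every later stable `8.x` release, so consumers of `0.46.2` may install a different `@openrewrite/rewrite` than the one used to publish it. The previous line had the same shape, so this is pre-existing rather than introduced here, and it may be intentional for a snapshot-driven release flow. If the intent is to ship against exactly the tested build, an exact spec `"@openrewrite/rewrite": "8.86.0-20260617-083043"` (or a lockfile/`overrides` on the consuming side) closes that gap; if floating is intended, a short note in the changelog saying so would save the next reader from guessing.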