@openrewrite/recipes-nodejs 0.46.1 → 0.46.2
This diff represents the contents of publicly available package versions that have been released to one of the supported registries. It is provided for informational purposes only and reflects the changes between package versions as they appear in their respective public registries.
- package/dist/resources/advisories-npm.csv +136 -20
- package/package.json +2 -2
|
@@ -620,7 +620,8 @@ CVE-2018-1000136,2018-03-26T16:41:17Z,"Electron Vulnerable to Code Execution by
|
|
|
620
620
|
CVE-2018-1000136,2018-03-26T16:41:17Z,"Electron Vulnerable to Code Execution by Re-Enabling Node.js Integration",electron,2.0.0-beta.1,2.0.0-beta.5,,HIGH,CWE-20,
|
|
621
621
|
CVE-2018-1000160,2018-04-25T14:30:43Z,"Cross-Site Scripting in @risingstack/protect",@risingstack/protect,0,,1.2.0,MODERATE,CWE-79,
|
|
622
622
|
CVE-2018-1000534,2022-05-14T03:06:11Z,"Joplin Vulnerable to Cross-site Scripting in Note Content ",joplin,0,1.0.90,,MODERATE,CWE-79,
|
|
623
|
-
CVE-2018-1000620,2018-09-11T18:22:50Z,"Insufficient Entropy in cryptiles",cryptiles,3.1.0,
|
|
623
|
+
CVE-2018-1000620,2018-09-11T18:22:50Z,"Insufficient Entropy in cryptiles",cryptiles,3.1.0,3.1.3,,CRITICAL,CWE-331,
|
|
624
|
+
CVE-2018-1000620,2018-09-11T18:22:50Z,"Insufficient Entropy in cryptiles",cryptiles,4.0.0,4.1.2,,CRITICAL,CWE-331,
|
|
624
625
|
CVE-2018-1002203,2018-07-27T17:06:50Z,"Arbitrary File Write via Archive Extraction in unzipper",unzipper,0,0.8.13,,MODERATE,CWE-22,
|
|
625
626
|
CVE-2018-1002204,2018-07-27T17:07:14Z,"Arbitrary File Write in adm-zip",adm-zip,0,0.4.11,,MODERATE,CWE-22,
|
|
626
627
|
CVE-2018-1107,2022-01-06T20:44:07Z,"Regular expression deinal of service (ReDoS) in is-my-json-valid",is-my-json-valid,0,1.4.1,,MODERATE,CWE-400,
|
|
@@ -2687,7 +2688,7 @@ CVE-2023-29199,2023-04-12T20:42:44Z,"vm2 Sandbox Escape vulnerability",vm2,0,3.9
|
|
|
2687
2688
|
CVE-2023-29529,2023-04-14T16:14:17Z,"matrix-js-sdk vulnerable to invisible eavesdropping in group calls",matrix-js-sdk,0,24.1.0,,MODERATE,CWE-862,
|
|
2688
2689
|
CVE-2023-29566,2023-04-24T18:30:31Z,"Remote code execution in dawnsparks-node-tesseract","dawnsparks-node-tesseract",0,0.4.1,,CRITICAL,CWE-77,
|
|
2689
2690
|
CVE-2023-29641,2023-05-01T18:30:23Z,"editor.md vulnerable to Cross-site Scripting",editor.md,0,,1.5.0,MODERATE,CWE-79,
|
|
2690
|
-
CVE-2023-2968,2023-05-30T18:30:23Z,"proxy denial of service vulnerability",proxy,2.0.0,2.1.1,,
|
|
2691
|
+
CVE-2023-2968,2023-05-30T18:30:23Z,"proxy denial of service vulnerability",proxy,2.0.0,2.1.1,,HIGH,CWE-232,
|
|
2691
2692
|
CVE-2023-2972,2023-05-30T12:30:17Z,"antfu/utils vulnerable to prototype pollution",@antfu/utils,0,0.7.3,,MODERATE,CWE-1321,
|
|
2692
2693
|
CVE-2023-30094,2023-05-04T21:30:27Z,"Cross-site scripting in TotalJS",total4,0,0.0.81,,MODERATE,CWE-79,
|
|
2693
2694
|
CVE-2023-30363,2023-04-26T21:30:37Z,"Prototype Pollution in vConsole",vconsole,0,3.15.1,,CRITICAL,CWE-1321,
|
|
@@ -2910,7 +2911,7 @@ CVE-2023-48218,2023-11-20T21:01:43Z,"Bypass of field access control in strapi-pl
|
|
|
2910
2911
|
CVE-2023-48219,2023-11-15T18:32:34Z,"TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes",tinymce,0,5.10.9,,MODERATE,CWE-79,
|
|
2911
2912
|
CVE-2023-48219,2023-11-15T18:32:34Z,"TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes",tinymce,6.0.0,6.7.3,,MODERATE,CWE-79,
|
|
2912
2913
|
CVE-2023-48223,2023-11-20T20:58:56Z,"JWT Algorithm Confusion",fast-jwt,0,3.3.2,,MODERATE,CWE-20,
|
|
2913
|
-
CVE-2023-48238,2023-11-17T22:48:15Z,"json-web-token library is vulnerable to a JWT algorithm confusion attack",json-web-token,0
|
|
2914
|
+
CVE-2023-48238,2023-11-17T22:48:15Z,"json-web-token library is vulnerable to a JWT algorithm confusion attack",json-web-token,0,4.0.0,,HIGH,CWE-20;CWE-345,
|
|
2914
2915
|
CVE-2023-48309,2023-11-20T23:25:36Z,"Possible user mocking that bypasses basic authentication",next-auth,0,4.24.5,,MODERATE,CWE-285,
|
|
2915
2916
|
CVE-2023-4863,2023-09-12T15:30:20Z,"libwebp: OOB write in BuildHuffmanTable",electron,22.0.0,22.3.24,,HIGH,CWE-787,
|
|
2916
2917
|
CVE-2023-4863,2023-09-12T15:30:20Z,"libwebp: OOB write in BuildHuffmanTable",electron,24.0.0,24.8.3,,HIGH,CWE-787,
|
|
@@ -3222,7 +3223,7 @@ CVE-2024-30260,2024-04-04T14:20:39Z,"Undici's Proxy-Authorization header not cle
|
|
|
3222
3223
|
CVE-2024-30260,2024-04-04T14:20:39Z,"Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline",undici,6.0.0,6.11.1,,LOW,CWE-200;CWE-285;CWE-863,
|
|
3223
3224
|
CVE-2024-30261,2024-04-04T14:20:54Z,"Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",undici,0,5.28.4,,LOW,CWE-284,
|
|
3224
3225
|
CVE-2024-30261,2024-04-04T14:20:54Z,"Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",undici,6.0.0,6.11.1,,LOW,CWE-284,
|
|
3225
|
-
CVE-2024-30564,2024-04-18T15:30:49Z,"@andrei-tatar/nora-firebase-common Prototype Pollution vulnerability","@andrei-tatar/nora-firebase-common",1.0.41,1.12.3,,
|
|
3226
|
+
CVE-2024-30564,2024-04-18T15:30:49Z,"@andrei-tatar/nora-firebase-common Prototype Pollution vulnerability","@andrei-tatar/nora-firebase-common",1.0.41,1.12.3,,CRITICAL,CWE-1321,
|
|
3226
3227
|
CVE-2024-31206,2024-04-04T14:21:19Z,"dectalk-tts Uses Unencrypted HTTP Request",dectalk-tts,1.0.0,1.0.1,,HIGH,CWE-300;CWE-319;CWE-598,
|
|
3227
3228
|
CVE-2024-31207,2024-04-03T16:46:17Z,"Vite's `server.fs.deny` did not deny requests for patterns with directories.",vite,2.7.0,2.9.18,,MODERATE,CWE-200;CWE-284,
|
|
3228
3229
|
CVE-2024-31207,2024-04-03T16:46:17Z,"Vite's `server.fs.deny` did not deny requests for patterns with directories.",vite,3.0.0,3.2.10,,MODERATE,CWE-200;CWE-284,
|
|
@@ -3512,6 +3513,8 @@ CVE-2024-51753,2024-11-05T17:34:47Z,"@workos-inc/authkit-remix refresh tokens ar
|
|
|
3512
3513
|
CVE-2024-51757,2024-11-06T15:27:50Z,"happy-dom allows for server side code to be executed by a <script> tag",happy-dom,0,15.10.2,,CRITICAL,CWE-79,
|
|
3513
3514
|
CVE-2024-51999,2025-12-01T18:59:17Z,"Withdrawn Advisory: express improperly controls modification of query properties",express,0,4.22.0,,LOW,CWE-915,
|
|
3514
3515
|
CVE-2024-51999,2025-12-01T18:59:17Z,"Withdrawn Advisory: express improperly controls modification of query properties",express,5.0.0,5.2.0,,LOW,CWE-915,
|
|
3516
|
+
CVE-2024-52011,2026-06-03T18:02:48Z,"launch-editor vulnerable to command injection via the crafted request on Windows",launch-editor,0,2.9.0,,HIGH,CWE-77,
|
|
3517
|
+
CVE-2024-52011,2026-06-03T18:02:48Z,"launch-editor vulnerable to command injection via the crafted request on Windows",vite,0,5.4.9,,HIGH,CWE-77,
|
|
3515
3518
|
CVE-2024-52588,2025-05-27T17:59:52Z,"Strapi allows Server-Side Request Forgery in Webhook function",@strapi/admin,0,4.25.2,,MODERATE,CWE-918,
|
|
3516
3519
|
CVE-2024-52798,2024-12-05T22:40:47Z,"path-to-regexp contains a ReDoS",path-to-regexp,0,0.1.12,,HIGH,CWE-1333,
|
|
3517
3520
|
CVE-2024-52809,2024-12-02T17:26:20Z,"vue-i18n has cross-site scripting vulnerability with prototype pollution",@intlify/core,10.0.0,10.0.5,,MODERATE,CWE-79,
|
|
@@ -4175,7 +4178,7 @@ CVE-2025-5889,2025-06-09T21:30:51Z,"brace-expansion Regular Expression Denial of
|
|
|
4175
4178
|
CVE-2025-5889,2025-06-09T21:30:51Z,"brace-expansion Regular Expression Denial of Service vulnerability",brace-expansion,2.0.0,2.0.2,,LOW,CWE-400,
|
|
4176
4179
|
CVE-2025-5889,2025-06-09T21:30:51Z,"brace-expansion Regular Expression Denial of Service vulnerability",brace-expansion,3.0.0,3.0.1,,LOW,CWE-400,
|
|
4177
4180
|
CVE-2025-5889,2025-06-09T21:30:51Z,"brace-expansion Regular Expression Denial of Service vulnerability",brace-expansion,4.0.0,4.0.1,,LOW,CWE-400,
|
|
4178
|
-
CVE-2025-5891,2025-06-09T21:30:51Z,"pm2 Regular Expression Denial of Service vulnerability",pm2,0,7.0.0,,LOW,CWE-
|
|
4181
|
+
CVE-2025-5891,2025-06-09T21:30:51Z,"pm2 Regular Expression Denial of Service vulnerability",pm2,0,7.0.0,,LOW,CWE-1333;CWE-400,
|
|
4179
4182
|
CVE-2025-5896,2025-06-09T21:30:52Z,"taro-css-to-react-native Regular Expression Denial of Service vulnerability",taro-css-to-react-native,0,4.1.2,,MODERATE,CWE-1333;CWE-400,
|
|
4180
4183
|
CVE-2025-5897,2025-06-09T21:30:52Z,"@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability",@vue/cli-plugin-pwa,0,,5.0.8,MODERATE,CWE-1333;CWE-400,
|
|
4181
4184
|
CVE-2025-59037,2025-09-09T14:39:14Z,"DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware",@duckdb/duckdb-wasm,1.29.2,1.30.0,,HIGH,CWE-506,
|
|
@@ -4491,6 +4494,8 @@ CVE-2025-69985,2026-02-24T18:31:02Z,"FUXA has JWT Authentication Bypass via HTTP
|
|
|
4491
4494
|
CVE-2025-70058,2026-02-23T18:32:02Z,"yapi disables TLS/SSL certificate validation via rejectUnauthorized: false in Axios HTTPS agent",yapi-vendor,0,,1.12.0,HIGH,CWE-295,
|
|
4492
4495
|
CVE-2025-70948,2026-03-05T21:30:49Z,"@perfood/couch-auth has a host header injection vulnerability",@perfood/couch-auth,0,,0.26.0,MODERATE,CWE-644;CWE-74,
|
|
4493
4496
|
CVE-2025-70949,2026-03-05T21:30:49Z,"@perfood/couch-auth has an Observable Timing Discrepancy ",@perfood/couch-auth,0,,0.26.0,HIGH,CWE-208,
|
|
4497
|
+
CVE-2025-71319,2025-04-02T15:04:58Z,"image-size Denial of Service via Infinite Loop during Image Processing",image-size,1.1.0,1.2.1,,HIGH,CWE-770;CWE-835,
|
|
4498
|
+
CVE-2025-71319,2025-04-02T15:04:58Z,"image-size Denial of Service via Infinite Loop during Image Processing",image-size,2.0.0,2.0.2,,HIGH,CWE-770;CWE-835,
|
|
4494
4499
|
CVE-2025-7338,2025-07-17T21:01:54Z,"Multer vulnerable to Denial of Service via unhandled exception from malformed request",multer,1.4.4-lts.1,2.0.2,,HIGH,CWE-248,
|
|
4495
4500
|
CVE-2025-7339,2025-07-17T21:17:19Z,"on-headers is vulnerable to http response header manipulation",on-headers,0,1.1.0,,LOW,CWE-241,
|
|
4496
4501
|
CVE-2025-7783,2025-07-21T19:04:54Z,"form-data uses unsafe random function in form-data for choosing boundary",form-data,0,2.5.4,,CRITICAL,CWE-330,
|
|
@@ -4577,7 +4582,7 @@ CVE-2026-22178,2026-03-02T22:17:30Z,"OpenClaw has ReDoS and regex injection via
|
|
|
4577
4582
|
CVE-2026-22179,2026-03-03T21:41:12Z,"OpenClaw has macOS `system.run` allowlist bypass via quoted command substitution",openclaw,0,2026.2.22,,HIGH,CWE-78,
|
|
4578
4583
|
CVE-2026-22180,2026-03-03T21:20:01Z,"OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows",openclaw,0,2026.3.2,,MODERATE,CWE-367;CWE-59,
|
|
4579
4584
|
CVE-2026-22181,2026-03-03T21:19:47Z,"OpenClaw's web tools strict URL guard could lose DNS pinning when env proxy is configured",openclaw,0,2026.3.2,,MODERATE,CWE-367;CWE-918,
|
|
4580
|
-
CVE-2026-22217,2026-03-03T21:36:16Z,"OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL",openclaw,2026.2.22,2026.2.23,,
|
|
4585
|
+
CVE-2026-22217,2026-03-03T21:36:16Z,"OpenClaw: shell-env trusted-prefix fallback allowed attacker-controlled binary execution via $SHELL",openclaw,2026.2.22,2026.2.23,,MODERATE,CWE-184;CWE-829,
|
|
4581
4586
|
CVE-2026-2229,2026-03-13T20:41:41Z,"Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",undici,0,6.24.0,,HIGH,CWE-248,
|
|
4582
4587
|
CVE-2026-2229,2026-03-13T20:41:41Z,"Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",undici,7.0.0,7.24.0,,HIGH,CWE-248,
|
|
4583
4588
|
CVE-2026-22594,2026-01-08T21:29:47Z,"Ghost has Staff 2FA bypass",ghost,5.105.0,5.130.6,,HIGH,CWE-287,
|
|
@@ -4830,7 +4835,7 @@ CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escala
|
|
|
4830
4835
|
CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escalation via a specially crafted request","@cubejs-backend/server-core",1.5.0,1.5.13,,HIGH,CWE-807,
|
|
4831
4836
|
CVE-2026-26019,2026-02-11T15:13:20Z,"@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation",@langchain/community,0,1.1.14,,MODERATE,CWE-918,
|
|
4832
4837
|
CVE-2026-26021,2026-02-11T15:13:28Z,"set-in Affected by Prototype Pollution",set-in,2.0.1,2.0.5,,CRITICAL,CWE-1321,
|
|
4833
|
-
CVE-2026-26028,2026-05-26T19:05:10Z,"CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS",cryptpad,0,,5.9.0,MODERATE,CWE-
|
|
4838
|
+
CVE-2026-26028,2026-05-26T19:05:10Z,"CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS",cryptpad,0,,5.9.0,MODERATE,CWE-116;CWE-79,
|
|
4834
4839
|
CVE-2026-26063,2026-02-12T17:04:50Z,"CediPay Affected by Improper Input Validation in Payment Processing",cedipay-core,0,1.2.3,,HIGH,CWE-20,
|
|
4835
4840
|
CVE-2026-26118,2026-03-10T18:31:21Z,"Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network",@azure/mcp,1.0.0,1.0.2,,HIGH,CWE-918,
|
|
4836
4841
|
CVE-2026-26118,2026-03-10T18:31:21Z,"Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network",@azure/mcp,2.0.0-beta.1,2.0.0-beta.17,,HIGH,CWE-918,
|
|
@@ -4866,7 +4871,7 @@ CVE-2026-26833,2026-03-25T18:31:47Z,"thumbler allows OS Command Injection",thumb
|
|
|
4866
4871
|
CVE-2026-26861,2026-02-27T18:31:06Z,"CleverTap Web SDK is vulnerable to DOM-based XSS via handleCustomHtmlPreviewPostMessageEvent function",clevertap-web-sdk,0,1.15.3,,HIGH,CWE-346;CWE-79,
|
|
4867
4872
|
CVE-2026-26862,2026-02-27T18:31:06Z,"CleverTap Web SDK is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage",clevertap-web-sdk,0,1.15.3,,HIGH,CWE-79,
|
|
4868
4873
|
CVE-2026-26954,2026-03-13T13:46:08Z,"SandboxJS affected by a Sandbox Escape",@nyariv/sandboxjs,0,0.8.34,,CRITICAL,CWE-94,
|
|
4869
|
-
CVE-2026-26956,2026-05-05T16:44:16Z,"VM2 Has a WASM Sandbox Escape
|
|
4874
|
+
CVE-2026-26956,2026-05-05T16:44:16Z,"VM2 Has a WASM Sandbox Escape",vm2,0,3.10.5,,CRITICAL,CWE-94;CWE-693,
|
|
4870
4875
|
CVE-2026-26960,2026-02-18T00:57:13Z,"Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction",tar,0,7.5.8,,HIGH,CWE-22,
|
|
4871
4876
|
CVE-2026-26972,2026-02-18T17:37:52Z,"OpenClaw has a Path Traversal in Browser Download Functionality",openclaw,2026.1.12,2026.2.13,,MODERATE,CWE-22,
|
|
4872
4877
|
CVE-2026-26974,2026-02-18T21:45:06Z,"Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde",@tygo-van-den-hurk/slyde,0,0.0.5,,HIGH,CWE-829,
|
|
@@ -5129,6 +5134,7 @@ CVE-2026-30229,2026-03-06T18:46:27Z,"parse-server's endpoint `/loginAs` allows `
|
|
|
5129
5134
|
CVE-2026-30241,2026-03-06T18:47:52Z,"Mercurius's queryDepth limit bypassed for WebSocket subscriptions",mercurius,0,16.8.0,,LOW,CWE-863,
|
|
5130
5135
|
CVE-2026-30587,2026-03-25T18:31:55Z,"Seafile Server has multiple stored XSS vulnerabilities",@seafile/sdoc-editor,0,2.0.209,,MODERATE,CWE-79,
|
|
5131
5136
|
CVE-2026-30587,2026-03-25T18:31:55Z,"Seafile Server has multiple stored XSS vulnerabilities",@seafile/sdoc-editor,3.0.0,3.0.75,,MODERATE,CWE-79,
|
|
5137
|
+
CVE-2026-30691,2026-05-20T18:31:36Z,"@cyntler/react-doc-viewer's TXTRenderer fails to sanitize file content and explicitly casts raw data as a ReactNode","@cyntler/react-doc-viewer",0,,1.17.1,MODERATE,CWE-79,
|
|
5132
5138
|
CVE-2026-30820,2026-03-06T18:48:22Z,"Flowise has Authorization Bypass via Spoofed x-request-from Header",flowise,0,3.0.13,,HIGH,CWE-863,
|
|
5133
5139
|
CVE-2026-30821,2026-03-06T18:49:20Z,"Flowise has Arbitrary File Upload via MIME Spoofing",flowise,0,3.0.13,,HIGH,CWE-434,
|
|
5134
5140
|
CVE-2026-30822,2026-03-06T22:19:14Z,"Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint",flowise,0,3.0.13,,HIGH,CWE-915,
|
|
@@ -5416,6 +5422,8 @@ CVE-2026-33163,2026-03-18T19:49:27Z,"Parse Server leaks protected fields via Liv
|
|
|
5416
5422
|
CVE-2026-33163,2026-03-18T19:49:27Z,"Parse Server leaks protected fields via LiveQuery afterEvent trigger",parse-server,9.0.0,9.6.0-alpha.35,,HIGH,CWE-200,
|
|
5417
5423
|
CVE-2026-33226,2026-03-18T20:22:11Z,"Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview",budibase,0,,3.30.6,HIGH,CWE-918,
|
|
5418
5424
|
CVE-2026-33228,2026-03-19T17:43:54Z,"Prototype Pollution via parse() in NodeJS flatted",flatted,0,3.4.2,,HIGH,CWE-1321,
|
|
5425
|
+
CVE-2026-33244,2026-06-03T20:33:01Z,"React Router has stored XSS via unescaped Location header in prerendered redirect HTML",react-router,7.5.1,7.13.2,,MODERATE,CWE-79,
|
|
5426
|
+
CVE-2026-33245,2026-06-03T20:33:32Z,"React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets",react-router,7.7.0,7.13.2,,HIGH,CWE-79,
|
|
5419
5427
|
CVE-2026-33285,2026-03-25T17:40:53Z,"LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash",liquidjs,0,,10.24.0,HIGH,CWE-20;CWE-400,
|
|
5420
5428
|
CVE-2026-33287,2026-03-25T17:44:23Z,"LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern",liquidjs,0,,10.24.0,HIGH,CWE-20;CWE-400,
|
|
5421
5429
|
CVE-2026-33311,2026-03-19T17:49:28Z,"SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials",@dicebear/core,5.0.0,5.4.4,,MODERATE,CWE-79,
|
|
@@ -5543,6 +5551,8 @@ CVE-2026-34076,2026-03-27T19:58:19Z,"Clerk: SSRF in the opt-in clerkFrontendApiP
|
|
|
5543
5551
|
CVE-2026-34076,2026-03-27T19:58:19Z,"Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host",@clerk/express,2.0.0,2.0.7,,HIGH,CWE-918,
|
|
5544
5552
|
CVE-2026-34076,2026-03-27T19:58:19Z,"Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host",@clerk/fastify,3.1.0,3.1.5,,HIGH,CWE-918,
|
|
5545
5553
|
CVE-2026-34076,2026-03-27T19:58:19Z,"Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host",@clerk/hono,0.1.0,0.1.5,,HIGH,CWE-918,
|
|
5554
|
+
CVE-2026-34077,2026-06-04T15:23:51Z,"React Router vulnerable to Denial of Service via reflected user input in single-fetch",react-router,7.0.0,7.14.0,,HIGH,CWE-770,
|
|
5555
|
+
CVE-2026-34077,2026-06-04T15:23:51Z,"React Router vulnerable to Denial of Service via reflected user input in single-fetch",turbo-stream,0,3.0.0,,HIGH,CWE-770,
|
|
5546
5556
|
CVE-2026-34083,2026-04-03T21:43:22Z,"Signal K Server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow",signalk-server,2.20.0,2.24.0,,MODERATE,CWE-346;CWE-601,
|
|
5547
5557
|
CVE-2026-34148,2026-04-07T18:04:09Z,"Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution",@fedify/fedify,0,1.9.6,,HIGH,CWE-400;CWE-770,
|
|
5548
5558
|
CVE-2026-34148,2026-04-07T18:04:09Z,"Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution",@fedify/fedify,1.10.0,1.10.5,,HIGH,CWE-400;CWE-770,
|
|
@@ -5819,6 +5829,8 @@ CVE-2026-40171,2026-04-30T17:25:47Z,"Jupyter Notebook Vulnerable to Authenticati
|
|
|
5819
5829
|
CVE-2026-40171,2026-04-30T17:25:47Z,"Jupyter Notebook Vulnerable to Authentication Token Theft via CommandLinker XSS","@jupyterlab/help-extension",0,4.5.7,,HIGH,CWE-601;CWE-79,
|
|
5820
5830
|
CVE-2026-40175,2026-04-10T19:47:16Z,"Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",axios,0,0.31.0,,MODERATE,CWE-113;CWE-444;CWE-918,
|
|
5821
5831
|
CVE-2026-40175,2026-04-10T19:47:16Z,"Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain",axios,1.0.0,1.15.0,,MODERATE,CWE-113;CWE-444;CWE-918,
|
|
5832
|
+
CVE-2026-40181,2026-06-03T20:58:01Z,"React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation",react-router,6.7.0,6.30.4,,MODERATE,CWE-601,
|
|
5833
|
+
CVE-2026-40181,2026-06-03T20:58:01Z,"React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation",react-router,7.0.0,7.14.1,,MODERATE,CWE-601,
|
|
5822
5834
|
CVE-2026-40186,2026-04-16T21:08:29Z,"sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements",sanitize-html,2.17.2,2.17.3,,MODERATE,CWE-79,
|
|
5823
5835
|
CVE-2026-40190,2026-04-10T20:18:02Z,"LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`",langsmith,0,0.5.18,,MODERATE,CWE-1321,
|
|
5824
5836
|
CVE-2026-40201,2026-05-01T09:30:25Z,"@diplodoc/search-extension allows stored XSS via Markdown file title","@diplodoc/search-extension",1.0.0,3.0.5,,MODERATE,CWE-79,
|
|
@@ -6065,6 +6077,7 @@ CVE-2026-42076,2026-04-22T22:06:03Z,"Evolver: Command Injection via `execSync` i
|
|
|
6065
6077
|
CVE-2026-42077,2026-04-22T22:05:28Z,"Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations",@evomap/evolver,0,1.69.3,,MODERATE,CWE-1321,
|
|
6066
6078
|
CVE-2026-42089,2026-05-26T23:10:38Z,"yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation",yeoman-environment,2.9.0,6.0.1,,HIGH,CWE-829,
|
|
6067
6079
|
CVE-2026-42190,2026-04-24T15:36:52Z,"RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions",rwsdk,1.0.0-beta.50,1.2.3,,MODERATE,CWE-352,
|
|
6080
|
+
CVE-2026-42211,2026-06-03T21:03:32Z,"React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE",react-router,7.0.0,7.14.2,,HIGH,CWE-502,
|
|
6068
6081
|
CVE-2026-42226,2026-04-29T21:22:26Z,"n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay",n8n,0,1.123.33,,HIGH,CWE-862,
|
|
6069
6082
|
CVE-2026-42226,2026-04-29T21:22:26Z,"n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay",n8n,2.17.0,2.17.5,,HIGH,CWE-862,
|
|
6070
6083
|
CVE-2026-42227,2026-04-29T21:21:00Z,"n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure",n8n,0,1.123.32,,MODERATE,CWE-639,
|
|
@@ -6116,6 +6129,8 @@ CVE-2026-42334,2026-05-05T21:48:06Z,"Mongoose's Improper Sanitization of $nor in
|
|
|
6116
6129
|
CVE-2026-42334,2026-05-05T21:48:06Z,"Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection",mongoose,8.0.0,8.22.1,,HIGH,CWE-74,
|
|
6117
6130
|
CVE-2026-42334,2026-05-05T21:48:06Z,"Mongoose's Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection",mongoose,9.0.0,9.1.6,,HIGH,CWE-74,
|
|
6118
6131
|
CVE-2026-42338,2026-05-05T21:50:58Z,"ip-address has XSS in Address6 HTML-emitting methods",ip-address,0,10.1.1,,MODERATE,CWE-79,
|
|
6132
|
+
CVE-2026-42342,2026-06-03T21:05:17Z,"React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint","@remix-run/server-runtime",2.10.0,2.17.5,,HIGH,CWE-400,
|
|
6133
|
+
CVE-2026-42342,2026-06-03T21:05:17Z,"React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint",react-router,7.0.0,7.15.0,,HIGH,CWE-400,
|
|
6119
6134
|
CVE-2026-42349,2026-04-30T18:20:02Z,"Clerk has an authorization bypass when combining organization, billing, or reverification checks","@clerk/tanstack-react-start",0.0.1,0.29.11,,HIGH,CWE-754;CWE-863,
|
|
6120
6135
|
CVE-2026-42349,2026-04-30T18:20:02Z,"Clerk has an authorization bypass when combining organization, billing, or reverification checks","@clerk/tanstack-react-start",1.0.0,1.1.4,,HIGH,CWE-754;CWE-863,
|
|
6121
6136
|
CVE-2026-42349,2026-04-30T18:20:02Z,"Clerk has an authorization bypass when combining organization, billing, or reverification checks",@clerk/astro,2.0.0,2.17.11,,HIGH,CWE-754;CWE-863,
|
|
@@ -6154,10 +6169,10 @@ CVE-2026-42424,2026-04-09T17:32:58Z,"OpenClaw: Shared reply MEDIA - paths are tr
|
|
|
6154
6169
|
CVE-2026-42426,2026-04-09T17:36:33Z,"OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval",openclaw,0,2026.4.8,,MODERATE,CWE-269;CWE-863,
|
|
6155
6170
|
CVE-2026-42427,2026-04-09T14:22:29Z,"OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)",openclaw,0,2026.4.8,,HIGH,CWE-184;CWE-78,
|
|
6156
6171
|
CVE-2026-42428,2026-04-09T17:37:13Z,"OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification",openclaw,0,2026.4.8,,MODERATE,CWE-353,
|
|
6157
|
-
CVE-2026-42429,2026-04-09T17:36:53Z,"OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`",openclaw,0,2026.4.8,,LOW,CWE-269,
|
|
6172
|
+
CVE-2026-42429,2026-04-09T17:36:53Z,"OpenClaw: Gateway plugin HTTP `auth: gateway` widens identity-bearing `operator.read` requests into runtime `operator.write`",openclaw,0,2026.4.8,,LOW,CWE-269;CWE-863,
|
|
6158
6173
|
CVE-2026-42430,2026-04-09T17:36:59Z,"OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable",openclaw,0,2026.4.8,,MODERATE,CWE-918,
|
|
6159
6174
|
CVE-2026-42431,2026-04-09T17:34:21Z,"OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard",openclaw,0,2026.4.8,,MODERATE,CWE-863,
|
|
6160
|
-
CVE-2026-42432,2026-04-09T17:35:53Z,"OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement",openclaw,0,2026.4.8,,HIGH,CWE-288,
|
|
6175
|
+
CVE-2026-42432,2026-04-09T17:35:53Z,"OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement",openclaw,0,2026.4.8,,HIGH,CWE-288;CWE-863,
|
|
6161
6176
|
CVE-2026-42433,2026-04-17T22:15:27Z,"OpenClaw: Matrix profile config persistence was reachable from operator.write message tools",openclaw,0,2026.4.10,,HIGH,CWE-266;CWE-862;CWE-863,
|
|
6162
6177
|
CVE-2026-42434,2026-04-17T22:14:56Z,"OpenClaw: Sandboxed agents could escape exec routing via host=node override",openclaw,2026.4.5,2026.4.10,,HIGH,CWE-863,
|
|
6163
6178
|
CVE-2026-42435,2026-04-17T21:53:36Z,"OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms",openclaw,2026.2.22,2026.4.12,,MODERATE,CWE-78,
|
|
@@ -6166,7 +6181,11 @@ CVE-2026-42437,2026-04-17T21:48:36Z,"OpenClaw: Voice-call realtime WebSocket acc
|
|
|
6166
6181
|
CVE-2026-42438,2026-04-17T22:17:57Z,"OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure",openclaw,2026.4.9,2026.4.10,,MODERATE,CWE-863,
|
|
6167
6182
|
CVE-2026-42439,2026-04-17T22:01:57Z,"OpenClaw: Browser tabs action select and close routes bypassed SSRF policy",openclaw,0,2026.4.10,,MODERATE,CWE-862;CWE-918,
|
|
6168
6183
|
CVE-2026-42449,2026-04-30T18:12:54Z,"n8n-mcp's IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders",n8n-mcp,2.47.4,2.47.14,,HIGH,CWE-918,
|
|
6169
|
-
CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,0,
|
|
6184
|
+
CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,0,1.9.11,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
|
|
6185
|
+
CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,1.10.0,1.10.10,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
|
|
6186
|
+
CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,2.0.0,2.0.18,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
|
|
6187
|
+
CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,2.1.0,2.1.14,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
|
|
6188
|
+
CVE-2026-42462,2026-05-26T23:38:37Z,"Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring",@fedify/fedify,2.2.0,2.2.3,,HIGH,"CWE-1289;CWE-180;CWE-347;CWE-436",
|
|
6170
6189
|
CVE-2026-42553,2026-05-07T16:40:52Z,"Cinny vulnerable to access token disclosure via invalidated emoji pack avatar URL in service worker",cinny,0,4.10.3,,HIGH,CWE-20,
|
|
6171
6190
|
CVE-2026-42565,2026-05-05T18:42:26Z,"@workos/authkit-session has an Open Redirect via state-derived redirect target",@workos/authkit-session,0,0.5.1,,MODERATE,CWE-601,
|
|
6172
6191
|
CVE-2026-42567,2026-05-14T20:29:05Z,"Svelte: ReDoS in `<svelte:element>` Tag Validation",svelte,5.51.5,5.55.7,,MODERATE,CWE-1333,
|
|
@@ -6180,6 +6199,7 @@ CVE-2026-42856,2026-05-05T17:25:37Z,"Network-AI missing authentication on MCP HT
|
|
|
6180
6199
|
CVE-2026-42861,2026-05-14T14:52:24Z,"FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment",flowise,0,3.1.2,,HIGH,CWE-284;CWE-639;CWE-915,
|
|
6181
6200
|
CVE-2026-42862,2026-05-14T14:52:40Z,"FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment",flowise,0,3.1.2,,HIGH,CWE-284;CWE-639;CWE-915,
|
|
6182
6201
|
CVE-2026-42863,2026-05-14T14:54:28Z,"FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment",flowise,0,3.1.2,,HIGH,CWE-284;CWE-639;CWE-915,
|
|
6202
|
+
CVE-2026-42890,2026-06-08T18:21:26Z,"actual Allows Electron to Run As Node",actual,0,26.5.0,,MODERATE,CWE-250;CWE-693;CWE-94,
|
|
6183
6203
|
CVE-2026-43526,2026-04-17T21:57:31Z,"OpenClaw: QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes",openclaw,0,2026.4.12,,MODERATE,CWE-918,
|
|
6184
6204
|
CVE-2026-43527,2026-04-17T21:58:15Z,"OpenClaw: Browser SSRF policy default allowed private-network navigation",openclaw,0,2026.4.14,,MODERATE,CWE-1188;CWE-918,
|
|
6185
6205
|
CVE-2026-43528,2026-04-17T21:47:15Z,"OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases",openclaw,0,2026.4.14,,HIGH,CWE-212,
|
|
@@ -6264,6 +6284,7 @@ CVE-2026-44294,2026-05-12T15:06:17Z,"protobuf.js: Denial of service from crafted
|
|
|
6264
6284
|
CVE-2026-44294,2026-05-12T15:06:17Z,"protobuf.js: Denial of service from crafted field names in generated code",protobufjs,8.0.0,8.0.2,,MODERATE,CWE-20,
|
|
6265
6285
|
CVE-2026-44295,2026-05-12T15:06:22Z,"protobuf.js: Code injection in pbjs static output from crafted schema names",protobufjs-cli,0,1.2.1,,HIGH,CWE-94,
|
|
6266
6286
|
CVE-2026-44295,2026-05-12T15:06:22Z,"protobuf.js: Code injection in pbjs static output from crafted schema names",protobufjs-cli,2.0.0,2.0.2,,HIGH,CWE-94,
|
|
6287
|
+
CVE-2026-44311,2026-06-12T21:00:32Z,"Fabric.js improper escaping in fabric.Gradient colorStops leads to XSS in SVG serialization",fabric,0,7.4.0,,MODERATE,CWE-116;CWE-79,
|
|
6267
6288
|
CVE-2026-44351,2026-05-06T22:26:37Z,"fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver",fast-jwt,0,6.2.4,,CRITICAL,CWE-1391;CWE-287;CWE-326,
|
|
6268
6289
|
CVE-2026-44372,2026-05-06T23:02:45Z,"Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules",nitro,0,3.0.260429-beta,,MODERATE,CWE-601,
|
|
6269
6290
|
CVE-2026-44372,2026-05-06T23:02:45Z,"Nitro has an Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules",nitropack,0,2.13.4,,MODERATE,CWE-601,
|
|
@@ -6284,14 +6305,21 @@ CVE-2026-44459,2026-05-09T00:45:19Z,"Hono has improper validation of NumericDate
|
|
|
6284
6305
|
CVE-2026-44479,2026-05-07T00:05:20Z,"Vercel: Non-interactive mode includes CLI arguments in suggested command output",vercel,50.16.0,52.0.1,,MODERATE,CWE-200;CWE-532,
|
|
6285
6306
|
CVE-2026-44483,2026-05-11T16:09:40Z,"@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)",@rvf/set-get,6.0.0,6.0.4,,HIGH,CWE-1321,
|
|
6286
6307
|
CVE-2026-44483,2026-05-11T16:09:40Z,"@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)",@rvf/set-get,7.0.0,7.0.2,,HIGH,CWE-1321,
|
|
6308
|
+
CVE-2026-44486,2026-06-04T14:15:01Z,"Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection",axios,0,0.32.0,,HIGH,CWE-200,
|
|
6309
|
+
CVE-2026-44486,2026-06-04T14:15:01Z,"Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection",axios,1.0.0,1.16.0,,HIGH,CWE-200,
|
|
6310
|
+
CVE-2026-44487,2026-06-04T14:19:53Z,"Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter",axios,0,0.32.0,,HIGH,CWE-201,
|
|
6311
|
+
CVE-2026-44487,2026-06-04T14:19:53Z,"Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter",axios,1.0.0,1.16.0,,HIGH,CWE-201,
|
|
6312
|
+
CVE-2026-44488,2026-06-04T14:21:37Z,"Allocation of Resources Without Limits or Throttling in Axios",axios,1.7.0,1.16.0,,HIGH,CWE-770,
|
|
6287
6313
|
CVE-2026-44489,2026-05-29T15:51:02Z,"Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix",axios,1.15.2,1.16.0,,LOW,CWE-113;CWE-1321,
|
|
6288
6314
|
CVE-2026-44490,2026-05-29T15:54:57Z,"axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions",axios,0,0.32.0,,MODERATE,CWE-1321,
|
|
6289
6315
|
CVE-2026-44490,2026-05-29T15:54:57Z,"axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions",axios,1.0.0,1.16.0,,MODERATE,CWE-1321,
|
|
6290
6316
|
CVE-2026-44492,2026-05-29T15:59:30Z,"axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",axios,0,0.32.0,,HIGH,CWE-918,
|
|
6291
6317
|
CVE-2026-44492,2026-05-29T15:59:30Z,"axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",axios,1.0.0,1.16.0,,HIGH,CWE-918,
|
|
6292
|
-
CVE-2026-44494,2026-05-29T16:04:00Z,"axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`",axios,1.0.0,1.16.0,,HIGH,CWE-
|
|
6293
|
-
CVE-2026-44495,2026-05-29T16:07:31Z,"axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",axios,0.19.0,0.31.1,,HIGH,CWE-
|
|
6294
|
-
CVE-2026-44495,2026-05-29T16:07:31Z,"axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",axios,1.0.0,1.15.2,,HIGH,CWE-
|
|
6318
|
+
CVE-2026-44494,2026-05-29T16:04:00Z,"axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`",axios,1.0.0,1.16.0,,HIGH,CWE-1321;CWE-441,
|
|
6319
|
+
CVE-2026-44495,2026-05-29T16:07:31Z,"axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",axios,0.19.0,0.31.1,,HIGH,CWE-1321;CWE-94,
|
|
6320
|
+
CVE-2026-44495,2026-05-29T16:07:31Z,"axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge",axios,1.0.0,1.15.2,,HIGH,CWE-1321;CWE-94,
|
|
6321
|
+
CVE-2026-44496,2026-06-04T14:24:06Z,"Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection",axios,0,0.32.0,,HIGH,CWE-400;CWE-1333,
|
|
6322
|
+
CVE-2026-44496,2026-06-04T14:24:06Z,"Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection",axios,1.0.0,1.16.0,,HIGH,CWE-400;CWE-1333,
|
|
6295
6323
|
CVE-2026-44503,2026-05-07T01:49:01Z,"Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect",kiota-typescript,0,1.0.0-preview.100,,HIGH,CWE-601,
|
|
6296
6324
|
CVE-2026-44572,2026-05-11T16:12:07Z,"Next.js's Middleware / Proxy redirects can be cache-poisoned",next,12.2.0,15.5.16,,LOW,CWE-349,
|
|
6297
6325
|
CVE-2026-44572,2026-05-11T16:12:07Z,"Next.js's Middleware / Proxy redirects can be cache-poisoned",next,16.0.0,16.2.5,,LOW,CWE-349,
|
|
@@ -6471,6 +6499,7 @@ CVE-2026-45321,2026-05-12T00:12:49Z,"Malware in @tanstack/* packages exfiltrates
|
|
|
6471
6499
|
CVE-2026-45321,2026-05-12T00:12:49Z,"Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys",@tanstack/zod-adapter,1.166.12,1.166.16,,CRITICAL,CWE-506,
|
|
6472
6500
|
CVE-2026-45321,2026-05-12T00:12:49Z,"Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys",@tanstack/zod-adapter,1.166.15,1.166.16,,CRITICAL,CWE-506,
|
|
6473
6501
|
CVE-2026-45325,2026-05-18T17:07:04Z,"@tmlmobilidade/utils has prototype pollution in its setValueAtPath",@tmlmobilidade/utils,0,20260509.0340.15,,HIGH,CWE-1321,
|
|
6502
|
+
CVE-2026-45337,2026-06-04T14:55:52Z,"Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending",better-auth,1.6.0,1.6.11,,HIGH,"CWE-285;CWE-345;CWE-639;CWE-863",
|
|
6474
6503
|
CVE-2026-45346,2026-05-14T20:21:51Z,"Open WebUI Has Stored Cross-Site Scripting in SVG Renderer",open-webui,0,0.6.31,,MODERATE,CWE-80,
|
|
6475
6504
|
CVE-2026-45353,2026-05-14T20:29:59Z,"Electerm Local code through electerm's single-instance socket",electerm,3.0.6,3.9.0,,CRITICAL,CWE-732;CWE-94;CWE-940,
|
|
6476
6505
|
CVE-2026-45357,2026-05-27T17:33:52Z,"LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)",liquidjs,0,,10.25.7,HIGH,CWE-400,
|
|
@@ -6517,12 +6546,12 @@ CVE-2026-4601,2026-03-23T06:30:29Z,"jsrsasign: Missing cryptographic validation
|
|
|
6517
6546
|
CVE-2026-4602,2026-03-23T06:30:29Z,"jsrsasign: Negative Exponent Handling Leads to Signature Verification Bypass",jsrsasign,0,11.1.1,,HIGH,CWE-681,
|
|
6518
6547
|
CVE-2026-4603,2026-03-23T06:30:29Z,"jsrsasign: Division by Zero Allows Invalid JWK Modulus to Cause Deterministic Zero Output in RSA Operations",jsrsasign,0,11.1.1,,LOW,CWE-369,
|
|
6519
6548
|
CVE-2026-46339,2026-05-19T19:22:05Z,"9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes",9router,0.4.30,0.4.37,,CRITICAL,CWE-306;CWE-78,
|
|
6520
|
-
CVE-2026-46341,2026-05-19T16:34:34Z,"Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching",@apify/actors-mcp-server,0,0.9.21,,MODERATE,CWE-
|
|
6549
|
+
CVE-2026-46341,2026-05-19T16:34:34Z,"Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching",@apify/actors-mcp-server,0,0.9.21,,MODERATE,CWE-183;CWE-20,
|
|
6521
6550
|
CVE-2026-46342,2026-05-19T20:03:24Z,"Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning",@nuxt/nitro-server,3.20.0,3.21.6,,LOW,CWE-349;CWE-444;CWE-79,
|
|
6522
6551
|
CVE-2026-46342,2026-05-19T20:03:24Z,"Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning",@nuxt/nitro-server,4.2.0,4.4.6,,LOW,CWE-349;CWE-444;CWE-79,
|
|
6523
6552
|
CVE-2026-46342,2026-05-19T20:03:24Z,"Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning",nuxt,3.1.0,3.21.6,,LOW,CWE-349;CWE-444;CWE-79,
|
|
6524
6553
|
CVE-2026-46342,2026-05-19T20:03:24Z,"Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning",nuxt,4.0.0-alpha.1,4.4.6,,LOW,CWE-349;CWE-444;CWE-79,
|
|
6525
|
-
CVE-2026-46357,2026-05-19T19:51:51Z,"HAX CMS: Denial of Service using Malicious Import Request",@haxtheweb/haxcms-nodejs,0,26.0.0,,MODERATE,CWE-476,
|
|
6554
|
+
CVE-2026-46357,2026-05-19T19:51:51Z,"HAX CMS: Denial of Service using Malicious Import Request",@haxtheweb/haxcms-nodejs,0,26.0.0,,MODERATE,CWE-20;CWE-476,
|
|
6526
6555
|
CVE-2026-46372,2026-05-19T20:09:52Z,"SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl",sillytavern,0,1.18.0,,HIGH,CWE-918,
|
|
6527
6556
|
CVE-2026-46391,2026-05-19T14:44:46Z,"HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis",@haxtheweb/open-apis,0,26.0.0,,HIGH,CWE-183;CWE-918,
|
|
6528
6557
|
CVE-2026-46393,2026-05-19T14:44:20Z,"HAXcms createSite SSRF Enables Arbitrary File Read",@haxtheweb/haxcms-nodejs,0,26.0.0,,HIGH,CWE-918,
|
|
@@ -6556,7 +6585,7 @@ CVE-2026-46490,2026-05-21T17:14:07Z,"samlify: XML Injection in AttributeValue Al
|
|
|
6556
6585
|
CVE-2026-46492,2026-05-21T17:57:32Z,"md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)",md-fileserver,0,1.10.3,,HIGH,CWE-80;CWE-87,
|
|
6557
6586
|
CVE-2026-46496,2026-05-19T14:44:34Z,"HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft",@haxtheweb/haxcms-nodejs,0,26.0.0,,MODERATE,CWE-116;CWE-79,
|
|
6558
6587
|
CVE-2026-46496,2026-05-19T14:44:34Z,"HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft",@haxtheweb/video-player,0,26.0.0,,MODERATE,CWE-116;CWE-79,
|
|
6559
|
-
CVE-2026-46509,2026-05-14T20:55:24Z,"
|
|
6588
|
+
CVE-2026-46509,2026-05-14T20:55:24Z,"@ranfdev/deepobj has a Prototype Pollution vulnerability",@ranfdev/deepobj,0,1.0.3,,HIGH,CWE-1321,
|
|
6560
6589
|
CVE-2026-46510,2026-05-18T13:28:31Z,"form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys",form-data-objectizer,0,1.0.1,,HIGH,CWE-1321,
|
|
6561
6590
|
CVE-2026-46511,2026-05-19T14:47:03Z,"HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack ",@haxtheweb/haxcms-nodejs,0,26.0.0,,HIGH,CWE-522;CWE-79;CWE-922,
|
|
6562
6591
|
CVE-2026-46519,2026-05-21T20:33:46Z,"MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement",mcp-server-kubernetes,0,3.6.0,,HIGH,CWE-863,
|
|
@@ -6593,20 +6622,105 @@ CVE-2026-47209,2026-05-29T17:49:18Z,"vm2's Bridge Proxy set trap ignores receive
|
|
|
6593
6622
|
CVE-2026-47210,2026-05-29T17:51:05Z,"vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass",vm2,0,3.11.4,,CRITICAL,CWE-913,
|
|
6594
6623
|
CVE-2026-47248,2026-05-29T19:18:01Z,"Parse Server's GraphQL ""Did you mean ...?"" validation suggestions disclose schema to unauthenticated callers",parse-server,0,8.6.78,,MODERATE,CWE-209,
|
|
6595
6624
|
CVE-2026-47248,2026-05-29T19:18:01Z,"Parse Server's GraphQL ""Did you mean ...?"" validation suggestions disclose schema to unauthenticated callers",parse-server,9.0.0,9.9.1-alpha.2,,MODERATE,CWE-209,
|
|
6625
|
+
CVE-2026-47250,2026-06-05T15:40:00Z,"MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration",mcp-server-kubernetes,0,3.7.0,,MODERATE,CWE-88,
|
|
6596
6626
|
CVE-2026-47255,2026-05-29T19:23:29Z,"AgenticMail API/storage and outbound relay hardening fixes",@agenticmail/api,0,0.9.32,,HIGH,"CWE-20;CWE-284;CWE-319;CWE-798;CWE-89",
|
|
6597
6627
|
CVE-2026-47255,2026-05-29T19:23:29Z,"AgenticMail API/storage and outbound relay hardening fixes",@agenticmail/core,0,0.9.10,,HIGH,"CWE-20;CWE-284;CWE-319;CWE-798;CWE-89",
|
|
6628
|
+
CVE-2026-47279,2026-06-05T15:52:54Z,"NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints",nocodb,0,2026.05.1,,MODERATE,CWE-284,
|
|
6629
|
+
CVE-2026-47375,2026-06-05T15:59:28Z,"NocoDB: Postgres SQL Injection in Formula `ARRAYSORT`",nocodb,0,2026.04.1,,MODERATE,CWE-89,
|
|
6630
|
+
CVE-2026-47376,2026-06-05T15:59:53Z,"NocoDB: Reflected Cross-Site Scripting via Password Reset Token",nocodb,0,2026.04.1,,MODERATE,CWE-79,
|
|
6631
|
+
CVE-2026-47377,2026-06-05T16:00:15Z,"NocoDB: Open Redirect via Hash Fragment in hashRedirect Plugin",nocodb,0,2026.04.1,,MODERATE,CWE-601,
|
|
6632
|
+
CVE-2026-47378,2026-06-05T16:03:11Z,"NocoDB: Hidden Column Exposure in Public Shared View Endpoints",nocodb,0,2026.04.1,,MODERATE,CWE-639,
|
|
6633
|
+
CVE-2026-47379,2026-06-05T16:03:33Z,"NocoDB: Plaintext Password Comparison in Shared Views",nocodb,0,2026.05.1,,MODERATE,CWE-200;CWE-203,
|
|
6634
|
+
CVE-2026-47380,2026-06-05T16:03:55Z,"NocoDB: User Enumeration via Sign-In Timing",nocodb,0,2026.04.1,,LOW,CWE-208;CWE-307,
|
|
6635
|
+
CVE-2026-47381,2026-06-05T16:04:32Z,"NocoDB: Cross-Workspace Integration Use in Connection Test",nocodb,0,2026.05.1,,MODERATE,CWE-290,
|
|
6636
|
+
CVE-2026-47382,2026-06-05T16:19:01Z,"NocoDB: Server-Side Request Forgery via Database Connection Host",nocodb,0,2026.05.1,,MODERATE,CWE-918,
|
|
6637
|
+
CVE-2026-47383,2026-06-05T16:19:22Z,"NocoDB: Stored Cross-Site Scripting via Row Comments",nocodb,0,2026.05.1,,HIGH,CWE-79,
|
|
6638
|
+
CVE-2026-47384,2026-06-05T16:19:59Z,"NocoDB: SQL Injection via Column Title in Bulk GroupBy",nocodb,0,2026.05.1,,MODERATE,CWE-89,
|
|
6639
|
+
CVE-2026-47385,2026-06-05T16:20:20Z,"NocoDB: Path Traversal via SQLite Source Filename",nocodb,0,2026.05.1,,MODERATE,CWE-22,
|
|
6640
|
+
CVE-2026-47386,2026-06-05T16:20:32Z,"NocoDB: OAuth Authorization Code Race Condition",nocodb,0,2026.05.1,,MODERATE,CWE-362,
|
|
6641
|
+
CVE-2026-47387,2026-06-05T16:20:44Z,"NocoDB: Stored Cross-Site Scripting via Form View Redirect URL",nocodb,0,2026.05.1,,HIGH,CWE-79,
|
|
6642
|
+
CVE-2026-47388,2026-06-05T16:22:28Z,"NocoDB: Missing Ownership Check in MCP Attachment Read",nocodb,0,2026.05.1,,LOW,CWE-639,
|
|
6643
|
+
CVE-2026-47423,2026-06-01T14:07:29Z,"DOMPurify XSS via selectedcontent re-clone",dompurify,3.4.4,3.4.5,,HIGH,CWE-79,
|
|
6644
|
+
CVE-2026-47428,2026-06-01T14:12:18Z,"Vitest browser mode serves unsanitized otelCarrier query parameter as inline script",@vitest/browser,4.0.17,4.1.6,,CRITICAL,CWE-79,
|
|
6645
|
+
CVE-2026-47428,2026-06-01T14:12:18Z,"Vitest browser mode serves unsanitized otelCarrier query parameter as inline script",@vitest/browser,5.0.0-beta.0,5.0.0-beta.3,,CRITICAL,CWE-79,
|
|
6646
|
+
CVE-2026-47429,2026-06-01T14:09:53Z,"When Vitest UI server is listening, arbitrary file can be read and executed",vitest,0,3.2.6,,CRITICAL,CWE-862,
|
|
6647
|
+
CVE-2026-47429,2026-06-01T14:09:53Z,"When Vitest UI server is listening, arbitrary file can be read and executed",vitest,4.0.0,4.1.0,,CRITICAL,CWE-862,
|
|
6648
|
+
CVE-2026-47430,2026-06-08T12:30:29Z,"Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews.","cordova-plugin-inappbrowser",0,6.0.1,,CRITICAL,CWE-20,
|
|
6649
|
+
CVE-2026-47668,2026-06-05T16:25:23Z,"DbGate: Unauthenticated Remote Code Execution via JSON Script Runner",dbgate-serve,0,7.1.9,,CRITICAL,CWE-1188;CWE-20;CWE-94,
|
|
6650
|
+
CVE-2026-47669,2026-06-05T16:26:01Z,"DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE",dbgate,0,7.1.9,,CRITICAL,CWE-22,
|
|
6651
|
+
CVE-2026-47670,2026-06-05T16:30:59Z,"Authenticated Remote Code Execution via loadReader functionName code injection in DbGate",dbgate-api,0,7.1.9,,CRITICAL,CWE-77;CWE-78,
|
|
6652
|
+
CVE-2026-47673,2026-06-04T17:52:04Z,"Hono: JWT middleware accepts any Authorization scheme, not only Bearer",hono,0,4.12.21,,MODERATE,CWE-285,
|
|
6653
|
+
CVE-2026-47674,2026-06-04T18:00:22Z,"Hono: IP Restriction bypasses static deny rules for non-canonical IPv6 ",hono,0,4.12.21,,MODERATE,CWE-1289;CWE-185,
|
|
6654
|
+
CVE-2026-47675,2026-06-04T17:59:25Z,"Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection",hono,0,4.12.21,,MODERATE,CWE-113;CWE-1287,
|
|
6655
|
+
CVE-2026-47676,2026-06-04T18:01:00Z,"Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths",hono,0,4.12.21,,MODERATE,CWE-444;CWE-693,
|
|
6656
|
+
CVE-2026-47684,2026-06-05T16:34:59Z,"Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP",@sync-in/server,0,2.3.0,,HIGH,CWE-918,
|
|
6598
6657
|
CVE-2026-47717,2026-05-27T22:51:18Z,"FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations",fuxa-server,1.3.0,1.3.1,,HIGH,CWE-201,
|
|
6599
6658
|
CVE-2026-47718,2026-05-28T20:33:11Z,"FUXA provides guest and invalid-token access to protected read APIs in secure mode",fuxa-server,1.3.0-2773,1.3.1,,MODERATE,CWE-287;CWE-862,
|
|
6659
|
+
CVE-2026-47719,2026-06-08T23:06:40Z,"FUXA: Unauthenticated SSRF via Socket.IO DEVICE_WEBAPI_REQUEST and DEVICE_PROPERTY with response reading",fuxa-server,0,,1.1.14-1243,HIGH,CWE-918,
|
|
6660
|
+
CVE-2026-47720,2026-06-08T23:06:43Z,"FUXA has SQL Injection in its TDengine DAQ connector via backslash bypass of escapeTdString",fuxa-server,0,,1.1.14-1243,MODERATE,CWE-89,
|
|
6661
|
+
CVE-2026-47721,2026-06-08T23:07:02Z,"FUXA's scheduler API missing admin check enables operator-to-admin escalation via scheduled device actions",fuxa-server,0,,1.1.14-1243,MODERATE,CWE-862,
|
|
6662
|
+
CVE-2026-47759,2026-06-05T20:27:50Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes",tinymce,0,,,HIGH,CWE-79,
|
|
6663
|
+
CVE-2026-47759,2026-06-05T20:27:50Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes",tinymce,6.0.0,7.9.3,,HIGH,CWE-79,
|
|
6664
|
+
CVE-2026-47759,2026-06-05T20:27:50Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes",tinymce,8.0.0,8.5.1,,HIGH,CWE-79,
|
|
6665
|
+
CVE-2026-47760,2026-06-05T20:09:38Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs",tinymce,6.8.0,7.1.0,,HIGH,CWE-79,
|
|
6666
|
+
CVE-2026-47761,2026-06-05T20:29:43Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection",tinymce,0,,,HIGH,CWE-79,
|
|
6667
|
+
CVE-2026-47761,2026-06-05T20:29:43Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection",tinymce,6.0.0,7.9.3,,HIGH,CWE-79,
|
|
6668
|
+
CVE-2026-47761,2026-06-05T20:29:43Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection",tinymce,8.0.0,8.5.1,,HIGH,CWE-79,
|
|
6669
|
+
CVE-2026-47762,2026-06-05T20:29:07Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments",tinymce,0,,,HIGH,CWE-79,
|
|
6670
|
+
CVE-2026-47762,2026-06-05T20:29:07Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments",tinymce,6.0.0,7.9.3,,HIGH,CWE-79,
|
|
6671
|
+
CVE-2026-47762,2026-06-05T20:29:07Z,"TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments",tinymce,8.0.0,8.5.1,,HIGH,CWE-79,
|
|
6600
6672
|
CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash,4.0.0,4.18.0,,HIGH,CWE-94,
|
|
6601
6673
|
CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash-amd,4.0.0,4.18.0,,HIGH,CWE-94,
|
|
6602
6674
|
CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash-es,4.0.0,4.18.0,,HIGH,CWE-94,
|
|
6603
6675
|
CVE-2026-4800,2026-04-01T23:51:12Z,"lodash vulnerable to Code Injection via `_.template` imports key names",lodash.template,4.0.0,4.18.0,,HIGH,CWE-94,
|
|
6676
|
+
CVE-2026-48007,2026-06-11T13:26:17Z,"Element Call reports full URLs of visited pages to analytics server","@element-hq/element-call-embedded",0.5.17,0.19.4,,HIGH,CWE-200,
|
|
6677
|
+
CVE-2026-48017,2026-06-05T16:39:38Z,"DbGate: Remote Code Execution via functionName injection in loadReader endpoint",dbgate-api,0,7.1.9,,HIGH,CWE-94,
|
|
6678
|
+
CVE-2026-48022,2026-06-11T13:27:05Z,"@hapi/wreck: Sensitive credential headers leak across cross-port and cross-scheme redirects",@hapi/wreck,0,18.1.2,,MODERATE,"CWE-200;CWE-319;CWE-346;CWE-522;CWE-940",
|
|
6679
|
+
CVE-2026-48032,2026-06-10T13:37:08Z,"@hulumi/policies bypasses IAM-role policy checks when the role trusts multiple OIDC providers",@hulumi/policies,0,1.4.0,,HIGH,CWE-697,
|
|
6680
|
+
CVE-2026-48033,2026-06-10T13:37:38Z,"@hulumi/policies bypasses policy packs with a forged Pulumi-URN logical name",@hulumi/policies,0,1.4.0,,HIGH,CWE-693,
|
|
6681
|
+
CVE-2026-48034,2026-06-10T13:38:15Z,"@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket",@hulumi/policies,0,1.4.0,,HIGH,CWE-284,
|
|
6682
|
+
CVE-2026-48035,2026-06-10T13:38:37Z,"@hulumi/baseline: AccountFoundation audit-delivery S3 bucket could be silently weakened",@hulumi/baseline,0,1.4.0,,HIGH,CWE-1059,
|
|
6683
|
+
CVE-2026-48036,2026-06-10T13:38:50Z,"@hulumi/drift: Drift classifier fails open on adapter errors and over-promotes Mixed verdicts",@hulumi/drift,0,1.4.0,,HIGH,CWE-755,
|
|
6684
|
+
CVE-2026-48037,2026-06-10T13:38:59Z,"@hulumi/baseline: AccountFoundation reuse paths silently downgrade GuardDuty / Security Hub posture",@hulumi/baseline,0,1.4.0,,MODERATE,CWE-693,
|
|
6685
|
+
CVE-2026-48038,2026-06-11T13:27:32Z,"joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas",joi,0,17.13.4,,MODERATE,CWE-248;CWE-400,
|
|
6686
|
+
CVE-2026-48038,2026-06-11T13:27:32Z,"joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas",joi,18.0.0,18.2.1,,MODERATE,CWE-248;CWE-400,
|
|
6687
|
+
CVE-2026-48049,2026-06-11T17:10:15Z,"@hapi/inert has a static-file confinement bypass via sibling-prefix path",@hapi/inert,4.0.0,7.1.1,,MODERATE,CWE-22,
|
|
6688
|
+
CVE-2026-48051,2026-06-10T13:39:10Z,"Papra HTTP redirect bypass can lead to SSRF via webhook delivery system",@papra/webhooks,0,0.3.3,,LOW,CWE-918,
|
|
6689
|
+
CVE-2026-48054,2026-06-11T13:27:24Z,"OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri",@openzeppelin/wizard,0,0.10.9,,HIGH,CWE-94,
|
|
6690
|
+
CVE-2026-48063,2026-06-10T19:33:20Z,"Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload",@whiskeysockets/baileys,0,6.7.22,,CRITICAL,CWE-290;CWE-345;CWE-346,
|
|
6691
|
+
CVE-2026-48063,2026-06-10T19:33:20Z,"Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload",@whiskeysockets/baileys,7.0.0-rc.1,7.0.0-rc12,,CRITICAL,CWE-290;CWE-345;CWE-346,
|
|
6692
|
+
CVE-2026-48063,2026-06-10T19:33:20Z,"Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload",baileys,0,6.7.22,,CRITICAL,CWE-290;CWE-345;CWE-346,
|
|
6693
|
+
CVE-2026-48063,2026-06-10T19:33:20Z,"Baileys has message upsert / hist sync spoofing and app state corruption when using maliciously crafted protocolMessage payload",baileys,7.0.0-rc.1,7.0.0-rc12,,CRITICAL,CWE-290;CWE-345;CWE-346,
|
|
6694
|
+
CVE-2026-48068,2026-06-11T13:27:54Z,"@grpc/grpc-js: A malformed request can cause a server crash",@grpc/grpc-js,0,1.9.16,,HIGH,CWE-248,
|
|
6695
|
+
CVE-2026-48068,2026-06-11T13:27:54Z,"@grpc/grpc-js: A malformed request can cause a server crash",@grpc/grpc-js,1.10.0,1.10.12,,HIGH,CWE-248,
|
|
6696
|
+
CVE-2026-48068,2026-06-11T13:27:54Z,"@grpc/grpc-js: A malformed request can cause a server crash",@grpc/grpc-js,1.11.0,1.11.4,,HIGH,CWE-248,
|
|
6697
|
+
CVE-2026-48068,2026-06-11T13:27:54Z,"@grpc/grpc-js: A malformed request can cause a server crash",@grpc/grpc-js,1.12.0,1.12.7,,HIGH,CWE-248,
|
|
6698
|
+
CVE-2026-48068,2026-06-11T13:27:54Z,"@grpc/grpc-js: A malformed request can cause a server crash",@grpc/grpc-js,1.13.0,1.13.5,,HIGH,CWE-248,
|
|
6699
|
+
CVE-2026-48068,2026-06-11T13:27:54Z,"@grpc/grpc-js: A malformed request can cause a server crash",@grpc/grpc-js,1.14.0,1.14.4,,HIGH,CWE-248,
|
|
6700
|
+
CVE-2026-48069,2026-06-11T13:27:44Z,"@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash",@grpc/grpc-js,0,1.9.16,,HIGH,CWE-248;CWE-400,
|
|
6701
|
+
CVE-2026-48069,2026-06-11T13:27:44Z,"@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash",@grpc/grpc-js,1.10.0,1.10.12,,HIGH,CWE-248;CWE-400,
|
|
6702
|
+
CVE-2026-48069,2026-06-11T13:27:44Z,"@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash",@grpc/grpc-js,1.11.0,1.11.4,,HIGH,CWE-248;CWE-400,
|
|
6703
|
+
CVE-2026-48069,2026-06-11T13:27:44Z,"@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash",@grpc/grpc-js,1.12.0,1.12.7,,HIGH,CWE-248;CWE-400,
|
|
6704
|
+
CVE-2026-48069,2026-06-11T13:27:44Z,"@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash",@grpc/grpc-js,1.13.0,1.13.5,,HIGH,CWE-248;CWE-400,
|
|
6705
|
+
CVE-2026-48069,2026-06-11T13:27:44Z,"@grpc/grpc-js: An incoming malformed compressed message can cause a client or server crash",@grpc/grpc-js,1.14.0,1.14.4,,HIGH,CWE-248;CWE-400,
|
|
6706
|
+
CVE-2026-48121,2026-06-12T15:05:32Z,"LangGraph has NoSQL parameter injection in MongoDBSaver, allowing cross-tenant state access","@langchain/langgraph-checkpoint-mongodb",0,1.3.1,,MODERATE,CWE-943,
|
|
6707
|
+
CVE-2026-48128,2026-06-12T15:08:23Z,"Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step",budibase,0,3.39.0,,MODERATE,CWE-918,
|
|
6708
|
+
CVE-2026-48146,2026-06-12T15:08:28Z,"Budibase: SSRF via OAuth2 Config Validation — Missing fetchWithBlacklist Protection",@budibase/server,0,3.39.0,,HIGH,CWE-918,
|
|
6709
|
+
CVE-2026-48147,2026-06-12T18:23:41Z,"Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker ",@budibase/backend-core,0,3.35.4,,MODERATE,CWE-185;CWE-352,
|
|
6710
|
+
CVE-2026-48148,2026-06-12T18:27:45Z,"Budibase: Unvalidated VectorDB Host Parameter Enables SSRF",@budibase/server,0,3.35.3,,MODERATE,CWE-918,
|
|
6711
|
+
CVE-2026-48150,2026-06-12T18:28:26Z,"Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign",@budibase/server,0,3.39.0,,CRITICAL,CWE-915,
|
|
6712
|
+
CVE-2026-48151,2026-06-12T18:28:34Z,"Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema",@budibase/server,0,3.39.0,,HIGH,CWE-862,
|
|
6713
|
+
CVE-2026-48152,2026-06-12T18:28:40Z,"Budibase: Basic app users can exfiltrate stored REST datasource auth by rewriting datasource base URL",@budibase/server,0,3.39.0,,HIGH,CWE-863,
|
|
6604
6714
|
CVE-2026-48527,2026-05-29T14:07:51Z,"HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint",@haxtheweb/haxcms-nodejs,0,26.0.1,,HIGH,CWE-79,
|
|
6605
6715
|
CVE-2026-4867,2026-03-27T20:04:53Z,"path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters",path-to-regexp,0,0.1.13,,HIGH,CWE-1333,
|
|
6716
|
+
CVE-2026-49143,2026-06-03T21:39:32Z,"browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in _log HTTP handler",browserstack-runner,0,,0.9.5,HIGH,CWE-94,
|
|
6717
|
+
CVE-2026-49144,2026-06-03T21:38:40Z,"browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server",browserstack-runner,0,,0.9.5,HIGH,CWE-22,
|
|
6606
6718
|
CVE-2026-4923,2026-03-27T22:23:52Z,"path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards",path-to-regexp,8.0.0,8.4.0,,MODERATE,CWE-1333,
|
|
6607
6719
|
CVE-2026-4926,2026-03-27T22:23:27Z,"path-to-regexp vulnerable to Denial of Service via sequential optional groups",path-to-regexp,8.0.0,8.4.0,,HIGH,CWE-1333;CWE-400,
|
|
6720
|
+
CVE-2026-50287,2026-06-01T13:58:33Z,"@agenticmail/mcp Missing Authentication for Critical Function",@agenticmail/mcp,0,0.9.27,,HIGH,CWE-306,
|
|
6608
6721
|
CVE-2026-5323,2026-04-02T09:30:24Z,"a11y-mcp: Server-Side Request Forgery (SSRF) vulnerability in A11yServer function",a11y-mcp,0,1.0.5,,LOW,CWE-918,
|
|
6609
6722
|
CVE-2026-5327,2026-04-02T12:31:05Z,"fast-filesystem-mcp is vulnerable to command injection through handleGetDiskUsage function",fast-filesystem-mcp,0,,3.5.0,LOW,CWE-74,
|
|
6723
|
+
CVE-2026-53926,2026-06-05T16:43:09Z,"NocoDB: OAuth Tokens Persist Through Security Events",nocodb,0,2026.05.1,,MODERATE,CWE-613,
|
|
6610
6724
|
CVE-2026-5602,2026-04-06T00:30:24Z,"@nor2/heim-mcp vulnerable to command injection",@nor2/heim-mcp,0,,0.1.3,LOW,CWE-77,
|
|
6611
6725
|
CVE-2026-5603,2026-04-06T00:30:24Z,"@elgentos/magento2-dev-mcp vulnerable to command injection","@elgentos/magento2-dev-mcp",0,,1.0.2,LOW,CWE-77,
|
|
6612
6726
|
CVE-2026-5758,2026-04-15T18:31:58Z,"Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution",protocol-buffers-schema,0,3.6.1,,MODERATE,CWE-1321,
|
|
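Review bot: Several of the new rows encode version ranges in a way a semver matcher will misread, most visibly the three `tinymce,0,,,HIGH` rows for CVE-2026-47759, CVE-2026-47761 and CVE-2026-47762, which carry neither a fixed nor a last_affected version and so, under the open-ended convention this file already uses for unpatched packages such as `wangeditor,0,,,HIGH`, would flag every tinymce release including the 7.9.3 and 8.5.1 fixes recorded on the sibling rows for the same CVEs. That looks like an upstream range for an older major line that lost its upper bound; it is worth checking the GHSA entries and either bounding the row with a last_affected version or dropping it if it only duplicates the bounded rows. The Baileys rows have a related slip: the range `7.0.0-rc.1,7.0.0-rc12` mixes a two-identifier prerelease (`rc.1`) with a single-identifier one (`rc12`), and because `rc` sorts before `rc12` every `7.0.0-rc.N` (including any rc.13 published after the fix) compares below the fixed version and stays flagged, so presumably `7.0.0-rc.12` was meant unless the published tag really is `rc12`. The three new FUXA rows stop at last_affected `1.1.14-1243` while neighbouring rows for the same package list 1.3.0 and 1.3.1, so 1.3.x installs would be reported clean for CVE-2026-47719/47720/47721 unless the upstream advisory genuinely ends there.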
@@ -6642,6 +6756,7 @@ CVE-2026-8766,2026-05-18T00:31:36Z,"@kilocode/cli Vulnerable to Exposure of Sens
|
|
|
6642
6756
|
CVE-2026-8769,2026-05-18T00:31:37Z,"@ai-sdk/provider-utils has an Uncontrolled Resource Consumption issue",@ai-sdk/provider-utils,0,,3.0.97,LOW,CWE-400,
|
|
6643
6757
|
CVE-2026-8813,2026-05-29T17:58:37Z,"ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag",exifreader,2.10.0,4.39.0,,HIGH,CWE-1284,
|
|
6644
6758
|
CVE-2026-8814,2026-05-29T17:52:26Z,"ExifReader is vulnerable to denial of service via unbounded decompression of image metadata",exifreader,4.20.0,4.39.0,,MODERATE,CWE-409,
|
|
6759
|
+
CVE-2026-9277,2026-06-09T14:27:15Z,"shell-quote quote() does not escape newlines in object .op values",shell-quote,1.1.0,1.8.4,,CRITICAL,CWE-77;CWE-78,
|
|
6645
6760
|
GHSA-224h-p7p5-rh85,2020-09-01T17:32:26Z,"Directory Traversal in wenluhong1",wenluhong1,0.0.0,,,HIGH,CWE-22,
|
|
6646
6761
|
GHSA-224p-v68g-5g8f,2025-08-26T18:45:55Z,"GraphQL Armor Max-Depth Plugin Bypass via fragment caching","@escape.tech/graphql-armor-max-depth",0,2.4.2,,MODERATE,CWE-400,
|
|
6647
6762
|
GHSA-226w-6hhj-69hp,2020-09-03T19:06:52Z,"Malicious Package in cal_rd",cal_rd,0.0.0,,,CRITICAL,CWE-506,
|
|
@@ -7424,6 +7539,7 @@ GHSA-g74r-ffvr-5q9f,2019-06-03T17:26:44Z,"Memory Exposure in concat-stream",conc
|
|
|
7424
7539
|
GHSA-g753-jx37-7xwh,2020-06-30T16:05:08Z,"ECDSA signature vulnerability of Minerva timing attack in jsrsasign",jsrsasign,4.0.0,8.0.13,,MODERATE,CWE-362,
|
|
7425
7540
|
GHSA-g7h8-p22m-2rvx,2020-09-04T15:08:46Z,"Prototype Pollution in flat-wrap",flat-wrap,0.0.0,,,HIGH,CWE-1321,
|
|
7426
7541
|
GHSA-g7mw-5cq6-fv82,2020-09-02T21:20:40Z,"Cross-Site Scripting in wangeditor",wangeditor,0,,,HIGH,CWE-79,
|
|
7542
|
+
GHSA-g7r4-m6w7-qqqr,2026-06-12T20:08:53Z,"esbuild allows arbitrary file read when running the development server on Windows",esbuild,0.27.3,0.28.1,,LOW,CWE-22,
|
|
7427
7543
|
GHSA-g839-vp47-wgh8,2026-03-21T03:31:15Z,"Duplicate Advisory: OpenClaw's Slack reaction/pin sender-policy consistency issue in non-message ingress",openclaw,0,,2026.2.24,MODERATE,CWE-863,
|
|
7428
7544
|
GHSA-g86v-f9qv-rh6m,2026-03-31T23:58:43Z,"OpenClaw SSRF guard misses four IPv6 special-use ranges",openclaw,0,2026.3.28,,LOW,CWE-918,
|
|
7429
7545
|
GHSA-g8jc-mm3c-cwhj,2020-09-02T20:31:06Z,"Malicious Package in reques",reques,0,,,CRITICAL,CWE-506,
|
|
@@ -7468,6 +7584,7 @@ GHSA-gqqj-85qm-8qhf,2026-04-16T22:47:40Z,"Paperclip: codex_local inherited ChatG
|
|
|
7468
7584
|
GHSA-gr4j-r575-g665,2020-08-25T14:04:47Z,"Cross-Site Scripting in highcharts",highcharts,0,7.2.2,,HIGH,CWE-79,
|
|
7469
7585
|
GHSA-gr4j-r575-g665,2020-08-25T14:04:47Z,"Cross-Site Scripting in highcharts",highcharts,8.0.0,8.1.1,,HIGH,CWE-79,
|
|
7470
7586
|
GHSA-gv2f-q4wp-fvh5,2026-04-24T00:31:51Z,"Duplicate Advisory: OpenClaw: CLI Remote Onboarding Persists Unauthenticated Discovery Endpoint and Exfiltrates Gateway Credentials",openclaw,0,2026.3.28,,HIGH,CWE-346,
|
|
7587
|
+
GHSA-gv7w-rqvm-qjhr,2026-06-12T20:08:59Z,"esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY",esbuild,0.17.0,0.28.1,,HIGH,CWE-426;CWE-494,
|
|
7471
7588
|
GHSA-gvff-25cc-4f66,2020-09-03T17:15:56Z,"Path Traversal in restify-swagger-jsdoc",restify-swagger-jsdoc,0,3.2.1,,HIGH,CWE-22,
|
|
7472
7589
|
GHSA-gvm7-8fq3-qjj2,2020-09-03T19:43:18Z,"Malicious Package in bs85",bs85,0.0.0,,,CRITICAL,CWE-506,
|
|
7473
7590
|
GHSA-gw32-9rmw-qwww,2026-01-16T21:02:56Z,"svelte is vulnerable to XSS with textarea bind:value",svelte,3.0.0,3.59.2,,HIGH,CWE-79,
|
|
@@ -7601,6 +7718,7 @@ GHSA-jmqm-f2gx-4fjv,2020-07-07T18:59:10Z,"Sensitive information exposure through
|
|
|
7601
7718
|
GHSA-jp4j-q5fc-58gv,2026-03-31T23:58:08Z,"OpenClaw's Discord component interaction ingress skips guild/channel policy enforcement",openclaw,2026.2.14,2026.3.28,,MODERATE,CWE-862,
|
|
7602
7719
|
GHSA-jp99-5h8w-gmxc,2020-09-04T15:03:13Z,"Sandbox Breakout / Arbitrary Code Execution in @zhaoyao91/eval-in-vm",@zhaoyao91/eval-in-vm,0.0.0,,,CRITICAL,,
|
|
7603
7720
|
GHSA-jp9g-5x75-ccp8,2020-09-02T21:34:30Z,"Malicious Package in colro-name",colro-name,0,,,CRITICAL,CWE-506,
|
|
7721
|
+
GHSA-jpvj-wpmj-h7rv,2026-06-04T19:37:04Z,"Supply chain compromise via malicious @cap-js/openapi",@cap-js/openapi,1.4.1,1.4.2,,CRITICAL,CWE-506,
|
|
7604
7722
|
GHSA-jq4x-98m3-ggq6,2026-03-02T22:32:23Z,"OpenClaw Canvas Path Traversal Information Disclosure Vulnerability",openclaw,0,2026.2.21,,HIGH,CWE-22,
|
|
7605
7723
|
GHSA-jqjg-v355-hr9q,2020-09-03T22:11:02Z,"Malicious Package in buffer-xop",buffer-xop,0.0.0,,,CRITICAL,CWE-506,
|
|
7606
7724
|
GHSA-jqpf-vj28-9v7r,2026-03-19T03:30:57Z,"Duplicate Advisory: Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch",openclaw,2026.2.22,,2026.2.23,HIGH,CWE-863,
|
|
@@ -7629,8 +7747,6 @@ GHSA-m5ch-gx8g-rg73,2020-09-02T15:43:53Z,"Remote Code Execution in pomelo-monito
|
|
|
7629
7747
|
GHSA-m5j2-r859-r5cv,2026-05-11T18:31:46Z,"Duplicate Advisory: OpenClaw: Isolated cron awareness events were recorded as trusted system events",openclaw,0,2026.4.20,,MODERATE,CWE-345,
|
|
7630
7748
|
GHSA-m5jp-p3r5-mfqp,2026-04-10T00:30:30Z,"Duplicate Advisory: OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`",openclaw,0,,2026.3.24,MODERATE,CWE-648;CWE-863,
|
|
7631
7749
|
GHSA-m5p4-7wf9-6w99,2020-09-01T21:10:53Z,"Malicious Package in regenrator",regenrator,0,,,CRITICAL,CWE-506,
|
|
7632
|
-
GHSA-m5qc-5hw7-8vg7,2025-04-02T15:04:58Z,"image-size Denial of Service via Infinite Loop during Image Processing",image-size,1.1.0,1.2.1,,HIGH,CWE-770,
|
|
7633
|
-
GHSA-m5qc-5hw7-8vg7,2025-04-02T15:04:58Z,"image-size Denial of Service via Infinite Loop during Image Processing",image-size,2.0.0,2.0.2,,HIGH,CWE-770,
|
|
7634
7750
|
GHSA-m69h-jm2f-2pv8,2026-03-13T20:54:30Z,"OpenClaw: Feishu reaction events could bypass group authorization and mention gating",openclaw,0,2026.3.12,,MODERATE,CWE-285;CWE-863,
|
|
7635
7751
|
GHSA-m6q2-9pfm-2wvr,2020-09-03T17:02:49Z,"Malicious Package in wallet-address-vaildator",wallet-address-vaildator,0.0.0,,,CRITICAL,CWE-506,
|
|
7636
7752
|
GHSA-m6w8-fq7v-ph4m,2022-01-13T16:09:36Z,"GovernorCompatibilityBravo incorrect ABI encoding may lead to unexpected behavior","@openzeppelin/contracts-upgradeable",4.3.0,4.4.2,,MODERATE,,
|
|
@@ -8153,7 +8269,7 @@ GHSA-xrr6-6ww3-f3qm,2020-09-02T21:25:58Z,"Sandbox Breakout / Arbitrary Code Exec
|
|
|
8153
8269
|
GHSA-xrrg-wfwc-c7r3,2020-09-04T15:33:52Z,"Malicious Package in bictoin-ops",bictoin-ops,0.0.0,,,CRITICAL,CWE-506,
|
|
8154
8270
|
GHSA-xv3q-jrmm-4fxv,2023-04-18T22:28:02Z,"Authentication Bypass in @strapi/plugin-users-permissions","@strapi/plugin-users-permissions",3.2.1,4.6.0,,HIGH,,
|
|
8155
8271
|
GHSA-xv56-3wq5-9997,2026-01-13T19:57:06Z,"Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository",renovate,39.218.0,40.33.0,,MODERATE,CWE-77,
|
|
8156
|
-
GHSA-xvp7-8vm8-xfxx,2025-10-20T17:55:59Z,"Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers",@actual-app/sync-server,0
|
|
8272
|
+
GHSA-xvp7-8vm8-xfxx,2025-10-20T17:55:59Z,"Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers",@actual-app/sync-server,0,25.11.0,,MODERATE,CWE-209;CWE-215;CWE-219,
|
|
8157
8273
|
GHSA-xw79-hhv6-578c,2020-09-11T21:16:59Z,"Cross-Site Scripting in serve",serve,0,10.0.2,,HIGH,CWE-79,
|
|
8158
8274
|
GHSA-xwcj-hwhf-h378,2026-03-16T20:40:13Z,"OpenClaw Telegram media fetch errors exposed bot tokens in logged file URLs",openclaw,0,2026.3.13,,MODERATE,CWE-532,
|
|
8159
8275
|
GHSA-xwqw-rf2q-xmhf,2020-09-01T21:23:38Z,"Cross-Site Scripting in buefy",buefy,0,0.7.2,,HIGH,CWE-79,
|
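--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@openrewrite/recipes-nodejs",
-"version": "0.46.
+"version": "0.46.2",
 "license": "Moderne Proprietary",
 "description": "OpenRewrite recipes for Node.js library migrations.",
 "homepage": "https://github.com/moderneinc/rewrite-node",
@@ -25,7 +25,7 @@
 "ci:test": "jest"
 },
 "dependencies": {
-"@openrewrite/rewrite": "^8.
+"@openrewrite/rewrite": "^8.86.0-20260617-083043",
 "mutative": "^1.1.0",
 "semver": "^7.7.3"
 },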