Node.js

Prototype pollution in LangSmith JavaScript/TypeScript SDK (langsmith) versions prior to 0.5.18 allows remote attackers to pollute Object.prototype via the createAnonymizer() API by supplying malicious constructor.prototype keys, bypassing an incomplete __proto__ filter. The vulnerability affects all objects in the Node.js process and can lead to information disclosure and integrity violations. No public exploit code or active exploitation has been confirmed at time of analysis.

Remote code execution affects Axios HTTP client library versions prior to 1.15.0 via gadget chain escalation of prototype pollution vulnerabilities in third-party dependencies. Unauthenticated network attackers can exploit this chaining mechanism to achieve full remote code execution or cloud compromise through AWS IMDSv2 bypass. Critical severity (CVSS 10.0) with scope change indicates containment boundary violation. No public exploit identified at time of analysis.

Arbitrary code execution in OpenClaw versions prior to 2026.3.24 enables local attackers to execute malicious code during npm package installation by crafting a malicious .npmrc file that overrides the git executable. When npm install runs in the staged package directory with git dependencies, the attacker-controlled .npmrc configuration triggers execution of arbitrary programs specified by the attacker. Exploitation requires user interaction to install the malicious plugin or hook locally. No public exploit identified at time of analysis.

Server-side request forgery (SSRF) in OpenClaw's assertPublicHostname handler (src/agents/tools/web-fetch.ts) allows remote attackers to craft requests that bypass hostname validation and reach internal or restricted systems. Affected versions up to 2026.1.26 are vulnerable; the attack requires high complexity but publicly available exploit code exists. Vendor-released patch version 2026.1.29 (commit b623557a2ec7e271bda003eb3ac33fbb2e218505) resolves the issue.

Remote code execution in Hashgraph Guardian ≤3.5.0 enables authenticated Standard Registry users to execute arbitrary JavaScript through unsandboxed Function() constructor in Custom Logic policy block worker. Attackers can import Node.js modules to read container files, extract environment credentials (RSA private keys, JWT signing keys, API tokens), and forge authentication tokens for privilege escalation to administrator access. Requires low-privilege authentication (PR:L). No public exploit identified at time of analysis.

Denial of service in fast-jwt 5.0.0 through 6.2.0 allows authenticated remote attackers with user interaction to cause significant CPU consumption via crafted JWT tokens that trigger catastrophic backtracking in regular expression evaluation when the allowedAud verification option is configured with a regex pattern. The vulnerability exploits attacker-controlled aud claims evaluated against user-supplied regexes, resulting in ReDoS (regular expression denial of service). Vendor-released patch available in version 6.2.1.

fast-jwt before 6.2.1 fails to properly validate JWTs when RegExp modifiers with stateful behavior (/g for global matching and /y for sticky matching) are used in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options. This causes valid authentication tokens to be rejected in an alternating 50% failure pattern due to RegExp state persistence across verification calls, degrading availability of JWT-protected services without compromising token security itself. The vulnerability is fixed in version 6.2.1.

Hostname normalization bypass in Axios (JavaScript HTTP client) versions prior to 1.15.0 allows unauthenticated remote attackers to circumvent NO_PROXY configuration rules and force HTTP requests through configured proxies. Attackers can exploit malformed loopback addresses (localhost. with trailing dot, [::1] IPv6 literals) to bypass proxy restrictions and conduct Server-Side Request Forgery (SSRF) attacks against protected internal services. Publicly available exploit code exists. Affects all Axios implementations in Node.js and browser environments with NO_PROXY configurations.

Mattermost Plugins versions 2.1.3.0 and earlier allow remote attackers without authentication to cause denial of service through memory exhaustion by sending oversized JSON payloads to the /changes webhook endpoint. The vulnerability stems from a lack of request body size validation, enabling attackers to exhaust server memory and crash the service. CVSS is 3.7 (low severity) with low exploitability complexity, and no public exploit or active exploitation has been confirmed.

Mattermost Plugins versions 2.3.1 and earlier allow unauthenticated remote attackers to trigger denial of service by sending oversized JSON payloads to the /lifecycle webhook endpoint, causing memory exhaustion due to missing request body size validation. CVSS 3.7 reflects low severity despite network accessibility; EPSS and active exploitation status not independently confirmed from available data.

Command injection in awwaiid mcp-server-taskwarrior up to version 1.0.1 allows local authenticated attackers to execute arbitrary system commands via manipulation of the Identifier argument in the server.setRequestHandler function of index.ts. Publicly available exploit code exists, and the vendor has released a patched version following responsible disclosure practices. This is a locally-exploitable vulnerability requiring authenticated access with moderate CVSS severity (5.3), but the presence of public exploit code and low attack complexity elevates practical risk.

Server-Side Request Forgery (SSRF) in atototo api-lab-mcp versions up to 0.2.1 allows unauthenticated remote attackers to manipulate source/url parameters in analyze_api_spec, generate_test_scenarios, and test_http_endpoint functions within the HTTP interface (http-server.ts). Exploitation permits unauthorized requests to internal or external resources, potentially exposing sensitive data, bypassing access controls, or conducting port scanning. Publicly available exploit code exists. Vendor has not responded to early disclosure (GitHub issue #4).

rrweb-snapshot before v2.0.0-alpha.18 contains a reflected cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript or HTML in a victim's browser context through a crafted payload. The vulnerability requires user interaction (clicking a malicious link) and affects client-side snapshot capture functionality. Publicly available exploit code exists according to CISA SSVC assessment, though active exploitation has not been confirmed at time of analysis.

Command injection in basic-ftp npm package v5.2.0 allows unauthenticated remote attackers to inject arbitrary FTP protocol commands via CRLF sequences in file path parameters. Affected methods include cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). Inadequate input sanitization in protectWhitespace() combined with direct socket writes enables attackers to split single FTP commands into multiple commands, leading to unauthorized file deletion, directory manipulation, file exfiltration, or session hijacking. Vendor-released patch available in version 5.2.1. No public exploit identified at time of analysis. EPSS unavailable.

Path traversal in liquidjs 10.25.0 allows local file disclosure when renderFile() or parseFile() receives absolute paths or traversal sequences, despite the root parameter being documented as a sandbox boundary. An attacker controlling template filenames passed to these APIs can read arbitrary files accessible to the Node.js process, such as /etc/hosts or sensitive configuration files. The vulnerability affects liquidjs versions prior to 10.25.5; a vendor-released patch is available. No public exploit code or active exploitation has been identified at the time of analysis.

Authentication bypass in LobeHub webapi allows unauthenticated attackers to forge X-lobe-chat-auth headers using a publicly disclosed XOR key, gaining unauthorized access to protected routes including chat, model listing, and image generation endpoints. The vulnerability affects LobeHub versions up to 2.1.47 and has a confirmed proof-of-concept; however, the CVSS vector indicates PR:L (low privilege required), suggesting the advertised attack may require some initial authentication. Vendor-released patch version 2.1.48 is available.

The replace filter in LiquidJS (Node.js npm package) fails to correctly account for memory usage when memoryLimit is enabled, allowing remote attackers to bypass DoS protections with approximately 2,500x memory amplification by crafting templates where the replace operation produces quadratically larger output than the charged memory cost. Deployments with memoryLimit explicitly configured to protect against untrusted template input can suffer out-of-memory crashes; patch available in v10.25.3.

Denial of service in Axios HTTP/2 client before version 1.13.2 allows unauthenticated remote attackers to crash Node.js applications through malicious HTTP/2 server responses that trigger state corruption during concurrent session closures. The vulnerability exploits a control flow error in session cleanup logic with high attack complexity, making real-world exploitation require specific server-side conditions but posing significant risk to applications relying on HTTP/2.

IPv4 access control bypass in Hono middleware allows IPv4-mapped IPv6 addresses (e.g., ::ffff:127.0.0.1) to bypass IPv4-based ipRestriction() rules due to failure to canonicalize addresses before matching. Denied IPv4 clients can circumvent access restrictions in Node.js dual-stack environments by presenting as IPv6-formatted addresses, and legitimate IPv4 clients may be incorrectly rejected when allowlists are used. No public exploit code identified at time of analysis, but the vulnerability enables straightforward authentication bypass with minimal complexity.

Remote code execution in SiYuan Electron desktop client (prior to version 3.6.4) allows authenticated attackers to execute arbitrary code on victim systems through maliciously crafted notes synced across workspaces. The vulnerability chains a stored XSS flaw in table caption rendering with insecure Electron configuration (nodeIntegration enabled, contextIsolation disabled), elevating DOM-based script injection to full Node.js API access. No public exploit identified at time of analysis, though the attack vector is well-documented in the GitHub security advisory. CVSS 9.0 reflects the scope change and high impact across confidentiality, integrity, and availability.

Parse Server versions prior to 9.8.0-alpha.7 and 8.6.75 expose protected session fields to authenticated users via the GET /sessions/me endpoint, bypassing the protectedFields server configuration that should restrict access to sensitive data. An authenticated attacker can retrieve their own session's protected fields in a single request, whereas the equivalent GET /sessions and GET /sessions/:objectId endpoints correctly enforce field-level access controls. This information disclosure vulnerability affects any Parse Server deployment where administrators have configured protected fields on the _Session class and expects those fields to remain confidential from users.

Parse Server versions prior to 9.8.0-alpha.6 and 8.6.74 leak valid usernames through timing side-channel attacks on the login endpoint, allowing unauthenticated attackers to enumerate existing user accounts by measuring response latency differences between non-existent users and incorrect password attempts. The vulnerability exploits inadequate constant-time comparison in password verification, enabling account enumeration without authentication and with moderate attack complexity.

Regular Expression Denial of Service (ReDoS) in @hapi/content npm package versions through 6.0.0 allows unauthenticated remote attackers to crash Node.js processes via a single HTTP request containing maliciously crafted Content-Type or Content-Disposition header values. Three regular expressions used for header parsing contain catastrophic backtracking patterns that can consume unbounded CPU resources. Vendor-released patch available via GitHub (PR #38). No public exploit code identified at time of analysis, though the attack vector is straightforward for any attacker with HTTP request capabilities.

SandboxJS versions 0.8.35 and below allow untrusted sandboxed code to leak internal interpreter scope objects through the `new` operator, exposing raw Prop wrappers that reference the host's global variable storage (scope.allVars). An attacker controlling code execution within the sandbox can extract this scope object and modify variables in the sandbox hierarchy, though prototype chain and code evaluation remain protected. Vendor-released patch available; no active KEV status or public exploit code confirmed.

Denial of service in @nyariv/sandboxjs through unbounded recursion in the parser allows remote attackers to crash Node.js processes by submitting deeply nested expressions (approximately 2000 nested parentheses or brackets), triggering a RangeError that terminates the application. All public API methods (Sandbox.parse, Sandbox.compile, Sandbox.compileAsync, Sandbox.compileExpression, Sandbox.compileExpressionAsync) are vulnerable with no input validation or depth limiting. A proof-of-concept demonstrating the crash exists; no public active exploitation has been reported at the time of analysis.

Sandbox escape in SandboxJS npm package allows unauthenticated remote attackers to mutate host JavaScript global objects (Math, JSON, etc.) and persist malicious code across sandbox instances. The vulnerability bypasses intended global-write protections by exploiting an exposed constructor callable path (this.constructor.call), enabling arbitrary property injection into host runtime globals. Exploitation probability is HIGH (EPSS not available for recent CVE), with publicly available exploit code demonstrating both immediate host contamination and cross-execution persistence. Critical impact: attacker-controlled globals can hijack application control flow when host code consumes mutated built-ins, escalating to arbitrary command execution when chained with application sinks like execSync().

Path traversal in Budibase plugin upload endpoint allows Global Builders to delete arbitrary directories and write files to any accessible filesystem path. Affecting all versions prior to 3.33.4, attackers with high privileges (Global Builder role) can exploit unsanitized filename handling in POST /api/plugin/upload to execute directory traversal attacks remotely with low complexity. CVSS 8.7 (High) with scope change indicates potential container escape or cross-tenant impact. No public exploit identified at time of analysis, though the attack vector is straightforward given the documented path traversal mechanism.

Context isolation bypass in Electron applications enables privilege escalation when VideoFrame objects are bridged to the main world. Attackers with XSS capabilities can leverage improperly bridged WebCodecs API VideoFrame objects to escape the isolated context and access Node.js APIs exposed in preload scripts. CVSS 8.4 (High) with network attack vector requiring high complexity and user interaction. No public exploit identified at time of analysis, though proof-of-concept development is feasible given the detailed vendor disclosure.

Electron's nodeIntegrationInWorker webPreference fails to properly isolate Node.js integration in worker contexts across certain process-sharing configurations, allowing workers in frames explicitly configured with nodeIntegrationInWorker: false to unexpectedly gain Node.js capabilities. Only applications that explicitly enable nodeIntegrationInWorker are affected. The vulnerability carries a CVSS score of 6.8 and permits information disclosure and code execution in affected contexts, with no public exploit identified at time of analysis.

Supply chain compromise of @usebruno/cli (Bruno API testing tool) deployed a cross-platform Remote Access Trojan via malicious axios dependency versions 1.14.1 and 0.30.4 on npm during a 3-hour window (00:21-03:30 UTC, March 31, 2026). Unauthenticated remote attackers gained full system compromise including credential exfiltration and persistent RAT installation on affected developer workstations. No public exploit code required as the malicious payload executed automatically via npm postinstall scripts. CVSS 9.8 Critical rating reflects network-accessible attack requiring no authentication or user interaction. Vendor-released patch available (PR #7632) pins axios to safe versions; compromised packages removed from npm registry. Organizations using Bruno CLI must assume breach during the attack window and initiate incident response procedures including credential rotation and system forensics.

Remote code execution in Replicator npm package version 1.0.5 allows unauthenticated attackers to execute arbitrary code by supplying malicious serialized objects that the library deserializes without validation. Applications using Replicator to process untrusted input are vulnerable to immediate compromise; no public exploit code availability or active exploitation status is confirmed at time of analysis, but the unauthenticated attack vector and ease of object deserialization attacks suggest practical exploitability.

File Browser's self-registration mechanism grants arbitrary shell command execution to unauthenticated attackers when administrators enable signup alongside server-side execution. The signupHandler inherits Execute permissions and Commands lists from default user templates but only strips Admin privileges, allowing newly registered users to immediately execute arbitrary commands via WebSocket with the process's full privileges. Vendor patch available. EPSS data not provided, but the specific configuration requirement (signup + enableExec + Execute in defaults) significantly narrows the attack surface despite the network-accessible, unauthenticated attack vector (CVSS 8.1 High). No confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis beyond the detailed proof-of-concept in the advisory.

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to execute arbitrary code with full operating system privileges through CORS misconfiguration. A malicious website can inject JavaScript into the Electron-based application's Node.js context via the permissive API (Access-Control-Allow-Origin: * with Access-Control-Allow-Private-Network: true), which executes with OS-level access when the user next opens SiYuan's interface. No public exploit identified at time of analysis, though CVSS 9.6 (Critical) reflects network-accessible attack vector with low complexity requiring only user interaction (visiting malicious site while SiYuan runs). EPSS data not provided, but the combination of Electron framework exploitation, RCE impact, and trivial attack complexity suggests elevated real-world risk for desktop users.

Parse Server versions prior to 8.6.71 and 9.7.1-alpha.1 allow HTTP Range requests to bypass the afterFind trigger and its validators when downloading files from streaming-capable storage adapters like GridFS, enabling unauthorized access to protected files that should be restricted by authentication or authorization logic. This authentication bypass affects all deployments using affected versions with file protection policies enforced via afterFind triggers.

Parse Server versions prior to 8.6.70 and 9.7.0-alpha.18 allow authenticated users with find class-level permissions to bypass protectedFields restrictions on LiveQuery subscriptions by submitting array-like objects with numeric keys instead of proper arrays in $or, $and, or $nor operators. This enables information disclosure through a binary oracle attack that reveals whether protected fields match attacker-supplied values. The vulnerability requires prior authentication and find-level access but no user interaction, affecting all deployments of vulnerable Parse Server versions.

Authenticated users in Parse Server prior to versions 8.6.69 and 9.7.0-alpha.14 can bypass immutability protections on session fields by submitting null values in PUT requests to the session update endpoint, allowing indefinite session validity and circumventing configured session expiration policies. The vulnerability requires valid authentication credentials to exploit and has been patched in the specified versions.

GraphQL query complexity validator in Parse Server allows remote denial-of-service via crafted queries with binary fan-out fragment spreads, blocking the Node.js event loop for seconds with a single unauthenticated request. Parse Server versions prior to 8.6.68 and 9.7.0-alpha.12 are affected when requestComplexity.graphQLDepth or requestComplexity.graphQLFields options are enabled. EPSS data not provided; no public exploit identified at time of analysis. CVSS 8.2 (High) reflects network-accessible attack with low complexity requiring no privileges, causing high availability impact.

Parse Server Cloud Function validator bypass allows unauthenticated remote attackers to execute protected server-side functions by exploiting prototype chain traversal. Attackers append 'prototype.constructor' to Cloud Function URLs to circumvent access controls (requireUser, requireMaster, custom validators), enabling unauthorized execution of backend business logic. Affects Parse Server versions prior to 8.6.67 and 9.7.0-alpha.11. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity (CVSS:4.0 AV:N/AC:L/PR:N). The vulnerability stems from inconsistent prototype chain resolution between handler and validator stores (CWE-863: Incorrect Authorization).

Uncaught TypeError in Node.js HTTP server crashes applications when clients send specially crafted `__proto__` headers and code accesses `req.headersDistinct`. The exception occurs synchronously in a property getter, bypassing standard error handling mechanisms and causing immediate service disruption. Affects Node.js versions 20.x, 22.x, 24.x, and 25.x with CVSS 7.5 (High). EPSS data not available; no public exploit identified at time of analysis, though exploitation requires only sending a malformed HTTP header with no authentication (CVSS:3.0/AV:N/AC:L/PR:N/UI:N).

Unix Domain Socket operations in Node.js 25.x bypass permission model enforcement, allowing local processes to create IPC endpoints and communicate with other processes when run with --permission flag but without --allow-net. An authenticated local attacker can establish inter-process communication channels that circumvent the intended network isolation boundary, resulting in information disclosure and potential privilege escalation within the same host. No public exploit code identified at time of analysis, though the vulnerability affects an experimental permission enforcement feature.

Node.js Permission Model enforcement in versions 20.x, 22.x, 24.x, and 25.x fails to validate read permissions for fs.realpathSync.native(), allowing local authenticated processes running under --permission with restricted --allow-fs-read to enumerate filesystem paths, check file existence, and resolve symlink targets outside permitted directories. This information disclosure vulnerability bypasses sandbox restrictions intentionally configured by administrators and affects multiple stable and current Node.js release series.

Denial of service in Node.js 20.x, 22.x, 24.x, and 25.x via predictable hash collisions in V8's string hashing mechanism allows unauthenticated remote attackers to degrade process performance by crafting requests with specially-crafted JSON payloads that trigger collision cascades in the internal string table. CVSS 5.9 (moderate severity, high attack complexity). No public exploit code or active exploitation confirmed at time of analysis.

Node.js versions 20.x, 22.x, 24.x, and 25.x use non-constant-time comparison for HMAC signature verification, allowing remote attackers to infer valid HMAC values through timing oracle attacks. The vulnerability leaks information proportional to matching bytes and requires high-resolution timing measurement capability, making exploitation feasible in controlled network conditions. CVSS 5.9 (confidentiality impact only); no public exploit identified at time of analysis.

Memory leak in Node.js HTTP/2 servers allows remote unauthenticated attackers to exhaust server memory by sending crafted WINDOW_UPDATE frames on stream 0 that exceed the maximum flow control window value. Affected versions include Node.js 20, 22, 24, and 25. While the server correctly responds with a GOAWAY frame, the Http2Session object fails to be cleaned up, leading to denial of service through resource exhaustion. No public exploit code identified at time of analysis.

Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated low-privilege attackers to escape Node.js vm sandbox and execute arbitrary commands as root inside Docker containers. The vulnerability exploits exposed WritableWorkerStdio stream objects in the sandbox console to traverse the prototype chain, access the host-realm Function constructor, load unrestricted Node.js modules (child_process), and spawn system commands. Confirmed exploited with reverse shell access, database credential theft (DB_PASSWORD, INIT_ROOT_PASSWORD), and arbitrary filesystem operations. EPSS data not available; public exploit code exists with detailed proof-of-concept demonstrating root shell access in nocobase/nocobase:latest Docker image. Critical 10.0 CVSS score reflects network-exploitable, low-complexity attack with complete confidentiality, integrity, and availability impact plus scope change (container escape implications).

Denial of service in Node.js url.format() function allows authenticated remote attackers to crash Node.js processes by supplying malformed internationalized domain names (IDNs) with invalid characters, triggering an assertion failure in native code. CVSS 5.7 (medium severity) with EPSS exploitation probability not independently confirmed. No public exploit code or CISA KEV status identified at time of analysis, but the simplicity of triggering the crash via a standard library function poses moderate real-world risk to production Node.js applications handling untrusted URL input.

Command injection in nektos/act (GitHub Actions local runner) allows attackers to execute arbitrary code by embedding deprecated workflow commands in untrusted input. Act versions prior to 0.2.86 unconditionally process ::set-env:: and ::add-path:: commands that GitHub Actions disabled in 2020, enabling PATH hijacking and environment variable injection when workflows echo PR titles, branch names, or commit messages. Publicly available exploit code exists with working proof-of-concept demonstrating NODE_OPTIONS and LD_PRELOAD injection vectors. This creates a critical supply chain risk where workflows safe on GitHub Actions become exploitable when developers test them locally with act.

Path traversal in @mobilenext/mobile-mcp npm package allows remote attackers to write arbitrary files on the host system through unvalidated file path parameters. The mobile_save_screenshot and mobile_start_screen_recording tools accept user-controlled saveTo and output parameters that are passed directly to Node.js filesystem operations without sanitization, enabling attackers to overwrite critical system files (e.g., ~/.bashrc, ~/.ssh/authorized_keys) via prompt injection attacks. Affects versions prior to 0.0.49. Publicly available exploit code exists (functional Python PoC provided in disclosure). EPSS data not available, but the combination of network attack vector, low complexity (CVSS AC:L), and weaponized exploit code warrants immediate patching for systems running this MCP server.

The Handlebars npm package precompiler (bin/handlebars) allows arbitrary JavaScript injection through unsanitized string concatenation in four distinct code paths: template filenames, namespace option (-n), CommonJS path option (-c), and AMD path option (-h). Attackers who can control template filenames or CLI arguments can inject code that executes when the generated JavaScript bundle is loaded in Node.js or browser environments. Publicly available exploit code exists with multiple proof-of-concept vectors demonstrated, including file system manipulation via require('fs'). CVSS 8.3 reflects local attack vector requiring low privileges and user interaction, with changed scope allowing high confidentiality, integrity, and availability impact.

Handlebars.js template engine crashes Node.js processes when compiling templates containing unregistered decorator syntax (e.g., {{*n}}), enabling single-request denial-of-service attacks against applications that accept user-supplied templates. The vulnerability affects the npm package handlebars (pkg:npm/handlebars) and has CVSS score 7.5 (AV:N/AC:L/PR:N/UI:N). A functional proof-of-concept demonstrating the crash exists in the public advisory, confirming exploit code is publicly available. No active exploitation (CISA KEV) has been reported at time of analysis.

Remote code execution in Handlebars templating engine (npm package) allows unauthenticated attackers to execute arbitrary JavaScript on Node.js servers by exploiting the @partial-block mechanism when combined with vulnerable helper functions. The attack overwrites @partial-block with a malicious Handlebars AST that is dynamically compiled and executed during template rendering. A working proof-of-concept exists demonstrating exploitation via the commonly-used handlebars-helpers package. Vendor-released patch is available in Handlebars version 4.7.9.

Prototype pollution in locutus npm package version 2.0.39 through 3.0.24 allows remote attackers to bypass `Object.prototype` pollution guards via a crafted query string passed to the `parse_str` function, enabling authentication bypass, denial of service, or remote code execution in chained attack scenarios where `RegExp.prototype.test` has been previously compromised. Publicly available exploit code exists demonstrating the vulnerability; vendor-released patch available in version 3.0.25.

Prototype pollution in the locutus npm package's unserialize() function allows remote attackers to inject arbitrary properties into deserialized objects by crafting malicious PHP-serialized payloads containing __proto__ keys, enabling authorization bypass, property propagation attacks, and denial of service via method override. The vulnerability affects locutus versions prior to 3.0.25; publicly available exploit code exists demonstrating property injection, for-in propagation to real own properties, and built-in method disruption.

The digitalbazaar/forge npm package accepts forged Ed25519 signatures due to missing scalar canonicalization checks, allowing authentication and authorization bypass in applications that rely on signature uniqueness. All versions since Ed25519 implementation are affected (confirmed through version 1.3.3), identified as pkg:npm/node-forge. Publicly available exploit code exists with a complete proof-of-concept demonstrating how attackers can create multiple valid signatures for the same message by adding the group order L to the scalar component S, bypassing deduplication, replay protection, and signed-object canonicalization checks. The vendor has released a patch via commit bdecf11571c9f1a487cc0fe72fe78ff6dfa96b85.

Signature forgery in node-forge npm package (all versions through v1.3.3) allows remote attackers to bypass RSASSA PKCS#1 v1.5 signature verification for RSA keys using low public exponent (e=3). Attackers can construct Bleichenbacher-style forged signatures by injecting malicious ASN.1 content within DigestInfo structures and exploiting missing padding length validation, enabling authentication bypass in systems relying on forge for cryptographic verification. Proof-of-concept code demonstrates successful forgery against forge while OpenSSL correctly rejects the same signature. CVSS score 7.5 (High) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis beyond the research POC.

The node-forge cryptographic library for Node.js suffers from a complete Denial of Service condition when the BigInteger.modInverse() function receives zero as input, causing an infinite loop that consumes 100% CPU and blocks the event loop indefinitely. All versions of node-forge (npm package) are affected, impacting applications that process untrusted cryptographic parameters through DSA/ECDSA signature verification or custom modular arithmetic operations. CVSS 7.5 (High severity) reflects network-reachable, unauthenticated exploitation with no user interaction required. A working proof-of-concept exists demonstrating the vulnerability triggers within 5 seconds. Vendor patch is available via GitHub commit 9bb8d67b99d17e4ebb5fd7596cd699e11f25d023.

Prototype pollution in convict npm package version 6.2.4 allows attackers to bypass previous security fixes and pollute Object.prototype through crafted input that manipulates String.prototype.startsWith. The vulnerability affects applications processing untrusted input via convict.set() and can lead to authentication bypass, denial of service, or remote code execution if polluted properties reach dangerous sinks like eval or child_process. A working proof-of-concept exploit demonstrating the bypass technique exists in the advisory.

Prototype pollution in Mozilla's node-convict configuration library allows attackers to inject properties into Object.prototype via two unguarded code paths: config.load()/loadFile() methods that fail to filter forbidden keys during recursive merge operations, and schema initialization accepting constructor.prototype.* keys during default-value propagation. Applications using node-convict (pkg:npm/convict) that process untrusted configuration data face impacts ranging from authentication bypass to remote code execution depending on how polluted properties propagate through the application. This represents an incomplete fix for prior prototype pollution issues (GHSA-44fc-8fm5-q62h), with no public exploit identified at time of analysis.

srvx's FastURL pathname parser on Node.js can be bypassed to circumvent route-based middleware (authentication guards, rate limiters) when absolute URIs with non-standard schemes are sent in raw HTTP requests. An attacker sending a crafted request like `GET file://hehe?/internal/run HTTP/1.1` can cause the router to match a different pathname than what downstream middleware sees after a deoptimization occurs, allowing access to protected endpoints. This affects srvx versions prior to 0.11.13, requires direct HTTP request capability (not browser-accessible), and has a CVSS score of 4.8 with medium complexity attack requirements. No public exploit identified at time of analysis.

Remote command execution can be achieved by low-privileged authenticated users (ProjectMember role) in OneUptime monitoring platform versions prior to 10.0.35 by exploiting incomplete sandbox restrictions in Synthetic Monitor Playwright script execution. Attackers can traverse the unblocked _browserType and launchServer properties via page.context().browser()._browserType.launchServer() to spawn arbitrary processes on the Probe container or host. A proof-of-concept exploit exists per SSVC framework data, and the vulnerability carries a CVSS score of 9.9 with Critical severity due to scope change and total technical impact.

picomatch, a widely-used Node.js glob pattern matching library, contains a Regular Expression Denial of Service (ReDoS) vulnerability when processing crafted extglob patterns such as '+(a|aa)' or nested patterns like '+(+(a))'. The vulnerability affects picomatch versions prior to 4.0.4, 3.0.2, and 2.3.2 (tracked via CPE pkg:npm/picomatch) and allows unauthenticated remote attackers to cause multi-second event-loop blocking with relatively short inputs, resulting in application-wide denial of service. Patches are available from the vendor, and while no KEV listing or EPSS score is provided in the data, the CVSS score of 7.5 (High) reflects the network-accessible, low-complexity attack vector requiring no privileges or user interaction.

YAML parsing in Node.js and Apple products fails to enforce recursion depth limits, allowing an attacker to trigger a stack overflow with minimal input (2-10 KB of nested flow sequences) that crashes the application with an uncaught RangeError. Applications relying solely on YAML-specific exception handling may fail to catch this error, potentially leading to process termination or service disruption. A patch is available for affected versions.

LiquidJS template engine version 10.24.0 and earlier contains a denial-of-service vulnerability in the replace_first filter that enables 625,000:1 memory amplification by exploiting JavaScript's $& backreference pattern. The memoryLimit security control is bypassed because only input strings are charged while exponentially amplified outputs (up to 312.5 MB from 1 byte input) remain unaccounted. Demonstrated proof-of-concept shows 20 concurrent requests cause complete service unavailability for 29 seconds with legitimate user requests delayed by 10.9 seconds. A patch is available via GitHub commit 35d523026345d80458df24c72e653db78b5d061d.

LiquidJS versions 10.24.x and earlier contain a memory limit bypass vulnerability that allows unauthenticated attackers to crash Node.js processes through a single malicious template. By exploiting reverse range expressions to drive the memory counter negative, attackers can allocate unlimited memory and trigger a V8 Fatal error that terminates the entire process, causing complete denial of service. A detailed proof-of-concept exploit is publicly available demonstrating the full attack chain from bypass to process crash.

An information disclosure vulnerability exists in n8n workflow automation software when Task Runners are enabled, allowing authenticated users with workflow creation or modification permissions to allocate uninitialized memory buffers through the JavaScript Task Runner. These buffers may contain residual data from the same Node.js process including secrets, tokens, and data from prior requests, leading to sensitive information exposure. This vulnerability requires CVE-2026-27496 has a CVSS 4.0 score of 7.1 with high confidentiality impact and affects npm package installations of n8n.

The pdf-image npm package through version 2.0.0 contains an OS command injection vulnerability in the pdfFilePath parameter. Attackers can exploit this remotely without authentication by injecting malicious commands through file path inputs that are passed unsafely to shell commands via child_process.exec(). A proof-of-concept exploit is publicly available on GitHub (zebbernCVE/CVE-2026-26830), significantly increasing exploitation risk.

The node-tesseract-ocr npm package versions through 2.2.1 contains a critical OS command injection vulnerability in the recognize() function where file path parameters are concatenated into shell commands without sanitization before being passed to child_process.exec(). Attackers can achieve complete remote code execution with no authentication required. A proof-of-concept exploit exists at the GitHub repository linked in references (zebbernCVE/CVE-2026-26832), indicating active research into this vulnerability.

Parse Server versions prior to 8.6.61 and 9.6.0-alpha.55 expose sensitive authentication credentials to authenticated users via the GET /users/me endpoint, including MFA TOTP secrets and recovery codes that should be sanitized. An attacker who obtains a valid user session token can extract these MFA secrets to bypass multi-factor authentication indefinitely and gain unauthorized access to accounts. No CVSS score or EPSS data is currently available, but the vulnerability has confirmed patches available in stable and alpha releases.

Parse Server versions prior to 8.6.60 and 9.6.0-alpha.54 contain a race condition vulnerability that allows attackers to reuse single-use MFA recovery codes an unlimited number of times through concurrent login requests. An attacker with knowledge of a user's password and possession of one valid recovery code can bypass the intended single-use restriction by sending multiple authentication attempts simultaneously within milliseconds, effectively defeating the multi-factor authentication protection mechanism. This vulnerability is tracked as CWE-367 (TOCTOU race condition) and has been patched in the aforementioned versions with fixes available via pull requests 10275 and 10276.

Parse Server versions prior to 8.6.59 and 9.6.0-alpha.53 contain a SQL injection vulnerability in PostgreSQL aggregate operations that allows attackers with master key access to execute arbitrary SQL statements, escalating from application-level administrator privileges to database-level access. Only PostgreSQL-backed Parse Server deployments are affected; MongoDB deployments are not vulnerable. No CVSS score or EPSS data is currently available, and no KEV or active exploitation reports have been confirmed at this time.

An unauthenticated denial-of-service vulnerability exists in Parse Server versions prior to 8.6.58 and 9.6.0-alpha.52, where attackers can submit authentication requests with arbitrary, unconfigured provider names to trigger expensive unindexed database queries. Each malicious request causes a full collection scan on the user database, and since these requests can be parallelized, an attacker can rapidly exhaust database resources and degrade service availability. The vulnerability requires no authentication or special privileges, making it trivial to exploit at scale, and patches are available in the referenced versions.

Vikunja Desktop (Electron wrapper) versions 0.21.0 through 2.1.x contain a critical remote code execution vulnerability caused by enabled Node.js integration combined with missing navigation controls. An attacker who is a legitimate user on a shared Vikunja instance can inject a malicious hyperlink into user-generated content (task descriptions, comments, project descriptions) that, when clicked by a victim using Vikunja Desktop, causes arbitrary code execution with the victim's OS user privileges. A proof-of-concept demonstrating command execution via a simple HTML link has been documented, and the vulnerability affects all Desktop users on affected versions.

The Vikunja Desktop Electron wrapper enables Node.js integration in the renderer process without proper context isolation or sandboxing, allowing any cross-site scripting vulnerability in the web frontend to escalate directly to remote code execution on the victim's machine. Vikunja versions 0.21.0 through 2.1.x are affected, as confirmed by CPE cpe:2.3:a:go-vikunja:vikunja. An attacker exploiting an XSS flaw gains full access to Node.js APIs and the underlying operating system, making this a critical privilege escalation from web-based XSS to system-level RCE.

A regex-based bypass vulnerability in the @dicebear/converter npm package allows attackers to circumvent SVG dimension sanitization by injecting decoy <svg tags in XML constructs. Applications using @dicebear/converter on Node.js to process untrusted SVG input are vulnerable to denial of service through unbounded memory allocation when rendering malformed SVGs. The CVSS score of 7.5 reflects the high availability impact with network-accessible attack vector requiring no authentication or user interaction.

Node.js applications using Effect library versions 3.19.15 and earlier with @effect/rpc 0.72.1 and @effect/platform 0.94.2 are vulnerable to context confusion due to improper AsyncLocalStorage handling in the MixedScheduler, allowing attackers to access sensitive data from other concurrent requests through race conditions. An attacker can exploit the batching mechanism to read or modify context belonging to different requests processed in the same microtask cycle, potentially leading to data leakage between users in multi-tenant environments. No patch is currently available.

Uptime Kuma versions 1.23.0 through 2.2.0 contain an incomplete Server-Side Template Injection (SSTI) vulnerability in the LiquidJS templating engine that allows authenticated attackers to read arbitrary files from the server. A prior fix (GHSA-vffh-c9pq-4crh) attempted to restrict file path access through three mitigation options (root, relativeReference, dynamicPartials), but this fix only blocks quoted paths; attackers can bypass the mitigation by using unquoted absolute paths like /etc/passwd that successfully resolve through the require.resolve() fallback mechanism in liquid.node.js. The vulnerability requires low privileges (authenticated access) but can result in high confidentiality impact, making it a notable information disclosure risk for self-hosted monitoring deployments.

Path traversal in ApostropheCMS import-export module allows authenticated users with content modification permissions to write files outside the intended export directory via malicious archive entries containing directory traversal sequences. An attacker with editor-level access can exploit this vulnerability to overwrite arbitrary files on the system with CVSS 9.9 critical severity. No patch is currently available for this vulnerability affecting Node.js environments.

A specially crafted Socket.IO packet can cause the server to allocate unbounded memory by waiting for and buffering a large number of binary attachments, leading to denial of service through memory exhaustion. The vulnerability affects socket.io-parser versions across multiple major releases (v2.x, v3.x, and v4.x) used by Socket.IO server and client implementations. No EPSS score or KEV listing is available, but patches have been released by the vendor.

SiYuan's Bazaar marketplace fails to sanitize package metadata (displayName, description) before rendering in the Electron desktop application, allowing stored XSS that escalates to arbitrary remote code execution. Any SiYuan user (versions ≤3.5.9) who browses the Bazaar will automatically execute attacker-controlled code with full OS-level privileges when a malicious package card renders-no installation or user interaction required. A functional proof-of-concept exists demonstrating command execution via img onerror handlers, and this vulnerability is actively tracked in GitHub's advisory database (GHSA-mvpm-v6q4-m2pf), making it a critical supply-chain risk to the SiYuan user community.

SiYuan's Bazaar (community package marketplace) fails to sanitize HTML in package README files during rendering, allowing stored XSS that escalates to remote code execution due to unsafe Electron configuration. An attacker can submit a malicious package with embedded JavaScript in the README that executes with full Node.js access when any user views the package details in the Bazaar. This affects SiYuan versions 3.5.9 and earlier across Windows, macOS, and Linux, with a CVSS score of 9.6 and multiple real-world exploitation vectors including data theft, reverse shells, and persistent backdoors.

CVE-2026-32256 is a security vulnerability (CVSS 7.5). High severity vulnerability requiring prompt remediation.

Node.js authentication bypass allows unauthenticated account creation when empty authData objects bypass credential validation, enabling attackers to establish authenticated sessions without providing required usernames or passwords. This affects applications where anonymous registration is disabled but authentication checks fail to properly validate the authData parameter. The vulnerability is fixed by treating empty authData as absent data and enforcing mandatory credential validation during user registration.

A bypass vulnerability in fast-xml-parser allows attackers to circumvent entity expansion limits through numeric character references (&#NNN;) and standard XML entities, causing denial of service via excessive memory allocation and CPU consumption. The vulnerability affects fast-xml-parser versions 5.x through 5.5.5, completely bypassing security controls added in the previous CVE-2026-26278 fix. A proof-of-concept demonstrates that even with strict limits configured (maxTotalExpansions=10), an attacker can inject 100,000+ numeric entities to consume hundreds of megabytes of memory.

SiYuan's mobile file tree fails to sanitize notebook names in WebSocket rename events, allowing authenticated users to inject arbitrary HTML and JavaScript that executes in other clients' browsers. When combined with Electron's insecure configuration (nodeIntegration enabled, contextIsolation disabled), this stored XSS escalates to remote code execution with full Node.js privileges on affected desktop and mobile clients. The vulnerability affects users with notebook rename permissions across Docker, Node.js, Python, and Apple platforms.

SandboxJS 0.8.34 contains a race condition where a shared global tick state allows concurrent sandboxes to interfere with each other's execution quotas during timer callback compilation. An attacker in a multi-tenant environment can exploit this to bypass resource limits and exhaust CPU/memory on the host system. A patch is available.

Command injection in bazinga012 mcp_code_executor up to version 0.3.0 allows local attackers with user-level privileges to execute arbitrary commands through the installDependencies function in src/index.ts. Public exploit code exists for this vulnerability, affecting Python and Node.js environments. A patch is available and should be applied to remediate this local privilege escalation risk.

Parse Server versions prior to 8.6.40 and 9.6.0-alpha.14 contain an authentication bypass vulnerability in their GraphQL WebSocket subscription endpoint that circumvents Express middleware security controls. An unauthenticated attacker can connect directly to the WebSocket endpoint to execute arbitrary GraphQL operations, perform schema introspection despite disabled public introspection, and send complex queries that bypass rate limiting and complexity validation. This is a network-accessible vulnerability requiring no authentication that exposes sensitive schema information and enables potential denial-of-service attacks.

LibreChat versions prior to 0.8.3-rc1 contain a Denial of Service vulnerability in the DELETE /api/convos endpoint where authenticated attackers can crash the Node.js server process by sending malformed requests lacking the required req.body.arg parameter. The vulnerability exploits improper destructuring without validation, causing an unhandled TypeError that bypasses Express middleware and triggers process.exit(1), resulting in complete service unavailability. No evidence of active exploitation in the wild or public POC has been identified at this time.

create_function() sandbox bypass via unsanitized args passed to Function constructor. PoC available.

Node.js Undici's response deduplication feature accumulates response bodies in memory instead of streaming them, allowing remote attackers to trigger denial of service through large or concurrent responses from untrusted endpoints. Applications using the deduplicate() interceptor are vulnerable to out-of-memory crashes when processing large or chunked responses. No patch is currently available.