Skip to main content

Node.js

1071 CVEs product

Monthly

CVE-2026-31828 npm HIGH PATCH This Week

Parse Server's LDAP authentication adapter fails to properly sanitize user input in Distinguished Names and group filters, allowing authenticated attackers to inject LDAP commands and bypass group-based access controls. This vulnerability enables privilege escalation for any valid LDAP user to gain membership in restricted groups, affecting deployments that rely on LDAP group policies for authorization. Patches are available in versions 9.5.2-alpha.13 and 8.6.26.

Node.js DNS LDAP Privilege Escalation Parse Server
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-31808 npm MEDIUM PATCH This Month

Denial of service in file-type library versions prior to 21.3.1 allows remote attackers to hang Node.js event loops by submitting malformed ASF (WMV/WMA) files that trigger infinite loops during file type detection. Applications using file-type to analyze untrusted input are vulnerable, with a minimal 55-byte payload sufficient to stall processing. No patch is currently available for affected Node.js and File Type products.

Node.js Denial Of Service File Type Red Hat
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-31800 npm CRITICAL PATCH Act Now

Parse Server has a third vulnerability with missing authorization enabling unauthorized operations.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-30972 npm HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.10 and 8.6.23 allow remote attackers to bypass rate limiting protections by submitting multiple requests within a single batch request, since batch processing routes requests internally and circumvents Express middleware controls. Deployments relying on built-in rate limiting are vulnerable to abuse and denial of service attacks. A patch is available in the specified versions.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30967 npm HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.9 and 8.6.22 fail to properly validate OAuth2 token ownership when the useridField option is not configured, allowing attackers with any valid token from the same provider to impersonate arbitrary users. This authentication bypass affects all Parse Server deployments using the generic OAuth2 adapter without the useridField setting. The vulnerability is resolved in patched versions 9.5.2-alpha.9 and 8.6.22.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-30966 npm CRITICAL PATCH Act Now

Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-30965 npm CRITICAL PATCH Act Now

Parse Server has an incorrect authorization vulnerability enabling unauthorized data access across applications.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-30962 npm MEDIUM PATCH This Month

Parse Server versions prior to 9.5.2-alpha.6 and 8.6.19 allow authenticated users to bypass field protection checks by nesting query constraints within logical operators, enabling unauthorized extraction of protected field values. This vulnerability affects all Parse Server deployments with default protected fields, as the validation mechanism only inspects top-level query keys. A patch is available in the specified versions.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-30951 npm HIGH PATCH This Week

SQL injection in Sequelize prior to version 6.37.8 allows unauthenticated attackers to execute arbitrary SQL queries and extract sensitive data by manipulating JSON object keys in WHERE clause operations. The vulnerability stems from improper sanitization of cast type parameters in the _traverseJSON() function, which directly interpolates user-controlled input into CAST SQL statements. Node.js applications using affected Sequelize versions are at risk of complete database compromise.

Node.js SQLi Sequelize
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30949 npm HIGH PATCH This Week

Parse Server's Keycloak authentication adapter fails to validate the authorized party claim in access tokens, allowing tokens issued for one client application to authenticate users on another client within the same Keycloak realm. An authenticated attacker with valid credentials to any client application can exploit this to perform cross-application account takeover against Parse Server instances using Keycloak authentication in multi-client environments. A patch is available in versions 9.5.2-alpha.5 and 8.6.18.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30948 npm MEDIUM PATCH This Month

Parse Server versions prior to 9.5.2-alpha.4 and 8.6.17 allow authenticated users to upload SVG files containing malicious JavaScript that executes in the server's origin context due to missing content security headers, enabling attackers to steal session tokens and compromise user accounts. All deployments with file upload enabled for authenticated users are vulnerable by default, as the file extension filter blocks HTML but not SVG files. A patch is available in the specified versions.

Node.js XSS Parse Server
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-30947 npm HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.3 and 8.6.16 fail to enforce class-level permissions on LiveQuery subscriptions, allowing unauthenticated attackers to subscribe to restricted data classes and receive real-time updates on all objects. This authorization bypass affects all deployments using LiveQuery with permission controls, exposing sensitive data to unauthorized subscribers. A patch is available in the mentioned versions.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30946 npm HIGH PATCH This Week

Parse-Server versions up to 9.5.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-28292 npm CRITICAL POC PATCH GHSA Act Now

simple-git Node.js library has a command injection vulnerability (EPSS with patch) enabling RCE when processing untrusted git operations.

Node.js RCE Command Injection Simple Git
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-30956 npm CRITICAL POC PATCH Act Now

OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.

Authentication Bypass Privilege Escalation Information Disclosure Node.js Oneuptime
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-30941 npm HIGH PATCH This Week

NoSQL injection in Parse Server's password reset and email verification endpoints allows unauthenticated attackers to extract authentication tokens by injecting MongoDB query operators through the unvalidated token parameter. Affected deployments running MongoDB with these features enabled are vulnerable to email verification bypass and password reset token theft. The vulnerability is fixed in versions 8.6.14 and 9.5.2-alpha.1.

Node.js MongoDB SQLi Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30939 npm HIGH PATCH This Week

Unauthenticated attackers can crash Parse Server instances by invoking Cloud Function endpoints with prototype property names, triggering infinite recursion and process termination. Additionally, attackers can bypass validation checks using prototype pollution techniques to elicit HTTP 200 responses for non-existent functions. All Parse Server versions prior to 8.6.13 and 9.5.1-alpha.2 are affected when the Cloud Function endpoint is exposed.

Node.js Denial Of Service Parse Server
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-30938 npm MEDIUM PATCH This Month

Parse Server versions prior to 8.6.12 and 9.5.1-alpha.1 allow attackers to bypass the requestKeywordDenylist security control by nesting prohibited keywords within objects or arrays in request payloads, enabling injection of restricted data into applications. This logic flaw affects all Parse Server deployments since the denylist is enabled by default, and custom keyword restrictions configured by developers are equally vulnerable to the same bypassing technique. Attackers can exploit this to inject malicious content or bypass access controls on any Parse Server instance.

Node.js Parse Server
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-2741 Maven LOW PATCH Monitor

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 versions up to 14.14.0 is affected by path traversal.

Node.js Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-30925 npm HIGH PATCH This Week

Parse Server's LiveQuery feature is vulnerable to denial of service through malicious regex patterns that trigger catastrophic backtracking, freezing the Node.js event loop and rendering the entire server unresponsive to all clients. Attackers only require the publicly available application ID and JavaScript key to exploit this vulnerability on any Parse Server with LiveQuery enabled. Updates to versions 9.5.0-alpha.14 or 8.6.11 and later address this issue.

Node.js Parse Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30887 npm CRITICAL POC PATCH Act Now

OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring configuration.

Node.js Oneuptime
NVD GitHub VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-31802 npm MEDIUM PATCH This Month

node-tar is a full-featured Tar for Node.js.

Node.js Path Traversal Tar Red Hat
NVD GitHub VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-30863 npm CRITICAL PATCH Act Now

Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popular open-source backend framework for mobile and web applications.

Node.js Parse Server
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-30854 npm MEDIUM PATCH This Month

Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.9 allow unauthenticated attackers to bypass GraphQL introspection restrictions by nesting __type queries within inline fragments, enabling unauthorized schema reconnaissance. An attacker can exploit this to enumerate available types and fields in the GraphQL API despite the graphQLPublicIntrospection control being disabled. The vulnerability affects Parse Server deployments running on Node.js and has been patched in version 9.5.0-alpha.10.

Node.js Parse Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-30850 npm MEDIUM PATCH This Month

Parse Server versions prior to 8.6.9 and 9.5.0-alpha.9 fail to enforce file access control triggers on the metadata endpoint, allowing unauthenticated attackers to retrieve sensitive file metadata that should be restricted. This bypass occurs because beforeFind and afterFind triggers are not invoked when accessing file metadata, circumventing security gates intended to protect file information. Affected organizations using Parse Server without the patched versions face unauthorized disclosure of file metadata.

Node.js Parse Server
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-30848 npm LOW PATCH Monitor

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. [CVSS 3.7 LOW]

Node.js Path Traversal
NVD GitHub
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-29786 npm HIGH POC PATCH This Week

Arbitrary file overwrite in node-tar before 7.5.10 lets a malicious tar archive write files outside the intended extraction directory on Windows by embedding a hardlink whose target uses a drive-relative path such as 'C:../target.txt'. The flaw triggers during ordinary tar.x() extraction, so any Node.js application that unpacks untrusted archives on Windows is exposed. Publicly available exploit code exists via the GitHub Security Advisory, though EPSS exploitation probability is very low (0.02%) and it is not listed in CISA KEV.

Node.js Tar Path Traversal
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-29784 npm HIGH PATCH This Week

Cross-site request forgery (CSRF) in Ghost CMS versions 5.101.6 through 6.19.2 permits attackers to reuse one-time codes across different login sessions via the /session/verify endpoint, potentially enabling account takeover through phishing attacks. The vulnerability affects Ghost deployments on Node.js and related platforms, requiring no user authentication but relying on user interaction. A patch is available in Ghost version 6.19.3 and later.

Node.js CSRF Ghost
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30827 npm HIGH POC PATCH This Week

express-rate-limit versions 8.0.0 through 8.3.0 (excluding patched versions) collapse all IPv4 client traffic into a single rate-limit bucket due to incorrect IPv6 subnet masking of IPv4-mapped addresses, allowing any client to trigger denial of service for all other IPv4 users by exhausting the shared limit. Public exploit code exists for this vulnerability, affecting Node.js applications using the vulnerable middleware versions. Organizations should upgrade to versions 8.0.2, 8.1.1, 8.2.2, or 8.3.0 immediately.

Node.js Express Rate Limit Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30835 npm MEDIUM PATCH This Month

Parse Server versions prior to 8.6.7 and 9.5.0-alpha.6 expose sensitive database information through unfiltered error responses when processing malformed regex queries. An unauthenticated attacker can craft specially crafted query parameters to leak database internals including error messages, cluster details, and topology information. Patches are available for affected versions.

Node.js Parse Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-30229 npm HIGH PATCH This Week

Improper authorization in Parse Server versions prior to 8.6.6 and 9.5.0-alpha.4 allows read-only master key holders to bypass access controls via the /loginAs endpoint and obtain valid session tokens for arbitrary users. An attacker with readOnlyMasterKey credentials can impersonate any user and gain full read and write access to their data. All Parse Server deployments utilizing readOnlyMasterKey functionality are affected, and no patch is currently available.

Node.js Parse Server
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2026-30228 npm MEDIUM PATCH This Month

Parse Server versions before 8.6.5 and 9.5.0-alpha.3 allow the readOnlyMasterKey to perform write and delete operations on files, violating the intended read-only access restriction. An authenticated attacker with the readOnlyMasterKey can upload arbitrary files or delete existing files via the Files API on affected deployments. No patch is currently available for this medium-severity vulnerability that impacts organizations using Parse Server with exposed file endpoints.

Node.js Parse Server
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2026-29182 npm HIGH PATCH This Week

Parse Server's readOnlyMasterKey incorrectly permits write operations on Cloud Hooks and Cloud Jobs despite being documented to deny mutations, allowing authenticated attackers with knowledge of the key to create, modify, and delete hooks or trigger jobs for potential data exfiltration. This vulnerability affects all Parse Server deployments using the readOnlyMasterKey option and has been patched in versions 8.6.4 and 9.4.1-alpha.3.

Node.js Parse Server
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-29087 npm HIGH PATCH This Week

@hono/node-server versions prior to 1.19.10 contain an authorization bypass in static file serving due to inconsistent URL decoding between routing middleware and file resolution logic. An unauthenticated remote attacker can bypass route-based access controls by crafting requests with encoded slashes (%2F) to access protected static resources that should be restricted by middleware. Organizations running affected versions should upgrade immediately as no workaround is available.

Node.js Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-29074 npm HIGH POC PATCH This Week

Denial of service in SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 allows unauthenticated attackers to crash the Node.js process through XML entity expansion attacks, with a minimal 811-byte payload triggering heap exhaustion. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users of SVGO, Node.js, and Golang implementations should restrict input sources until updates are released.

Node.js Denial Of Service Svgo
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-28794 npm CRITICAL POC PATCH Act Now

Prototype pollution in oRPC before 1.13.6. PoC and patch available.

Node.js RCE Denial Of Service Authentication Bypass Deserialization +1
NVD GitHub
CVSS 3.1
9.8
EPSS
0.8%
CVE-2026-28456 npm HIGH PATCH This Week

Improper path validation in OpenClaw Gateway versions before 2026.2.14 enables authenticated administrators to achieve arbitrary code execution by manipulating hook module paths passed to dynamic imports. An attacker with configuration modification privileges can load and execute malicious local modules within the Node.js process, gaining full system compromise capabilities.

Node.js Openclaw
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-29053 npm HIGH PATCH This Week

Arbitrary code execution in Ghost CMS versions 0.7.2 through 6.19.0 allows authenticated attackers with theme upload privileges to execute malicious code on the server by crafting specially designed theme files. The vulnerability affects Ghost installations running on Node.js and requires high privileges to exploit, though successful attacks compromise complete server integrity with confidentiality, integrity, and availability impact. No patch is currently available for affected versions.

Node.js Ghost
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2025-68467 npm LOW PATCH Monitor

Dark Reader is an accessibility browser extension that makes web pages colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. [CVSS 3.4 LOW]

Node.js Google Information Disclosure Chrome
NVD GitHub VulDB
CVSS 3.1
3.4
EPSS
0.0%
CVE-2026-3520 npm HIGH PATCH This Week

Denial of service in Multer (Express.js multipart/form-data middleware) before version 2.1.1 allows remote unauthenticated attackers to crash a Node.js application by sending specially malformed multipart requests that trigger uncontrolled recursion and stack overflow. Affecting one of the most widely used file-upload middlewares in the Node.js/Express ecosystem, the flaw carries a CVSS 4.0 base score of 8.7 with availability-only impact. There is no public exploit identified at time of analysis and the EPSS score is very low (0.06%, 18th percentile), but a vendor patch and Red Hat errata are available.

Node.js Denial Of Service Multer
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-3304 npm HIGH PATCH This Week

Denial of service in Multer (the Express/Node.js multipart/form-data middleware) before version 2.1.0 lets remote attackers exhaust server resources by submitting malformed multipart requests, crashing or hanging the upload-handling process. The flaw scores CVSS 4.0 8.7 with an availability-only impact and requires no authentication or user interaction; no public exploit has been identified at time of analysis and EPSS rates near-term exploitation probability very low (0.06%, 17th percentile). A vendor patch (2.1.0) is available and Red Hat has shipped errata, but no workaround exists.

Node.js Denial Of Service Multer
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-2359 npm HIGH PATCH This Week

Denial of service in Multer (Express.js multipart/form-data middleware) before version 2.1.0 lets remote unauthenticated attackers exhaust server resources by abruptly dropping the connection mid file-upload, leaving allocated resources unreleased. The flaw maps to CWE-772 (missing release of resource) and carries a CVSS 4.0 base score of 8.7 driven entirely by availability impact. There is no public exploit identified at time of analysis and the EPSS probability is very low (0.06%), but a fixed release (2.1.0) is available and no workarounds exist.

Node.js Denial Of Service File Upload Multer
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.1%
CVE-2026-27959 npm HIGH POC PATCH This Week

Host header injection in Koa's ctx.hostname API (versions prior to 2.16.4 and 3.1.2) allows remote attackers to inject arbitrary hostnames through malformed Host headers containing @ symbols, affecting applications that use this API for security-sensitive operations like URL generation, password reset links, and email verification. Public exploit code exists for this vulnerability. Applications relying on ctx.hostname for routing decisions or generating user-facing URLs are at risk of credential theft, account compromise, and phishing attacks.

Node.js Koa Code Injection
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27903 npm HIGH POC PATCH This Week

Minimatch versions before 3.1.3 through 10.2.3 suffer from catastrophic backtracking in glob pattern matching when processing multiple GLOBSTAR segments, allowing attackers who control glob patterns to trigger exponential time complexity and cause denial of service. Public exploit code exists for this vulnerability, and affected Node.js applications using vulnerable Minimatch versions are at immediate risk. No patch is currently available, requiring users to upgrade to patched versions or implement input validation as a mitigation.

Node.js Minimatch Red Hat
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27818 npm HIGH PATCH This Week

Improper input validation in TerriaJS-Server versions before 4.0.3 allows unauthenticated remote attackers to bypass domain allowlist restrictions and proxy requests to arbitrary domains. This vulnerability affects Node.js deployments of TerriaJS and could enable attackers to access restricted resources or perform server-side request forgery attacks. A patch is available in version 4.0.3 and later.

Node.js Terriajs Server
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-27804 npm CRITICAL PATCH Act Now

Weak cryptographic algorithm in Parse Server before 8.6.3/9.1.1-alpha.4 allows attackers to bypass security mechanisms. Patch available.

Node.js Parse Server
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-27577 npm CRITICAL PATCH Act Now

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.

RCE Code Injection Command Injection Node.js N8n
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
CVE-2026-27699 npm CRITICAL POC PATCH Act Now

Path traversal in basic-ftp Node.js FTP client library before 5.2.0 allows malicious FTP servers to write files outside the intended download directory. PoC and patch available.

Node.js Path Traversal Basic Ftp Red Hat Suse
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-69985 npm CRITICAL POC Act Now

Authentication bypass in FUXA SCADA/HMI system 1.2.8 and prior leading to Remote Code Execution. Unauthenticated attackers can execute arbitrary code on industrial control HMI systems. EPSS 0.64% with PoC available.

Node.js RCE Authentication Bypass Fuxa
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-27574 npm CRITICAL POC PATCH Act Now

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

Node.js Redis Oneuptime
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-27492 npm MEDIUM PATCH This Month

Email content leakage in Lettermint Node.js SDK versions 1.5.0 and below allows local authenticated users to intercept sensitive email data when a single client instance sends multiple messages, as email properties are not properly cleared between sends. Applications using transactional email flows with reused client instances risk exposing recipient addresses and message content to unintended parties. The vulnerability has been patched in version 1.5.1.

Node.js Lettermint
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-26980 npm CRITICAL POC PATCH GHSA Act Now

SQL injection in Ghost CMS versions 3.24.0 through 6.19.0 allows unauthenticated attackers to read arbitrary database data. Patch available.

Node.js SQLi
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-26960 npm HIGH POC PATCH This Week

Path traversal in node-tar versions 7.5.7 and earlier allows local attackers to read and write arbitrary files outside the extraction directory by crafting malicious tar archives containing hardlinks that bypass extraction path validation. Public exploit code exists for this vulnerability, which affects default extraction configurations in Node.js and related Tar implementations. The vulnerability has been patched in node-tar 7.5.8.

D-Link Node.js Tar Red Hat Suse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-26974 npm CRITICAL PATCH Act Now

Code inclusion from untrusted source in Slyde presentation tool 0.0.4 and below. Automatically imports plugin files. Patch available.

Node.js Slyde
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-26323 npm HIGH PATCH This Week

Arbitrary command execution in OpenClaw versions 2026.1.8 through 2026.2.13 allows attackers to execute shell commands when developers or CI systems run the update-clawtributors.ts maintenance script on repositories containing malicious commit metadata. The vulnerability stems from unsanitized interpolation of git author emails into shell commands via execSync, exploitable only by those with access to the development environment or source repository. Version 2026.2.14 patches the issue.

Node.js Github Command Injection AI / ML Openclaw
NVD GitHub
CVSS 3.1
8.8
EPSS
0.2%
CVE-2026-26318 npm HIGH POC PATCH This Week

Command injection in systeminformation versions before 5.31.0 allows local attackers with user privileges to execute arbitrary system commands through unsanitized output parsing in the versions() function. Public exploit code exists for this vulnerability, which provides complete system compromise capabilities including information disclosure, modification, and denial of service. Upgrade to version 5.31.0 or later to remediate.

Node.js Command Injection Systeminformation
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-26280 npm HIGH POC PATCH This Week

Command injection in the systeminformation Node.js library (versions prior to 5.30.8) lets attackers run arbitrary OS commands on Linux hosts through the wifiNetworks() function. While the iface argument is sanitized on the first call, the setTimeout retry path (triggered when the initial scan returns no results) re-invokes getWifiNetworkListIw() with the original unsanitized value, which reaches execSync('iwlist <iface> scan'). Any application that forwards user-controlled input to si.wifiNetworks() can be coerced into executing commands with the Node.js process privileges; publicly available exploit code exists, though EPSS risk is low (0.08%, 24th percentile) and it is not on the CISA KEV list.

Node.js Command Injection Systeminformation
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-56647 npm MEDIUM PATCH This Month

farmfe/core versions up to 1.7.6 contains a vulnerability that allows attackers to surveil developers running Farm who visit their webpage and steal source code th (CVSS 6.5).

Node.js
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2391 npm LOW POC PATCH Monitor

### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. [CVSS 3.7 LOW]

Node.js Denial Of Service
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-26021 npm CRITICAL POC PATCH Act Now

Prototype pollution in set-in npm package allows modification of Object prototype. PoC and patch available.

Node.js Set In
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-25931 HIGH This Week

Arbitrary code execution in vscode-spell-checker prior to v4.5.4 allows attackers to execute malicious Node.js code by placing a crafted .cspell.config.js file in an untrusted workspace, since the extension fails to validate VS Code's workspace-trust state before loading configuration files. An attacker can exploit this by tricking users into opening a malicious workspace, resulting in code execution with the privileges of the extension host process.

Node.js
NVD GitHub
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-25639 npm HIGH POC PATCH MAL This Week

Axios versions up to 0.30.3 is affected by improper check for unusual or exceptional conditions (CVSS 7.5).

Node.js Denial Of Service Axios
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1615 npm HIGH PATCH This Week

Remote code execution in the jsonpath npm package (versions <1.2.0) allows unauthenticated attackers to execute arbitrary JavaScript code by injecting malicious JSON Path expressions. The vulnerability stems from unsafe evaluation through the static-eval module, which processes user-supplied JSON Path input without proper sanitization. All query methods (.query, .nodes, .paths, .value, .parent, .apply) are affected. While EPSS scoring indicates relatively low widespread exploitation probability (0.09%, 26th percentile), multiple vendor patches from Red Hat and SUSE confirm the severity, and publicly available exploit code exists (CVSS E:P). This represents critical risk for Node.js applications processing untrusted JSON Path expressions, with potential for both server-side RCE and browser-based XSS depending on execution context.

Node.js RCE XSS Code Injection
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.1%
CVE-2026-25651 npm MEDIUM POC PATCH This Month

Client-certificate-auth middleware for Node.js versions 0.2.1 and 0.3.0 fails to validate the Host header when redirecting HTTP requests to HTTPS, enabling attackers to craft malicious redirects that direct users to arbitrary domains. Public exploit code exists for this open redirect vulnerability, and no patch is currently available for affected versions.

Node.js TLS Open Redirect Client Certificate Auth
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-25547 npm PATCH Monitor

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the...

Node.js Denial Of Service
NVD GitHub VulDB
EPSS
0.0%
CVE-2026-25053 npm CRITICAL PATCH Act Now

n8n has a command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands through workflow definitions.

RCE Command Injection Information Disclosure Node.js AI / ML +1
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-25049 npm CRITICAL POC PATCH Act Now

n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.

RCE Command Injection Code Injection Node.js AI / ML +1
NVD GitHub
CVSS 3.1
9.9
EPSS
0.0%
CVE-2025-61917 npm HIGH PATCH This Week

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. [CVSS 7.7 HIGH]

Node.js Information Disclosure N8n
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-25224 npm LOW PATCH Monitor

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in...

Node.js Denial Of Service
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-25223 npm HIGH PATCH This Week

Fastify versions before 5.7.2 allow attackers to bypass request body validation by injecting a tab character into the Content-Type header, enabling malicious payloads to reach application logic without validation checks. This remote attack requires no authentication and affects Node.js applications using vulnerable Fastify versions. A patch is available in version 5.7.2 and later.

Node.js Fastify Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-24040 npm MEDIUM POC PATCH This Month

jsPDF versions prior to 4.1.0 contain a race condition in the addJS method where a shared module-scoped variable is overwritten during concurrent PDF generation, causing JavaScript payloads and embedded data intended for one user to be included in another user's generated PDF. This cross-user data leakage primarily affects server-side Node.js deployments handling simultaneous requests, allowing attackers to access sensitive information leaked across user sessions. Public exploit code exists for this vulnerability.

Node.js Race Condition Jspdf Red Hat
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25153 npm HIGH PATCH This Week

Arbitrary Python code execution in Backstage's @backstage/plugin-techdocs-node (versions < 1.13.11 and = 1.14.0) lets a contributor who can add or edit a repository's mkdocs.yml inject a malicious MkDocs `hooks` directive that runs on the TechDocs build server whenever TechDocs is configured with `runIn: local`. The flaw also affects documentation built in CI/CD via @techdocs/cli, which bundles the same package. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the CVSS of 8.8 reflects full host compromise of the build environment.

Python Node.js Docker Backstage Code Injection +1
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-25152 npm MEDIUM PATCH This Month

Backstage TechDocs plugin versions prior to 1.13.11 and 1.14.1 contain a path traversal vulnerability that allows authenticated attackers to read arbitrary files from the host filesystem when the local generator is enabled. The vulnerability stems from insufficient symlink validation during the documentation build process, enabling attackers to embed sensitive file contents into generated HTML accessible to documentation viewers. Organizations using `techdocs.generator.runIn: local` with untrusted documentation sources are at risk until patching to the fixed versions.

Node.js Docker Path Traversal Backstage Red Hat
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25047 npm HIGH POC PATCH This Week

Deephas versions up to 1.0.7 is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 8.8).

Node.js Deephas
NVD GitHub Exploit-DB VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-57283 npm HIGH PATCH This Week

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. [CVSS 7.8 HIGH]

Node.js Command Injection Browserstack Local Code Injection RCE
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-24842 npm HIGH POC PATCH This Week

node-tar before version 7.5.7 contains a path traversal vulnerability where inconsistent path resolution between validation and execution logic allows attackers to bypass security checks and create hardlinks to arbitrary files outside the intended extraction directory. Public exploit code exists for this vulnerability, affecting Node.js applications that process untrusted TAR archives. An attacker can craft a malicious TAR file to write to sensitive locations on the system.

Node.js Path Traversal Tar
NVD GitHub VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-24910 MEDIUM This Month

Bun versions prior to 1.3.5 allow attackers to bypass the trusted dependencies allowlist by creating non-npm packages with names matching legitimate packages, enabling potential code execution through dependency confusion attacks. This local vulnerability affects systems using Bun's package management where an attacker can craft malicious packages with identical names to trusted dependencies. No patch is currently available for affected Node.js and GitHub integrations.

Node.js Github
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2026-24131 npm MEDIUM POC PATCH This Month

pnpm versions before 10.28.2 fail to validate the `directories.bin` field during package processing, allowing malicious packages to use path traversal (e.g., `../../../../tmp`) to escape the package root and chmod 755 files at arbitrary locations on Unix-like systems. Public exploit code exists for this vulnerability. The issue affects Linux, macOS, and Node.js environments but not Windows due to platform-specific protections.

Linux Windows macOS Node.js Pnpm +2
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-24056 npm MEDIUM POC PATCH This Month

pnpm versions prior to 10.28.2 fail to properly constrain symlink resolution when installing file: and git: dependencies, allowing malicious packages to copy sensitive files from the host system into node_modules and leak credentials. This affects developers using local file dependencies and CI/CD pipelines installing git-based packages, with public exploit code available. The vulnerability enables theft of credentials from locations like ~/.ssh/id_rsa and ~/.npmrc by exploiting symlinks to absolute paths outside the package root.

Node.js Pnpm Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23890 npm MEDIUM POC PATCH This Month

Pnpm versions up to 10.28.1 contains a vulnerability that allows attackers to overwriting config files, scripts, or other sensitive files (CVSS 6.5).

Node.js Path Traversal Pnpm Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23889 npm MEDIUM POC PATCH This Month

Path traversal in pnpm's tarball extraction on Windows allows attackers to write files outside the intended package directory by exploiting incomplete path normalization that fails to block backslash-based traversal sequences. Public exploit code exists for this vulnerability, which affects Windows developers and CI/CD pipelines (GitHub Actions, Azure DevOps) and could result in overwriting sensitive configuration files like .npmrc or build configurations. A patch is available in pnpm version 10.28.1 and later.

Windows Node.js Azure Github Path Traversal +2
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23888 npm MEDIUM POC PATCH This Month

Path traversal in pnpm's binary fetcher (versions prior to 10.28.1) allows attackers to write files outside the intended extraction directory through malicious ZIP entries or crafted prefix values, potentially overwriting critical configuration files and scripts on affected systems. All pnpm users installing packages with binary assets are vulnerable, particularly those in CI/CD pipelines or with custom Node.js binary configurations. Public exploit code exists for this medium-severity vulnerability.

Node.js Path Traversal Pnpm Red Hat Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22709 npm CRITICAL POC PATCH Act Now

Sandbox escape in vm2 Node.js sandbox before 3.10.2 via Promise.prototype.then/catch callback sanitization bypass. PoC and patch available.

Node.js Vm2
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-59472 npm MEDIUM PATCH This Month

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. [CVSS 5.9 MEDIUM]

Node.js Denial Of Service Next.Js Red Hat Vercel
NVD GitHub
CVSS 3.1
5.9
EPSS
0.1%
CVE-2020-36956 MEDIUM POC This Month

Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. [CVSS 6.4 MEDIUM]

Node.js XSS
NVD GitHub Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-0775 HIGH PATCH This Week

npm cli contains an insecure module loading mechanism that enables local privilege escalation on Node.js installations. An attacker with low-privileged code execution can exploit this flaw to gain elevated privileges and execute arbitrary code with target user permissions. No patch is currently available for this vulnerability.

Node.js Privilege Escalation RCE
NVD VulDB
CVSS 3.1
7.0
EPSS
0.0%
CVE-2026-21637 HIGH PATCH This Week

Node.js TLS servers using PSK or ALPN callbacks are vulnerable to denial of service when these callbacks throw unhandled synchronous exceptions during the TLS handshake. Remote attackers can exploit this by sending specially crafted TLS handshake requests to trigger resource exhaustion or process crashes, either through immediate termination or silent file descriptor leaks. No patch is currently available for this vulnerability.

Node.js TLS Denial Of Service Node.Js Red Hat +1
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-21636 CRITICAL PATCH Act Now

Node.js has a CVSS 10.0 permission model bypass that allows Unix Domain Socket connections to completely bypass network restrictions when --allow-net is configured.

Node.js Privilege Escalation Node.Js Red Hat Suse
NVD
CVSS 3.1
10.0
EPSS
0.0%
CVE-2025-59466 HIGH PATCH This Week

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. [CVSS 7.5 HIGH]

Node.js Denial Of Service Node.Js Red Hat Suse
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-59465 HIGH PATCH This Week

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. [CVSS 7.5 HIGH]

Node.js Denial Of Service Node Js
NVD HeroDevs VulDB
CVSS 3.1
7.5
EPSS
0.1%
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Parse Server's LDAP authentication adapter fails to properly sanitize user input in Distinguished Names and group filters, allowing authenticated attackers to inject LDAP commands and bypass group-based access controls. This vulnerability enables privilege escalation for any valid LDAP user to gain membership in restricted groups, affecting deployments that rely on LDAP group policies for authorization. Patches are available in versions 9.5.2-alpha.13 and 8.6.26.

Node.js DNS LDAP +2
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Denial of service in file-type library versions prior to 21.3.1 allows remote attackers to hang Node.js event loops by submitting malformed ASF (WMV/WMA) files that trigger infinite loops during file type detection. Applications using file-type to analyze untrusted input are vulnerable, with a minimal 55-byte payload sufficient to stall processing. No patch is currently available for affected Node.js and File Type products.

Node.js Denial Of Service File Type +1
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Parse Server has a third vulnerability with missing authorization enabling unauthorized operations.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.10 and 8.6.23 allow remote attackers to bypass rate limiting protections by submitting multiple requests within a single batch request, since batch processing routes requests internally and circumvents Express middleware controls. Deployments relying on built-in rate limiting are vulnerable to abuse and denial of service attacks. A patch is available in the specified versions.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.9 and 8.6.22 fail to properly validate OAuth2 token ownership when the useridField option is not configured, allowing attackers with any valid token from the same provider to impersonate arbitrary users. This authentication bypass affects all Parse Server deployments using the generic OAuth2 adapter without the useridField setting. The vulnerability is resolved in patched versions 9.5.2-alpha.9 and 8.6.22.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Parse Server has a CVSS 10.0 access control vulnerability enabling complete bypass of all data access restrictions.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Parse Server has an incorrect authorization vulnerability enabling unauthorized data access across applications.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Parse Server versions prior to 9.5.2-alpha.6 and 8.6.19 allow authenticated users to bypass field protection checks by nesting query constraints within logical operators, enabling unauthorized extraction of protected field values. This vulnerability affects all Parse Server deployments with default protected fields, as the validation mechanism only inspects top-level query keys. A patch is available in the specified versions.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

SQL injection in Sequelize prior to version 6.37.8 allows unauthenticated attackers to execute arbitrary SQL queries and extract sensitive data by manipulating JSON object keys in WHERE clause operations. The vulnerability stems from improper sanitization of cast type parameters in the _traverseJSON() function, which directly interpolates user-controlled input into CAST SQL statements. Node.js applications using affected Sequelize versions are at risk of complete database compromise.

Node.js SQLi Sequelize
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Parse Server's Keycloak authentication adapter fails to validate the authorized party claim in access tokens, allowing tokens issued for one client application to authenticate users on another client within the same Keycloak realm. An authenticated attacker with valid credentials to any client application can exploit this to perform cross-application account takeover against Parse Server instances using Keycloak authentication in multi-client environments. A patch is available in versions 9.5.2-alpha.5 and 8.6.18.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Parse Server versions prior to 9.5.2-alpha.4 and 8.6.17 allow authenticated users to upload SVG files containing malicious JavaScript that executes in the server's origin context due to missing content security headers, enabling attackers to steal session tokens and compromise user accounts. All deployments with file upload enabled for authenticated users are vulnerable by default, as the file extension filter blocks HTML but not SVG files. A patch is available in the specified versions.

Node.js XSS Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Parse Server versions prior to 9.5.2-alpha.3 and 8.6.16 fail to enforce class-level permissions on LiveQuery subscriptions, allowing unauthenticated attackers to subscribe to restricted data classes and receive real-time updates on all objects. This authorization bypass affects all deployments using LiveQuery with permission controls, exposing sensitive data to unauthorized subscribers. A patch is available in the mentioned versions.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Parse-Server versions up to 9.5.2 is affected by allocation of resources without limits or throttling (CVSS 7.5).

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

simple-git Node.js library has a command injection vulnerability (EPSS with patch) enabling RCE when processing untrusted git operations.

Node.js RCE Command Injection +1
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

OneUptime prior to 10.0.21 has a third authorization bypass enabling low-privileged users to access admin functions.

Authentication Bypass Privilege Escalation Information Disclosure +2
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

NoSQL injection in Parse Server's password reset and email verification endpoints allows unauthenticated attackers to extract authentication tokens by injecting MongoDB query operators through the unvalidated token parameter. Affected deployments running MongoDB with these features enabled are vulnerable to email verification bypass and password reset token theft. The vulnerability is fixed in versions 8.6.14 and 9.5.2-alpha.1.

Node.js MongoDB SQLi +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unauthenticated attackers can crash Parse Server instances by invoking Cloud Function endpoints with prototype property names, triggering infinite recursion and process termination. Additionally, attackers can bypass validation checks using prototype pollution techniques to elicit HTTP 200 responses for non-existent functions. All Parse Server versions prior to 8.6.13 and 9.5.1-alpha.2 are affected when the Cloud Function endpoint is exposed.

Node.js Denial Of Service Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Parse Server versions prior to 8.6.12 and 9.5.1-alpha.1 allow attackers to bypass the requestKeywordDenylist security control by nesting prohibited keywords within objects or arrays in request payloads, enabling injection of restricted data into applications. This logic flaw affects all Parse Server deployments since the denylist is enabled by default, and custom keyword restrictions configured by developers are equally vulnerable to the same bypassing technique. Attackers can exploit this to inject malicious content or bypass access controls on any Parse Server instance.

Node.js Parse Server
NVD GitHub VulDB
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 versions up to 14.14.0 is affected by path traversal.

Node.js Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Parse Server's LiveQuery feature is vulnerable to denial of service through malicious regex patterns that trigger catastrophic backtracking, freezing the Node.js event loop and rendering the entire server unresponsive to all clients. Attackers only require the publicly available application ID and JavaScript key to exploit this vulnerability on any Parse Server with LiveQuery enabled. Updates to versions 9.5.0-alpha.14 or 8.6.11 and later address this issue.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

OneUptime monitoring platform prior to 10.0.18 allows code injection (CVSS 9.9) enabling RCE through the monitoring configuration.

Node.js Oneuptime
NVD GitHub VulDB
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

node-tar is a full-featured Tar for Node.js.

Node.js Path Traversal Tar +1
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Authentication bypass in Parse Server allows unauthenticated access to protected API endpoints. Parse Server is a popular open-source backend framework for mobile and web applications.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Parse Server versions 9.3.1-alpha.3 through 9.5.0-alpha.9 allow unauthenticated attackers to bypass GraphQL introspection restrictions by nesting __type queries within inline fragments, enabling unauthorized schema reconnaissance. An attacker can exploit this to enumerate available types and fields in the GraphQL API despite the graphQLPublicIntrospection control being disabled. The vulnerability affects Parse Server deployments running on Node.js and has been patched in version 9.5.0-alpha.10.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Parse Server versions prior to 8.6.9 and 9.5.0-alpha.9 fail to enforce file access control triggers on the metadata endpoint, allowing unauthenticated attackers to retrieve sensitive file metadata that should be restricted. This bypass occurs because beforeFind and afterFind triggers are not invoked when accessing file metadata, circumventing security gates intended to protect file information. Affected organizations using Parse Server without the patched versions face unauthorized disclosure of file metadata.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. [CVSS 3.7 LOW]

Node.js Path Traversal
NVD GitHub
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

Arbitrary file overwrite in node-tar before 7.5.10 lets a malicious tar archive write files outside the intended extraction directory on Windows by embedding a hardlink whose target uses a drive-relative path such as 'C:../target.txt'. The flaw triggers during ordinary tar.x() extraction, so any Node.js application that unpacks untrusted archives on Windows is exposed. Publicly available exploit code exists via the GitHub Security Advisory, though EPSS exploitation probability is very low (0.02%) and it is not listed in CISA KEV.

Node.js Tar Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Cross-site request forgery (CSRF) in Ghost CMS versions 5.101.6 through 6.19.2 permits attackers to reuse one-time codes across different login sessions via the /session/verify endpoint, potentially enabling account takeover through phishing attacks. The vulnerability affects Ghost deployments on Node.js and related platforms, requiring no user authentication but relying on user interaction. A patch is available in Ghost version 6.19.3 and later.

Node.js CSRF Ghost
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

express-rate-limit versions 8.0.0 through 8.3.0 (excluding patched versions) collapse all IPv4 client traffic into a single rate-limit bucket due to incorrect IPv6 subnet masking of IPv4-mapped addresses, allowing any client to trigger denial of service for all other IPv4 users by exhausting the shared limit. Public exploit code exists for this vulnerability, affecting Node.js applications using the vulnerable middleware versions. Organizations should upgrade to versions 8.0.2, 8.1.1, 8.2.2, or 8.3.0 immediately.

Node.js Express Rate Limit Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Parse Server versions prior to 8.6.7 and 9.5.0-alpha.6 expose sensitive database information through unfiltered error responses when processing malformed regex queries. An unauthenticated attacker can craft specially crafted query parameters to leak database internals including error messages, cluster details, and topology information. Patches are available for affected versions.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Improper authorization in Parse Server versions prior to 8.6.6 and 9.5.0-alpha.4 allows read-only master key holders to bypass access controls via the /loginAs endpoint and obtain valid session tokens for arbitrary users. An attacker with readOnlyMasterKey credentials can impersonate any user and gain full read and write access to their data. All Parse Server deployments utilizing readOnlyMasterKey functionality are affected, and no patch is currently available.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Parse Server versions before 8.6.5 and 9.5.0-alpha.3 allow the readOnlyMasterKey to perform write and delete operations on files, violating the intended read-only access restriction. An authenticated attacker with the readOnlyMasterKey can upload arbitrary files or delete existing files via the Files API on affected deployments. No patch is currently available for this medium-severity vulnerability that impacts organizations using Parse Server with exposed file endpoints.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Parse Server's readOnlyMasterKey incorrectly permits write operations on Cloud Hooks and Cloud Jobs despite being documented to deny mutations, allowing authenticated attackers with knowledge of the key to create, modify, and delete hooks or trigger jobs for potential data exfiltration. This vulnerability affects all Parse Server deployments using the readOnlyMasterKey option and has been patched in versions 8.6.4 and 9.4.1-alpha.3.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

@hono/node-server versions prior to 1.19.10 contain an authorization bypass in static file serving due to inconsistent URL decoding between routing middleware and file resolution logic. An unauthenticated remote attacker can bypass route-based access controls by crafting requests with encoded slashes (%2F) to access protected static resources that should be restricted by middleware. Organizations running affected versions should upgrade immediately as no workaround is available.

Node.js Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Denial of service in SVGO versions 2.1.0-2.8.0, 3.0.0-3.3.2, and before 4.0.1 allows unauthenticated attackers to crash the Node.js process through XML entity expansion attacks, with a minimal 811-byte payload triggering heap exhaustion. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users of SVGO, Node.js, and Golang implementations should restrict input sources until updates are released.

Node.js Denial Of Service Svgo
NVD GitHub VulDB
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Prototype pollution in oRPC before 1.13.6. PoC and patch available.

Node.js RCE Denial Of Service +3
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Improper path validation in OpenClaw Gateway versions before 2026.2.14 enables authenticated administrators to achieve arbitrary code execution by manipulating hook module paths passed to dynamic imports. An attacker with configuration modification privileges can load and execute malicious local modules within the Node.js process, gaining full system compromise capabilities.

Node.js Openclaw
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Arbitrary code execution in Ghost CMS versions 0.7.2 through 6.19.0 allows authenticated attackers with theme upload privileges to execute malicious code on the server by crafting specially designed theme files. The vulnerability affects Ghost installations running on Node.js and requires high privileges to exploit, though successful attacks compromise complete server integrity with confidentiality, integrity, and availability impact. No patch is currently available for affected versions.

Node.js Ghost
NVD GitHub
EPSS 0% CVSS 3.4
LOW PATCH Monitor

Dark Reader is an accessibility browser extension that makes web pages colors dark. The dynamic dark mode feature of the extension works by analyzing the colors of web pages found in CSS style sheet files. [CVSS 3.4 LOW]

Node.js Google Information Disclosure +1
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Multer (Express.js multipart/form-data middleware) before version 2.1.1 allows remote unauthenticated attackers to crash a Node.js application by sending specially malformed multipart requests that trigger uncontrolled recursion and stack overflow. Affecting one of the most widely used file-upload middlewares in the Node.js/Express ecosystem, the flaw carries a CVSS 4.0 base score of 8.7 with availability-only impact. There is no public exploit identified at time of analysis and the EPSS score is very low (0.06%, 18th percentile), but a vendor patch and Red Hat errata are available.

Node.js Denial Of Service Multer
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Multer (the Express/Node.js multipart/form-data middleware) before version 2.1.0 lets remote attackers exhaust server resources by submitting malformed multipart requests, crashing or hanging the upload-handling process. The flaw scores CVSS 4.0 8.7 with an availability-only impact and requires no authentication or user interaction; no public exploit has been identified at time of analysis and EPSS rates near-term exploitation probability very low (0.06%, 17th percentile). A vendor patch (2.1.0) is available and Red Hat has shipped errata, but no workaround exists.

Node.js Denial Of Service Multer
NVD GitHub VulDB
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Denial of service in Multer (Express.js multipart/form-data middleware) before version 2.1.0 lets remote unauthenticated attackers exhaust server resources by abruptly dropping the connection mid file-upload, leaving allocated resources unreleased. The flaw maps to CWE-772 (missing release of resource) and carries a CVSS 4.0 base score of 8.7 driven entirely by availability impact. There is no public exploit identified at time of analysis and the EPSS probability is very low (0.06%), but a fixed release (2.1.0) is available and no workarounds exist.

Node.js Denial Of Service File Upload +1
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Host header injection in Koa's ctx.hostname API (versions prior to 2.16.4 and 3.1.2) allows remote attackers to inject arbitrary hostnames through malformed Host headers containing @ symbols, affecting applications that use this API for security-sensitive operations like URL generation, password reset links, and email verification. Public exploit code exists for this vulnerability. Applications relying on ctx.hostname for routing decisions or generating user-facing URLs are at risk of credential theft, account compromise, and phishing attacks.

Node.js Koa Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Minimatch versions before 3.1.3 through 10.2.3 suffer from catastrophic backtracking in glob pattern matching when processing multiple GLOBSTAR segments, allowing attackers who control glob patterns to trigger exponential time complexity and cause denial of service. Public exploit code exists for this vulnerability, and affected Node.js applications using vulnerable Minimatch versions are at immediate risk. No patch is currently available, requiring users to upgrade to patched versions or implement input validation as a mitigation.

Node.js Minimatch Red Hat
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Improper input validation in TerriaJS-Server versions before 4.0.3 allows unauthenticated remote attackers to bypass domain allowlist restrictions and proxy requests to arbitrary domains. This vulnerability affects Node.js deployments of TerriaJS and could enable attackers to access restricted resources or perform server-side request forgery attacks. A patch is available in version 4.0.3 and later.

Node.js Terriajs Server
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Weak cryptographic algorithm in Parse Server before 8.6.3/9.1.1-alpha.4 allows attackers to bypass security mechanisms. Patch available.

Node.js Parse Server
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

Additional expression evaluation exploits in n8n before 2.10.1/2.9.3/1.123.22. Fourth distinct code execution path through the expression engine. Patch available.

RCE Code Injection Command Injection +2
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Path traversal in basic-ftp Node.js FTP client library before 5.2.0 allows malicious FTP servers to write files outside the intended download directory. PoC and patch available.

Node.js Path Traversal Basic Ftp +2
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC Act Now

Authentication bypass in FUXA SCADA/HMI system 1.2.8 and prior leading to Remote Code Execution. Unauthenticated attackers can execute arbitrary code on industrial control HMI systems. EPSS 0.64% with PoC available.

Node.js RCE Authentication Bypass +1
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

Node.js Redis Oneuptime
NVD GitHub
EPSS 0% CVSS 4.7
MEDIUM PATCH This Month

Email content leakage in Lettermint Node.js SDK versions 1.5.0 and below allows local authenticated users to intercept sensitive email data when a single client instance sends multiple messages, as email properties are not properly cleared between sends. Applications using transactional email flows with reused client instances risk exposing recipient addresses and message content to unintended parties. The vulnerability has been patched in version 1.5.1.

Node.js Lettermint
NVD GitHub
EPSS 0% CVSS 9.4
CRITICAL POC PATCH Act Now

SQL injection in Ghost CMS versions 3.24.0 through 6.19.0 allows unauthenticated attackers to read arbitrary database data. Patch available.

Node.js SQLi
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 7.1
HIGH POC PATCH This Week

Path traversal in node-tar versions 7.5.7 and earlier allows local attackers to read and write arbitrary files outside the extraction directory by crafting malicious tar archives containing hardlinks that bypass extraction path validation. Public exploit code exists for this vulnerability, which affects default extraction configurations in Node.js and related Tar implementations. The vulnerability has been patched in node-tar 7.5.8.

D-Link Node.js Tar +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Code inclusion from untrusted source in Slyde presentation tool 0.0.4 and below. Automatically imports plugin files. Patch available.

Node.js Slyde
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary command execution in OpenClaw versions 2026.1.8 through 2026.2.13 allows attackers to execute shell commands when developers or CI systems run the update-clawtributors.ts maintenance script on repositories containing malicious commit metadata. The vulnerability stems from unsanitized interpolation of git author emails into shell commands via execSync, exploitable only by those with access to the development environment or source repository. Version 2026.2.14 patches the issue.

Node.js Github Command Injection +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Command injection in systeminformation versions before 5.31.0 allows local attackers with user privileges to execute arbitrary system commands through unsanitized output parsing in the versions() function. Public exploit code exists for this vulnerability, which provides complete system compromise capabilities including information disclosure, modification, and denial of service. Upgrade to version 5.31.0 or later to remediate.

Node.js Command Injection Systeminformation
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

Command injection in the systeminformation Node.js library (versions prior to 5.30.8) lets attackers run arbitrary OS commands on Linux hosts through the wifiNetworks() function. While the iface argument is sanitized on the first call, the setTimeout retry path (triggered when the initial scan returns no results) re-invokes getWifiNetworkListIw() with the original unsanitized value, which reaches execSync('iwlist <iface> scan'). Any application that forwards user-controlled input to si.wifiNetworks() can be coerced into executing commands with the Node.js process privileges; publicly available exploit code exists, though EPSS risk is low (0.08%, 24th percentile) and it is not on the CISA KEV list.

Node.js Command Injection Systeminformation
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

farmfe/core versions up to 1.7.6 contains a vulnerability that allows attackers to surveil developers running Farm who visit their webpage and steal source code th (CVSS 6.5).

Node.js
NVD GitHub
EPSS 0% CVSS 3.7
LOW POC PATCH Monitor

### Summary The `arrayLimit` option in qs does not enforce limits for comma-separated values when `comma: true` is enabled, allowing attackers to cause denial-of-service via memory exhaustion. [CVSS 3.7 LOW]

Node.js Denial Of Service
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Prototype pollution in set-in npm package allows modification of Object prototype. PoC and patch available.

Node.js Set In
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Arbitrary code execution in vscode-spell-checker prior to v4.5.4 allows attackers to execute malicious Node.js code by placing a crafted .cspell.config.js file in an untrusted workspace, since the extension fails to validate VS Code's workspace-trust state before loading configuration files. An attacker can exploit this by tricking users into opening a malicious workspace, resulting in code execution with the privileges of the extension host process.

Node.js
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Axios versions up to 0.30.3 is affected by improper check for unusual or exceptional conditions (CVSS 7.5).

Node.js Denial Of Service Axios
NVD GitHub
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Remote code execution in the jsonpath npm package (versions <1.2.0) allows unauthenticated attackers to execute arbitrary JavaScript code by injecting malicious JSON Path expressions. The vulnerability stems from unsafe evaluation through the static-eval module, which processes user-supplied JSON Path input without proper sanitization. All query methods (.query, .nodes, .paths, .value, .parent, .apply) are affected. While EPSS scoring indicates relatively low widespread exploitation probability (0.09%, 26th percentile), multiple vendor patches from Red Hat and SUSE confirm the severity, and publicly available exploit code exists (CVSS E:P). This represents critical risk for Node.js applications processing untrusted JSON Path expressions, with potential for both server-side RCE and browser-based XSS depending on execution context.

Node.js RCE XSS +1
NVD GitHub VulDB
EPSS 0% CVSS 6.1
MEDIUM POC PATCH This Month

Client-certificate-auth middleware for Node.js versions 0.2.1 and 0.3.0 fails to validate the Host header when redirecting HTTP requests to HTTPS, enabling attackers to craft malicious redirects that direct users to arbitrary domains. Public exploit code exists for this open redirect vulnerability, and no patch is currently available for affected versions.

Node.js TLS Open Redirect +1
NVD GitHub
EPSS 0%
PATCH Monitor

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the...

Node.js Denial Of Service
NVD GitHub VulDB
EPSS 0% CVSS 9.9
CRITICAL PATCH Act Now

n8n has a command injection vulnerability (CVSS 9.9) allowing authenticated users to execute arbitrary OS commands through workflow definitions.

RCE Command Injection Information Disclosure +3
NVD GitHub
EPSS 0% CVSS 9.9
CRITICAL POC PATCH Act Now

n8n workflow automation platform has an authenticated code execution vulnerability (CVSS 9.9) through improper runtime behavior modification, enabling server takeover.

RCE Command Injection Code Injection +3
NVD GitHub
EPSS 0% CVSS 7.7
HIGH PATCH This Week

n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. [CVSS 7.7 HIGH]

Node.js Information Disclosure N8n
NVD GitHub
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in...

Node.js Denial Of Service
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Fastify versions before 5.7.2 allow attackers to bypass request body validation by injecting a tab character into the Content-Type header, enabling malicious payloads to reach application logic without validation checks. This remote attack requires no authentication and affects Node.js applications using vulnerable Fastify versions. A patch is available in version 5.7.2 and later.

Node.js Fastify Authentication Bypass
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM POC PATCH This Month

jsPDF versions prior to 4.1.0 contain a race condition in the addJS method where a shared module-scoped variable is overwritten during concurrent PDF generation, causing JavaScript payloads and embedded data intended for one user to be included in another user's generated PDF. This cross-user data leakage primarily affects server-side Node.js deployments handling simultaneous requests, allowing attackers to access sensitive information leaked across user sessions. Public exploit code exists for this vulnerability.

Node.js Race Condition Jspdf +1
NVD GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Arbitrary Python code execution in Backstage's @backstage/plugin-techdocs-node (versions < 1.13.11 and = 1.14.0) lets a contributor who can add or edit a repository's mkdocs.yml inject a malicious MkDocs `hooks` directive that runs on the TechDocs build server whenever TechDocs is configured with `runIn: local`. The flaw also affects documentation built in CI/CD via @techdocs/cli, which bundles the same package. EPSS is very low (0.02%, 6th percentile) and there is no public exploit identified at time of analysis, but the CVSS of 8.8 reflects full host compromise of the build environment.

Python Node.js Docker +3
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Backstage TechDocs plugin versions prior to 1.13.11 and 1.14.1 contain a path traversal vulnerability that allows authenticated attackers to read arbitrary files from the host filesystem when the local generator is enabled. The vulnerability stems from insufficient symlink validation during the documentation build process, enabling attackers to embed sensitive file contents into generated HTML accessible to documentation viewers. Organizations using `techdocs.generator.runIn: local` with untrusted documentation sources are at risk until patching to the fixed versions.

Node.js Docker Path Traversal +2
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

Deephas versions up to 1.0.7 is affected by improperly controlled modification of object prototype attributes (prototype pollution) (CVSS 8.8).

Node.js Deephas
NVD GitHub Exploit-DB VulDB
EPSS 0% CVSS 7.8
HIGH PATCH This Week

The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. [CVSS 7.8 HIGH]

Node.js Command Injection Browserstack Local +2
NVD GitHub VulDB
EPSS 0% CVSS 8.2
HIGH POC PATCH This Week

node-tar before version 7.5.7 contains a path traversal vulnerability where inconsistent path resolution between validation and execution logic allows attackers to bypass security checks and create hardlinks to arbitrary files outside the intended extraction directory. Public exploit code exists for this vulnerability, affecting Node.js applications that process untrusted TAR archives. An attacker can craft a malicious TAR file to write to sensitive locations on the system.

Node.js Path Traversal Tar
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM This Month

Bun versions prior to 1.3.5 allow attackers to bypass the trusted dependencies allowlist by creating non-npm packages with names matching legitimate packages, enabling potential code execution through dependency confusion attacks. This local vulnerability affects systems using Bun's package management where an attacker can craft malicious packages with identical names to trusted dependencies. No patch is currently available for affected Node.js and GitHub integrations.

Node.js Github
NVD
EPSS 0% CVSS 5.5
MEDIUM POC PATCH This Month

pnpm versions before 10.28.2 fail to validate the `directories.bin` field during package processing, allowing malicious packages to use path traversal (e.g., `../../../../tmp`) to escape the package root and chmod 755 files at arbitrary locations on Unix-like systems. Public exploit code exists for this vulnerability. The issue affects Linux, macOS, and Node.js environments but not Windows due to platform-specific protections.

Linux Windows macOS +4
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

pnpm versions prior to 10.28.2 fail to properly constrain symlink resolution when installing file: and git: dependencies, allowing malicious packages to copy sensitive files from the host system into node_modules and leak credentials. This affects developers using local file dependencies and CI/CD pipelines installing git-based packages, with public exploit code available. The vulnerability enables theft of credentials from locations like ~/.ssh/id_rsa and ~/.npmrc by exploiting symlinks to absolute paths outside the package root.

Node.js Pnpm Red Hat +1
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Pnpm versions up to 10.28.1 contains a vulnerability that allows attackers to overwriting config files, scripts, or other sensitive files (CVSS 6.5).

Node.js Path Traversal Pnpm +2
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Path traversal in pnpm's tarball extraction on Windows allows attackers to write files outside the intended package directory by exploiting incomplete path normalization that fails to block backslash-based traversal sequences. Public exploit code exists for this vulnerability, which affects Windows developers and CI/CD pipelines (GitHub Actions, Azure DevOps) and could result in overwriting sensitive configuration files like .npmrc or build configurations. A patch is available in pnpm version 10.28.1 and later.

Windows Node.js Azure +4
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM POC PATCH This Month

Path traversal in pnpm's binary fetcher (versions prior to 10.28.1) allows attackers to write files outside the intended extraction directory through malicious ZIP entries or crafted prefix values, potentially overwriting critical configuration files and scripts on affected systems. All pnpm users installing packages with binary assets are vulnerable, particularly those in CI/CD pipelines or with custom Node.js binary configurations. Public exploit code exists for this medium-severity vulnerability.

Node.js Path Traversal Pnpm +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Sandbox escape in vm2 Node.js sandbox before 3.10.2 via Promise.prototype.then/catch callback sanitization bypass. PoC and patch available.

Node.js Vm2
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. [CVSS 5.9 MEDIUM]

Node.js Denial Of Service Next.Js +2
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM POC This Month

Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the 'path' parameter. [CVSS 6.4 MEDIUM]

Node.js XSS
NVD GitHub Exploit-DB
EPSS 0% CVSS 7.0
HIGH PATCH This Week

npm cli contains an insecure module loading mechanism that enables local privilege escalation on Node.js installations. An attacker with low-privileged code execution can exploit this flaw to gain elevated privileges and execute arbitrary code with target user permissions. No patch is currently available for this vulnerability.

Node.js Privilege Escalation RCE
NVD VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Node.js TLS servers using PSK or ALPN callbacks are vulnerable to denial of service when these callbacks throw unhandled synchronous exceptions during the TLS handshake. Remote attackers can exploit this by sending specially crafted TLS handshake requests to trigger resource exhaustion or process crashes, either through immediate termination or silent file descriptor leaks. No patch is currently available for this vulnerability.

Node.js TLS Denial Of Service +3
NVD
EPSS 0% CVSS 10.0
CRITICAL PATCH Act Now

Node.js has a CVSS 10.0 permission model bypass that allows Unix Domain Socket connections to completely bypass network restrictions when --allow-net is configured.

Node.js Privilege Escalation Node.Js +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncaughtException')`, the process terminates, making the crash unrecoverable. [CVSS 7.5 HIGH]

Node.js Denial Of Service Node.Js +2
NVD
EPSS 0% CVSS 7.5
HIGH PATCH This Week

A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. [CVSS 7.5 HIGH]

Node.js Denial Of Service Node Js
NVD HeroDevs VulDB
Prev Page 5 of 12 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy