Skip to main content

Nx

2 CVEs product

Monthly

CVE-2026-54753 MEDIUM PATCH This Month

Cross-origin information disclosure in the Nx monorepo graph server (versions 17.0.4 through 22.7.1) exposes the full project dependency graph and workspace metadata to any website a developer visits while `nx graph` is running locally. The server unconditionally broadcasts `Access-Control-Allow-Origin: *`, bypassing the browser Same-Origin Policy and allowing attacker-controlled JavaScript to silently read internal project structure. In rare cases, the `/help` endpoint - which executes a workspace-configured target command - creates a path to arbitrary command injection on the developer's machine. No public exploit or CISA KEV listing identified at time of analysis.

Command Injection Information Disclosure Nx
NVD GitHub
CVSS 3.1
5.9
EPSS
0.8%
CVE-2026-22923 HIGH This Week

Nx versions prior to V2512 contain an insufficient input validation flaw in the PDF export functionality that permits local attackers to corrupt internal data structures and achieve arbitrary code execution. An attacker with local file system access can exploit this vulnerability to manipulate the export process and gain code execution privileges. No patch is currently available for this vulnerability.

Buffer Overflow RCE Nx
NVD
CVSS 3.1
7.8
EPSS
0.0%
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Cross-origin information disclosure in the Nx monorepo graph server (versions 17.0.4 through 22.7.1) exposes the full project dependency graph and workspace metadata to any website a developer visits while `nx graph` is running locally. The server unconditionally broadcasts `Access-Control-Allow-Origin: *`, bypassing the browser Same-Origin Policy and allowing attacker-controlled JavaScript to silently read internal project structure. In rare cases, the `/help` endpoint - which executes a workspace-configured target command - creates a path to arbitrary command injection on the developer's machine. No public exploit or CISA KEV listing identified at time of analysis.

Command Injection Information Disclosure Nx
NVD GitHub
EPSS 0% CVSS 7.8
HIGH This Week

Nx versions prior to V2512 contain an insufficient input validation flaw in the PDF export functionality that permits local attackers to corrupt internal data structures and achieve arbitrary code execution. An attacker with local file system access can exploit this vulnerability to manipulate the export process and gain code execution privileges. No patch is currently available for this vulnerability.

Buffer Overflow RCE Nx
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy