|
8 | 8 |
|
9 | 9 | | Severity | v4 | v3 | v2 | v1 | |
10 | 10 | | -------- | --: | --: | --: | --: | |
11 | | -| critical | 0 | 1 | 0 | 0 | |
12 | | -| high | 0 | 1 | 0 | 6 | |
13 | | -| moderate | 0 | 2 | 0 | 9 | |
| 11 | +| critical | 0 | 0 | 0 | 0 | |
| 12 | +| high | 0 | 0 | 0 | 6 | |
| 13 | +| moderate | 0 | 0 | 0 | 10 | |
14 | 14 | | low | 0 | 0 | 0 | 0 | |
15 | 15 | | info | 0 | 0 | 0 | 0 | |
16 | 16 | | unknown | 0 | 0 | 0 | 0 | |
|
19 | 19 |
|
20 | 20 | | Package | Severity | CVE | Affected Versions | Description | |
21 | 21 | | -------------------- | -------- | ------------------- | ----------------- | --------------------------------------------------------------------------------- | |
22 | | -| protobufjs | critical | CVE-2026-41242 | v3 | Arbitrary code execution in protobufjs | |
23 | 22 | | basic-ftp | high | GHSA-6v7q-wjvx-w8wg | v1 | basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Exe | |
24 | | -| basic-ftp | high | GHSA-rp42-5vxx-qpwr | v1 | basic-ftp vulnerable to denial of service via unbounded memory consumption in Cl | |
25 | | -| fastify | high | CVE-2026-33806 | v3 | Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type He | |
| 23 | +| basic-ftp | high | CVE-2026-41324 | v1 | basic-ftp vulnerable to denial of service via unbounded memory consumption in Cl | |
26 | 24 | | lodash.pick | high | CVE-2020-8203 | v1 | Prototype Pollution in lodash | |
27 | 25 | | minimatch | high | CVE-2026-27903 | v1 | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adja | |
28 | 26 | | minimatch | high | CVE-2026-27904 | v1 | minimatch ReDoS: nested \*() extglobs generate catastrophically backtracking regu | |
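Review bot: The column is headed `CVE` but holds GHSA identifiers too (GHSA-6v7q-wjvx-w8wg stays on the basic-ftp CRLF row while GHSA-rp42-5vxx-qpwr is swapped for CVE-2026-41324 on the basic-ftp DoS row); rename the header to `Advisory` or `ID`, and keep the GHSA alias beside the new CVE, e.g. `CVE-2026-41324 (GHSA-rp42-5vxx-qpwr)`, so anyone comparing against the previous report can still match the row rather than reading it as one finding closed and another opened.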
|
33 | 31 | | dompurify | moderate | CVE-2026-41240 | v1 | DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry | |
34 | 32 | | dompurify | moderate | CVE-2026-41239 | v1 | DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode | |
35 | 33 | | dompurify | moderate | CVE-2026-41238 | v1 | DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallbac | |
36 | | -| follow-redirects | moderate | GHSA-r4q5-vmmm-2653 | v3, v1 | follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Ta | |
37 | | -| hono | moderate | GHSA-458j-xx4x-4375 | v3 | hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SS | |
| 34 | +| follow-redirects | moderate | GHSA-r4q5-vmmm-2653 | v1 | follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Ta | |
| 35 | +| postcss | moderate | CVE-2026-41305 | v1 | PostCSS has XSS via Unescaped </style> in its CSS Stringify Output | |
38 | 36 | | serialize-javascript | moderate | CVE-2026-34043 | v1 | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like | |
39 | 37 | | uuid | moderate | GHSA-w5hq-g745-h8pq | v1 | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | |
40 | 38 |
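Review bot: The Description column is cut mid-word at a fixed width (`... Cross-Domain Redirect Ta`, `... hono/jsx SS`, `... in Cl`), so the titles that matter most are the least readable; truncate on a word boundary with an ellipsis or drop the width cap, and ideally link the identifier so the full advisory title is reachable. The content of the edit itself is consistent: removing follow-redirects and hono for v3 and adding postcss for v1 matches the moderate v3 2 to 0 and v1 9 to 10 movement in the summary above.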
|
|
44 | 42 |
|
45 | 43 | | Severity | v4 | v3 | v2 | v1 | |
46 | 44 | | -------- | --: | --: | --: | --: | |
47 | | -| critical | 5 | 6 | 5 | 3 | |
48 | | -| high | 39 | 34 | 45 | 31 | |
49 | | -| moderate | 21 | 24 | 38 | 16 | |
| 45 | +| critical | 5 | 5 | 5 | 3 | |
| 46 | +| high | 36 | 33 | 45 | 31 | |
| 47 | +| moderate | 22 | 23 | 39 | 17 | |
50 | 48 | | low | 4 | 4 | 9 | 1 | |
51 | 49 | | info | 0 | 0 | 0 | 0 | |
52 | 50 | | unknown | 0 | 0 | 0 | 0 | |
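Review bot: This summary is derived from the package table below, so it should be regenerated rather than edited by hand alongside it. The numbers do reconcile in this commit (critical v3 6 to 5 is protobufjs; high v4 39 to 36 is the three tar advisories dropping v4; high v3 34 to 33 is fastify; moderate gains one in every column from the new postcss row, with v3 also losing follow-redirects and hono for a net 24 to 23), but a manual edit of both tables is exactly how the two drift apart in a later commit.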
|
60 | 58 | | handlebars | critical | CVE-2026-33937 | v4, v3, v2, v1 | Handlebars.js has JavaScript Injection via AST Type Confusion | |
61 | 59 | | locutus | critical | CVE-2026-25521 | v4, v3, v2, v1 | locutus is vulnerable to Prototype Pollution | |
62 | 60 | | locutus | critical | CVE-2026-32304 | v4, v3, v2, v1 | Locutus vulnerable to RCE via unsanitized input in create_function() | |
63 | | -| protobufjs | critical | CVE-2026-41242 | v3 | Arbitrary code execution in protobufjs | |
64 | 61 | | @angular/common | high | CVE-2025-66035 | v1 | Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angula | |
65 | 62 | | @angular/compiler | high | CVE-2025-66412 | v1 | Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attribute | |
66 | 63 | | @angular/compiler | high | CVE-2026-22610 | v1 | Angular has XSS Vulnerability via Unsanitized SVG Script Attributes | |
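Review bot: A critical finding (protobufjs, CVE-2026-41242, arbitrary code execution) disappears from v3 with nothing in the diff that accounts for it; the report should record whether protobufjs was upgraded past the fixed version, dropped as a dependency, or the advisory withdrawn, since otherwise a reader cannot distinguish a fix from a scanner omission. A line in the commit message, or a link to the lockfile change, is enough.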
|
69 | 66 | | @angular/core | high | CVE-2026-27970 | v1 | Angular i18n vulnerable to Cross-Site Scripting | |
70 | 67 | | @angular/core | high | CVE-2026-32635 | v1 | Angular vulnerable to XSS in i18n attribute bindings | |
71 | 68 | | @hono/node-server | high | CVE-2026-29087 | v2 | @hono/node-server has authorization bypass for protected static paths via encode | |
72 | | -| @xmldom/xmldom | high | CVE-2026-34601 | v4 | xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled | |
73 | 69 | | @xmldom/xmldom | high | CVE-2026-41673 | v4 | xmldom: Uncontrolled recursion in XML serialization leads to DoS | |
74 | 70 | | @xmldom/xmldom | high | CVE-2026-41674 | v4 | xmldom has XML injection through unvalidated DocumentType serialization | |
75 | 71 | | @xmldom/xmldom | high | CVE-2026-41675 | v4 | xmldom has XML node injection through unvalidated processing instruction seriali | |
76 | 72 | | @xmldom/xmldom | high | CVE-2026-41672 | v4 | xmldom has XML node injection through unvalidated comment serialization | |
| 73 | +| @xmldom/xmldom | high | CVE-2026-34601 | v4 | xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled | |
77 | 74 | | axios | high | CVE-2026-25639 | v3, v2 | Axios is Vulnerable to Denial of Service via **proto** Key in mergeConfig | |
78 | 75 | | basic-ftp | high | GHSA-6v7q-wjvx-w8wg | v4, v3, v2, v1 | basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Exe | |
79 | | -| basic-ftp | high | GHSA-rp42-5vxx-qpwr | v4, v3, v2, v1 | basic-ftp vulnerable to denial of service via unbounded memory consumption in Cl | |
| 76 | +| basic-ftp | high | CVE-2026-41324 | v4, v3, v2, v1 | basic-ftp vulnerable to denial of service via unbounded memory consumption in Cl | |
80 | 77 | | braces | high | CVE-2024-4068 | v3, v2, v1 | Uncontrolled resource consumption in braces | |
81 | 78 | | express-rate-limit | high | CVE-2026-30827 | v2 | express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting o | |
82 | 79 | | fast-xml-parser | high | CVE-2026-25128 | v4, v3, v2 | fast-xml-parser has RangeError DoS Numeric Entities Bug | |
83 | 80 | | fast-xml-parser | high | CVE-2026-26278 | v4, v3, v2 | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansio | |
84 | 81 | | fast-xml-parser | high | CVE-2026-33036 | v4, v3, v2 | fast-xml-parser affected by numeric entity expansion bypassing all entity expans | |
85 | | -| fastify | high | CVE-2026-33806 | v3 | Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type He | |
86 | 82 | | flatted | high | CVE-2026-32141 | v4, v3, v2 | flatted vulnerable to unbounded recursion DoS in parse() revive phase | |
87 | 83 | | flatted | high | CVE-2026-33228 | v4, v3, v2 | Prototype Pollution via parse() in NodeJS flatted | |
88 | 84 | | handlebars | high | CVE-2026-33938 | v4, v3, v2, v1 | Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @part | |
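Review bot: The @xmldom/xmldom CVE-2026-34601 row is deleted and re-added unchanged at the end of its group, which only adds diff noise and hides the real changes in this hunk (basic-ftp identifier swap, fastify removal); keep rows in a stable order (severity, then package, then identifier) so a reorder never shows up as a change. The same applies to the hono CVE-2026-39409 row in the moderate section below.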
|
110 | 106 | | svgo | high | CVE-2026-29074 | v4, v3, v2, v1 | SVGO DoS through entity expansion in DOCTYPE (Billion Laughs) | |
111 | 107 | | tar | high | CVE-2026-24842 | v1 | node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Trave | |
112 | 108 | | tar | high | CVE-2026-23745 | v1 | node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Ins | |
113 | | -| tar | high | CVE-2026-26960 | v4, v1 | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in no | |
114 | | -| tar | high | CVE-2026-29786 | v4, v1 | tar has Hardlink Path Traversal via Drive-Relative Linkpath | |
115 | | -| tar | high | CVE-2026-31802 | v4, v1 | node-tar Symlink Path Traversal via Drive-Relative Linkpath | |
| 109 | +| tar | high | CVE-2026-26960 | v1 | Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in no | |
| 110 | +| tar | high | CVE-2026-29786 | v1 | tar has Hardlink Path Traversal via Drive-Relative Linkpath | |
| 111 | +| tar | high | CVE-2026-31802 | v1 | node-tar Symlink Path Traversal via Drive-Relative Linkpath | |
116 | 112 | | tar | high | CVE-2026-23950 | v1 | Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on | |
117 | 113 | | undici | high | CVE-2026-1528 | v4, v3, v2 | Undici: Malicious WebSocket 64-bit length overflows parser and crashes the clien | |
118 | 114 | | undici | high | CVE-2026-1526 | v4, v3, v2 | Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompre | |
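Review bot: Three tar advisories (CVE-2026-26960, CVE-2026-29786, CVE-2026-31802) lose v4 here while v1 keeps all six tar rows, every one of them high and concerning symlink or hardlink path traversal during extraction; if v4 cleared them by moving to a newer tar, that same bump is the obvious candidate for v1, and the affected-versions cell would be far more useful if it carried the installed tar version per branch rather than only the branch name, so the reader can see how far each branch is from the fix.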
|
133 | 129 | | fast-xml-parser | moderate | CVE-2026-33349 | v4, v3, v2 | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evalua | |
134 | 130 | | fast-xml-parser | moderate | CVE-2026-41650 | v4, v3, v2 | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimi | |
135 | 131 | | file-type | moderate | CVE-2026-31808 | v4 | file-type affected by infinite loop in ASF parser on malformed input with zero-s | |
136 | | -| follow-redirects | moderate | GHSA-r4q5-vmmm-2653 | v3, v1 | follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Ta | |
| 132 | +| follow-redirects | moderate | GHSA-r4q5-vmmm-2653 | v1 | follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Ta | |
137 | 133 | | handlebars | moderate | CVE-2026-33916 | v4, v3, v2, v1 | Handlebars.js has Prototype Pollution Leading to XSS through Partial Template In | |
138 | 134 | | handlebars | moderate | GHSA-7rx3-28cr-v5wh | v4, v3, v2, v1 | Handlebars.js has a Prototype Method Access Control Gap via Missing \_\_lookupSett | |
139 | 135 | | hono | moderate | CVE-2026-29086 | v2 | Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in | |
140 | 136 | | hono | moderate | CVE-2026-29085 | v2 | Hono Vulnerable to SSE Control Field Injection via CR/LF in writeSSE() | |
141 | 137 | | hono | moderate | GHSA-v8w9-8mx6-g223 | v2 | Hono vulnerable to Prototype Pollution possible through **proto** key allowed in | |
142 | 138 | | hono | moderate | GHSA-26pp-8wgv-hjvm | v2 | Hono missing validation of cookie name on write path in setCookie() | |
143 | 139 | | hono | moderate | CVE-2026-39410 | v2 | Hono: Non-breaking space prefix bypass in cookie name handling in getCookie() | |
144 | | -| hono | moderate | CVE-2026-39409 | v2 | Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses | |
145 | 140 | | hono | moderate | CVE-2026-39408 | v2 | Hono: Path traversal in toSSG() allows writing files outside the output director | |
146 | 141 | | hono | moderate | CVE-2026-39407 | v2 | Hono: Middleware bypass via repeated slashes in serveStatic | |
147 | | -| hono | moderate | GHSA-458j-xx4x-4375 | v3, v2 | hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SS | |
| 142 | +| hono | moderate | GHSA-458j-xx4x-4375 | v2 | hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SS | |
| 143 | +| hono | moderate | CVE-2026-39409 | v2 | Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses | |
148 | 144 | | js-yaml | moderate | CVE-2025-64718 | v2 | js-yaml has prototype pollution in merge (<<) | |
149 | 145 | | locutus | moderate | CVE-2026-33993 | v4, v3, v2, v1 | Locutus has Prototype Pollution via **proto** Key Injection in unserialize() | |
150 | 146 | | lodash | moderate | CVE-2026-2950 | v4, v3 | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and | |
151 | 147 | | micromatch | moderate | CVE-2024-4067 | v3, v2, v1 | Regular Expression Denial of Service (ReDoS) in micromatch | |
152 | 148 | | nanoid | moderate | CVE-2024-55565 | v2 | Predictable results in nanoid generation when given non-integer values | |
153 | 149 | | path-to-regexp | moderate | CVE-2026-4923 | v2 | path-to-regexp vulnerable to Regular Expression Denial of Service via multiple w | |
| 150 | +| postcss | moderate | CVE-2026-41305 | v4, v3, v2, v1 | PostCSS has XSS via Unescaped </style> in its CSS Stringify Output | |
154 | 151 | | qs | moderate | CVE-2025-15284 | v2 | qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion | |
155 | 152 | | serialize-javascript | moderate | CVE-2026-34043 | v4, v3, v2, v1 | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like | |
156 | 153 | | serialize-javascript | moderate | CVE-2024-11831 | v2 | Cross-site Scripting (XSS) in serialize-javascript | |
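Review bot: `**proto**` in the hono GHSA-v8w9-8mx6-g223 and locutus CVE-2026-33993 rows (and in the axios CVE-2026-25639 row above) is `__proto__` mangled by markdown bold, which loses the one token these prototype-pollution advisories are about; escape underscores when generating descriptions, as the handlebars row already does with `\_\_lookupSett`, so the rendered text reads `__proto__`.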
|