|
8 | 8 |
|
9 | 9 | | Severity | v4 | v3 | v2 | v1 | |
10 | 10 | | -------- | --: | --: | --: | --: | |
11 | | -| critical | 0 | 0 | 0 | 0 | |
12 | | -| high | 0 | 0 | 0 | 4 | |
13 | | -| moderate | 0 | 0 | 0 | 1 | |
| 11 | +| critical | 0 | 1 | 0 | 0 | |
| 12 | +| high | 0 | 1 | 0 | 6 | |
| 13 | +| moderate | 0 | 2 | 0 | 9 | |
14 | 14 | | low | 0 | 0 | 0 | 0 | |
15 | 15 | | info | 0 | 0 | 0 | 0 | |
16 | 16 | | unknown | 0 | 0 | 0 | 0 | |
|
19 | 19 |
|
20 | 20 | | Package | Severity | CVE | Affected Versions | Description | |
21 | 21 | | -------------------- | -------- | ------------------- | ----------------- | --------------------------------------------------------------------------------- | |
| 22 | +| protobufjs | critical | CVE-2026-41242 | v3 | Arbitrary code execution in protobufjs | |
| 23 | +| basic-ftp | high | GHSA-6v7q-wjvx-w8wg | v1 | basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Exe | |
| 24 | +| basic-ftp | high | GHSA-rp42-5vxx-qpwr | v1 | basic-ftp vulnerable to denial of service via unbounded memory consumption in Cl | |
| 25 | +| fastify | high | CVE-2026-33806 | v3 | Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type He | |
22 | 26 | | lodash.pick | high | CVE-2020-8203 | v1 | Prototype Pollution in lodash | |
23 | 27 | | minimatch | high | CVE-2026-27903 | v1 | minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adja | |
24 | 28 | | minimatch | high | CVE-2026-27904 | v1 | minimatch ReDoS: nested \*() extglobs generate catastrophically backtracking regu | |
25 | 29 | | serialize-javascript | high | GHSA-5c6j-r48x-rmvq | v1 | Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.to | |
| 30 | +| axios | moderate | CVE-2025-62718 | v1 | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF | |
| 31 | +| axios | moderate | CVE-2026-40175 | v1 | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | |
| 32 | +| dompurify | moderate | GHSA-39q2-94rc-95cp | v1 | DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit eva | |
| 33 | +| dompurify | moderate | CVE-2026-41240 | v1 | DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry | |
| 34 | +| dompurify | moderate | CVE-2026-41239 | v1 | DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode | |
| 35 | +| dompurify | moderate | CVE-2026-41238 | v1 | DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallbac | |
| 36 | +| follow-redirects | moderate | GHSA-r4q5-vmmm-2653 | v3, v1 | follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Ta | |
| 37 | +| hono | moderate | GHSA-458j-xx4x-4375 | v3 | hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SS | |
26 | 38 | | serialize-javascript | moderate | CVE-2026-34043 | v1 | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like | |
| 39 | +| uuid | moderate | GHSA-w5hq-g745-h8pq | v1 | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | |
27 | 40 |
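Review bot: the Description column in the added rows is cut mid-word (`...Allows Arbitrary FTP Command Exe`, `...unbounded memory consumption in Cl`, `...Leading Space in Content-Type He`), so the part of the advisory title that names the affected component is lost; either raise the truncation limit in the generator or shorten to the advisory id, which is already the stable key for each row. The row counts do reconcile with the summary above (v1 moderate 1→9 matches the eight added v1 moderate rows; v3 critical/high/moderate 0→1/1/2 match protobufjs, fastify, and follow-redirects plus hono).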
|
28 | 41 | ## 2. All Dependencies |
29 | 42 |
|
30 | 43 | ### Summary |
31 | 44 |
|
32 | 45 | | Severity | v4 | v3 | v2 | v1 | |
33 | 46 | | -------- | --: | --: | --: | --: | |
34 | | -| critical | 5 | 5 | 5 | 3 | |
35 | | -| high | 33 | 31 | 43 | 29 | |
36 | | -| moderate | 17 | 19 | 34 | 8 | |
| 47 | +| critical | 5 | 6 | 5 | 3 | |
| 48 | +| high | 39 | 34 | 45 | 31 | |
| 49 | +| moderate | 21 | 24 | 38 | 16 | |
37 | 50 | | low | 4 | 4 | 9 | 1 | |
38 | 51 | | info | 0 | 0 | 0 | 0 | |
39 | 52 | | unknown | 0 | 0 | 0 | 0 | |
|
47 | 60 | | handlebars | critical | CVE-2026-33937 | v4, v3, v2, v1 | Handlebars.js has JavaScript Injection via AST Type Confusion | |
48 | 61 | | locutus | critical | CVE-2026-25521 | v4, v3, v2, v1 | locutus is vulnerable to Prototype Pollution | |
49 | 62 | | locutus | critical | CVE-2026-32304 | v4, v3, v2, v1 | Locutus vulnerable to RCE via unsanitized input in create_function() | |
| 63 | +| protobufjs | critical | CVE-2026-41242 | v3 | Arbitrary code execution in protobufjs | |
50 | 64 | | @angular/common | high | CVE-2025-66035 | v1 | Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angula | |
51 | 65 | | @angular/compiler | high | CVE-2025-66412 | v1 | Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attribute | |
52 | 66 | | @angular/compiler | high | CVE-2026-22610 | v1 | Angular has XSS Vulnerability via Unsanitized SVG Script Attributes | |
|
56 | 70 | | @angular/core | high | CVE-2026-32635 | v1 | Angular vulnerable to XSS in i18n attribute bindings | |
57 | 71 | | @hono/node-server | high | CVE-2026-29087 | v2 | @hono/node-server has authorization bypass for protected static paths via encode | |
58 | 72 | | @xmldom/xmldom | high | CVE-2026-34601 | v4 | xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled | |
| 73 | +| @xmldom/xmldom | high | CVE-2026-41673 | v4 | xmldom: Uncontrolled recursion in XML serialization leads to DoS | |
| 74 | +| @xmldom/xmldom | high | CVE-2026-41674 | v4 | xmldom has XML injection through unvalidated DocumentType serialization | |
| 75 | +| @xmldom/xmldom | high | CVE-2026-41675 | v4 | xmldom has XML node injection through unvalidated processing instruction seriali | |
| 76 | +| @xmldom/xmldom | high | CVE-2026-41672 | v4 | xmldom has XML node injection through unvalidated comment serialization | |
59 | 77 | | axios | high | CVE-2026-25639 | v3, v2 | Axios is Vulnerable to Denial of Service via **proto** Key in mergeConfig | |
| 78 | +| basic-ftp | high | GHSA-6v7q-wjvx-w8wg | v4, v3, v2, v1 | basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Exe | |
| 79 | +| basic-ftp | high | GHSA-rp42-5vxx-qpwr | v4, v3, v2, v1 | basic-ftp vulnerable to denial of service via unbounded memory consumption in Cl | |
60 | 80 | | braces | high | CVE-2024-4068 | v3, v2, v1 | Uncontrolled resource consumption in braces | |
61 | 81 | | express-rate-limit | high | CVE-2026-30827 | v2 | express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting o | |
62 | 82 | | fast-xml-parser | high | CVE-2026-25128 | v4, v3, v2 | fast-xml-parser has RangeError DoS Numeric Entities Bug | |
63 | 83 | | fast-xml-parser | high | CVE-2026-26278 | v4, v3, v2 | fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansio | |
64 | 84 | | fast-xml-parser | high | CVE-2026-33036 | v4, v3, v2 | fast-xml-parser affected by numeric entity expansion bypassing all entity expans | |
| 85 | +| fastify | high | CVE-2026-33806 | v3 | Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type He | |
65 | 86 | | flatted | high | CVE-2026-32141 | v4, v3, v2 | flatted vulnerable to unbounded recursion DoS in parse() revive phase | |
66 | 87 | | flatted | high | CVE-2026-33228 | v4, v3, v2 | Prototype Pollution via parse() in NodeJS flatted | |
67 | 88 | | handlebars | high | CVE-2026-33938 | v4, v3, v2, v1 | Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @part | |
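Review bot: the unchanged axios row in this hunk reads `Denial of Service via **proto** Key in mergeConfig`, i.e. the `__proto__` in the advisory title is being rendered as bold "proto" because the underscores are not escaped, while the handlebars row later on the page does escape them (`\_\_lookupSett`); the generator should escape `_`, `*` and `|` in the Description column consistently so the key name survives markdown rendering (the locutus `unserialize()` row has the same problem).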
|
100 | 121 | | vite | high | CVE-2026-39363 | v1 | Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket | |
101 | 122 | | @hono/node-server | moderate | CVE-2026-39406 | v2 | @hono/node-server: Middleware bypass via repeated slashes in serveStatic | |
102 | 123 | | ajv | moderate | CVE-2025-69873 | v3, v2 | ajv has ReDoS when using `$data` option | |
103 | | -| axios | moderate | CVE-2026-39865 | v3, v2 | Axios HTTP/2 Session Cleanup State Corruption Vulnerability | |
| 124 | +| axios | moderate | CVE-2025-62718 | v4, v3, v2, v1 | Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF | |
| 125 | +| axios | moderate | CVE-2026-40175 | v4, v3, v2, v1 | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | |
104 | 126 | | brace-expansion | moderate | CVE-2026-33750 | v4, v3, v2 | brace-expansion: Zero-step sequence causes process hang and memory exhaustion | |
| 127 | +| dompurify | moderate | GHSA-39q2-94rc-95cp | v1 | DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit eva | |
| 128 | +| dompurify | moderate | CVE-2026-41240 | v1 | DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry | |
| 129 | +| dompurify | moderate | CVE-2026-41239 | v1 | DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode | |
| 130 | +| dompurify | moderate | CVE-2026-41238 | v1 | DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallbac | |
105 | 131 | | ejs | moderate | CVE-2024-33883 | v2 | ejs lacks certain pollution protection | |
106 | 132 | | esbuild | moderate | GHSA-67mh-4wv8-2f99 | v2 | esbuild enables any website to send any requests to the development server and r | |
107 | 133 | | fast-xml-parser | moderate | CVE-2026-33349 | v4, v3, v2 | Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evalua | |
| 134 | +| fast-xml-parser | moderate | CVE-2026-41650 | v4, v3, v2 | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimi | |
108 | 135 | | file-type | moderate | CVE-2026-31808 | v4 | file-type affected by infinite loop in ASF parser on malformed input with zero-s | |
| 136 | +| follow-redirects | moderate | GHSA-r4q5-vmmm-2653 | v3, v1 | follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Ta | |
109 | 137 | | handlebars | moderate | CVE-2026-33916 | v4, v3, v2, v1 | Handlebars.js has Prototype Pollution Leading to XSS through Partial Template In | |
110 | 138 | | handlebars | moderate | GHSA-7rx3-28cr-v5wh | v4, v3, v2, v1 | Handlebars.js has a Prototype Method Access Control Gap via Missing \_\_lookupSett | |
111 | 139 | | hono | moderate | CVE-2026-29086 | v2 | Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in | |
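Review bot: the axios row for CVE-2026-39865 (`Axios HTTP/2 Session Cleanup State Corruption Vulnerability`, v3, v2) is removed in this hunk with nothing in the diff recording why; a dropped advisory should be distinguishable from a resolved one (withdrawn upstream versus fixed by a version bump), otherwise the v3 and v2 moderate counts in the summary (19→24, 34→38) can only be reconciled by noticing that the six and five added rows are offset by this one removal.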
|
116 | 144 | | hono | moderate | CVE-2026-39409 | v2 | Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses | |
117 | 145 | | hono | moderate | CVE-2026-39408 | v2 | Hono: Path traversal in toSSG() allows writing files outside the output director | |
118 | 146 | | hono | moderate | CVE-2026-39407 | v2 | Hono: Middleware bypass via repeated slashes in serveStatic | |
| 147 | +| hono | moderate | GHSA-458j-xx4x-4375 | v3, v2 | hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SS | |
119 | 148 | | js-yaml | moderate | CVE-2025-64718 | v2 | js-yaml has prototype pollution in merge (<<) | |
120 | 149 | | locutus | moderate | CVE-2026-33993 | v4, v3, v2, v1 | Locutus has Prototype Pollution via **proto** Key Injection in unserialize() | |
121 | 150 | | lodash | moderate | CVE-2026-2950 | v4, v3 | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and | |
|
129 | 158 | | undici | moderate | CVE-2026-1525 | v4, v3, v2 | Undici has an HTTP Request/Response Smuggling issue | |
130 | 159 | | undici | moderate | CVE-2026-1527 | v4, v3, v2 | Undici has CRLF Injection in undici via `upgrade` option | |
131 | 160 | | undici | moderate | CVE-2026-2581 | v4, v3 | Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response | |
| 161 | +| uuid | moderate | GHSA-w5hq-g745-h8pq | v4, v3, v2, v1 | uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided | |
132 | 162 | | vite | moderate | CVE-2026-39365 | v1 | Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling | |
133 | 163 | | webpack | moderate | CVE-2024-43788 | v2 | Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to | |
134 | 164 | | webpack-dev-server | moderate | CVE-2025-30360 | v2 | webpack-dev-server users' source code may be stolen when they access a malicious | |
|