CVE-2026-35411
published 2026-04-06
Priority: P4 (medium) · CVSS 3.1 base score: 4.3
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
EPSS: 0.26% (16.9th percentile)
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the redirect parameter without any validation. This vulnerability could be used in phishing attacks targeting Directus administrators, as the initial interaction occurs on a trusted domain. This vulnerability is fixed in 11.16.1.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | directus | < 11.16.1 | 11.16.1 |
| directus | directus | >= 0 < 11.16.1 | 11.16.1 |
| monospace | directus | < 11.16.1 | 11.16.1 |
## GHSA (2026-04-04): CVE-2026-35411 [MEDIUM] CWE-601 Directus: Open Redirect in Admin 2FA Setup Page
### Summary
Directus is vulnerable to an Open Redirect via the redirect query parameter on the `/admin/tfa-setup` page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the `redirect` parameter without any validation.
This vulnerability could be used in phishing attacks targeting Directus administrators, as the initial interaction occurs on a trusted domain.
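A defender-side check for the kind of `redirect` parameter described above, added here as an example and not Directus's own code or fix: the target is only followed if it is a same-origin path inside the admin app, otherwise a default is used. The origin https://directus.example.test, the /admin prefix and the sample inputs are assumptions constructed for the example.

```javascript
// Added example, not Directus's own code. Validates a user-supplied `redirect`
// query parameter (as on a page like /admin/tfa-setup) so that the post-setup
// redirect can only land on the application's own origin. Anything else falls
// back to DEFAULT_TARGET instead of being followed.
const APP_ORIGIN = "https://directus.example.test"; // assumption: the deployed app's origin
const ALLOWED_PREFIX = "/admin";                     // assumption: redirects stay inside the admin app
const DEFAULT_TARGET = "/admin";

function safeRedirectTarget(redirectParam, appOrigin = APP_ORIGIN, allowedPrefix = ALLOWED_PREFIX) {
  if (typeof redirectParam !== "string" || redirectParam.length === 0) return DEFAULT_TARGET;

  // Control characters and whitespace are rejected outright: some URL parsers strip
  // them, which would let a value slip past textual checks and parse differently later.
  if (/[\u0000-\u001F\u007F\s]/.test(redirectParam)) return DEFAULT_TARGET;

  // Only a single leading "/" counts as an in-app path. "//host" is scheme-relative,
  // and browsers treat "/\host" the same way, so both are refused here.
  if (!/^\/(?![/\\])/.test(redirectParam)) return DEFAULT_TARGET;

  // Resolve with the WHATWG parser against the app origin and re-check the origin;
  // this is the authoritative check, the regex above is only an early exit.
  let resolved;
  try {
    resolved = new URL(redirectParam, appOrigin);
  } catch {
    return DEFAULT_TARGET;
  }
  if (resolved.origin !== new URL(appOrigin).origin) return DEFAULT_TARGET;

  // Confine to the admin app: the normalised pathname (".." already resolved by the
  // parser) must be the prefix itself or a sub-path of it.
  const p = resolved.pathname;
  if (p !== allowedPrefix && !p.startsWith(allowedPrefix + "/")) return DEFAULT_TARGET;

  // Return a relative target (path + query + fragment), never the absolute URL,
  // so the Location header can never name another host.
  return p + resolved.search + resolved.hash;
}

// Constructed inputs showing the policy's decisions; returns [input, target] pairs.
function demo() {
  const samples = [
    "/admin/settings",
    "/admin/content/articles?page=2#top",
    "https://evil.example/login",
    "//evil.example/admin",
    "/\\evil.example/admin",
    "javascript:alert(1)",
    "/admin/../etc/passwd",
    "/adminx",
  ];
  return samples.map((s) => [s, safeRedirectTarget(s)]);
}
```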
### Credits
Discovered by Neo by ProjectDiscovery (https://neo.projectdiscovery.io/)
## OSV (2026-04-04): CVE-2026-35411 [MEDIUM] Directus: Open Redirect in Admin 2FA Setup Page
The OSV entry carries the same summary and credits text as the GHSA advisory above.
No detection rules found.
No public exploits indexed.
## Wiz: GHSA-w3hv-x4fp-6h6j [MEDIUM] (CVSS 4.3)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
### Impact
The impact section references the WebSocket endpoint ws://localhost:3000/ws, the SameSite=Lax cookie attribute, the request's Origin header (req.headers.origin) and the code at packages/server/src/ws-bridge.ts:80-91.
### Patches
The patch checks the request's Origin header (req.headers.origin) before accepting the WebSocket connection:

```js
const origin = req.headers.origin || "";
if (origin && !origin.includes("localhost") && !origin.includes("127.0.0.1")) {
  ws.close(4003, "Invalid origin");
  return;
}
```

### Workarounds
The workaround section references 127.0.0.1 and the --allow-network flag.
### Resources
- CWE-346: Origin Validation Error
- packages/server/src/ws-bridge.ts

Source: NVD · Score: 7.1 · Published: March 25, 2026 · Severity: HIGH · CNA score: N/A · Affected technologies: JavaScript · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS percentile: N/A
## Wiz: CVE-2026-34373 [MEDIUM] (CVSS 5.3)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypasses origin restrictions that operators configure to control which websites can interact with the Parse Server API. The REST API correctly enforces the configured allowOrigin restriction. This issue has been patched in versions 8.6.66 and 9.7.0-alpha.10.

Source: NVD · Score: 5.3 · Published: March 31, 2026 · Severity: MEDIUM · CNA score: 5.3 · Affected technologies: JavaScript · Public exploit: No · CISA KEV: No
## Wiz: CVE-2026-34076 [HIGH] (CVSS 7.4)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5.

Source: NVD · Score: 7.4
## Wiz: CVE-2026-2739 [MEDIUM] (CVSS 5.5)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

Source: NVD · Score: 5.5 · Published: February 20, 2026 · Severity: MEDIUM · CNA score: 5.5 · Affected technologies: JavaScript, Grafana · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS: N/A (percentile 5.7)
Affected packages and libraries: grafana-influxdb, grafana-loki
Sources: NVD; Chainguard, has fix, added Mar 02, 2026; Debian 11, 12, 13, severity MEDIUM, no fix, added Feb 21
## Wiz: CVE-2026-1527 [MEDIUM] (CVSS 4.6)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
### Impact
When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:
- Inject arbitrary HTTP headers

The value is interpolated directly into the request header block: `connection: upgrade\r\nupgrade: ${upgrade}\r\n`

Source: NVD · Score: 4.6 · Published: March 12, 2026 · Severity: MEDIUM · CNA score: 4.6 · Affected technologies: JavaScript, Node.js · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS: N/A (percentile 0.9)
Affected packages and libraries: renovate, kibana-9.2
Sources: NVD; Chainguard, has fix, added Mar 19, 2026; Debian 12, 13, severity MEDIUM, no fix, added Mar 13, 2026; Debian 14 …
## Wiz: GHSA-wr4h-v87w-p3r7
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
### Summary
Path traversal in serveStatic() through percent-encoded dot segments (%2e%2e) that are decoded after the point where traversal would be caught.
### Details
In src/utils/static.ts the request path is decoded before any traversal check:

```ts
const originalId = decodeURI(withLeadingSlash(withoutTrailingSlash(event.url.pathname)));
```

Unlike the standard URL class, FastURL leaves event.url.pathname unnormalized, so a segment such as /%2e%2e/ is not collapsed to /. decodeURI() then turns each %2e into ., producing /../ segments; getMeta() and getContents() receive the resulting ../ path without a traversal check.
### Vulnerability chain
1. Attacker sends: GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd
2. FastURL.pathname: /%2e%2e/%2e%2e/%2e%2e/etc/passwd (raw, no normalization)
3. decodeURI(): /../../../etc/passwd (%2e decoded to .)
4. getMeta(id): id = "/../../../etc/passwd" (no traversal check)
5. path.join(root, id): /etc/passwd (.. resolved by OS)
6. Response: contents of /etc/passwd
## Wiz: GHSA-8wc6-vgrq-x6cf [HIGH] (CVSS 7.1)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to.
Since 42.68.1 (2025-12-30), this filtering had been inadvertently removed, and so any child processes spawned from these versions will have had access to any environment variables that Renovate has access to.
This could lead to insider attackers and outside attackers being able to exfiltrate secrets from the Renovate deployment.
It is recommended to rotate (and revoke) any credentials that Renovate has access to, in case any spawned child processes have attempted to exfiltrate any secrets.
### Impact
npm install …
## Wiz: CVE-2026-25544 [CRITICAL] (CVSS 9.8)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0.

Source: NVD · Score: 9.8 · Published: February 6, 2026 · Severity: CRITICAL · CNA score: 9.8 · Affected technologies: JavaScript · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS: N/A (percentile 11.1)
## Wiz: CVE-2026-32731 [CRITICAL] (CVSS 9.9)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
In @apostrophecms/import-export, extract() in gzip.js writes each archive entry with fs.createWriteStream(path.join(exportPath, header.name)). path.join() does not reject ../ segments, so an entry named like ../../evil.js inside an uploaded .tar.gz is written outside the export directory.

Source: NVD · Score: 9.9 · Published: March 18, 2026 · Severity: CRITICAL · CNA score: 9.9 · Affected technologies: JavaScript · Public exploit: Yes · CISA KEV: No (release date N/A, due date N/A) · EPSS: 0.1 (percentile 22.4)
Affected packages and libraries: @apostrophecms/import-export
Sources: NVD; npm, severity CRITICAL, has fix, added Mar 19, 2026
## Wiz: CVE-2026-33864 [MEDIUM] (CVSS 4.3)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
### Summary
The prototype pollution guard in convict can be bypassed by overriding String.prototype.startsWith(), after which keys reaching Object.prototype are accepted.
### Details
The guard relies on startsWith() to recognise prototype-path keys, and that method is looked up on String.prototype at call time.
### PoC
Steps to reproduce:
1. Install convict with npm install.
2. Run the following code snippet:

```js
String.prototype.startsWith = () => false;
const convict = require('convict');
let obj = {};
const config = convict(obj);
console.log({}.polluted);
config.set('constructor.prototype.polluted', 'yes');
console.log({}.polluted); // prints yes -> the patch is bypassed and prototype pollution occurred
```

Expected behavior: prototype pollution should be prevented and {} should not gain new properties. The console should print `undefined` twice, or set() should throw an Error.
Actual behavior: Object.prototype is polluted; the console prints `undefined` and then `yes`.
### Impact
convict.set …
## Wiz: CVE-2026-32237 [MEDIUM] (CVSS 4.4)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Backstage is an open framework for building developer portals. Prior to 3.1.5, authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload. Deployments that have configured scaffolder.defaultEnvironment.secrets are affected. This is patched in @backstage/plugin-scaffolder-backend version 3.1.5.

Source: NVD · Score: 6.5 · Published: March 12, 2026 · Severity: MEDIUM · CNA score: 4.4 · Affected technologies: JavaScript · Public exploit: No · CISA KEV: No (release date N/A, due date N/A)
## Wiz: CVE-2026-35042 [HIGH] (CVSS 7.5)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
fast-jwt provides a fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, fast-jwt does not validate the crit (Critical) Header Parameter defined in RFC 7515 §4.1.11. When a JWS token contains a crit array listing extensions that fast-jwt does not understand, the library accepts the token instead of rejecting it. This violates the MUST requirement in the RFC.

Source: NVD · Score: 7.5 · Published: April 6, 2026 · Severity: HIGH · CNA score: 7.5 · Affected technologies: JavaScript · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS: N/A (percentile 2.8)
Affected packages and libraries: fast-jwt
Sources: NV…
## Wiz: CVE-2026-32774 [MEDIUM] (CVSS 5.3)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Vulnogram 1.0.0 contains a stored cross-site scripting vulnerability in comment hypertext handling that allows attackers to inject malicious scripts. Remote attackers can inject XSS payloads through comments to execute arbitrary JavaScript in victims' browsers.

Source: NVD · Score: 5.3 · Published: March 16, 2026 · Severity: MEDIUM · CNA score: 5.3 · Affected technologies: JavaScript · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS: N/A (percentile 2)
Affected packages and libraries: vulnogram
Sources: NVD; npm, severity MEDIUM, no fix, added Mar 21, 2026
## Wiz: CVE-2026-26954 [CRITICAL] (CVSS 10.0)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.34, it is possible to obtain arrays containing Function, which allows escaping the sandbox. Given an array containing Function, and Object.fromEntries, it is possible to construct {[p]: Function} where p is any constructible property. This vulnerability is fixed in 0.8.34.

Source: NVD · Score: 10 · Published: March 13, 2026 · Severity: CRITICAL · CNA score: 10.0 · Affected technologies: JavaScript · Public exploit: Yes · CISA KEV: No (release date N/A, due date N/A) · EPSS: 0.1 (percentile 19.1)
Affected packages and libraries: @nyariv/sandboxjs
Sources: NVD; npm, severity CRITI…
## Wiz: CVE-2026-33060 [MEDIUM] (CVSS 5.3)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
CKAN MCP Server is a tool for querying CKAN open data portals. Versions prior to 0.4.85 provide tools including ckan_package_search and sparql_query that accept a base_url parameter, making HTTP requests to arbitrary endpoints without restriction. A CKAN portal client has no legitimate reason to contact cloud metadata or internal network services. There is no URL validation on the base_url parameter: no private IP blocking (RFC 1918, link-local 169.254.x.x) and no cloud metadata blocking. The sparql_query and ckan_datastore_search_sql tools also accept arbitrary base URLs and expose injection surfaces. An attack can lead to internal network scanning, cloud metadata theft (IAM credentials via IMDS at 169.254.169.254), potential…
## Wiz: CVE-2026-34725 [HIGH] (CVSS 8.2)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
DbGate is a cross-platform database manager. From version 7.0.0 to before version 7.1.5, a stored XSS vulnerability exists in DbGate because attacker-controlled SVG icon strings are rendered as raw HTML without sanitization. In the web UI this allows script execution in another user's browser; in the Electron desktop app this can escalate to local code execution because Electron is configured with nodeIntegration: true and contextIsolation: false. This issue has been patched in version 7.1.5.

Source: NVD · Score: 8.2 · Published: April 2, 2026 · Severity: HIGH · CNA score: 8.2 · Affected technologies: JavaScript · Public exploit: No · CISA KEV: No (release date N/A, due date N/A)
## Wiz: CVE-2026-30848 [MEDIUM] (CVSS 6.3)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.8 and 9.5.0-alpha.8, the PagesRouter static file serving route is vulnerable to a path traversal attack that allows unauthenticated reading of files outside the configured pagesPath directory. The boundary check uses a string prefix comparison without enforcing a directory separator boundary. An attacker can use path traversal sequences to access files in sibling directories whose names share the same prefix as the pages directory (e.g. pages-secret starts with pages). This issue has been patched in versions 8.6.8 and 9.5.0-alpha.8.

Source: NVD · Score: 6.3 · Published: March 7, 2026
## Wiz: CVE-2026-33895 [HIGH] (CVSS 7.5)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Affected library: node-forge (the advisory body references a length check S >= L, the sum S + L, and crypto.verify).

Source: NVD · Score: 7.5 · Published: March 27, 2026 · Severity: HIGH · CNA score: 7.5 · Affected technologies: JavaScript, Grafana · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS: N/A (percentile 6.9)
Affected packages and libraries: argo-workflows-3.7, argo-workflows-fips-3.6
Sources: NVD; Chainguard, has fix, added Apr 02, 2026; npm, severity HIGH, has fix, added Mar 29, 2026; MinimOS, severity HIGH, has fix, added Apr 05, 2026; Red Hat 8, 9, 10, severity HIGH, no fix, added Mar 29, 2026; Wolfi, has fix, added Apr 02, 2026
## Wiz: CVE-2026-30837 [HIGH] (CVSS 7.5)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Prior to 1.4.26, t.String({ format: 'url' }) is vulnerable to ReDoS. Repeating a partial url format (protocol and hostname) multiple times causes the regex to slow down significantly. This vulnerability is fixed in 1.4.26.

Source: NVD · Score: 7.5 · Published: March 10, 2026 · Severity: HIGH · CNA score: 7.5 · Affected technologies: JavaScript · Public exploit: Yes · CISA KEV: No (release date N/A, due date N/A) · EPSS: N/A (percentile 4.4)
Affected packages and libraries: elysia
Sources: NVD; npm, severity HIGH, ha…
## Wiz: GHSA-393c-p46r-7c95
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
### Summary
Critical vulnerabilities were identified in the Directus file management API that allow unauthorized manipulation of file storage paths and metadata. These issues enable attackers to overwrite files belonging to other users, write files outside intended storage boundaries via path traversal, and potentially achieve remote code execution under certain conditions.
### Details
The filename_disk field can be set through POST /files and PATCH /files/{id}. Because it is not validated, a filename_disk containing ../ sequences escapes the storage directory, and a filename_disk pointing at another user's stored file bypasses the uploaded_by ownership boundary.
### Impact
- Unauthorized File Overwrite: attackers can replace legitimate files with malicious content, creating significant risk of malware propagation and data corruption.
- Storage Boundary Bypass: files can be written to arbitrary…
## Wiz: CVE-2026-27971 [CRITICAL] (CVSS 9.2)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Qwik is a performance focused JavaScript framework. qwik <=1.19.0 is vulnerable to RCE due to an unsafe deserialization vulnerability in the server$ RPC mechanism that allows any unauthenticated user to execute arbitrary code on the server with a single HTTP request. Affects any deployment where require() is available at runtime. This vulnerability is fixed in 1.19.1.

Source: NVD · Score: 9.2 · Published: March 3, 2026 · Severity: CRITICAL · CNA score: 9.2 · Affected technologies: JavaScript · Public exploit: Yes · CISA KEV: No (release date N/A, due date N/A) · EPSS: 24.4 (percentile 96.1)
Affected packages and libraries: @builder.io/q…
## Wiz: GHSA-w2fm-25vw-vh7f [MEDIUM] (CVSS 4.3)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
### Impact
Affects mcp-handler through its use of StreamableHTTPServerTransport from @modelcontextprotocol/sdk.
### Patches
Fixed in a later mcp-handler release together with @modelcontextprotocol/sdk@>=1.26.0.
### Workarounds
Upgrade @modelcontextprotocol/sdk to >=1.26.0 in deployments using mcp-handler and McpServer.

Source: NVD · Score: 7.1 · Published: April 1, 2026 · Severity: HIGH · CNA score: N/A · Affected technologies: JavaScript · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS: N/A (percentile N/A)
Affected packages and libraries: mcp-handler
Sources: NVD; npm, severity HIGH, has fix, added Apr 02, 2026
## Wiz: CVE-2026-26278 [HIGH] (CVSS 7.5)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Referenced parser setting: processEntities: false

Source: NVD · Score: 7.5 · Published: February 19, 2026 · Severity: HIGH · CNA score: 7.5 · Affected technologies: JavaScript, Wolfi · Public exploit: Yes · CISA KEV: No (release date N/A, due date N/A) · EPSS: N/A (percentile 8.6)
Affected packages and libraries: kibana-9.2, langfuse-2
Sources: NVD; Chainguard, has fix, added Feb 20, 2026; Echo, severity HIGH, no fix, added Feb 20, 2026; npm, severity HIGH, has fix, added Feb 18, 2026; MinimOS, severity HIGH, has fix, added Feb 20, 2026; Wolfi, has fix, added Feb 20, 2026
## Wiz: CVE-2026-0933 [HIGH] (CVSS 7.7)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
wrangler pages deploy passes the value of its --commit-hash option into the shell command `git show -s --format=%B ${commitHash}`. In CI pipelines that run wrangler pages deploy, the --commit-hash parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:
- Run any shell command.
- Exfiltrate environment variables.
- Compromise the CI runner to install backdoors or modify build artifacts.

Credits: disclosed responsibly by kny4hacker.
### Mitigation
- Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher.
- Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher.
- Users on Wrangler v2 (EOL) should upgrade to a supported major version.

Source: NVD · Score: 7.7 · Published: January 20, 2026 · Severity: HIGH · CNA score: …
## Wiz: CVE-2026-26801 [HIGH] (CVSS 7.5)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Server-Side Request Forgery (SSRF) vulnerability in pdfmake versions 0.3.0-beta.2 through 0.3.5 allows a remote attacker to obtain sensitive information via the src/URLResolver.js component. The fix was released in version 0.3.6 which introduces the setUrlAccessPolicy() method allowing server operators to define URL access rules. A warning is now logged when pdfmake is used server-side without a policy configured.

Source: NVD · Score: 7.5 · Published: March 10, 2026 · Severity: HIGH · CNA score: 7.5 · Affected technologies: JavaScript · Public exploit: Yes · CISA KEV: No (release date N/A, due date N/A) · EPSS: N/A (percentile 5.5)
## Wiz: CVE-2026-23967 [HIGH] (CVSS 7.5)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature malleability vulnerability exists in the SM2 signature verification logic of the sm-crypto library prior to version 0.3.14. An attacker can derive a new valid signature for a previously signed message from an existing signature. Version 0.3.14 patches the issue.

Source: NVD · Score: 7.5 · Published: January 22, 2026 · Severity: HIGH · CNA score: 7.5 · Affected technologies: JavaScript · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS: N/A (percentile 1.1)
Affected packages and libraries: sm-crypt…
## Wiz: CVE-2026-23950 [HIGH] (CVSS 8.8)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
The PathReservations logic in node-tar's path-reservations.js decides whether two archive entries refer to the same path after Unicode normalization (NFD, with NFKD also referenced) and locale case mapping via toLocaleLowerCase('en') / toLocaleUpperCase('en'). Characters such as ß, which case-maps to ss, are where that comparison diverges from how the filesystem treats the names, and the mismatch matters for SymbolicLink entries.

Source: NVD · Score: 5.9 · Published: January 20, 2026 · Severity: MEDIUM · CNA score: 8.8 · Affected technologies: JavaScript, Grafana · Public exploit: Yes · CISA KEV: No (release date N/A, due date N/A) · EPSS: N/A (percentile 0.7)
Affected packages and libraries: nodejs:24::nodejs-devel, argo-workflows-fips-3.7
Sources: NVD; Alpine 3.10, 3.11, 3.12, 3.13, 3.14, 3.15, 3.16, 3.17, 3.18, 3.19, 3.20, 3.21, 3.22, 3.23, edge, severity MEDIUM, no fix, added F…
## Wiz: CVE-2026-27193 [HIGH] (CVSS 8.2)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, all HTTP request headers are stored in the session cookie, which is signed but not encrypted, exposing internal proxy/gateway headers to clients. The OAuth service stores the complete headers object in the session, then the session is persisted using cookie-session, which base64-encodes the data. While the cookie is signed to prevent tampering, the contents are readable by anyone by simply decoding the base64 value. Under specific deployment configurations (e.g., behind reverse proxies or API gateways), this can lead to exposure of sensitive internal infrastructure details such as API k…
## Wiz: CVE-2025-61140 [CRITICAL] (CVSS 9.8)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution.

Source: NVD · Score: 9.8 · Published: January 28, 2026 · Severity: CRITICAL · CNA score: 9.8 · Affected technologies: JavaScript, NixOS · Public exploit: No · CISA KEV: No (release date N/A, due date N/A) · EPSS: 0.1 (percentile 21.1)
Affected packages and libraries: golang-github-prometheus-alertmanager, golang-github-prometheus-promu
Sources: NVD; npm, severity MEDIUM, has fix, added Feb 02, 2026; Nix, severity CRITICAL, no fix, added Feb 11, 2026
## Wiz: CVE-2026-27837 [MEDIUM] (CVSS 6.3)
Impact, Exploitability, and Mitigation Steps (JavaScript vulnerability analysis and mitigation)
Prototype pollution in dottie: dottie.set() and dottie.transform() accept __proto__ as a key path segment. The advisory references commit 7d3aee1.

Source: NVD · Score: 9.8 · Published: February 26, 2026 · Severity: CRITICAL · CNA score: 6.3 · Affected technologies: JavaScript, Linux Debian · Public exploit: Yes · CISA KEV: No (release date N/A, due date N/A) · EPSS: 0.1 (percentile 28.5)
Affected packages and libraries: sgx-common, sgx-libs
Sources: NVD; Debian 11, 12, 13, severity MEDIUM, no fix, added Mar 02, 2026; Debian 14, severity CRITICAL, has fix, added Mar 02, 2026; Echo, severity CRITICAL, no fix, added Mar 02, 2026; npm, severity MEDIUM, has fix, added Mar 02, 2026; Red Hat 9, 10, severity MEDIUM, no fix, added at: …
blogs_wiz·CVSS 8.8
[HIGH] CVE-2026-30939 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30939: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.13 and 9.5.1-alpha.2, an unauthenticated attacker can crash the Parse Server process by calling a Cloud Function endpoint with a prototype property name as the function name. The server recurses infinitely, causing a call stack size error that terminates the process. Other prototype property names bypass Cloud Function dispatch validation and return HTTP 200 responses, even though no such Cloud Functions are defined. The same applies to dot-notation traversal. All Parse Server deployments that expose the Cloud Function endpoint are affected. This vulnerability is fixed in 8.6.13 and 9.5.1-alpha.2.
blogs_wiz·CVSS 8.4
[HIGH] CVE-2026-28793 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28793: JavaScript vulnerability analysis and mitigation
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory. When running tinacms dev, the CLI starts a local HTTP server (default port 4001) exposing endpoints such as /media/list/ , /media/upload/ , and /media/*. These endpoints process user-controlled path segments using decodeURI() and path.join() without validating that the resolved path remains within the configured media directory. This vulnerability is fixed in 2.1.8.
Source: NVD
Score: 8.4
Published March 12, 2026
Severity HIGH
CNA Score 8.4
blogs_wiz·CVSS 7.8
[HIGH] CVE-2025-57283 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-57283: JavaScript vulnerability analysis and mitigation
The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js.
Source: NVD
Score: 7.8
Published January 28, 2026
Severity HIGH
CNA Score 7.8
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
browserstack-local
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 29, 2026
blogs_wiz·CVSS 2.7
[LOW] CVE-2026-27942 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27942: JavaScript vulnerability analysis and mitigation
preserveOrder:true
preserveOrder:false
Source: NVD
Score: 2.7
Published February 26, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kibana-8.19
kibana-9.2
Sources
NVD
Chainguard Has Fix Added at: Mar 02, 2026
Echo Severity HIGH No Fix Added at: Mar 02, 2026
npm Severity LOW Has Fix Added at: Mar 02, 2026
MinimOS Severity HIGH Has Fix Added at: Mar 09, 2026
Wolfi Has Fix Added at: Mar 02, 2026
blogs_wiz·CVSS 7.5
[HIGH] CVE-2026-33287 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33287: JavaScript vulnerability analysis and mitigation
replace_first
String.prototype.replace()
$&
memoryLimit
memoryLimit
Source: NVD
Score: 7.5
Published March 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
liquidjs
Sources
NVD
npm Severity HIGH No Fix Added at: Mar 26, 2026
blogs_wiz·CVSS 4.4
[MEDIUM] CVE-2026-22809 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22809: JavaScript vulnerability analysis and mitigation
tarteaucitron.js is a compliant and accessible cookie banner. Prior to 1.29.0, a Regular Expression Denial of Service (ReDoS) vulnerability was identified in tarteaucitron.js in the handling of the issuu_id parameter. This vulnerability is fixed in 1.29.0.
Source: NVD
Score: 4.4
Published January 13, 2026
Severity MEDIUM
CNA Score 4.4
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
tarteaucitronjs
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 14, 2026
blogs_wiz·CVSS 3.7
[LOW] CVE-2026-23522 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23522: JavaScript vulnerability analysis and mitigation
knowledgeBase.removeFilesFromKnowledgeBase
userId
Source: NVD
Score: 3.7
Published January 19, 2026
Severity LOW
CNA Score 3.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@lobehub/chat
Sources
NVD
npm Severity LOW No Fix Added at: Jan 21, 2026
blogs_wiz·CVSS 8.4
[HIGH] CVE-2025-67750 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67750: JavaScript vulnerability analysis and mitigation
Lightning Flow Scanner provides a CLI plugin, VS Code Extension and GitHub Action for analysis and optimization of Salesforce Flows. Versions 6.10.5 and below allow a maliciously crafted flow metadata file to cause arbitrary JavaScript execution during scanning. The APIVersion rule uses new Function() to evaluate expression strings, enabling an attacker to supply a malicious expression within rule configuration or crafted flow metadata. This could compromise developer machines, CI runners, or editor environments. This issue is fixed in version 6.10.6.
Source: NVD
Score: 8.4
Published December 12, 2025
Severity HIGH
CNA Score 8.4
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit
blogs_wiz·CVSS 7.3
[HIGH] CVE-2026-23736 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23736: JavaScript vulnerability analysis and mitigation
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, due to improper input validation, a malicious object key can lead to prototype pollution during JSON deserialization. This vulnerability affects only JSON deserialization functionality. This issue is fixed in version 1.4.1.
Source: NVD
Score: 9.8
Published January 21, 2026
Severity CRITICAL
CNA Score 7.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 43.1
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
seroval
Sources
blogs_wiz·CVSS 7.6
[HIGH] CVE-2026-27192 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27192: JavaScript vulnerability analysis and mitigation
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, origin validation uses startsWith() for comparison, allowing attackers to bypass the check by registering a domain that shares a common prefix with an allowed origin. The getAllowedOrigin() function checks if the Referer header starts with any allowed origin, and this comparison is insufficient as it only validates the prefix. This is exploitable when the origins array is configured and an attacker registers a domain starting with an allowed origin string (e.g., https://target.com.attacker.com bypasses https://target.com). On its own, tokens are still redirected to a configured origin.
blogs_wiz·CVSS 7.6
[HIGH] CVE-2026-32308 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32308: JavaScript vulnerability analysis and mitigation
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the Markdown viewer component renders Mermaid diagrams with securityLevel: "loose" and injects the SVG output via innerHTML. This configuration explicitly allows interactive event bindings in Mermaid diagrams, enabling XSS through Mermaid's click directive which can execute arbitrary JavaScript. Any field that renders markdown (incident descriptions, status page announcements, monitor notes) is vulnerable. This vulnerability is fixed in 10.0.23.
Source: NVD
Score: 7.6
Published March 13, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
blogs_wiz·CVSS 8.1
[HIGH] CVE-2026-33468 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33468: JavaScript vulnerability analysis and mitigation
DefaultQueryCompiler.sanitizeStringLiteral()
'
''
NO_BACKSLASH_ESCAPES
ImmediateValueTransformer
CreateIndexBuilder.where()
CreateViewBuilder.as()
Source: NVD
Score: 8.1
Published March 26, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
JavaScript
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
langfuse-2
langfuse-3
Sources
NVD
Chainguard Has Fix Added at: Apr 02, 2026
npm Severity HIGH Has Fix Added at: Mar 21, 2026
Wolfi Has Fix Added at: Apr 05, 2026
blogs_wiz·CVSS 5.4
[MEDIUM] CVE-2026-25581 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25581: JavaScript vulnerability analysis and mitigation
SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability to control configuration options passed to sceditor.create(), like emoticons, charset, etc., then it's possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1.
Source: NVD
Score: 5.4
Published February 6, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
sceditor
Sources
NVD
npm Severity MEDIUM H
blogs_wiz·CVSS 7.5
[HIGH] CVE-2026-26316 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26316: JavaScript vulnerability analysis and mitigation
127.0.0.1
::1
::ffff:127.0.0.1
Source: NVD
Score: 7.5
Published February 19, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@openclaw/bluebubbles
openclaw
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 18, 2026
Homebrew Severity HIGH Has Fix Added at: Mar 02, 2026
blogs_wiz·CVSS 7.5
[HIGH] CVE-2026-25762 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25762: JavaScript vulnerability analysis and mitigation
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
Source: NVD
Score: 7.5
Published February 6, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
blogs_wiz·CVSS 8.6
[HIGH] CVE-2026-32635 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32635: JavaScript vulnerability analysis and mitigation
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to 22.0.0-next.3, 21.2.4, 20.3.18, and 19.2.20, a Cross-Site Scripting (XSS) vulnerability has been identified in the Angular runtime and compiler. It occurs when the application uses a security-sensitive attribute (for example href on an anchor tag) together with Angular's ability to internationalize attributes. Enabling internationalization for the sensitive attribute by adding i18n- name bypasses Angular's built-in sanitization mechanism, which when combined with a data binding to untrusted user-generated data can allow an attacker to inject a malicious script. This vulnerability i
blogs_wiz·CVSS 6.5
[MEDIUM] CVE-2026-23889 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23889: JavaScript vulnerability analysis and mitigation
./
.\
.npmrc
Source: NVD
Score: 6.5
Published January 26, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pnpm
Sources
NVD
Alpine 3.21, 3.22, 3.23, edge Severity MEDIUM No Fix Added at: Jan 29, 2026
Chainguard Has Fix Added at: Jan 27, 2026
npm Severity MEDIUM Has Fix Added at: Jan 27, 2026
Homebrew Severity MEDIUM Has Fix Added at: Jan 29, 2026
MinimOS Severity MEDIUM Has Fix Added at: Jan 29, 2026
Nix Severity MEDIUM Has Fix Added at: Jan 29, 2026
blogs_wiz·CVSS 8.7
[HIGH] CVE-2026-3520 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3520: JavaScript vulnerability analysis and mitigation
multipart/form-data
Source: NVD
Score: 8.7
Published March 4, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
librechat
redisinsight
Sources
NVD
Chainguard Has Fix Added at: Mar 08, 2026
npm Severity HIGH Has Fix Added at: Mar 08, 2026
blogs_wiz·CVSS 8.9
[HIGH] CVE-2026-23527 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23527: JavaScript vulnerability analysis and mitigation
H3 is a minimal H(TTP) framework built for high performance and portability. Prior to 1.15.5, there is a critical HTTP Request Smuggling vulnerability. readRawBody is doing a strict case-sensitive check for the Transfer-Encoding header. It explicitly looks for "chunked", but per the RFC, this header should be case-insensitive. This vulnerability is fixed in 1.15.5.
Source: NVD
Score: 9.8
Published January 15, 2026
Severity CRITICAL
CNA Score 8.9
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
h3
blogs_wiz·CVSS 9.8
[CRITICAL] CVE-2026-26830 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26830: JavaScript vulnerability analysis and mitigation
pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec()
Source: NVD
Score: 9.8
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 73.8
Exploitation Probability (EPSS) 0.8
Affected packages and libraries
pdf-image
Sources
NVD
npm Severity CRITICAL No Fix Added at: Mar 29, 2026
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-53p3-c7vp-4mcc Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-53p3-c7vp-4mcc: JavaScript vulnerability analysis and mitigation
## Impact
application/x-trix-document
StringPiece.fromJSON
href
javascript:
## Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.18 or later.
## References
The XSS vulnerability was responsibly reported by HackerOne researcher newbiefromcoma.
Source: NVD
Score: 2.1
Published March 29, 2026
Severity LOW
CNA Score N/A
Affected Technologies
JavaScript
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
action_text-trix
trix
Sources
NVD
RubyGems Severity LOW Has Fix Added at: Mar 29, 2026
blogs_wiz·CVSS 3.7
[LOW] CVE-2025-68157 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68157: JavaScript vulnerability analysis and mitigation
Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0.
blogs_wiz·CVSS 6.9
[MEDIUM] CVE-2026-32098 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32098: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.9 and 8.6.35, an attacker can exploit LiveQuery subscriptions to infer the values of protected fields without directly receiving them. By subscribing with a WHERE clause that references a protected field (including via dot-notation or $regex), the attacker can observe whether LiveQuery events are delivered for matching objects. This creates a boolean oracle that leaks protected field values. The attack affects any class that has both protectedFields configured in Class-Level Permissions and LiveQuery enabled. This vulnerability is fixed in 9.6.0-alpha.9 and 8.6.35.
Source: NVD
Score: 6.9
blogs_wiz
GHSA-fr4j-65pv-gjjj Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-fr4j-65pv-gjjj: JavaScript vulnerability analysis and mitigation
## Summary
packageName
npm
npm install
## Details
updateCmd
quote
shlex
## PoC
Create a git repo with the following content:
renovate.json5
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
customDatasources: {
always: {
defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
transformTemplates: ['{"releases":[{"version":"11.1.0"}]}'],
},
},
packageRules: [
{
// Target of the day
matchManagers: ["npm"],
// Provide a command in the package name
overridePackageName: "; kill 1; echo ",
// Override the datasource to prevent a lookup failure
overrideDatasource: "custom.always",
},
],
}
package.json
{
"name": "renovate-aci-4",
"version": "0.0.1",
"dependencies"
blogs_wiz·CVSS 5.3
[MEDIUM] CVE-2026-32230 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32230: JavaScript vulnerability analysis and mitigation
Uptime Kuma is an open source, self-hosted monitoring tool. From 2.0.0 to 2.1.3, the GET /api/badge/:id/ping/:duration? endpoint in server/routers/api-router.js does not verify that the requested monitor belongs to a public group. All other badge endpoints check AND public = 1 in their SQL query before returning data. The ping endpoint skips this check entirely, allowing unauthenticated users to extract average ping/response time data for private monitors. This vulnerability is fixed in 2.2.0.
Source: NVD
Score: 5.3
Published March 12, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
blogs_wiz·CVSS 9.2
[CRITICAL] CVE-2026-1615 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1615: JavaScript vulnerability analysis and mitigation
Versions of the package jsonpath before 1.2.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation of user-supplied JSON Path expressions. The library relies on the static-eval module to process JSON Path input, which is not designed to handle untrusted data safely. An attacker can exploit this vulnerability by supplying a malicious JSON Path expression that, when evaluated, executes arbitrary JavaScript code, leading to Remote Code Execution in Node.js environments or Cross-site Scripting (XSS) in browser contexts. This affects all methods that evaluate JSON Paths against objects, including .query, .nodes, .paths, .value, .parent, and .apply.
Source: NVD
Score: 9.2
Published February 9, 2026
blogs_wiz·CVSS 3.1
[LOW] CVE-2026-33326 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33326: JavaScript vulnerability analysis and mitigation
Keystone is a content management system for Node.js. Prior to version 6.5.2, {field}.isFilterable access control can be bypassed in findMany queries by passing a cursor. This can be used to confirm the existence of records by protected field values. The fix for CVE-2025-46720 (field-level isFilterable bypass for update and delete mutations) added checks to the where parameter in update and delete mutations however the cursor parameter in findMany was not patched and accepts the same UniqueWhere input type. This issue has been patched in version 6.5.2.
Source: NVD
Score: 4.3
Published March 24, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
blogs_wiz·CVSS 10.0
[CRITICAL] CVE-2026-25893 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25893: JavaScript vulnerability analysis and mitigation
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to gain administrative access via the heartbeat refresh API and execute arbitrary code on the server. This issue has been patched in FUXA version 1.2.10.
Source: NVD
Score: 10
Published February 9, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
fuxa-server
Sources
NVD
npm Severity CRITICAL
blogs_wiz
GHSA-87v3-4cfp-cm76 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-87v3-4cfp-cm76: JavaScript vulnerability analysis and mitigation
## Summary
@pdfme/schemas
container.innerHTML = value
## Details
packages/schemas/src/graphics/svg.ts
ui
innerHTML
readOnly: true
// svg.ts, line 81-94 (non-editable rendering path)
} else {
if (!value) return;
if (!isValidSVG(value)) {
rootElement.appendChild(createErrorElm());
return;
}
container.innerHTML = value; //
DOMParser
onload
onerror
onclick
onbegin
onend
isValidSVG()
innerHTML
## Attack Vectors
## 1. Malicious Template (readOnly SVG schema)
content
## 2. Application-Supplied Inputs + Viewer
innerHTML
## Proof of Concept
Loading the following template into a pdfme Form or Viewer component triggers JavaScript execution:
{
"basePdf": { "width": 210, "height": 297, "padd
blogs_wiz·CVSS 7.5
[HIGH] CVE-2026-25128 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25128: JavaScript vulnerability analysis and mitigation
Source: NVD
Score: 7.5
Published January 30, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kibana-9.0
langfuse-2
Sources
NVD
Chainguard Has Fix Added at: Feb 04, 2026
npm Severity HIGH Has Fix Added at: Jan 31, 2026
MinimOS Severity HIGH Has Fix Added at: Mar 02, 2026
Wolfi Has Fix Added at: Feb 04, 2026
blogs_wiz·CVSS 5.3
[MEDIUM] CVE-2026-3419 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3419: JavaScript vulnerability analysis and mitigation
Content-Type
When regex-based content-type parsers are in use (a documented Fastify feature), the malformed value is matched against registered parsers using the full string including the trailing garbage. This means a request with an invalid content-type may be routed to and processed by a parser it should never have reached.
Impact:
An attacker can send requests with RFC-invalid Content-Type headers that bypass validity checks, reach content-type parser matching, and be processed by the server. Requests that should be rejected at the validation stage are instead handled as if the content-type were valid.
Workarounds:
Deploy a WAF rule to protect against this
Fix:
The fix is available starting with v5.8.1.
blogs_wiz·CVSS 6.5
[MEDIUM] CVE-2026-25957 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25957: JavaScript vulnerability analysis and mitigation
Cube is a semantic layer for building data applications. From 1.1.17 to before 1.5.13 and 1.4.2, it is possible to make the entire Cube API unavailable by submitting a specially crafted request to a Cube API endpoint. This vulnerability is fixed in 1.5.13 and 1.4.2.
Source: NVD
Score: 6.5
Published February 9, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@cubejs-backend/server-core
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 10, 2026
blogs_wiz·CVSS 4.7
[MEDIUM] CVE-2026-32106 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32106: JavaScript vulnerability analysis and mitigation
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the REST API createUser endpoint uses string-based rank checks that only block creating owner accounts, while the Dashboard API uses indexOf-based rank comparison that prevents creating users at or above your own rank. This inconsistency allows an admin to create additional admin accounts via the REST API, enabling privilege proliferation and persistence. This vulnerability is fixed in 0.4.3.
Source: NVD
Score: 7.2
Published March 11, 2026
Severity HIGH
CNA Score 4.7
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
blogs_wiz·CVSS 8.1
[HIGH] CVE-2026-25940 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25940: JavaScript vulnerability analysis and mitigation
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.2.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the affected properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim hovers over the radio option. The vulnerability has been fixed in version 4.2.0. As a workaround, sanitize user input before passing it to the vulnerable API members.
Source : NVD
Score 8.1
Published February 19, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Wiz · blogs_wiz · CVSS 4.3 [MEDIUM] · CVE-2026-4258 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4258 : JavaScript vulnerability analysis and mitigation
All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The dhJavaEc() function directly returns the raw x-coordinate of the scalar multiplication result (no hashing), providing a plaintext oracle without requiring any decryption feedback.
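The missing check is point-on-curve validation of the peer's public key before any scalar multiplication. The following is an added example, not sjcl code: it implements that validation for NIST P-256 (parameters from FIPS 186-4) over an uncompressed SEC1 encoding, and shows a constructed off-curve point being rejected where an unvalidated ECDH would have used it. The `encodePoint`, `parsePublicKey` and `checkSamples` names are this example's own.

```javascript
// Added example (not sjcl code): validate an ECDH peer public key before using it.
// NIST P-256 parameters from FIPS 186-4. The check below is the point-on-curve
// validation the advisory says sjcl.ecc.basicKey.publicKey() omits.
const P256 = {
  p: 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffffn,
  a: 0xffffffff00000001000000000000000000000000fffffffffffffffffffffffcn, // p - 3
  b: 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604bn,
  gx: 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296n,
  gy: 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5n,
};

const mod = (x, m) => ((x % m) + m) % m;

// Affine point (x, y) is on the curve iff y^2 == x^3 + a*x + b (mod p) and both
// coordinates lie in [0, p). If an off-curve point is accepted, the scalar
// multiplication effectively runs on a curve of the attacker's choosing, which
// is what lets them recover the private key piecewise.
function isOnCurve(curve, x, y) {
  if (typeof x !== 'bigint' || typeof y !== 'bigint') return false;
  if (x < 0n || x >= curve.p || y < 0n || y >= curve.p) return false;
  const lhs = mod(y * y, curve.p);
  const rhs = mod(x * x * x + curve.a * x + curve.b, curve.p);
  return lhs === rhs;
}

// Uncompressed SEC1 encoding: 0x04 || X (32 bytes) || Y (32 bytes).
function encodePoint(x, y) {
  const hex = (v) => v.toString(16).padStart(64, '0');
  return Buffer.from('04' + hex(x) + hex(y), 'hex');
}

// Parse a peer's encoded public key and refuse anything that is not a valid
// point on the expected curve. This must run before any ECDH computation.
function parsePublicKey(curve, bytes) {
  if (bytes.length !== 65 || bytes[0] !== 0x04) throw new Error('unsupported point encoding');
  const x = BigInt('0x' + Buffer.from(bytes.subarray(1, 33)).toString('hex'));
  const y = BigInt('0x' + Buffer.from(bytes.subarray(33, 65)).toString('hex'));
  if (!isOnCurve(curve, x, y)) throw new Error('public key is not on the curve');
  return { x, y };
}

// Constructed inputs: the generator (valid) and the generator with y + 1 (off-curve).
function checkSamples() {
  const good = encodePoint(P256.gx, P256.gy);
  const bad = encodePoint(P256.gx, P256.gy + 1n);
  const accept = (buf) => {
    try { parsePublicKey(P256, buf); return true; } catch { return false; }
  };
  return { goodAccepted: accept(good), badAccepted: accept(bad) };
}
```

A production implementation would additionally reject the point at infinity and, on curves with a cofactor greater than one, check that the point has the right order; for P-256 (cofactor 1) the on-curve test plus range check is the complete validation.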
Source : NVD
Score 7.7
Published March 17, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz · blogs_wiz · CVSS 9.4 [CRITICAL] · CVE-2026-25521 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25521 : JavaScript vulnerability analysis and mitigation
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39.
Source : NVD
Score 9.4
Published February 4, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz · blogs_wiz · CVSS 5.9 [MEDIUM] · CVE-2026-33349 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33349 : JavaScript vulnerability analysis and mitigation
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
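The bug class is a truthiness test standing in for a "was this configured?" test. The block below is an added example, not fast-xml-parser code: a small DOCTYPE entity reader written in the flawed guard shape (`limit && count > limit`) and in the fixed shape (`typeof limit === 'number'`), run over a constructed DOCTYPE, so that a limit of `0` visibly passes through the first and is enforced by the second. The reader, its regex and the helper names are this example's own.

```javascript
// Added example, not fast-xml-parser code. Models the guard shape the advisory
// describes and its fix: a configured limit of 0 must still be enforced.
const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+"([^"]*)"\s*>/g;

// Flawed shape: `maxEntityCount && ...` skips the check when the limit is 0,
// because 0 is falsy in JavaScript. Same for maxEntitySize.
function readEntitiesTruthyGuard(doctype, { maxEntityCount, maxEntitySize } = {}) {
  const entities = {};
  let count = 0;
  for (const m of doctype.matchAll(ENTITY_DECL)) {
    count += 1;
    if (maxEntityCount && count > maxEntityCount) throw new Error('entity count limit exceeded');
    if (maxEntitySize && m[2].length > maxEntitySize) throw new Error('entity size limit exceeded');
    entities[m[1]] = m[2];
  }
  return entities;
}

// Fixed shape: a limit is "configured" when it is a finite number, 0 included;
// only `undefined` (not supplied) disables it.
const isConfigured = (v) => typeof v === 'number' && Number.isFinite(v);

function readEntitiesStrictGuard(doctype, { maxEntityCount, maxEntitySize } = {}) {
  const entities = {};
  let count = 0;
  for (const m of doctype.matchAll(ENTITY_DECL)) {
    count += 1;
    if (isConfigured(maxEntityCount) && count > maxEntityCount) throw new Error('entity count limit exceeded');
    if (isConfigured(maxEntitySize) && m[2].length > maxEntitySize) throw new Error('entity size limit exceeded');
    entities[m[1]] = m[2];
  }
  return entities;
}

// Constructed DOCTYPE with two entity declarations.
const SAMPLE_DOCTYPE = '<!DOCTYPE r [ <!ENTITY a "aaaa"> <!ENTITY b "&a;&a;&a;&a;"> ]>';

// Returns 'ok:<n>' with the number of entities accepted, or 'rejected:<reason>'.
function outcome(reader, opts) {
  try {
    return 'ok:' + Object.keys(reader(SAMPLE_DOCTYPE, opts)).length;
  } catch (e) {
    return 'rejected:' + e.message;
  }
}
```

The same trap applies to any numeric option where `0` is a meaningful value (timeouts, depth limits, byte caps): test for presence with `typeof` or `!== undefined`, never with `if (limit)`.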
Wiz · blogs_wiz · CVSS 5.3 [MEDIUM] · CVE-2026-27210 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27210 : JavaScript vulnerability analysis and mitigation
Pannellum is a lightweight, free, and open source panorama viewer for the web. In versions 3.5.0 through 2.5.6, the hot spot attributes configuration property allowed any attribute to be set, including HTML event handler attributes, allowing for potential XSS attacks. This affects websites hosting the standalone viewer HTML file and any other use of untrusted JSON config files (bypassing the protections of the escapeHTML parameter). As certain events fire without any additional user interaction, visiting a standalone viewer URL that points to a malicious config file — without additional user interaction — is sufficient to trigger the vulnerability and execute arbitrary JavaScript code, which can, for example, replace th
Wiz · blogs_wiz · CVSS 6.5 [MEDIUM] · CVE-2026-33768 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33768 : JavaScript vulnerability analysis and mitigation
Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirely. The override preserves the original HTTP method and body, so this isn't limited to GET. POST, PUT, DELETE all land on the rewritten path. A Firewall rule blocking /admin/* does nothing when the request comes in as POST /api/health?x_astro_path=/admin/delete-user. This issue has been patched in version 10.0.2.
Source : NVD
Score 9.1
Published March 24, 2026
Severity CRITICAL
Wiz · blogs_wiz · CVSS 8.2 [HIGH] · CVE-2026-22818 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22818 : JavaScript vulnerability analysis and mitigation
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the algorithm specified in the JWT header to influence signature verification when the selected JWK did not explicitly define an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. The JWK/JWKS JWT verification middleware has been updated to require an explicit allowlist of asymmetric algorithms when verifying tokens, and it no longer derives the verification algorithm from untrusted JWT header values. This vulnerability is fixed in 4.11.4.
Source : NVD
Score 6.5
Wiz · blogs_wiz · CVSS 7.1 [HIGH] · CVE-2026-33421 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33421 : JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.53 and 9.6.0-alpha.42, Parse Server's LiveQuery WebSocket interface does not enforce Class-Level Permission (CLP) pointer permissions (readUserFields and pointerFields). Any authenticated user can subscribe to LiveQuery events and receive real-time updates for all objects in classes protected by pointer permissions, regardless of whether the pointer fields on those objects point to the subscribing user. This bypasses the intended read access control, allowing unauthorized access to potentially sensitive data that is correctly restricted via the REST API. This issue has been patched in versions 8.
Wiz · blogs_wiz · CVSS 4.3 [MEDIUM] · GHSA-hqf9-8xv5-x8xw Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-hqf9-8xv5-x8xw : JavaScript vulnerability analysis and mitigation
## Impact
Identifiers referenced in the advisory (prose not preserved): `ERC7984`, `euint64`, `_mint`, `wrap`, `onTransferReceived`, `ERC7984ERC20Wrapper`, `rate()`; version `0.3.1`.
## Patches
0.3.1
Source : NVD
Score 6.6
Published January 5, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@openzeppelin/confidential-contracts
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 06, 2026
Wiz · blogs_wiz · CVSS 6.9 [MEDIUM] · CVE-2026-31988 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31988 : JavaScript vulnerability analysis and mitigation
yauzl (aka Yet Another Unzip Library) version 3.2.0 for Node.js contains an off-by-one error in the NTFS extended timestamp extra field parser within the getLastModDate() function. The while loop condition checks cursor < data.length + 4 instead of cursor + 4 <= data.length, allowing readUInt16LE() to read past the buffer boundary. A remote attacker can cause a denial of service (process crash via ERR_OUT_OF_RANGE exception) by sending a crafted zip file with a malformed NTFS extra field. This affects any Node.js application that processes zip file uploads and calls entry.getLastModDate() on parsed entries. Fixed in version 3.2.1.
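The two loop conditions the description names differ by exactly one iteration at the end of the buffer. The block below is an added example, not yauzl code: a reader for the NTFS extra field (attribute records of tag, size, payload; tag 1 carrying the Windows FILETIME timestamps) parameterised by which bound check it uses, fed a well-formed field and a constructed field whose last record ends exactly at the buffer end. The second input makes the flawed condition read past the buffer and throw `ERR_OUT_OF_RANGE`, which is the crash the advisory describes; the layout helpers and names are this example's own.

```javascript
// Added example, not yauzl code. Reads the NTFS extra field in the two loop
// shapes named by the advisory. Records are tag (u16 LE), size (u16 LE), payload;
// tag 1 holds mtime/atime/ctime as three 64-bit Windows FILETIME values.
const FILETIME_EPOCH_OFFSET_MS = 11644473600000n; // 1601-01-01 to 1970-01-01

function filetimeToDate(ft) {
  return new Date(Number(ft / 10000n - FILETIME_EPOCH_OFFSET_MS));
}

// Return the mtime from the first tag-1 record, or null if there is none.
// `strict` selects the bound check: the fix (cursor + 4 <= length) versus the
// flawed one (cursor < length + 4), which lets readUInt16LE run past the end
// of the buffer and throw ERR_OUT_OF_RANGE.
function getNtfsMtime(data, strict) {
  let cursor = 4; // skip the 4 reserved bytes
  while (strict ? cursor + 4 <= data.length : cursor < data.length + 4) {
    const tag = data.readUInt16LE(cursor);
    const size = data.readUInt16LE(cursor + 2);
    cursor += 4;
    if (cursor + size > data.length) return null; // truncated record: stop, do not read
    if (tag === 1 && size >= 8) return filetimeToDate(data.readBigUInt64LE(cursor));
    cursor += size;
  }
  return null;
}

// Constructed input: reserved(4) + tag 1 / size 24 + mtime, atime, ctime.
function wellFormedField(mtimeMs) {
  const buf = Buffer.alloc(4 + 4 + 24);
  buf.writeUInt16LE(1, 4);
  buf.writeUInt16LE(24, 6);
  const ft = (BigInt(mtimeMs) + FILETIME_EPOCH_OFFSET_MS) * 10000n;
  buf.writeBigUInt64LE(ft, 8); // mtime; atime and ctime left as zero
  return buf;
}

// Constructed input: one unknown record whose end lands exactly on the buffer
// end. The flawed condition iterates once more and reads 2 bytes at offset 9
// of a 9-byte buffer.
function craftedField() {
  const buf = Buffer.alloc(4 + 4 + 1);
  buf.writeUInt16LE(2, 4); // some non-timestamp tag
  buf.writeUInt16LE(1, 6); // size 1
  return buf;
}

// Returns the ISO date, null, or the code of the error thrown.
function readOutcome(data, strict) {
  try {
    const d = getNtfsMtime(data, strict);
    return d ? d.toISOString() : null;
  } catch (e) {
    return e.code || e.name;
  }
}
```

The general rule for length-prefixed binary records: check that the fixed header fits (`cursor + headerLen <= length`) before reading it, and that the declared payload fits (`cursor + size <= length`) before consuming it; an off-by-one in either becomes a crash or an over-read on hostile input.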
Source : NVD
Score 6.9
Published March 11, 2026
Severity MEDIUM
CNA Score 6.9
Wiz · blogs_wiz · CVSS 7.5 [HIGH] · CVE-2025-67364 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67364 : JavaScript vulnerability analysis and mitigation
fast-filesystem-mcp version 3.4.0 contains a critical path traversal vulnerability in its file operation tools including fast_read_file. This vulnerability arises from improper path validation that fails to resolve symbolic links to their actual physical paths. The safePath and isPathAllowed functions use path.resolve() which does not handle symlinks, allowing attackers to bypass directory access restrictions by creating symlinks within allowed directories that point to restricted system paths. When these symlinks are accessed through valid path references, the validation checks are circumvented, enabling access to unauthorized files.
Source : NVD
Score 7.5
Published January 7, 2026
Severity HIGH
CNA Score 7.5
Wiz · blogs_wiz · GHSA-c7w3-x93f-qmm8 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-c7w3-x93f-qmm8 : JavaScript vulnerability analysis and mitigation
## Summary
Identifiers referenced in the advisory summary (prose not preserved): `envelope`, `sendMail()`, `size`, `\r\n`, `MAIL FROM`, `RCPT TO`.
## Details
In `lib/smtp-connection/index.js`, `envelope.size` is app ended to the `MAIL FROM` command as-is:
```js
if (this._envelope.size && this._supportedExtensions.includes('SIZE')) {
    args.push('SIZE=' + this._envelope.size);
}
```
This contrasts with other envelope parameters in the same function that ARE properly sanitized: `from` and `to` (stripped of `[\r\n<>]`), and `dsn.ret`, `dsn.envid`, `dsn.orcpt` (passed through `encodeXText()`). `size` receives no such treatment. `MimeNode.setEnvelope()` in `lib/mime-node/index.js` copies every non-standard envelope key through unchanged:
```js
const standardFields = ['to', 'cc', 'bcc', 'from'];
Object.keys(envelope).forEach(key => {
    if (!standardFields.includes(key)) {
        this._envelope[key] = envelope[key];
    }
});
```
Remaining identifiers from the truncated text: `_sendCommand()`, `\r\n`, `size`, `MAIL FROM`, `from`, `to`, `envelope`, `sendMail(`.
Wiz · blogs_wiz · CVSS 8.7 [HIGH] · CVE-2026-32944 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32944 : JavaScript vulnerability analysis and mitigation
Identifier referenced in the advisory (prose not preserved): `requestComplexity.queryDepth`.
Source : NVD
Score 8.7
Published March 18, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
parse-server
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 17, 2026
Wiz · blogs_wiz · CVSS 9.8 [CRITICAL] · CVE-2026-26833 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26833 : JavaScript vulnerability analysis and mitigation
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.
Source : NVD
Score 9.8
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 62.2
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
thumbler
Sources
NVD
npm Severity CRITICAL No Fix Added at: Apr 02, 2026
Wiz · blogs_wiz · CVSS 6.9 [MEDIUM] · CVE-2026-2950 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2950 : JavaScript vulnerability analysis and mitigation
Impact:
Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for CVE-2025-13465 (https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.
The issue permits deletion of prototype properties but does not allow overwriting their original behavior.
Patches:
This issue is patched in 4.18.0.
Workarounds:
None. Upgrade to the patched version.
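The bypass works because property access coerces a segment like `['__proto__']` to the string `"__proto__"`, while a guard that only runs for `typeof seg === 'string'` never looks at it. The block below is an added example, not lodash code (nor locutus's, whose String.prototype-based bypass of a forbidden-key check is the same class of bug): an `unset` in the flawed guard shape beside one that normalises every segment to its property key first and refuses to walk onto the prototype chain. The scenario deletes an inherited method from a throwaway class so that nothing is removed from built-in prototypes while the mechanism is exercised; the function names are this example's own.

```javascript
// Added example, not lodash code. Models the array-wrapped path segment bypass.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Flawed shape: consults the blocklist only for string segments.
function unsetStringGuard(obj, pathSegs) {
  let cur = obj;
  for (let i = 0; i < pathSegs.length; i++) {
    const seg = pathSegs[i];
    if (typeof seg === 'string' && FORBIDDEN_KEYS.has(seg)) return false;
    if (i === pathSegs.length - 1) return delete cur[seg];
    cur = cur[seg];            // cur[['__proto__']] is cur['__proto__']: the prototype
    if (cur == null) return false;
  }
  return false;
}

// Coerce a segment exactly as property access would, so the guard sees the real key.
function toPropertyKey(seg) {
  return typeof seg === 'symbol' ? seg : String(seg);
}

// Fixed shape: normalise first, reject forbidden keys, and only traverse own
// properties so the walk can never land on a prototype object.
function unsetSafe(obj, pathSegs) {
  const keys = pathSegs.map(toPropertyKey);
  if (keys.some((k) => typeof k === 'string' && FORBIDDEN_KEYS.has(k))) return false;
  let cur = obj;
  for (let i = 0; i < keys.length; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k)) return false;
    if (i === keys.length - 1) return delete cur[k];
    cur = cur[k];
    if (cur === null || (typeof cur !== 'object' && typeof cur !== 'function')) return false;
  }
  return false;
}

// Scenario: delete a method that instances inherit, via the coerced path.
function runScenario() {
  class Widget {}
  Widget.prototype.isSafe = () => true;
  const w = new Widget();
  const attackPath = [['__proto__'], 'isSafe'];   // not a string, so the flawed guard skips it

  const flawedDeleted = unsetStringGuard(w, attackPath);
  const afterFlawed = typeof w.isSafe;             // 'undefined': inherited method is gone

  Widget.prototype.isSafe = () => true;            // restore for the second run
  const safeDeleted = unsetSafe(w, attackPath);
  const afterSafe = typeof w.isSafe;               // 'function': untouched

  const ordinary = unsetSafe({ a: { b: 1 } }, ['a', 'b']);
  return { flawedDeleted, afterFlawed, safeDeleted, afterSafe, ordinary };
}
```

Against `Object.prototype` the same call removes methods every object inherits (`hasOwnProperty`, `toString`), which is why the advisory rates a deletion-only primitive as a real impact even though nothing can be overwritten.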
Source : NVD
Score 6.5
Published March 31, 2026
Wiz · blogs_wiz · CVSS 4.3 [MEDIUM] · CVE-2026-22032 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22032 : JavaScript vulnerability analysis and mitigation
Identifier referenced in the advisory (prose not preserved): `RelayState`.
Source : NVD
Score 6.1
Published January 8, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@directus/api
directus
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 07, 2026
Wiz · blogs_wiz · GHSA-gjjc-pcwp-c74m Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-gjjc-pcwp-c74m : JavaScript vulnerability analysis and mitigation
## Summary
The WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification (W3C Web Authentication Level 2, §13.4.3) and allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, completely bypassing the second-factor authentication.
## Details
Identifiers referenced in the advisory (prose not preserved): `generateAuthenticationOptions()` in `Common/Server/Services/UserWebAuthnService.ts`; `expectedChallenge` at `Authentication.ts:1042`.
```ts
// App/FeatureSet/Identity/API/Authentication.ts:1041-1049
} else if (verifyWebAuthn) {
con
```
Wiz · blogs_wiz · GHSA-w48f-fwg7-ww6p Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-w48f-fwg7-ww6p : JavaScript vulnerability analysis and mitigation
## Summary
Identifiers referenced in the advisory (prose not preserved): `@stablelib/cbor`, `__proto__`.
## Details
Identifiers referenced in the advisory (prose not preserved): `{}`, `obj["__proto__"]`, `__proto__`, `null`, `"__proto__"`, `{ isAdmin: true }`.
## PoC
```js
import { decode } from "@stablelib/cbor";

// CBOR:
// {
//   "__proto__": { "isAdmin": true }
// }
//
// a1                 map(1)
//   69               text(9)
//     "__proto__"
//   a1               map(1)
//     67             text(7)
//       "isAdmin"
//     f5             true
const payload = new Uint8Array([
  0xa1,
  0x69, 0x5f, 0x5f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x5f, 0x5f,
  0xa1,
  0x67, 0x69, 0x73, 0x41, 0x64, 0x6d, 0x69, 0x6e,
  0xf5
]);

const obj = decode(payload);
console.log(Object.hasOwn(obj, "isAdmin"));             // false
console.log(obj.isAdmin);                               // true
console.log(Object.getPrototypeOf(obj).isAdmin);        // true
```
## Impact
Any application that decodes untrus
Wiz · blogs_wiz · CVSS 8.7 [HIGH] · CVE-2026-29063 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29063 : JavaScript vulnerability analysis and mitigation
Immutable.js provides many Persistent Immutable data structures. Prior to versions 3.8.3, 4.3.7, and 5.1.5, Prototype Pollution is possible in immutable via the mergeDeep(), mergeDeepWith(), merge(), Map.toJS(), and Map.toObject() APIs. This issue has been patched in versions 3.8.3, 4.3.7, and 5.1.5.
Source : NVD
Score 8.7
Published March 6, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
gjs-devel
grafana-elasticsearch
Sources
NVD
Chainguard Has Fix Added at: Ma
Wiz · blogs_wiz · CVSS 9.3 [CRITICAL] · CVE-2026-22785 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22785 : JavaScript vulnerability analysis and mitigation
orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Prior to 7.18.0, the MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to "break out" of the string literal and inject arbitrary code. This vulnerability is fixed in 7.18.0.
Source : NVD
Score 9.3
Published January 12, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.4
Wiz · blogs_wiz · CVSS 4.3 [MEDIUM] · GHSA-fpg4-jhqr-589c Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-fpg4-jhqr-589c : JavaScript vulnerability analysis and mitigation
Identifiers referenced in the advisory (prose not preserved): `form`, `files.length`, `experimental.remoteFunctions: true`, `files`.
Source : NVD
Score 1.7
Published February 28, 2026
Severity LOW
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@sveltejs/kit
Sources
NVD
npm Severity LOW Has Fix Added at: Mar 02, 2026
Wiz · blogs_wiz · GHSA-fp4x-ggrf-wmc6 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-fp4x-ggrf-wmc6 : JavaScript vulnerability analysis and mitigation
## Summary
Identifiers referenced in the advisory (prose not preserved): `redirectBack()`, `Referer`, `Location`, `//`.
## Details
`src/utils/response.ts:89-97`:
```ts
export function redirectBack(
  event: H3Event,
  opts: { fallback?: string; status?: number; allowQuery?: boolean } = {},
): HTTPResponse {
  const referer = event.req.headers.get("referer");
  let location = opts.fallback ?? "/";
  if (referer && URL.canParse(referer)) {
    const refererURL = new URL(referer);
    if (refererURL.origin === event.url.origin) {
      // BUG: pathname can be "//evil.com/path" which browsers interpret
      // as a protocol-relative URL
      location = refererURL.pathname + (opts.allowQuery ? refererURL.search : "");
    }
  }
  return redirect(location, opts.status);
}
```
The root cause is a discrepancy between how the WHA
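The origin comparison above is correct for the Referer as parsed; what it misses is that the pathname extracted from a same-origin URL is itself reinterpreted by the browser when it comes back in `Location`. The block below is an added example, not h3 code: a redirect-target sanitiser that resolves the candidate against the current origin, extracts a path, rejects scheme-relative forms (`//host`, `/\host`) explicitly, and then re-resolves the final `Location` value to prove it still lands on the same origin. The same function serves the Referer case above and a `redirect`-style query parameter, since both are untrusted strings that end up in `Location`; the function and sample names are this example's own, and `app.example` and `evil.example` are constructed hosts.

```javascript
// Added example, not h3 code. Returns a same-origin path, or the fallback.
function safeRedirectTarget(candidate, origin, { fallback = '/', allowQuery = false } = {}) {
  if (typeof candidate !== 'string' || candidate.length === 0) return fallback;
  let parsed;
  try {
    parsed = new URL(candidate, origin); // relative inputs resolve against our origin
  } catch {
    return fallback;
  }
  // Absolute URLs elsewhere, and javascript:/data: (origin "null"), stop here.
  if (parsed.origin !== origin) return fallback;

  const location = parsed.pathname + (allowQuery ? parsed.search : '');
  // The pathname of a same-origin URL may itself be "//host/path" (or "/\host",
  // which the URL parser normalises to "//host"); browsers treat a Location of
  // that shape as scheme-relative. Reject it explicitly ...
  if (!location.startsWith('/') || location.startsWith('//') || location.startsWith('/\\')) return fallback;
  // ... and prove it by re-resolving the value we are about to emit.
  if (new URL(location, origin).origin !== origin) return fallback;
  return location;
}

const ORIGIN = 'https://app.example';

// Constructed candidates: Referer values and redirect parameters an attacker might send.
function sampleResults() {
  return {
    sameOrigin: safeRedirectTarget('https://app.example/settings?tab=2', ORIGIN),
    sameOriginQuery: safeRedirectTarget('https://app.example/settings?tab=2', ORIGIN, { allowQuery: true }),
    doubleSlashPath: safeRedirectTarget('https://app.example//evil.example/path', ORIGIN),
    backslashPath: safeRedirectTarget('https://app.example/\\evil.example', ORIGIN),
    otherOrigin: safeRedirectTarget('https://evil.example/path', ORIGIN),
    schemeRelative: safeRedirectTarget('//evil.example/path', ORIGIN),
    javascriptUrl: safeRedirectTarget('javascript:alert(1)', ORIGIN),
    relativePath: safeRedirectTarget('/account', ORIGIN),
  };
}
```

Emitting a path rather than an absolute URL is deliberate: the browser resolves `Location: /settings` against the responding origin, so there is no host for the attacker to influence once the leading-slash forms are excluded.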
Wiz · blogs_wiz · CVSS 4.3 [MEDIUM] · GHSA-gw32-9rmw-qwww Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-gw32-9rmw-qwww : JavaScript vulnerability analysis and mitigation
## PoC
Put this in a server-side-rendered Svelte component:
```js
let value = `test'">alert('BIM');`;
```
## Impact
Only affects SSR
Source : NVD
Score 8.4
Published January 16, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
svelte
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 18, 2026
Wiz · blogs_wiz · CVSS 7.5 [HIGH] · CVE-2025-70949 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-70949 : JavaScript vulnerability analysis and mitigation
An observable timing discrepancy in @perfood/couch-auth v0.26.0 allows attackers to access sensitive information via a timing side-channel.
Source : NVD
Score 7.5
Published March 5, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@perfood/couch-auth
Sources
NVD
npm Severity HIGH No Fix Added at: Mar 08, 2026
Wiz · blogs_wiz · CVSS 5.1 [MEDIUM] · CVE-2026-27119 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27119 : JavaScript vulnerability analysis and mitigation
Svelte is a performance-oriented web framework. From 5.39.3 to 5.51.4 inclusive, in certain circumstances the server-side rendering output of an element does not properly escape its content, potentially allowing HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
Source : NVD
Score 5.1
Published February 20, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
JavaScript
Linux Fedora
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pgadmin4-langpack-ja
pgadmin4-langpack-ru
Sources
NVD
npm
Wiz · blogs_wiz · CVSS 5.5 [MEDIUM] · CVE-2026-2327 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2327 : JavaScript vulnerability analysis and mitigation
Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.
Source : NVD
Score 5.5
Published February 12, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
kibana-8.19
Wiz · blogs_wiz · CVSS 7.8 [HIGH] · CVE-2026-25546 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25546 : JavaScript vulnerability analysis and mitigation
Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec(), which spawns a shell. An attacker could inject shell metacharacters like $(command) or &calc to execute arbitrary commands with the privileges of the MCP server process. This affects any tool that accepts projectPath, including create_scene, add_node, load_sprite, and others. This issue has been patched in version 0.1.1.
Source : NVD
Score 7.8
Published February 4, 2026
Severity HIGH
CNA Score 7.8
Wiz · blogs_wiz · CVSS 8.2 [HIGH] · CVE-2026-34573 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34573 : JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out fragment spreads. A single unauthenticated request can block the Node.js event loop for seconds, denying service to all concurrent users. This only affects deployments that have enabled the requestComplexity.graphQLDepth or requestComplexity.graphQLFields configuration options. This issue has been patched in versions 8.6.68 and 9.7.0-alpha.12.
Source : NVD
Score 8.2
Published March 31, 2026
Severity HIGH
CNA Score 8.2
Wiz · blogs_wiz · CVSS 8.4 [HIGH] · CVE-2026-26280 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26280 : JavaScript vulnerability analysis and mitigation
Identifiers referenced in the advisory (prose not preserved): `wifiNetworks()` in `lib/wifi.js`, `iface`, `setTimeout`, `getWifiNetworkListIw(iface)`, `execSync('iwlist ${iface} scan')`, `si.wifiNetworks()`.
Source : NVD
Score 7.8
Published February 19, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
JavaScript
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10
Exploitation Probability (EPSS) N/A
Affected packages and libraries
kibana-9.3
systeminformation
Sources
NVD
Chainguard Has Fix Added at: Feb 20, 2026
npm Severity HIGH Has Fix Added at: Feb 19, 2026
Wiz · blogs_wiz · CVSS 0.6 [LOW] · CVE-2025-68457 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68457 : JavaScript vulnerability analysis and mitigation
Identifiers referenced in the advisory (prose not preserved): `javascript:`, `data-href`, `href`.
Source : NVD
Score 0.6
Published December 19, 2025
Severity LOW
CNA Score 0.6
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
orejime
Sources
NVD
npm Severity LOW Has Fix Added at: Dec 22, 2025
Wiz · blogs_wiz · CVSS 6.5 [MEDIUM] · CVE-2026-34750 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34750 : JavaScript vulnerability analysis and mitigation
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3, the client-upload signed-URL endpoints for S3, GCS, Azure, and R2 did not properly sanitize filenames. An attacker could craft filenames to escape the intended storage location. This issue has been patched in version 3.78.0 for @payloadcms/storage-azure, @payloadcms/storage-gcs, @payloadcms/storage-r2, and @payloadcms/storage-s3.
Source : NVD
Score 6.5
Published April 1, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz · blogs_wiz · CVSS 6.3 [MEDIUM] · CVE-2026-33323 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33323 : JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.51 and 9.6.0-alpha.40, the Pages route and legacy PublicAPI route for resending email verification links return distinguishable responses depending on whether the provided username exists and has an unverified email. This allows an unauthenticated attacker to enumerate valid usernames by observing different redirect targets. The existing emailVerifySuccessOnInvalidEmail configuration option, which is enabled by default and protects the API route against this, did not apply to these routes. This issue has been patched in versions 8.6.51 and 9.6.0-alpha.40.
Source : NVD
Score 6.3
Wiz · blogs_wiz · CVSS 7.5 [HIGH] · CVE-2026-30827 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30827 : JavaScript vulnerability analysis and mitigation
express-rate-limit is a basic rate-limiting middleware for Express. In versions starting from 8.0.0 and prior to versions 8.0.2, 8.1.1, 8.2.2, and 8.3.0, the default keyGenerator in express-rate-limit applies IPv6 subnet masking (/56 by default) to all addresses that net.isIPv6() returns true for. This includes IPv4-mapped IPv6 addresses (::ffff:x.x.x.x), which Node.js returns as request.ip on dual-stack servers. Because the first 80 bits of all IPv4-mapped addresses are zero, a /56 (or any /32 to /80) subnet mask produces the same network key (::/56) for every IPv4 client. This collapses all IPv4 traffic into a single rate-limit bucket: one client exhausting the limit causes HTTP 429 for all other IPv4 clients. This is
Wiz · blogs_wiz · CVSS 8.5 [HIGH] · CVE-2026-22610 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22610 : JavaScript vulnerability analysis and mitigation
Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior to versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0, a cross-site scripting (XSS) vulnerability has been identified in the Angular Template Compiler. The vulnerability exists because Angular’s internal sanitization schema fails to recognize the href and xlink:href attributes of SVG elements as a Resource URL context. This issue has been patched in versions 19.2.18, 20.3.16, 21.0.7, and 21.1.0-rc.0.
Source : NVD
Score 8.5
Published January 10, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
Wiz · blogs_wiz · CVSS 4.3 [MEDIUM] · GHSA-8g29-8xwr-qmhr Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-8g29-8xwr-qmhr : JavaScript vulnerability analysis and mitigation
## Impact
Unguarded `JSON.parse(env.adapterConfig)` call sites (the result is used as a `Record`):
- `packages/server/src/grpc-service.ts:415` (`reconnectOrProvision`)
- `packages/server/src/grpc-service.ts:482` (`stopEnvironment`)
- `packages/server/src/grpc-service.ts:498` (`destroyEnvironment`)
## Patches
Fix: wrap the parse in a try-catch and return a meaningful gRPC error:

```typescript
// Assumed import: ConnectError and the Code enum as exported by @connectrpc/connect,
// which is the API the advisory's snippet appears to use.
import { Code, ConnectError } from "@connectrpc/connect";

let config: Record<string, unknown>;
try {
  // env.adapterConfig is a JSON string loaded from the database and may be malformed
  config = JSON.parse(env.adapterConfig) as Record<string, unknown>;
} catch {
  // Return a defined gRPC error instead of letting the handler crash on bad JSON
  throw new ConnectError("Invalid adapter configuration", Code.Internal);
}
```
## Workarounds
Ensure database integrity. Back up the SQLite database regularly.
## Resources
CWE-754: Improper Check for Unusual or Exceptional Conditions
packages/server/src/grpc-service.ts
Source : NVD
Score 2.1
Published March 25, 2026
Wiz
CVE-2026-32094 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-32094 [MEDIUM] CVE-2026-32094 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32094: JavaScript vulnerability analysis and mitigation
Shescape is a simple shell escape library for JavaScript. Prior to 2.1.10, Shescape#escape() does not escape square-bracket glob syntax for Bash, BusyBox sh, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like secret[12] to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches. This vulnerability is fixed in 2.1.10.
Source : NVD
Score 6.9
Published March 11, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Prob
Wiz
CVE-2026-30241 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
CVE-2026-30241 [LOW] CVE-2026-30241 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30241: JavaScript vulnerability analysis and mitigation
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.8.0, Mercurius fails to enforce the configured queryDepth limit on GraphQL subscription queries received over WebSocket connections. The depth check is correctly applied to HTTP queries and mutations, but subscription queries are parsed and executed without invoking the depth validation. This allows a remote client to submit arbitrarily deeply nested subscription queries over WebSocket, bypassing the intended depth restriction. On schemas with recursive types, this can lead to denial of service through exponential data resolution on each subscription event. This issue has been patched in version 16.8.0.
Source : NVD
Score 2.7
Published March 6, 202
Wiz
CVE-2026-35408 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-35408 [HIGH] CVE-2026-35408 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35408: JavaScript vulnerability analysis and mitigation
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus's Single Sign-On (SSO) login pages lacked a Cross-Origin-Opener-Policy (COOP) HTTP response header. Without this header, a malicious cross-origin window that opens the Directus login page retains the ability to access and manipulate the window object of that page. An attacker can exploit this to intercept and redirect the OAuth authorization flow to an attacker-controlled OAuth client, causing the victim to unknowingly grant access to their authentication provider account (e.g. Google, Discord). This vulnerability is fixed in 11.17.0.
Source : NVD
Score 8.7
Published April 6, 2026
Severity HIGH
CNA Scor
Wiz
CVE-2026-35209 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-35209 [HIGH] CVE-2026-35209 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35209: JavaScript vulnerability analysis and mitigation
defu()
__proto__
_defu
Object.assign({}, defaults)
Object.assign
__proto__
[[Prototype]]
__proto__
for...in
Object.assign({}, defaults)
{ ...defaults }
[[DefineOwnProperty]]
__proto__
Source : NVD
Score 7.5
Published April 6, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
defu
jitsucom-jitsu
Sources
NVD
Chainguard Has Fix Added at: Apr 06, 2026
npm Severity HIGH Has Fix Added at: Apr 05, 2026
MinimOS Severity HIGH Has Fix Added at: Apr 06, 2026
Wolfi
Wiz
CVE-2025-69985 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-69985 [CRITICAL] CVE-2025-69985 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69985: JavaScript vulnerability analysis and mitigation
FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP "Referer" header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server's host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary Node.js code on the server.
Source : NVD
Score 9.8
Published February 24, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-27121 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-27121 [MEDIUM] CVE-2026-27121 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27121: JavaScript vulnerability analysis and mitigation
Svelte is a performance-oriented web framework. Versions of svelte prior to 5.51.5 are vulnerable to cross-site scripting (XSS) during server-side rendering. When using spread syntax to render attributes from untrusted data, event handler properties are included in the rendered HTML output. If an application spreads user-controlled or external data as element attributes, an attacker can inject malicious event handlers that execute in victims' browsers. This vulnerability is fixed in 5.51.5.
Source : NVD
Score 5.1
Published February 20, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Explo
Wiz
CVE-2026-22597 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.0
CVE-2026-22597 [LOW] CVE-2026-22597 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22597: JavaScript vulnerability analysis and mitigation
Ghost is a Node.js content management system. In versions 5.38.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost’s media inliner mechanism allows staff users in possession of a valid authentication token for the Ghost Admin API to exfiltrate data from internal systems via SSRF. This issue has been patched in versions 5.130.6 and 6.11.0.
Source : NVD
Score 2
Published January 10, 2026
Severity LOW
CNA Score 2.0
Affected Technologies
JavaScript
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ghost
Sources
NVD
npm
Wiz
CVE-2026-33732 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-33732 [MEDIUM] CVE-2026-33732 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33732: JavaScript vulnerability analysis and mitigation
FastURL
file://
FastURL
URL
/
Source : NVD
Score 6.5
Published March 26, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
srvx
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 29, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
Wiz
CVE-2025-59057 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2025-59057 [HIGH] CVE-2025-59057 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-59057: JavaScript vulnerability analysis and mitigation
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode ( ) or Data Mode (createBrowserRouter/ ). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
Source : NVD
Score 7.6
Published January 10, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
JavaScript
React Router
Has Public Exploit Ye
Wiz
GHSA-c8m8-3jcr-6rj5 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-c8m8-3jcr-6rj5 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-c8m8-3jcr-6rj5: JavaScript vulnerability analysis and mitigation
frangoteam751
secretCode
secretCode
Source : NVD
Score 8.1
Published March 7, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@frangoteam/fuxa
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 08, 2026
Wiz
CVE-2026-31938 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-31938 [CRITICAL] CVE-2026-31938 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31938: JavaScript vulnerability analysis and mitigation
options
output
Source : NVD
Score 6.1
Published March 18, 2026
Severity MEDIUM
CNA Score 9.6
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
opensearch-dashboards-2
opensearch-dashboards-2-fips
Sources
NVD
Chainguard Has Fix Added at: Mar 20, 2026
npm Severity CRITICAL Has Fix Added at: Mar 17, 2026
Wolfi Has Fix Added at: Mar 20, 2026
Wiz
CVE-2026-27148 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9
CVE-2026-27148 [HIGH] CVE-2026-27148 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27148: JavaScript vulnerability analysis and mitigation
Storybook is a frontend workshop for building user interface components and pages in isolation. Prior to versions 7.6.23, 8.6.17, 9.1.19, and 10.2.10, the WebSocket functionality in Storybook's dev server, used to create and update stories, is vulnerable to WebSocket hijacking. This vulnerability only affects the Storybook dev server; production builds are not impacted. Exploitation requires a developer to visit a malicious website while their local Storybook dev server is running. Because the WebSocket connection does not validate the origin of incoming connections, a malicious site can silently send WebSocket messages to the local instance without any further user interaction. If the Storybook dev server is intentiona
Wiz
CVE-2026-3125 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-3125 [HIGH] CVE-2026-3125 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3125: JavaScript vulnerability analysis and mitigation
A Server-Side Request Forgery (SSRF) vulnerability was identified in the @opennextjs/cloudflare package, resulting from a path normalization bypass in the /cdn-cgi/image/ handler. The @opennextjs/cloudflare worker template includes a /cdn-cgi/image/ handler intended for development use only. In production, Cloudflare's edge intercepts /cdn-cgi/image/ requests before they reach the Worker. However, by substituting a backslash for a forward slash (/cdn-cgi\image/ instead of /cdn-cgi/image/), an attacker can bypass edge interception and have the request reach the Worker directly. The JavaScript URL class then normalizes the backslash to a forward slash, causing the request to match the handler and trigger an unvalidated fetc
Wiz
CVE-2026-30863 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-30863 [CRITICAL] CVE-2026-30863 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30863: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.10 and 9.5.0-alpha.11, the Google, Apple, and Facebook authentication adapters use JWT verification to validate identity tokens. When the adapter's audience configuration option is not set (clientId for Google/Apple, appIds for Facebook), JWT verification silently skips audience claim validation. This allows an attacker to use a validly signed JWT issued for a different application to authenticate as any user on the target Parse Server. This issue has been patched in versions 8.6.10 and 9.5.0-alpha.11.
Source : NVD
Score 9.3
Published March 7, 2026
Severity CRITICAL
CNA Score 9.3
Affe
Wiz
CVE-2025-66648 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-66648 [HIGH] CVE-2025-66648 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66648: JavaScript vulnerability analysis and mitigation
6.1.1
vega.expressionInterpreter
Source : NVD
Score 6.1
Published January 5, 2026
Severity MEDIUM
CNA Score 7.2
Affected Technologies
JavaScript
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
vega.js
vega-functions
Sources
NVD
Debian 12, 13, 14 Severity MEDIUM No Fix Added at: Jan 11, 2026
Echo Severity MEDIUM No Fix Added at: Jan 11, 2026
npm Severity HIGH Has Fix Added at: Jan 06, 2026
Wiz
CVE-2026-35039 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-35039 [CRITICAL] CVE-2026-35039 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35039: JavaScript vulnerability analysis and mitigation
fast-jwt provides a fast JSON Web Token (JWT) implementation. From 0.0.1 to before 6.1.0, setting up a custom cacheKeyBuilder method which does not properly create unique keys for different tokens can lead to cache collisions. This could cause tokens to be mis-identified during the verification process, leading to valid tokens returning claims from different valid tokens and users being mis-identified as other users based on the wrong token.
Source : NVD
Score 9.1
Published April 6, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.1
Exploitation P
Wiz
CVE-2026-30967 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-30967 [HIGH] CVE-2026-30967 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30967: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.9 and 8.6.22, the OAuth2 authentication adapter, when configured without the useridField option, only verifies that a token is active via the provider's token introspection endpoint, but does not verify that the token belongs to the user identified by authData.id. An attacker with any valid OAuth2 token from the same provider can authenticate as any other user. This affects any Parse Server deployment that uses the generic OAuth2 authentication adapter (configured with oauth2: true) without setting the useridField option. This vulnerability is fixed in 9.5.2-alpha.9 and 8.6.22.
Source : NVD
Wiz
CVE-2026-30945 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-30945 [HIGH] CVE-2026-30945 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30945: JavaScript vulnerability analysis and mitigation
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the DELETE /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user with editor privileges or above to revoke API tokens belonging to any other user, including admin and owner accounts. The handler accepts tokenID and userID directly from the request payload without verifying token ownership, caller identity, or role hierarchy. This enables targeted denial of service against critical integrations and automations. This vulnerability is fixed in 0.4.0.
Source : NVD
Score 7.1
Published March 10, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CI
Wiz
CVE-2026-27608 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-27608 [CRITICAL] CVE-2026-27608 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27608: JavaScript vulnerability analysis and mitigation
POST /apps/:appId/agent
agent
readOnlyMasterKey
agent
agent
Source : NVD
Score 9.3
Published February 25, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
parse-dashboard
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-4923 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-4923 [HIGH] CVE-2026-4923 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4923: JavaScript vulnerability analysis and mitigation
## Impact
When using multiple wildcards, combined with at least one parameter, a regular expression can be generated that is vulnerable to ReDoS. This backtracking vulnerability requires the second wildcard to be somewhere other than the end of the path.
Unsafe examples:
- `/*foo-*bar-:baz`
- `/*a-:b-*c-:d`
- `/x/*a-:b/*c/y`
Safe examples:
- `/*foo-:bar`
- `/*foo-:bar-*baz`
## Patches
Upgrade to version 8.4.0.
## Workarounds
If you are using multiple wildcard parameters, you can check the regex output with a tool such as https://makenowjust-labs.github.io/recheck/playground/ to confirm whether a path is vulnerable.
Source : NVD
Score 5.9
Published March 26, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
JavaScript
Wiz
CVE-2026-0540 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-0540 [MEDIUM] CVE-2026-0540 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0540: JavaScript vulnerability analysis and mitigation
DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.
Source : NVD
Score 5.3
Published March 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.9
Expl
Wiz
CVE-2026-4599 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-4599 [MEDIUM] CVE-2026-4599 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4599: JavaScript vulnerability analysis and mitigation
Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation.
Source : NVD
Score 9.3
Published March 23, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Exploitation Probability (EPSS) N/A
Affected packages an
Wiz
CVE-2026-25150 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-25150 [CRITICAL] CVE-2026-25150 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25150: JavaScript vulnerability analysis and mitigation
Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like `__proto__`, `constructor`, and `prototype`. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0.
Source : NVD
Score 10
Published February 3, 2026
Severity CRITICAL
CNA Score 9.3
Affected Techno
Wiz
CVE-2026-32878 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-32878 [MEDIUM] CVE-2026-32878 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32878: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.20 and 8.6.44, an attacker can bypass the default request keyword denylist protection and the class-level permission for adding fields by sending a crafted request that exploits prototype pollution in the deep copy mechanism. This allows injecting fields into class schemas that have field addition locked down, and can cause permanent schema type conflicts that cannot be resolved even with the master key. In 9.6.0-alpha.20 and 8.6.44, the vulnerable third-party deep copy library has been replaced with a built-in deep clone mechanism that handles prototype properties safely, allowing the existing de
Wiz
CVE-2026-32630 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-32630 [MEDIUM] CVE-2026-32630 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32630: JavaScript vulnerability analysis and mitigation
file-type detects the file type of a file, stream, or data. From 20.0.0 to 21.3.1, a crafted ZIP file can trigger excessive memory growth during type detection in file-type when using fileTypeFromBuffer(), fileTypeFromBlob(), or fileTypeFromFile(). The ZIP inflate output limit is enforced for stream-based detection, but not for known-size inputs. As a result, a small compressed ZIP can cause file-type to inflate and process a much larger payload while probing ZIP-based formats such as OOXML. This vulnerability is fixed in 21.3.2.
Source : NVD
Score 5.3
Published March 16, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KE
Wiz
CVE-2025-67731 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2025-67731 [HIGH] CVE-2025-67731 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67731: JavaScript vulnerability analysis and mitigation
Servify Express is a Node.js package to start an Express server and log the port it's running on. Prior to 1.2, the Express server used express.json() without a size limit, which could allow attackers to send extremely large request bodies. This can cause excessive memory usage, degraded performance, or process crashes, resulting in a Denial of Service (DoS). Any application using the JSON parser without limits and exposed to untrusted clients is affected. The issue is not a flaw in Express itself, but in configuration. This issue is fixed in version 1.2. To work around, consider adding a limit option to the JSON parser, rate limiting at the application or reverse-proxy level, rejecting unusually large requests before p
Wiz
CVE-2025-66456 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-66456 [CRITICAL] CVE-2025-66456 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66456: JavaScript vulnerability analysis and mitigation
mergeDeep
__proto__ prop
__proto__ key
Source : NVD
Score 9.1
Published December 9, 2025
Severity CRITICAL
CNA Score 9.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36.1
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
elysia
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Dec 09, 2025
Wiz
CVE-2026-29783 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-29783 [HIGH] CVE-2026-29783 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29783: JavaScript vulnerability analysis and mitigation
The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent (e.g., via prompt injection through repository files, MCP server responses, or user instructions) can exploit bash parameter transformation operators to execute hidden commands, bypassing the safety assessment that classifies commands as "read-only." This has been patched in version 0.0.423.
The vulnerability stems from how the CLI's shell safety assessment evaluates commands before execution. The safety layer parses and classifies shell commands as either read-only (safe) or write-capable (
Wiz
CVE-2026-31868 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-31868 [MEDIUM] CVE-2026-31868 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31868: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.4 and 8.6.30, an attacker can upload a file with a file extension or content type that is not blocked by the default configuration of the Parse Server fileUpload.fileExtensions option. The file can contain malicious code, for example JavaScript in an SVG or XHTML file. When the file is accessed via its URL, the browser renders the file and executes the malicious code in the context of the Parse Server domain. This is a stored Cross-Site Scripting (XSS) vulnerability that can be exploited to steal session tokens, redirect users, or perform actions on behalf of other users. Affected file extensions
Wiz
CVE-2026-27829 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-27829 [MEDIUM] CVE-2026-27829 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27829: JavaScript vulnerability analysis and mitigation
image.domains
image.remotePatterns
inferSize
image.domains
image.remotePatterns
inferSize
image.domains
image.remotePatterns
Source : NVD
Score 7.2
Published February 26, 2026
Severity HIGH
CNA Score 6.5
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@astrojs/node
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-24888 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-24888 [MEDIUM] CVE-2026-24888 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24888: JavaScript vulnerability analysis and mitigation
makerjs.extendObject
hasOwnProperty()
Source : NVD
Score 9.8
Published January 28, 2026
Severity CRITICAL
CNA Score 6.5
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 64.3
Exploitation Probability (EPSS) 0.5
Affected packages and libraries
makerjs
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 29, 2026
Wiz
CVE-2026-35412 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-35412 [MEDIUM] CVE-2026-35412 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35412: JavaScript vulnerability analysis and mitigation
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus' TUS resumable upload endpoint (/files/tus) allows any authenticated user with basic file upload permissions to overwrite arbitrary existing files by UUID. The TUS controller performs only collection-level authorization checks, verifying the user has some permission on directus_files, but never validates item-level access to the specific file being replaced. As a result, row-level permission rules (e.g., "users can only update their own files") are completely bypassed via the TUS path while being correctly enforced on the standard REST upload path. This vulnerability is fixed in 11.16.1.
Source : NVD
Score 7.1
Wiz
CVE-2026-29074 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-29074 [HIGH] CVE-2026-29074 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29074: JavaScript vulnerability analysis and mitigation
SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files. From version 2.1.0 to before version 2.8.1, from version 3.0.0 to before version 3.3.3, and before version 4.0.1, SVGO accepts XML with custom entities, without guards against entity expansion or recursion. This can result in a small XML file (811 bytes) stalling the application and even crashing the Node.js process with JavaScript heap out of memory. This issue has been patched in versions 2.8.1, 3.3.3, and 4.0.1.
Source : NVD
Score 7.5
Published March 6, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
## CVE-2025-67490: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 5.4, MEDIUM)
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. When using versions 4.11.0 through 4.11.2 and 4.12.0, simultaneous requests on the same client may result in improper lookups in the TokenRequestCache for the request results. This issue is fixed in versions 4.11.2 and 4.12.1.
Source : NVD
Score 5.4
Published December 10, 2025
Severity MEDIUM
CNA Score 5.4
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@auth0/nextjs-auth0
Sources
NVD
npm Severity MEDIUM Has Fix
## CVE-2026-34156: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 9.9, CRITICAL)
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside a Node.js vm sandbox with a custom require allowlist (controlled by WORKFLOW_SCRIPT_MODULES env var). However, the console object passed into the sandbox context exposes host-realm WritableWorkerStdio stream objects via console._stdout and console._stderr. An authenticated attacker can traverse the prototype chain to escape the sandbox and achieve Remote Code Execution as root. This issue has been patched in version 2.0.28.
Source : NVD
Score 9.9
Published March 31, 2026
Severity CRITICAL
CNA Score 9.9
## CVE-2026-30587: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 8.7, HIGH)
Multiple stored XSS vulnerabilities exist in Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior, fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags.
Source : NVD
Score 8.7
Published March 25, 2026
Severity HIGH
CNA Score 5.4
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-28292: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 9.8, CRITICAL)
simple-git
Source : NVD
Score 9.8
Published March 10, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
grafana-prometheus
openclaw
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Mar 11, 2026
MinimOS Severity CRITICAL Has Fix Added at: Mar 12, 2026
Red Hat 8, 9 Severity HIGH No Fix Added at: Mar 12, 2026
## CVE-2026-25958: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 7.7, HIGH)
Cube is a semantic layer for building data applications. From 0.27.19 to before 1.5.13, 1.4.2, and 1.0.14, it is possible to make a specially crafted request with a valid API token that leads to privilege escalation. This vulnerability is fixed in 1.5.13, 1.4.2, and 1.0.14.
Source : NVD
Score 7.7
Published February 9, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@cubejs-backend/server-core
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 10, 2026
## GHSA-5mx2-2mgw-x8rm: JavaScript vulnerability analysis and mitigation (Wiz)
## Summary
BlueBubbles webhook auth in the optional beta iMessage plugin allowed a passwordless fallback path. In some reverse-proxy/local routing setups, this could allow unauthenticated webhook events.
## Affected Component and Scope
extensions/bluebubbles
Scope: only deployments using the optional BlueBubbles plugin where webhook password auth was not configured for incoming webhook events
## Affected Packages / Versions
openclaw/openclaw
2026.2.19-2
=2026.2.21
## Details
The vulnerable implementation had multiple auth branches, including a passwordless fallback with loopback/proxy heuristics.
The fix now uses one authentication codepath:
channels.bluebubbles.password
webhook target matching i
## GHSA-g9jg-w8vm-g96v: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 4.3, MEDIUM)
## Impact
The Trix editor, in versions prior to 2.1.16, is vulnerable to XSS attacks through attachment payloads.
An attacker could inject malicious code into a data-trix-attachment attribute that, when rendered as HTML and clicked on, could execute arbitrary JavaScript code within the context of the user's session, potentially leading to unauthorized actions being performed or sensitive information being disclosed.
## Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.16 or later.
## Resources
The XSS vulnerability was reported by HackerOne researcher michaelcheers .
Source : NVD
Score 4.6
Published December 31, 2025
Severity MEDIUM
CNA Score N/A
## CVE-2026-26063: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 8.8, HIGH)
CediPay is a crypto-to-fiat app for the Ghanaian market. A vulnerability in CediPay prior to version 1.2.3 allows attackers to bypass input validation in the transaction API. The issue has been fixed in version 1.2.3. If upgrading is not immediately possible, restrict API access to trusted networks or IP ranges; enforce strict input validation at the application layer; and/or monitor transaction logs for anomalies or suspicious activity. These mitigations reduce exposure but do not fully eliminate the vulnerability.
Source : NVD
## 8.8
Score
Published February 19, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
## CVE-2026-33036: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 7.5, HIGH)
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory alloc
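The SVGO entry above (CVE-2026-29074) and this fast-xml-parser entry describe the same failure from two sides: an XML consumer with no expansion guard at all, and one whose guard counts only DOCTYPE-defined entities while numeric character references go uncounted. The JavaScript below is an added example, not code from SVGO, fast-xml-parser or Wiz; it pre-scans a document before any parser sees it and charges every reference, named or numeric, against one budget, rejecting recursion outright. The limit values, function names and the sample documents (including the generated "billion laughs" file) are assumptions constructed for the demo.

```javascript
// Added example, not SVGO or fast-xml-parser code: a pre-parse budget check that
// charges DOCTYPE-defined entities AND numeric character references against the
// same limits, so neither path can evade the expansion cap.
// Limits are illustrative assumptions; tune them for your inputs.
const MAX_ENTITY_DEPTH = 8;
const MAX_TOTAL_EXPANSIONS = 10000;
const MAX_EXPANDED_LENGTH = 1 << 20; // 1 MiB of expanded text

const DOCTYPE_RE = /<!DOCTYPE[^\[>]*(?:\[([\s\S]*?)\]\s*)?>/;
const ENTITY_DECL_RE = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF_RE = /&(#x[0-9a-fA-F]+|#[0-9]+|[A-Za-z_][\w.-]*);/g;
const PREDEFINED = new Set(['amp', 'lt', 'gt', 'quot', 'apos']);

// Collect <!ENTITY name "value"> declarations from the internal DTD subset.
function parseInternalEntities(xml) {
  const entities = new Map();
  const m = xml.match(DOCTYPE_RE);
  if (!m || m[1] === undefined) return entities;
  for (const d of m[1].matchAll(ENTITY_DECL_RE)) {
    entities.set(d[1], d[2] !== undefined ? d[2] : d[3]);
  }
  return entities;
}

// Size of `value` after full expansion, computed without materialising it.
// Every reference (named or numeric) costs one expansion; recursion is rejected.
function expandedSize(value, entities, budget, depth, stack) {
  let size = 0;
  let last = 0;
  for (const m of value.matchAll(ENTITY_REF_RE)) {
    size += m.index - last;
    last = m.index + m[0].length;
    if (++budget.expansions > MAX_TOTAL_EXPANSIONS) throw new Error('too many entity expansions');
    const ref = m[1];
    if (ref.startsWith('#') || PREDEFINED.has(ref)) {
      size += 1; // one code point (a 2-unit code point is under-counted by one; fine for a bound)
    } else if (entities.has(ref)) {
      if (depth >= MAX_ENTITY_DEPTH || stack.has(ref)) throw new Error(`recursive or too-deep entity &${ref};`);
      stack.add(ref);
      size += expandedSize(entities.get(ref), entities, budget, depth + 1, stack);
      stack.delete(ref);
    } else {
      size += m[0].length; // undeclared entity: a strict parser would reject it; keep its literal length
    }
    if (size > MAX_EXPANDED_LENGTH) throw new Error('expanded length exceeds limit');
  }
  return size + (value.length - last);
}

// Run before handing `xml` to any parser. Returns { ok: true, expansions, expandedLength }
// or { ok: false, reason, expansions }. References inside CDATA are counted too,
// which only makes the bound more conservative.
function checkXmlExpansion(xml) {
  const budget = { expansions: 0 };
  try {
    const entities = parseInternalEntities(xml);
    const body = xml.replace(DOCTYPE_RE, '');
    const expandedLength = expandedSize(body, entities, budget, 0, new Set());
    return { ok: true, expansions: budget.expansions, expandedLength };
  } catch (e) {
    return { ok: false, reason: e.message, expansions: budget.expansions };
  }
}

// Constructed sample: the classic "billion laughs" with `levels` nested entities.
function buildBillionLaughs(levels) {
  let decls = '<!ENTITY lol0 "lol">';
  for (let i = 1; i <= levels; i++) decls += `<!ENTITY lol${i} "${`&lol${i - 1};`.repeat(10)}">`;
  return `<?xml version="1.0"?><!DOCTYPE lolz [${decls}]><lolz>&lol${levels};</lolz>`;
}
```

The guard is deliberately a bound, not a parser: it does not need to build the expanded string, so it cannot itself be driven out of memory by the input it is checking. The two failure modes from the entries above map onto the two throws: a flood of `&#65;` references trips the expansion count even with no DOCTYPE present, and nested DOCTYPE entities trip either the count or the depth/recursion check before any allocation happens.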
## GHSA-r5h9-vjqc-hq3r: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 4.3, MEDIUM)
## Summary
Identifiers referenced in this section (prose not recovered): `actor.name`.
## Details
Identifiers referenced in this section (prose not recovered): `actor.id`, `actor.name`.
## Affected Packages / Versions
@openclaw/nextcloud-talk
= 2026.2.6
openclaw
@openclaw/nextcloud-talk
## Fix Commit(s)
6b4b6049b47c3329a7014509594647826669892d
## Timeline
Introduced: 660f87278c9f292061e097441e0b10c20d62b31b (2026-01-20)
Fixed in repo: 6b4b6049b47c3329a7014509594647826669892d (2026-02-04 UTC)
First fixed tag containing the change: v2026.2.3
@openclaw/nextcloud-talk
2026.2.6
## Mitigation
@openclaw/nextcloud-talk
>= 2026.2.6
## Release Process Note
The patched version range is set to the first npm release that contains the fix. Once you are ready, you can publish this advisory without additional version edits.
## GHSA-33hq-fvwr-56pm: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 4.3, MEDIUM)
Identifiers referenced in this section (prose not recovered): `uneval`, `stringify`.
Source : NVD
Score 1.7
Published February 19, 2026
Severity LOW
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
devalue
Sources
NVD
npm Severity LOW Has Fix Added at: Feb 20, 2026
## CVE-2026-34210: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 6.0, MEDIUM)
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt token against a new challenge, and the server would accept the replayed Stripe PaymentIntent as a new successful payment without actually charging the customer again. This allowed an attacker to pay once and consume unlimited resources by replaying the credential. This issue has been patched in version 0.4.11.
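The entry above describes a replay that succeeds because the server treats a Stripe response as proof of a new charge without asking whether Stripe actually charged anyone. Stripe marks a response produced by replaying a previously used idempotency key with the `Idempotent-Replayed: true` header. The JavaScript below is an added example, not mppx code, of a settlement step that refuses replayed responses and also refuses to credit the same PaymentIntent or the same presented token twice, so the header check is not the only line of defence. The token format, the ledger sets, the response objects and the function name are assumptions constructed for the demo.

```javascript
// Added example, not mppx code: settle a payment only when the Stripe response is
// a fresh charge. Stripe sets "Idempotent-Replayed: true" when a request reuses a
// previously seen idempotency key. Tokens, ledgers and responses are constructed.
const settledIntents = new Set();   // PaymentIntent ids already credited
const usedTokens = new Set();       // payment tokens already redeemed

// Case-insensitive header lookup over a plain { name: value } object.
function headerValue(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// Returns { ok: true, intentId } or { ok: false, reason }.
function settleStripeCharge(token, response) {
  if (usedTokens.has(token)) return { ok: false, reason: 'token already redeemed' };
  if (String(headerValue(response.headers, 'Idempotent-Replayed')).toLowerCase() === 'true') {
    return { ok: false, reason: 'replayed idempotency key: no new charge was made' };
  }
  const intent = response.body;
  if (!intent || intent.object !== 'payment_intent' || intent.status !== 'succeeded') {
    return { ok: false, reason: 'payment not completed' };
  }
  if (settledIntents.has(intent.id)) return { ok: false, reason: 'PaymentIntent already credited' };
  settledIntents.add(intent.id);
  usedTokens.add(token);
  return { ok: true, intentId: intent.id };
}
```

In production the two sets would be a durable store keyed by PaymentIntent id and token, and the write to it must happen in the same transaction as the resource grant, otherwise two concurrent replays can both pass the membership test.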
Source : NVD
Score 6.0
Published March 31, 2026
Severity MEDIUM
CNA Score 6.0
Affected Technologies
JavaScript
## CVE-2026-27118: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 5.3, MEDIUM)
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Versions of @sveltejs/adapter-vercel prior to 6.3.2 are vulnerable to cache poisoning. An internal query parameter intended for Incremental Static Regeneration (ISR) is accessible on all routes, allowing an attacker to cause sensitive user-specific responses to be cached and served to other users. Successful exploitation requires a victim to visit an attacker-controlled link while authenticated. Existing deployments are protected by Vercel's WAF, but users should upgrade as soon as possible. This vulnerability is fixed in 6.3.2.
Source : NVD
Score 5.3
Published February 20, 2026
Severity MEDIUM
CNA Score 5.3
## CVE-2026-30921: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 9.9, CRITICAL)
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.20, OneUptime Synthetic Monitors allow low-privileged project users to submit custom Playwright code that is executed on the oneuptime-probe service. In the current implementation, this untrusted code is run inside Node's vm and is given live host Playwright objects such as browser and page. This creates a distinct server-side RCE primitive: the attacker does not need the classic this.constructor.constructor(...) sandbox escape. Instead, the attacker can directly use the injected Playwright browser object to reach browser.browserType().launch(...) and spawn an arbitrary executable on the probe host/container. This vulnerability is fixed i
## CVE-2025-69873: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 2.9, LOW)
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is
## CVE-2026-31840: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 9.3, CRITICAL)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.2 and 8.6.28, an attacker can use a dot-notation field name in combination with the sort query parameter to inject SQL into the PostgreSQL database through an improper escaping of sub-field values in dot-notation queries. The vulnerability may also affect queries that use dot-notation field names with the distinct and where query parameters. This vulnerability only affects deployments using a PostgreSQL database. This vulnerability is fixed in 9.6.0-alpha.2 and 8.6.28.
Source : NVD
Score 9.3
Published March 11, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
## CVE-2026-34532: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 9.1, CRITICAL)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator access controls by appending "prototype.constructor" to the function name in the URL. When a Cloud Function handler is declared using the function keyword and its validator is a plain object or arrow function, the trigger store traversal resolves the handler through its own prototype chain while the validator store fails to mirror this traversal, causing all access control enforcement to be skipped. This allows unauthenticated callers to invoke Cloud Functions that are meant to be protected by validators such as requireUser, r
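The mechanism in the entry above is a mismatch between two lookups over the same key: the handler registry resolves a dotted name by walking object properties (and therefore the prototype chain, where `fn.prototype.constructor` leads back to `fn` for any handler declared with the `function` keyword), while the validator registry is indexed by the raw string and finds nothing. The JavaScript below is an added example, not Parse Server code, that reproduces that shape in a few lines and then closes it by requiring an own, non-dotted key and using the identical key for both lookups. The registry contents, the `requireUser` flag and the function names are assumptions constructed for the demo.

```javascript
// Added example, not Parse Server code: a handler registry that resolves dotted
// paths (and so walks the prototype chain) beside a guard registry indexed by the
// raw name. Function and validator entries are constructed for the demo.
function resolveDotted(store, dotted) {
  return dotted.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), store);
}

// Declared with the `function` keyword, so hello.prototype.constructor === hello.
// An arrow function has no .prototype and would not be reachable this way.
const functions = {
  hello: function hello(req) { return `hello ${req.user ? req.user.id : 'anonymous'}`; },
};
const validators = { hello: { requireUser: true } };

// VULNERABLE: "hello.prototype.constructor" resolves to the same handler, but no
// validator is registered under that string, so the guard is silently skipped.
function callFunctionVulnerable(name, req) {
  const handler = resolveDotted(functions, name);
  if (typeof handler !== 'function') return { status: 404 };
  const v = validators[name];
  if (v && v.requireUser && !req.user) return { status: 401 };
  return { status: 200, result: handler(req) };
}

// FIXED: the name must be an own, non-dotted key of the registry and the validator
// is fetched with that same key. Building both registries with Object.create(null)
// would additionally keep bare names like "constructor" from resolving.
function callFunctionFixed(name, req) {
  if (name.includes('.') || !Object.prototype.hasOwnProperty.call(functions, name)) return { status: 404 };
  const handler = functions[name];
  if (typeof handler !== 'function') return { status: 404 };
  const v = validators[name];
  if (v && v.requireUser && !req.user) return { status: 401 };
  return { status: 200, result: handler(req) };
}
```

The general rule this illustrates: whenever a lookup key comes from the request, every registry consulted with it must normalise and validate the key the same way, and the check that a guard exists should fail closed (no validator found means deny, not allow) for any handler that is supposed to be protected.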
## CVE-2026-33311: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 4.7, MEDIUM)
Identifiers referenced in this section (prose not recovered): `backgroundColor`, `fontFamily`, `textColor`, `createAvatar()`, `Content-Type: image/svg+xml`.
Source : NVD
Score 4.7
Published March 24, 2026
Severity MEDIUM
CNA Score 4.7
Affected Technologies
JavaScript
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dicebear
@dicebear/core
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 20, 2026
Homebrew Severity MEDIUM Has Fix Added at: Mar 26, 2026
## GHSA-96qw-h329-v5rg: JavaScript vulnerability analysis and mitigation (Wiz)
## Summary
Identifiers referenced in this section (prose not recovered): `process.env`, `EnvironmentPlugin`, `process.env.VARIABLE_NAME`.
## Impact
Any environment variable in the build environment that is referenced in client-side code (including third-party dependencies) is embedded directly into the JavaScript bundle. This includes:
DATABASE_URL
AWS_SECRET_ACCESS_KEY
RAILS_MASTER_KEY
STRIPE_SECRET_KEY
TWILIO_AUTH_TOKEN
Any other secrets present in the build environment
Severity : Critical - secrets are exposed in publicly accessible JavaScript files.
## Root Cause
The original code used:

```js
new webpack.EnvironmentPlugin(process.env)
```

Identifier referenced in this section (prose not recovered): `process.env.SECRET_KEY`.
## Patches
Identifiers referenced in this section (prose not recovered): `NODE_ENV`, `RAILS_ENV`, `WEBPACK_SERVE`.
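Two things a team wants after reading the advisory above: a configuration that only ever exposes an explicit allowlist, and a build-time check that proves no other environment value made it into the emitted JavaScript. The code below is an added example, not the advisory's or the plugin's code. The allowlist uses the three names listed under Patches; the `pickBuildEnv`/`findLeakedEnv` names, the sample environment and the sample bundle text are assumptions constructed for the demo.

```javascript
// Added example, not the advisory's or the plugin's code: (1) an explicit
// allowlist for what EnvironmentPlugin may embed and (2) a post-build scan that
// fails CI if any other build-time environment value appears in the bundle.
// The env and bundle below are constructed samples.
const PUBLIC_ENV = ['NODE_ENV', 'RAILS_ENV', 'WEBPACK_SERVE'];

// Use as: new webpack.EnvironmentPlugin(pickBuildEnv(process.env))
// instead of: new webpack.EnvironmentPlugin(process.env)
function pickBuildEnv(env, allow = PUBLIC_ENV) {
  const picked = {};
  for (const name of allow) {
    if (Object.prototype.hasOwnProperty.call(env, name)) picked[name] = env[name];
  }
  return picked;
}

// Scan emitted JavaScript for literal env values. Short values (ports, "true")
// would false-positive everywhere, so only values of at least minLength count.
function findLeakedEnv(bundleSource, env, { allow = PUBLIC_ENV, minLength = 8 } = {}) {
  const leaked = [];
  for (const [name, value] of Object.entries(env)) {
    if (allow.includes(name) || typeof value !== 'string' || value.length < minLength) continue;
    if (bundleSource.includes(value)) leaked.push(name);
  }
  return leaked.sort();
}

// Constructed sample build environment and a bundle as the unpatched
// configuration would emit it (each referenced process.env.X inlined as a literal).
const SAMPLE_ENV = {
  NODE_ENV: 'production',
  PORT: '3000',
  DATABASE_URL: 'postgres://app:hunter2@db.internal:5432/app',
  STRIPE_SECRET_KEY: 'sk_test_000000constructedsample',
  TWILIO_AUTH_TOKEN: 'constructed-twilio-token-value',
};
const SAMPLE_BUNDLE =
  'const api=fetch("/v1",{headers:{Authorization:"Bearer sk_test_000000constructedsample"}});' +
  'const db="postgres://app:hunter2@db.internal:5432/app";const mode="production";';
```

Run `findLeakedEnv` over every file the bundler emits (including source maps) in CI with the real build environment, and treat a non-empty result as a failed build. It catches the class of bug regardless of which plugin or dependency inlined the value.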
## Workarounds
If developers cannot upgrade immediately:
## CVE-2026-32101: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 7.6, HIGH)
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.3.1, the S3 storage manager's isAuthorized() function is declared async (it returns a Promise) but is called without await in both the POST and PUT handlers. Since a Promise object is always truthy in JavaScript, !isAuthorized(type) always evaluates to false, completely bypassing the authorization check. Any authenticated user with the lowest visitor role can upload, delete, rename, and list all files in the S3 bucket. This vulnerability is fixed in 0.3.1.
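The bug class in the entry above is worth seeing in isolation, because it produces no error, no warning and no failing test unless the test asserts on the denied path. The JavaScript below is an added example, not StudioCMS code: the same async check called with and without `await`, plus a small heuristic source scan for "negated or branched-on call to a known async function with no `await`" that can run in CI. The role names, the handler names and the detector are assumptions constructed for the demo; a real lint rule would work on the AST rather than on regexes.

```javascript
// Added example, not StudioCMS code: an async authorization check called
// without `await`. A Promise is an object, so `!promise` is always false and
// the 403 branch is unreachable. Role names are assumptions.
async function isAuthorized(user, action) {
  // stand-in for an asynchronous lookup (database, session store, ...)
  return user.role === 'admin' || (user.role === 'editor' && action !== 'delete');
}

// VULNERABLE: the condition tests the Promise object, not its resolved value.
async function handleUploadVulnerable(user) {
  if (!isAuthorized(user, 'upload')) return { status: 403 };
  return { status: 200, stored: true };
}

// FIXED: await the result before negating it.
async function handleUploadFixed(user) {
  if (!(await isAuthorized(user, 'upload'))) return { status: 403 };
  return { status: 200, stored: true };
}

// Heuristic source check for the same bug class: a call to a known async
// function that is negated or used directly as an `if` condition without
// `await`. Adequate as a CI grep; an ESLint rule would use the AST instead.
function findUnawaitedAsyncCalls(source, asyncNames) {
  const findings = [];
  for (const name of asyncNames) {
    const re = new RegExp(`(?<!await\\s+)(!?)\\b${name}\\s*\\(`, 'g');
    for (const m of source.matchAll(re)) {
      const before = source.slice(0, m.index);
      if (/async\s+function\s*$/.test(before)) continue; // the declaration itself
      if (m[1] === '!' || /\bif\s*\(\s*$/.test(before)) findings.push({ name, index: m.index });
    }
  }
  return findings;
}
```

The regression test that would have caught this is the one most suites skip: call the handler as the lowest-privilege role and assert on 403, not just on the happy path as an admin.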
Source : NVD
Score 6.3
Published March 11, 2026
Severity MEDIUM
CNA Score 7.6
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
## CVE-2026-22814: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 8.2, HIGH)
@adonisjs/lucid is an SQL ORM for AdonisJS built on top of Knex. Prior to 21.8.2 and 22.0.0-next.6, there is a Mass Assignment vulnerability in AdonisJS Lucid which may allow a remote attacker who can influence data that is passed into Lucid model assignments to overwrite the internal ORM state. This may lead to logic bypasses and unauthorized record modification within a table or model. This affects @adonisjs/lucid through version 21.8.1 and 22.x pre-release versions prior to 22.0.0-next.6. This has been patched in @adonisjs/lucid versions 21.8.2 and 22.0.0-next.6.
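Mass assignment in an ORM is dangerous for a reason the entry above names directly: the attacker is not just setting columns, they are overwriting the model's internal bookkeeping, which changes what the ORM does next (for instance whether `save()` issues an INSERT or an UPDATE). The JavaScript below is an added example, not @adonisjs/lucid code: a minimal model whose internal property names (`$attributes`, `$dirty`, `$isPersisted`) mirror Lucid's naming, with an unsafe merge beside an allowlisted one. The class, its columns and the attack payloads are assumptions constructed for the demo.

```javascript
// Added example, not @adonisjs/lucid code: a minimal model in the style of Lucid's
// $attributes / $dirty / $isPersisted bookkeeping. The class and columns are
// constructed for the demo; only the property names mirror the real ORM.
class Post {
  static fillable = ['title', 'body'];

  constructor() {
    this.$attributes = {};
    this.$dirty = {};
    this.$isPersisted = false; // decides INSERT vs UPDATE in save()
  }

  // VULNERABLE: every key of untrusted input lands on the instance, including
  // ORM state ($isPersisted, $attributes) and prototype-affecting keys.
  mergeUnsafe(input) {
    for (const key of Object.keys(input)) this[key] = input[key];
    return this;
  }

  // FIXED: only declared columns, only own keys, and values go into $attributes
  // rather than onto `this`, so internal state cannot be reached from input.
  merge(input) {
    for (const key of Object.keys(input)) {
      if (!Post.fillable.includes(key)) continue;
      this.$attributes[key] = input[key];
      this.$dirty[key] = true;
    }
    return this;
  }

  // What the ORM would do on persist, derived from the internal flag.
  save() { return this.$isPersisted ? 'UPDATE' : 'INSERT'; }
}
```

Note the `__proto__` case in the test: `JSON.parse` produces an own `"__proto__"` key, and assigning it through `this[key] = value` rewires the instance's prototype, so the unsafe merge is also a prototype-pollution sink, not only a state-overwrite one.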
Source : NVD
Score 8.2
Published January 13, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Has Public Exploit No
## CVE-2026-32728: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 8.3, HIGH)
Identifiers referenced in this section (prose not recovered): `;charset=utf-8`, `Content-Type`, `xsd`, `rng`, `rdf`, `rdf+xml`, `owl`, `mathml`, `mathml+xml`, `fileUpload.fileExtensions`.
Source : NVD
Score 8.3
Published March 18, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
parse-server
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 17, 2026
## GHSA-pgx6-7jcq-2qff: JavaScript vulnerability analysis and mitigation (Wiz)
## Summary
Identifiers referenced in this section (prose not recovered): `getB64BasePdf`, `@pdfme/common`, `fetch()`, `basePdf`, `window`.
## Details
Identifiers referenced in this section (prose not recovered): `packages/common/src/helper.ts:130-141`, `getB64BasePdf`, `data:application/pdf;`, `window`, `fetch()`.

```ts
// packages/common/src/helper.ts:130-141
export const getB64BasePdf = async (
  customPdf: ArrayBuffer | Uint8Array | string,
): Promise<string> => {
  if (
    typeof customPdf === 'string' &&
    !customPdf.startsWith('data:application/pdf;') &&
    typeof window !== 'undefined'
  ) {
    const response = await fetch(customPdf); // .attacker.com
    // ... (remainder of the function not included in the advisory excerpt)
  }
  // ...
};
```
## Recommended Fix
Identifiers referenced in this section (prose not recovered): `getB64BasePdf`, `fetch()`.

```ts
// packages/common/src/helper.ts
const BLOCKED_HOSTNAME_PATTERNS = [
  /^localhost$/i,
  /^127\./,
  /^10\./,
  /^172\.(1[6-9]|2\d|3[01])\./,
  /^192\.168\./,
  /^169\.254\./,
  /^0\./,
];
```
## CVE-2025-68272: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 7.5, HIGH)
Identifier referenced in this section (prose not recovered): `/signalk/v1/access/requests`.
Source : NVD
Score 7.5
Published January 1, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
signalk-server
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 02, 2026
## CVE-2025-68278: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 7.3, HIGH)
Tina is a headless content management system. In tinacms prior to version 3.1.1, tinacms uses the gray-matter package in an insecure way allowing attackers that can control the content of the processed markdown files, e.g., blog posts, to execute arbitrary code. tinacms version 3.1.1, @tinacms/cli version 2.0.4, and @tinacms/graphql version 2.0.3 contain a fix for the issue.
Source : NVD
Score 7.3
Published December 18, 2025
Severity HIGH
CNA Score 7.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@tinacms
## GHSA-3hfp-gqgh-xc5g: JavaScript vulnerability analysis and mitigation (Wiz)
## Impact
Identifiers referenced in this section (prose not recovered): `axios`, `[email protected]`, `@lightdash/cli`, `^1.12.0`, `@lightdash/cli`, `>= 0.1800.0, < 0.2695.1`.
Indicators referenced in this section: `sfrclak[.]com`, `142.11.206.73:8000`.
## Patches
@lightdash/[email protected]
npm install -g @lightdash/[email protected]
If users had installed the compromised version, they should check for RAT artifacts before and after upgrading:
/Library/Caches/com.apple.act.mond
%PROGRAMDATA%\wt.exe
/tmp/ld.py
## Workarounds
If users cannot upgrade immediately, they can force a safe axios resolution after installing the CLI:
npm install -g [email protected] --force
Alternatively, if users are building a Docker image or using a lockfile, they should ensure their resolved axios version is not 1.14.1 or 0.30.4:
npm ls axios
## CVE-2026-4602: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 4.3, MEDIUM)
Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.
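A modular exponentiation that silently does the wrong thing for a negative exponent is exactly the kind of defect the entry above describes. There are two separate fixes a practitioner wants: `modPow` should either define negative exponents correctly (as powers of the modular inverse, refusing the case where no inverse exists) or reject them, and the signature verifier that sits above it should refuse a non-positive public exponent before ever calling `modPow`. The JavaScript below is an added example, not jsrsasign code, doing both with BigInt; the helper names and the textbook RSA parameters (p = 61, q = 53, n = 3233, e = 17, d = 2753) are constructed for the demo.

```javascript
// Added example, not jsrsasign code: a BigInt modPow that defines negative
// exponents as powers of the modular inverse (refusing them where none exists),
// plus a raw RSA verify helper that rejects non-positive exponents outright.
function egcd(a, b) { // returns [g, x, y] with a*x + b*y = g = gcd(a, b)
  let [r0, r1] = [a, b], [s0, s1] = [1n, 0n], [t0, t1] = [0n, 1n];
  while (r1 !== 0n) {
    const q = r0 / r1;
    [r0, r1] = [r1, r0 - q * r1];
    [s0, s1] = [s1, s0 - q * s1];
    [t0, t1] = [t1, t0 - q * t1];
  }
  return [r0, s0, t0];
}

// Least non-negative residue, also for negative a.
function mod(a, m) { return ((a % m) + m) % m; }

function modInverse(a, m) {
  const [g, x] = egcd(mod(a, m), m);
  if (g !== 1n) throw new RangeError('no modular inverse: gcd != 1');
  return mod(x, m);
}

// base^exp mod m for BigInt inputs; exp < 0 means (base^-1)^|exp| mod m.
function modPow(base, exp, m) {
  if (typeof base !== 'bigint' || typeof exp !== 'bigint' || typeof m !== 'bigint') {
    throw new TypeError('BigInt inputs required');
  }
  if (m <= 0n) throw new RangeError('modulus must be positive');
  if (exp < 0n) { base = modInverse(base, m); exp = -exp; }
  let result = 1n % m;
  base = mod(base, m);
  while (exp > 0n) {            // square-and-multiply
    if (exp & 1n) result = (result * base) % m;
    base = (base * base) % m;
    exp >>= 1n;
  }
  return result;
}

// Raw (unpadded) RSA check: a verifier must never accept a negative or zero
// public exponent or an out-of-range signature, whatever modPow would do with them.
function rsaVerifyRaw(signature, e, n, expected) {
  if (e <= 0n || n <= 1n || signature < 0n || signature >= n) return false;
  return modPow(signature, e, n) === expected;
}
```

The identity to check in any review of a modPow implementation is `modPow(a, -k, m) * modPow(a, k, m) % m === 1n` for coprime `a` and `m`, and a thrown error (never a number) when they are not coprime.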
Source : NVD
Score 7.7
Published March 23, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
jsrsasign
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 31, 2026
## CVE-2026-33011: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 8.7, HIGH)
Nest is a framework for building scalable Node.js server-side applications. In versions 11.1.15 and below, a NestJS application using @nestjs/platform-fastify GET middleware can be bypassed because Fastify automatically redirects HEAD requests to the corresponding GET handlers (if they exist). As a result: middleware will be completely skipped, the HTTP response won't include a body (since the response is truncated when redirecting a HEAD request to a GET handler), and the actual handler will still be executed. This issue is fixed in version 11.1.16.
Source : NVD
Score 8.7
Published March 20, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
NixOS
Has Public Exploit No
## CVE-2026-30870: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 6.5, MEDIUM)
PowerSync Service is the server-side component of the PowerSync sync engine. In version 1.20.0, when using new sync streams with config.edition: 3, certain subquery filters were ignored when determining which data to sync to users. Depending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted. Only queries that gate synchronization using subqueries without partitioning the result set are affected. This vulnerability is fixed in 1.20.1.
Source : NVD
Score 6.5
Published March 10, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-32236: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 4.3, MEDIUM)
Backstage is an open framework for building developer portals. Prior to 0.27.1, a Server-Side Request Forgery (SSRF) vulnerability exists in @backstage/plugin-auth-backend when auth.experimentalClientIdMetadataDocuments.enabled is set to true. The CIMD metadata fetch validates the initial client_id hostname against private IP ranges but does not apply the same validation after HTTP redirects. The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict allowedClientIdPatterns to specific trusted domains are not affected.
## CVE-2026-23634: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 4.3, MEDIUM)
Pepr is a type-safe K8s middleware. Prior to 1.0.5, Pepr defaults to a cluster-admin RBAC configuration and does not explicitly force or enforce least-privilege guidance for module authors. The default behavior exists to make the "getting started" experience smooth: new users can experiment with Pepr and create resources dynamically without needing to pre-configure RBAC. This vulnerability is fixed in 1.0.5.
Source : NVD
Score 4.3
Published January 16, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.3
Exploitation Probability (EPSS) N/A
## CVE-2026-27959: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 7.5, HIGH)
Identifiers referenced in this section (prose not recovered): `ctx.hostname`, `@`, `evil[.]com`.
Source : NVD
Score 7.5
Published February 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
koa
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 02, 2026
## CVE-2026-35442: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 4.3, MEDIUM)
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, aggregate functions (min, max) applied to fields with the conceal special type incorrectly return raw database values instead of the masked placeholder. When combined with groupBy, any authenticated user with read access to the affected collection can extract concealed field values, including static API tokens and two-factor authentication secrets from directus_users. This vulnerability is fixed in 11.17.0.
Source : NVD
Score 8.1
Published April 6, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-27638: JavaScript vulnerability analysis and mitigation (Wiz, CVSS 5.7, MEDIUM)
Identifier referenced in this section (prose not recovered): `/sync/*`.
Source : NVD
## 5.7
Score
Published February 26, 2026
Severity MEDIUM
CNA Score 5.7
Affected Technologies
JavaScript
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@actual-app/sync-server
actual
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 02, 2026
Homebrew Severity HIGH Has Fix Added at: Mar 03, 2026
## CVE-2026-25155 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9
JavaScript vulnerability analysis and mitigation
Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0.
Source : NVD
Score: 7.1
Published February 3, 2026
Severity HIGH
CNA Score 5.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@builder.io/qwik-city
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 04, 2026
## GHSA-ccgf-5rwj-j3hv [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1
JavaScript vulnerability analysis and mitigation
## Summary
(Summary text not preserved in extraction; it referenced the `_constructor-name_` marker and `new Function()`.)
## Affected versions
`telejson` = 6.0.0
## Details
(Details text not preserved in extraction; it referenced `parse()`, `_constructor-name_`, `new Function()`, `telejson.parse()` and `postMessage`.)

Vulnerable code, `src/index.ts`:

```ts
if (isObject(value) && value['_constructor-name_']) {
  const name = value['_constructor-name_'];
  if (name !== 'Object') {
    // `name` comes from the parsed input and is spliced straight into source text
    const Fn = new Function(`return function ${name}(){}`)();
    Object.setPrototypeOf(value, new Fn());
  }
}
```

Fixed code, `src/index.ts`:

```ts
if (isObject(value) && value['_constructor-name_'] && options.allowFunction) {
  const name = value['_constructor-name_'];
  if (name !== 'Object') {
    // gated behind options.allowFunction, and the name is reduced to [A-Za-z0-9] first
    const Fn = new Function(`return function ${name.replace(/[\W_]+/g, '')}(){}`)();
    Object.setPrototypeOf(value, new Fn());
  }
}
```
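The fix above still builds source text from the name, just a sanitised one. The following is an added example, not telejson's code, of reviving a `_constructor-name_` marker without `new Function()` at all: the name is validated against a strict identifier grammar and only ever lands in the non-executable `name` property of an ordinary function. The `allowConstructorNames` option is hypothetical, mirroring the idea of the `allowFunction` gate.

```javascript
// Added example, not telejson's code: revive a `_constructor-name_` marker
// without ever turning the untrusted name into source text for `new Function()`.
// The constructor is an ordinary function whose `name` property is set with
// defineProperty, so the name stays data and can never be executed.

const CONSTRUCTOR_KEY = '_constructor-name_';
// Strict identifier grammar. Anything else is rejected outright rather than
// "cleaned", so a reviewer can reason about exactly what gets through.
const IDENT = /^[A-Za-z_$][\w$]*$/;

function isObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function makeNamedConstructor(name) {
  if (!IDENT.test(name)) {
    throw new TypeError(`refusing to revive constructor name ${JSON.stringify(name)}`);
  }
  const Ctor = function () {};
  Object.defineProperty(Ctor, 'name', { value: name, configurable: true });
  return Ctor;
}

// One constructor per name, so two revived objects of the same class share a
// prototype and `a.constructor === b.constructor` holds within a process.
const ctorCache = new Map();

// `allowConstructorNames` is a hypothetical option (default off), in the spirit
// of the fix gating this behaviour behind allowFunction.
function reviveConstructorName(value, options = {}) {
  if (!isObject(value) || typeof value[CONSTRUCTOR_KEY] !== 'string') return value;
  const name = value[CONSTRUCTOR_KEY];
  if (!options.allowConstructorNames) {
    // Default-deny: drop the marker and hand back a plain object.
    const { [CONSTRUCTOR_KEY]: _dropped, ...rest } = value;
    return rest;
  }
  if (name === 'Object') return value;
  let Ctor = ctorCache.get(name);
  if (!Ctor) {
    Ctor = makeNamedConstructor(name);
    ctorCache.set(name, Ctor);
  }
  Object.setPrototypeOf(value, Ctor.prototype);
  return value;
}

// Constructed payloads, the shape a hostile peer could send over postMessage.
const BENIGN_PAYLOAD = '{"_constructor-name_":"Point","x":1,"y":2}';
const HOSTILE_PAYLOAD = '{"_constructor-name_":"Point(){}; globalThis.pwned = 1; function z"}';
```

With the vulnerable snippet, the hostile payload's name becomes `function Point(){}; globalThis.pwned = 1; function z(){}` inside the `new Function` body; here it never reaches a parser and is simply refused.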
## CVE-2026-3449 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.8
JavaScript vulnerability analysis and mitigation
Versions of the package @tootallnate/once before 3.0.1 are vulnerable to Incorrect Control Flow Scoping in promise resolving when AbortSignal option is used. The Promise remains in a permanently pending state after the signal is aborted, causing any await or .then() usage to hang indefinitely. This can cause a control-flow leak that can lead to stalled requests, blocked workers, or degraded application availability.
Source : NVD
Score: 4.8
Published March 3, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.2
Exploitation Probability (EPSS) N
## CVE-2026-33142 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.9
JavaScript vulnerability analysis and mitigation
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the fix for CVE-2026-32306 (ClickHouse SQL injection via aggregate query parameters) added column name validation to the _aggregateBy method but did not apply the same validation to three other query construction paths in StatementGenerator. The toSortStatement, toSelectStatement, and toGroupByStatement methods accept user-controlled object keys from API request bodies and interpolate them as ClickHouse Identifier parameters without verifying they correspond to actual model columns. ClickHouse Identifier parameters are substituted directly into queries without escaping, so an attacker who can reach any analytics list or aggreg
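The pattern to take from this advisory is that an identifier allow-list has to sit on every query-construction path, not just the one that was reported first. The block below is an added example, not OneUptime's `StatementGenerator`: select, group-by and sort builders that all funnel request-body keys through one check against the model's declared columns before any `{name:Identifier}` placeholder is emitted. The request shapes (`select`/`groupBy` as `{ column: true }`, `sort` as `{ column: 'asc'|'desc' }`) and the column set are assumptions for the demo.

```javascript
// Added example, not OneUptime's StatementGenerator: every path that turns
// request-body keys into SQL identifiers (select, group by, sort) funnels
// through one allow-list check against the model's declared columns before a
// `{name:Identifier}` placeholder is emitted. ClickHouse substitutes Identifier
// parameters verbatim, so the bound value must already be a known column.

// Constructed model: the complete set of identifiers allowed in queries.
const MODEL_COLUMNS = new Set(['createdAt', 'serviceId', 'statusCode', 'durationMs']);

function assertColumn(name, columns = MODEL_COLUMNS) {
  if (typeof name !== 'string' || !columns.has(name)) {
    throw new Error(`unknown column in query: ${JSON.stringify(String(name))}`);
  }
  return name;
}

// Request shapes assumed here: select/groupBy as { column: true }, sort as
// { column: 'asc' | 'desc' }. Keys come straight from the request body.
function toSelectStatement(select) {
  const cols = Object.keys(select).filter((k) => select[k] === true).map((k) => assertColumn(k));
  if (cols.length === 0) throw new Error('select must name at least one column');
  const params = {};
  const sql = cols.map((c, i) => { params[`sel${i}`] = c; return `{sel${i}:Identifier}`; }).join(', ');
  return { sql, params };
}

function toGroupByStatement(groupBy) {
  const params = {};
  const sql = Object.keys(groupBy).filter((k) => groupBy[k] === true).map((k, i) => {
    params[`grp${i}`] = assertColumn(k);
    return `{grp${i}:Identifier}`;
  }).join(', ');
  return { sql, params };
}

function toSortStatement(sort) {
  const params = {};
  const sql = Object.keys(sort).map((k, i) => {
    params[`ord${i}`] = assertColumn(k);
    const dir = String(sort[k]).toUpperCase();
    if (dir !== 'ASC' && dir !== 'DESC') throw new Error(`bad sort direction for ${k}`);
    return `{ord${i}:Identifier} ${dir}`;
  }).join(', ');
  return { sql, params };
}

// `table` is chosen by the server per model, never taken from the request.
function buildListQuery(table, body) {
  const sel = toSelectStatement(body.select || {});
  const grp = toGroupByStatement(body.groupBy || {});
  const srt = toSortStatement(body.sort || {});
  let sql = `SELECT ${sel.sql} FROM ${table}`;
  if (grp.sql) sql += ` GROUP BY ${grp.sql}`;
  if (srt.sql) sql += ` ORDER BY ${srt.sql}`;
  return { sql, params: { ...sel.params, ...grp.params, ...srt.params } };
}
```

A reviewer's check for this class of bug is mechanical: grep for every place that emits `:Identifier` and confirm the bound value passed through `assertColumn` (or the project's equivalent) on that path.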
## CVE-2026-27125 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.3
JavaScript vulnerability analysis and mitigation
Svelte is a performance-oriented web framework. Prior to 5.51.5, in server-side rendering, attribute spreading on elements (e.g. ) enumerates inherited properties from the object's prototype chain rather than only own properties. In environments where Object.prototype has already been polluted — a precondition outside of Svelte's control — this can cause unexpected attributes to appear in SSR output or cause SSR to throw errors. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
Source : NVD
Score: 5.3
Published February 20, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due
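The difference the advisory turns on is `for...in` (walks inherited enumerable properties) versus `Object.keys()` (own properties only). The block below is an added example, not Svelte's SSR code: a minimal attribute serialiser in both shapes, plus a constructed props object whose prototype carries an injected attribute, so the effect can be shown without polluting the real `Object.prototype`.

```javascript
// Added example, not Svelte's SSR code: serialise attribute spreads from own,
// enumerable properties only, so a polluted prototype chain cannot smuggle
// attributes into the rendered markup.

function escapeAttr(s) {
  return String(s).replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;');
}

// Vulnerable shape: for...in also yields inherited enumerable properties.
function spreadAttributesForIn(props) {
  const out = [];
  for (const key in props) out.push(` ${key}="${escapeAttr(props[key])}"`);
  return out.join('');
}

// Hardened shape: Object.keys() yields own enumerable keys only, and each key
// is validated as an attribute name before it reaches the output.
const ATTR_NAME = /^[A-Za-z_:][-A-Za-z0-9_:.]*$/;
function spreadAttributesOwn(props) {
  const out = [];
  for (const key of Object.keys(props)) {
    if (!ATTR_NAME.test(key)) throw new TypeError(`invalid attribute name ${JSON.stringify(key)}`);
    const v = props[key];
    if (v === undefined || v === null || v === false) continue;
    out.push(v === true ? ` ${key}` : ` ${key}="${escapeAttr(v)}"`);
  }
  return out.join('');
}

// Constructed stand-in for a polluted Object.prototype: a custom prototype
// carrying an injected attribute, so the demo leaves the real one alone.
function makePollutedProps() {
  const polluted = { onload: 'alert(1)' };
  const props = Object.create(polluted);
  props.id = 'main';
  props.class = 'card';
  return props;
}
```

The `ATTR_NAME` check is the extra step: even with own keys only, a key like `"x onclick"` would otherwise split into two attributes once written into markup.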
## CVE-2026-33951 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.9
JavaScript vulnerability analysis and mitigation
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.1, the SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns user-controlled input to the server configuration. As a result, attackers can influence which GPS, AIS, or other sensor data sources are trusted by the system. The changes are immediately applied and persisted to disk, allowing the manipulation to survive server restarts. This issue has been patched in version 2.24.0-beta.1.
Source : NVD
## CVE-2026-33894 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5
JavaScript vulnerability analysis and mitigation
(Description not preserved in extraction; the affected package is `node-forge`.)
Source : NVD
Score: 7.5
Published March 27, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
node-forge
opensearch-dashboards-3
Sources
NVD
Chainguard Has Fix Added at: Apr 02, 2026
npm Severity HIGH Has Fix Added at: Mar 29, 2026
MinimOS Severity HIGH Has Fix Added at: Apr 05, 2026
Red Hat 8, 9, 10 Severity HIGH No Fix Added at: Mar 29, 2026
Wolfi Has Fix Added at: Apr 02, 2026
## GHSA-3f44-xw83-3pmg Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
JavaScript vulnerability analysis and mitigation
## Summary
(Summary text not preserved in extraction; it referenced the chart `repository` field, the `helmv3` manager and `helm registry login`.)
## Details
(Details text not preserved in extraction; it referenced `Chart.yaml`, the `repository` field, and `quote` versus `shlex` for shell argument handling.)
## PoC
Create a git repo with the following content:

`renovate.json5` (truncated in extraction):

```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    always: {
      defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
      transformTemplates: ['{"releases":[{"version":"99999.0.0"}]}'],
    },
  },
  // Register any credentials to make the manager attempt to use basic auth for the Helm registry
  hostRules: [
    {
      matchHost: "charts.bitnami.com",
      username: "un",
      password: "pw",
    },
  ],
  packageRules: [
    {
      // Target of the day
      matchManagers: ["helmv3"],
      // Don't consult the actual bitnami repo
      regist
```
## CVE-2025-15536 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.8
JavaScript vulnerability analysis and mitigation
A weakness has been identified in BYVoid OpenCC up to 1.1.9. This vulnerability affects the function opencc::MaxMatchSegmentation of the file src/MaxMatchSegmentation.cpp. This manipulation causes heap-based buffer overflow. The attack is restricted to local execution. The exploit has been made available to the public and could be used for attacks. Patch name: 345c9a50ab07018f1b4439776bad78a0d40778ec. To fix this issue, it is recommended to deploy a patch.
Source : NVD
Score: 4.8
Published January 18, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
JavaScript
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Per
## CVE-2026-31901 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.3
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.34 and 9.6.0-alpha.8, the email verification endpoint (/verificationEmailRequest) returns distinct error responses depending on whether an email address belongs to an existing user, is already verified, or does not exist. An attacker can send requests with different email addresses and observe the error codes to determine which email addresses are registered in the application. This is a user enumeration vulnerability that affects any Parse Server deployment with email verification enabled (verifyUserEmails: true). This vulnerability is fixed in 8.6.34 and 9.6.0-alpha.8.
Source : NVD
Score: 6.3
## CVE-2026-27610 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.0
JavaScript vulnerability analysis and mitigation
(Description not preserved in extraction; the advisory text referenced `ConfigKeyCache` and `agent`.)
Source : NVD
Score: 7.0
Published February 25, 2026
Severity HIGH
CNA Score 7.0
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
parse-dashboard
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 02, 2026
## CVE-2026-1664 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.9
JavaScript vulnerability analysis and mitigation
Summary: (text not preserved in extraction; it referenced `createHeaderBasedEmailResolver()` and the `Message-ID` and `References` headers.)
Root cause: (text not preserved in extraction; it referenced `createHeaderBasedEmailResolver()`.)
Impact: Insecure Direct Object Reference (IDOR) in email routing lets an attacker steer inbound mail to arbitrary Agent instances via a spoofed Message-ID.
Mitigation: the documentation at https://github.com/cloudflare/agents/blob/main/docs/email.md provides the necessary architectural context for coding agents to mitigate the issue by refactoring the resolver to enforce strict identity boundaries.
agents SDK users should upgrade to [email protected] (the package version was not preserved in extraction).
Source : NVD
Score: 6.9
Published February 3, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA K
## CVE-2026-4600 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.3
JavaScript vulnerability analysis and mitigation
Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.
Source : NVD
Score: 9.1
Published March 23, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Perc
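The forgery in the description is worth seeing in numbers: with `g = 1` and `y = 1` the DSA verification value is `v = (g^u1 · y^u2 mod p) mod q = 1` for every hash, so a signature with `r = 1` always "verifies". The block below is an added example, not jsrsasign's code: a toy DSA verifier over tiny constructed parameters, once written with the verification equation alone and once with the domain-parameter and range checks that reject the forged inputs.

```javascript
// Added example, not jsrsasign's code: a toy DSA verifier over tiny
// parameters, first written the naive way and then with the domain-parameter
// and range checks that stop the g=1, y=1, r=1 forgery described above.

function modPow(base, exp, mod) {
  let result = 1n, b = ((base % mod) + mod) % mod, e = exp;
  while (e > 0n) {
    if (e & 1n) result = (result * b) % mod;
    b = (b * b) % mod;
    e >>= 1n;
  }
  return result;
}

function modInv(a, m) {
  // Extended Euclid; values are tiny here, so constant time is not a concern.
  let [oldR, r] = [((a % m) + m) % m, m];
  let [oldS, s] = [1n, 0n];
  while (r !== 0n) {
    const q = oldR / r;
    [oldR, r] = [r, oldR - q * r];
    [oldS, s] = [s, oldS - q * s];
  }
  if (oldR !== 1n) throw new Error('not invertible');
  return ((oldS % m) + m) % m;
}

// Verification equation only, no parameter checks: accepts the forgery.
function dsaVerifyNaive({ p, q, g, y }, h, { r, s }) {
  const w = modInv(s, q);
  const u1 = (h * w) % q, u2 = (r * w) % q;
  const v = ((modPow(g, u1, p) * modPow(y, u2, p)) % p) % q;
  return v === r;
}

function checkDomainParams({ p, q, g, y }) {
  if (p <= 3n || q <= 1n || (p - 1n) % q !== 0n) return false;   // q must divide p-1
  if (g <= 1n || g >= p || modPow(g, q, p) !== 1n) return false;  // g of order q, never 1
  if (y <= 1n || y >= p || modPow(y, q, p) !== 1n) return false;  // y in the subgroup, never 1
  return true;
}

function dsaVerify(params, h, sig) {
  if (!checkDomainParams(params)) return false;
  const { q } = params;
  // FIPS 186-style range check: 0 < r < q and 0 < s < q.
  if (sig.r <= 0n || sig.r >= q || sig.s <= 0n || sig.s >= q) return false;
  return dsaVerifyNaive(params, h, sig);
}

// Constructed toy key: p=23, q=11, g=2 has order 11 mod 23, x=3 gives y=8.
const TOY = { p: 23n, q: 11n, g: 2n, y: 8n };
// Valid signature over h=7, produced with nonce k=5 (precomputed by hand).
const GOOD_SIG = { r: 9n, s: 9n };
// Attacker-supplied parameters: g=1 and y=1 make v=1 for every hash, so r=1 always matches.
const FORGED = { p: 23n, q: 11n, g: 1n, y: 1n };
const FORGED_SIG = { r: 1n, s: 1n };
```

Real parameters are 2048/256-bit and come out of a certificate or public key the attacker chose, which is exactly why the checks belong in the verifier and not in whatever produced the parameters.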
## CVE-2026-27595 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.9
JavaScript vulnerability analysis and mitigation
(Description not preserved in extraction; the advisory text referenced the `/apps/:appId/agent` route and `readOnlyMasterKey`.)
Source : NVD
Score: 9.9
Published February 25, 2026
Severity CRITICAL
CNA Score 9.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
parse-dashboard
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Mar 02, 2026
## CVE-2026-33989 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.1
JavaScript vulnerability analysis and mitigation
(Description not preserved in extraction; the advisory text referenced `@mobilenext/mobile-mcp`, the `mobile_save_screenshot` and `mobile_start_screen_recording` tools, and their `saveTo` and `output` parameters.)
Source : NVD
Score: 6.5
Published March 27, 2026
Severity MEDIUM
CNA Score 8.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@mobilenext/mobile-mcp
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 29, 2026
## CVE-2026-30952 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.7
JavaScript vulnerability analysis and mitigation
liquidjs is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.0, the layout, render, and include tags allow arbitrary file access via absolute paths (either as string literals or through Liquid variables, the latter require dynamicPartials: true, which is the default). This poses a security risk when malicious users are allowed to control the template content or specify the filepath to be included as a Liquid variable. This vulnerability is fixed in 10.25.0.
Source : NVD
Score: 8.7
Published March 10, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date
## CVE-2026-25918 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9
JavaScript vulnerability analysis and mitigation
unity-cli is a command line utility for the Unity Game Engine. Prior to 1.8.2 , the sign-package command in @rage-against-the-pixel/unity-cli logs sensitive credentials in plaintext when the --verbose flag is used. Command-line arguments including --email and --password are output via JSON.stringify without sanitization, exposing secrets to shell history, CI/CD logs, and log aggregation systems. This vulnerability is fixed in 1.8.2.
Source : NVD
Score: 5.9
Published February 9, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.9
Exploitation Probab
## CVE-2026-24006 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5
JavaScript vulnerability analysis and mitigation
(Description not preserved in extraction; the advisory text referenced the `depthLimit` option.)
Source : NVD
Score: 7.5
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
seroval
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 23, 2026
## CVE-2026-0969 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.8
JavaScript vulnerability analysis and mitigation
The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content. This vulnerability, CVE-2026-0969, is fixed in next-mdx-remote 6.0.0.
Source : NVD
Score: 8.8
Published February 12, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Exploitation Probability (EPSS) N/A
Affected packages and libraries
next-mdx-remote
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 24, 2026
## CVE-2026-35410 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.1
JavaScript vulnerability analysis and mitigation
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, an open redirect vulnerability exists in the login redirection logic. The isLoginRedirectAllowed function fails to correctly identify certain malformed URLs as external, allowing attackers to bypass redirect allow-list validation and redirect users to arbitrary external domains upon successful authentication. This vulnerability is fixed in 11.16.1.
Source : NVD
Score: 6.1
Published April 6, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Exploitati
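Allow-list checks on redirect targets fail when they reason about the raw string (prefix `/`, no `://`, and so on), because `//host`, `/\host` and `https://trusted@host` all look local to a string check and external to a browser. The block below is an added example, not Directus's `isLoginRedirectAllowed`: the target is resolved with the WHATWG URL parser against the application's own origin and then compared by origin, so every malformed spelling collapses into "some other origin" and is refused. `PUBLIC_ORIGIN` and the `/admin/` fallback are assumptions for the demo.

```javascript
// Added example, not Directus's isLoginRedirectAllowed: decide whether a
// post-login `redirect` value may be followed. The value is resolved against
// the app's own origin and compared by origin, never by string prefix.

const PUBLIC_ORIGIN = 'https://cms.example.com'; // assumed deployment origin

function isLoginRedirectAllowed(redirect, allowedOrigins = []) {
  if (typeof redirect !== 'string' || redirect.length === 0 || redirect.length > 2048) return false;
  // Control characters and whitespace are stripped by some parsers and kept
  // by others; refuse them outright instead of guessing which one applies.
  if (/[\u0000-\u001f\u007f\s]/.test(redirect)) return false;

  let target;
  try {
    target = new URL(redirect, PUBLIC_ORIGIN); // "//evil", "/\evil", "\\evil" all resolve to another host here
  } catch {
    return false;
  }
  if (target.protocol !== 'https:' && target.protocol !== 'http:') return false; // javascript:, data:, ...
  const allowed = new Set([PUBLIC_ORIGIN, ...allowedOrigins]);
  return allowed.has(target.origin); // also refuses an http:// downgrade of our own host
}

// Callers redirect to the re-serialised URL, never to the raw input, and fall
// back to a fixed in-app location (assumed here) when the value is refused.
function safeRedirectTarget(redirect, allowedOrigins = []) {
  return isLoginRedirectAllowed(redirect, allowedOrigins)
    ? new URL(redirect, PUBLIC_ORIGIN).href
    : PUBLIC_ORIGIN + '/admin/';
}
```

The same check covers the `/admin/tfa-setup` flow on this page: the value arrives in a query parameter, survives a legitimate interaction on the trusted origin, and is only dereferenced afterwards, which is exactly when it must be re-validated.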
## CVE-2026-33331 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.2
JavaScript vulnerability analysis and mitigation
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.9, a stored cross-site scripting (XSS) vulnerability exists in the OpenAPI documentation generation of orpc. If an attacker can control any field within the OpenAPI specification (such as info.description), they can break out of the JSON context and execute arbitrary JavaScript when a user views the generated API documentation. This issue has been patched in version 1.13.9.
Source : NVD
Score: 6.1
Published March 24, 2026
Severity MEDIUM
CNA Score 8.2
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Explo
## CVE-2026-24842 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.2
JavaScript vulnerability analysis and mitigation
node-tar, a tar implementation for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path-resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue.
Source : NVD
Score: 8.2
Published January 28, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.6
Exploitation P
## CVE-2026-25938 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.5
JavaScript vulnerability analysis and mitigation
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through 1.2.10, an authentication bypass vulnerability in FUXA allows an unauthenticated, remote attacker to execute arbitrary code on the server when the Node-RED plugin is enabled. This has been patched in FUXA version 1.2.11.
Source : NVD
Score: 9.5
Published February 9, 2026
Severity CRITICAL
CNA Score 9.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
fuxa-server
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Fe
## CVE-2026-25755 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.1
JavaScript vulnerability analysis and mitigation
(Description not preserved in extraction; the advisory text referenced `addJS`.)
Source : NVD
Score: 8.8
Published February 19, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
JavaScript
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
opensearch-dashboards-2
opensearch-dashboards-2-fips
Sources
NVD
Chainguard Has Fix Added at: Feb 24, 2026
npm Severity HIGH Has Fix Added at: Feb 20, 2026
Wolfi Has Fix Added at: Feb 24, 2026
## CVE-2026-24767 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 4.9
JavaScript vulnerability analysis and mitigation
(Description not preserved in extraction; the advisory text referenced `uploadViaURL` and the `HEAD` request it issues.)
Source : NVD
Score: 6.4
Published January 28, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nocodb
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 29, 2026
## CVE-2026-33508 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.2
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.56 and 9.6.0-alpha.45, Parse Server's LiveQuery component does not enforce the requestComplexity.queryDepth configuration setting when processing WebSocket subscription requests. An attacker can send a subscription with deeply nested logical operators, causing excessive recursion and CPU consumption that degrades or disrupts service availability. This issue has been patched in versions 8.6.56 and 9.6.0-alpha.45.
Source : NVD
Score: 8.2
Published March 24, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release
## CVE-2026-32598 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.9
JavaScript vulnerability analysis and mitigation
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.24, the password reset flow logs the complete password reset URL — containing the plaintext reset token — at INFO log level, which is enabled by default in production. Anyone with access to application logs (log aggregation, Docker logs, Kubernetes pod logs) can intercept reset tokens and perform account takeover on any user. This vulnerability is fixed in 10.0.24.
Source : NVD
Score: 6.9
Published March 13, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.2
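This entry and the unity-cli one above (CVE-2026-25918) are the same bug in two shapes: a secret reaches a logger because the code dumped a whole structure (`JSON.stringify` of the CLI arguments, the full reset URL) instead of a redacted view. The block below is an added example, neither project's code: argv redaction by flag name, URL redaction by query-parameter name and token-shaped path segments, and a recursive redactor for the "log the whole object in verbose mode" case. The flag and parameter names are assumptions for the demo.

```javascript
// Added example, not unity-cli's or OneUptime's code: redact secrets before
// anything reaches a logger. Handles CLI argument vectors (--password value,
// --password=value), URLs carrying tokens in query parameters or path segments,
// and arbitrary objects dumped in verbose mode.

const SECRET_FLAGS = new Set(['--password', '--email', '--token', '--api-key']); // assumed flag names
const SECRET_QUERY = new Set(['token', 'reset-token', 'access_token', 'key', 'secret']);
const MASK = 'REDACTED';

function redactArgv(argv) {
  const out = [];
  for (let i = 0; i < argv.length; i++) {
    const arg = argv[i];
    const eq = arg.indexOf('=');
    const flag = eq === -1 ? arg : arg.slice(0, eq);
    if (!SECRET_FLAGS.has(flag)) { out.push(arg); continue; }
    if (eq !== -1) {
      out.push(`${flag}=${MASK}`);
    } else {
      out.push(flag);
      if (i + 1 < argv.length) { out.push(MASK); i++; } // value is the next word
    }
  }
  return out;
}

function redactUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return MASK; } // unparseable: don't guess, hide it
  for (const name of [...u.searchParams.keys()]) {
    if (SECRET_QUERY.has(name.toLowerCase())) u.searchParams.set(name, MASK);
  }
  // Path segments that look like opaque tokens (long hex/base64url runs).
  u.pathname = u.pathname.split('/').map((seg) => (/^[A-Za-z0-9_-]{32,}$/.test(seg) ? MASK : seg)).join('/');
  u.username = '';
  u.password = '';
  return u.href;
}

// Drop-in for a `JSON.stringify(args)`-style verbose dump: redact by key name
// and by value shape, recursively.
function redactForLog(value, keyHint = '') {
  if (typeof value === 'string') {
    if (/^https?:\/\//i.test(value)) return redactUrl(value);
    return /(password|secret|token|key|email)/i.test(keyHint) ? MASK : value;
  }
  if (Array.isArray(value)) return value.map((v) => redactForLog(v, keyHint));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = redactForLog(v, k);
    return out;
  }
  return value;
}
```

For the reset-link case the stronger fix is structural: log the event ("reset e-mail queued for user id N") and never the link, since a redacted URL still tells an attacker which endpoint to watch.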
Exploi
## CVE-2026-32304 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 8.1
JavaScript vulnerability analysis and mitigation
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to 3.0.14, the create_function(args, code) function passes both parameters directly to the Function constructor without any sanitization, allowing arbitrary code execution. This is distinct from CVE-2026-29091 which was call_user_func_array using eval() in v2.x. This finding affects create_function using new Function() in v3.x. This vulnerability is fixed in 3.0.14.
Source : NVD
Score: 9.8
Published March 13, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentil
## CVE-2026-33397 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.9
JavaScript vulnerability analysis and mitigation
(Description not preserved in extraction; the advisory text referenced `@angular/ssr`, the `X-Forwarded-Prefix` request header, the `Location` response header, `Vary: X-Forwarded-Prefix`, prefixes such as `///`, `//`, `/\` and `\`, and `server.ts`.)
Source : NVD
Score: 6.9
Published March 26, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@angular/ssr
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 20, 2026
## CVE-2026-23957 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.5
JavaScript vulnerability analysis and mitigation
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding encoded array lengths by replacing them with an excessively large value causes the deserialization process to significantly increase processing time. This issue has been fixed in version 1.4.1.
Source : NVD
Score: 7.5
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
seroval
Sources
NVD
npm Severity HIGH Has
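This entry and the Parse Server LiveQuery one above (CVE-2026-33508) are both resource limits that were either missing or not enforced on one input path: a declared array length the payload cannot back, and logical-operator nesting that was capped on the REST path but not on WebSocket subscriptions. The block below is an added example, neither project's code: a depth check for `$and`/`$or`/`$nor` nesting and a tiny length-prefixed array decoder that refuses a declared length the remaining input does not justify. The encoding and operator set are assumptions for the demo.

```javascript
// Added example, neither Parse Server's nor seroval's code: two resource limits
// on untrusted structured input. checkQueryDepth bounds logical-operator
// nesting in a LiveQuery-style subscription; decodeArray refuses a declared
// array length that the remaining payload cannot back.

const LOGICAL_OPS = new Set(['$and', '$or', '$nor']);

// Returns the deepest nesting level found; throws RangeError past maxDepth.
// Checked before any query is compiled or registered, on every entry path.
function checkQueryDepth(query, maxDepth, depth = 0) {
  if (depth > maxDepth) throw new RangeError(`query depth ${depth} exceeds limit ${maxDepth}`);
  if (!query || typeof query !== 'object') return depth;
  let deepest = depth;
  for (const [key, value] of Object.entries(query)) {
    if (LOGICAL_OPS.has(key)) {
      if (!Array.isArray(value)) throw new TypeError(`${key} must be an array`);
      for (const sub of value) deepest = Math.max(deepest, checkQueryDepth(sub, maxDepth, depth + 1));
    } else if (value && typeof value === 'object' && !Array.isArray(value)) {
      // Field-level operator objects ({ $gt: 1 }) count toward depth too.
      deepest = Math.max(deepest, checkQueryDepth(value, maxDepth, depth + 1));
    }
  }
  return deepest;
}

// Constructs a $or chain nested `levels` deep (test input generator).
function nestedOr(levels) {
  let q = { name: 'x' };
  for (let i = 0; i < levels; i++) q = { $or: [q] };
  return q;
}

// Minimal length-prefixed encoding, assumed for the demo: "<len>:<n>,<n>,...".
function encodeArray(items) {
  return `${items.length}:${items.join(',')}`;
}

function decodeArray(text, maxItems = 10000) {
  const colon = text.indexOf(':');
  if (colon === -1) throw new SyntaxError('missing length prefix');
  const declared = Number(text.slice(0, colon));
  if (!Number.isSafeInteger(declared) || declared < 0) throw new SyntaxError('bad length');
  // Hard cap first: never size any allocation or loop by an unchecked number.
  if (declared > maxItems) throw new RangeError(`declared length ${declared} exceeds ${maxItems}`);
  const body = text.slice(colon + 1);
  const items = body === '' ? [] : body.split(',').map(Number);
  // A declared length the payload cannot back is a forgery, not a hint.
  if (items.length !== declared) throw new SyntaxError(`declared ${declared} items, found ${items.length}`);
  if (items.some((n) => !Number.isFinite(n))) throw new SyntaxError('non-numeric item');
  return items;
}
```

The two functions share one rule: any number that sizes work (depth, count, length) is compared against both a hard cap and what the input actually contains before it drives a loop or an allocation.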
## CVE-2026-24125 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 6.3
JavaScript vulnerability analysis and mitigation
Tina is a headless content management system. Prior to 2.1.2, TinaCMS allows users to create, update, and delete content documents using relative file paths (relativePath, newRelativePath) via GraphQL mutations. Under certain conditions, these paths are combined with the collection path using path.join() without validating that the resolved path remains within the collection root directory. Because path.join() does not prevent directory traversal, paths containing ../ sequences can escape the intended directory boundary. This vulnerability is fixed in 2.1.2.
Source : NVD
Score: 6.3
Published March 12, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Ex
## CVE-2026-34767 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 5.9
JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.3, 40.8.3, and 41.0.3, apps that register custom protocol handlers via protocol.handle() / protocol.registerSchemesAsPrivileged() or modify response headers via webRequest.onHeadersReceived may be vulnerable to HTTP response header injection if attacker-controlled input is reflected into a response header name or value. An attacker who can influence a header value may be able to inject additional response headers, affecting cookies, content security policy, or cross-origin access controls. Apps that do not reflect external input into response headers are not affected. This issue has been
## GHSA-xjr7-3c3g-m763 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 7.1
JavaScript vulnerability analysis and mitigation
## Summary
(Summary text not preserved in extraction; it referenced `depName`, the `gleam` manager and `gleam deps update`.)
## Details
(Details text not preserved in extraction; it referenced `gleam.toml`, `packagesToUpdate`, and `quote` versus `shlex` for shell argument handling.)
## PoC
Create a git repo with the following content:

`renovate.json5`:

```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    always: {
      defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
      transformTemplates: ['{"releases":[{"version":"99999.0.0"}]}'],
    },
  },
  packageRules: [
    {
      // Target of the day
      matchManagers: ["gleam"],
      // Trick the manager into believing there's a new version
      overrideDatasource: "custom.always",
    },
  ],
}
```

`gleam.toml`:

```toml
name = "renovate-aci-2"
version = "0.0.1"
[dependencies]
"|| kill 1" = "0.1.0"
```

`manifest.toml`: any non-empty file.
Wiz
GHSA-89v5-38xr-9m4j Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-89v5-38xr-9m4j Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-89v5-38xr-9m4j: JavaScript vulnerability analysis and mitigation
## Summary
Postiz has multiple SSRF vulnerabilities where user-provided URLs are fetched server-side without any IP validation or SSRF protection.
## Vulnerable Code
## 1. Webhook Send Endpoint (Most Critical)
apps/backend/src/api/routes/webhooks.controller.ts
async sendWebhook(@Body() body: any, @Query('url') url: string) {
try {
await fetch(url, { // No URL validation
method: 'POST',
body: JSON.stringify(body),
headers: { 'Content-Type': 'application/json' },
});
} catch (err) { }
return { send: true };
}
Accepts arbitrary URL via query parameter and fetches directly.
## 2. Stored Webhook Delivery
apps/orchestrator/src/activities/post.activity.ts
async sendWebhooks(postId: string, orgId: string, in
Wiz
GHSA-3m3q-x3gj-f79x Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-3m3q-x3gj-f79x Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-3m3q-x3gj-f79x: JavaScript vulnerability analysis and mitigation
## Affected Packages / Versions
This issue affects the optional voice-call plugin only. It is not enabled by default; it only applies to installations where the plugin is installed and enabled.
@openclaw/voice-call
= 2026.2.3
@clawdbot/voice-call
<= 2026.1.24
@openclaw/voice-call
## Summary
In certain reverse-proxy / forwarding setups, webhook verification can be bypassed if untrusted forwarded headers are accepted.
## Impact
An external party may be able to send voice-call webhook requests that are accepted as valid, which can result in spoofed webhook events being processed.
## Root Cause
Forwarded
X-Forwarded-*
## Resolution
Forwarded
X-Forwarded-*
## Fix Commit(s)
a749db9820eb6d6224
Wiz
CVE-2026-22803 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-22803 [HIGH] CVE-2026-22803 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22803: JavaScript vulnerability analysis and mitigation
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. From 2.49.0 to 2.49.4, the experimental form remote function uses a binary data format containing a representation of submitted form data. A specially-crafted payload can cause the server to allocate a large amount of memory, causing DoS via memory exhaustion. This vulnerability is fixed in 2.49.5.
Source : NVD
Score 8.2
Published January 15, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.1
Exploitation Probability (EPSS) N/A
Affected package
Wiz
CVE-2026-32248 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-32248 [CRITICAL] CVE-2026-32248 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32248: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.12 and 8.6.38, an unauthenticated attacker can take over any user account that was created with an authentication provider that does not validate the format of the user identifier (e.g. anonymous authentication). By sending a crafted login request, the attacker can cause the server to perform a pattern-matching query instead of an exact-match lookup, allowing the attacker to match an existing user and obtain a valid session token for that user's account. Both MongoDB and PostgreSQL database backends are affected. Any Parse Server deployment that allows anonymous authentication (enabled by default)
Wiz
GHSA-rxrv-835q-v5mh Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-rxrv-835q-v5mh Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-rxrv-835q-v5mh: JavaScript vulnerability analysis and mitigation
## Summary
A Prototype Pollution vulnerability exists in the npm package locutus (>2.0.12). Despite a previous fix that attempted to mitigate Prototype Pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue was fixed in version 2.0.39.
## Details
The vulnerability resides in lines 77 to 79 of https://github.com/locutusjs/locutus/blob/main/src/php/strings/parse_str.js, where the includes() function is used to check whether user-provided input contains forbidden strings.
## PoC
## Steps to reproduce
Install the latest version of locutus using npm install or by cloning from git
Run the following code
Wiz
CVE-2026-34766 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.3
CVE-2026-34766 [LOW] CVE-2026-34766 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34766: JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, the select-usb-device event callback did not validate the chosen device ID against the filtered list that was presented to the handler. An app whose handler could be influenced to select a device ID outside the filtered set would grant access to a device that did not match the renderer's requested filters or was listed in exclusionFilters. The WebUSB security blocklist remained enforced regardless, so security-sensitive devices on the blocklist were not affected. The practical impact is limited to apps with unusual device-selection logic. This issue has been
Wiz
CVE-2026-32770 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-32770 [MEDIUM] CVE-2026-32770 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32770: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.19 and 8.6.43, a remote attacker can crash the Parse Server by subscribing to a LiveQuery with an invalid regular expression pattern. The server process terminates when the invalid pattern reaches the regex engine during subscription matching, causing denial of service for all connected clients. The fix in 9.6.0-alpha.19 and 8.6.43 validates regular expression patterns at subscription time, rejecting invalid patterns before they are stored. Additionally, a defense-in-depth try-catch prevents any subscription matching error from crashing the server process. As a workaround, disable LiveQuery if it
Wiz
CVE-2026-30226 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-30226 [MEDIUM] CVE-2026-30226 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30226: JavaScript vulnerability analysis and mitigation
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. In devalue v5.6.3 and earlier, devalue.parse and devalue.unflatten were susceptible to prototype pollution via maliciously crafted payloads. Successful exploitation could lead to Denial of Service (DoS) or type confusion. This vulnerability is fixed in 5.6.4.
Source : NVD
Score 6.3
Published March 11, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 31.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
de
Wiz
CVE-2026-1526 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-1526 [HIGH] CVE-2026-1526 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1526: JavaScript vulnerability analysis and mitigation
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer witho
Wiz
CVE-2026-21884 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-21884 [HIGH] CVE-2026-21884 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21884: JavaScript vulnerability analysis and mitigation
React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode ( ) or Data Mode (createBrowserRouter/ ) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Source : NVD
Score 8.2
Published January 10, 2026
Severity HIGH
CNA Score 8.2
Affected Technologie
Wiz
CVE-2026-33538 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-33538 [HIGH] CVE-2026-33538 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33538: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.58 and 9.6.0-alpha.52, an unauthenticated attacker can cause denial of service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources. This issue has been patched in versions 8.6.58 and 9.6.0-alpha.52.
Source : NVD
Score 8.7
Published March 24, 2026
Severity HIGH
CNA Score 8.7
Affe
Wiz
CVE-2026-34604 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-34604 [HIGH] CVE-2026-34604 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34604: JavaScript vulnerability analysis and mitigation
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/graphql uses string-based path containment checks in FilesystemBridge. That blocks plain ../ traversal, but it does not resolve symlink or junction targets. If a symlink/junction already exists under the allowed content root, a path like content/posts/pivot/owned.md is still considered "inside" the base even though the real filesystem target can be outside it. As a result, FilesystemBridge.get(), put(), delete(), and glob() can operate on files outside the intended root. This issue has been patched in version 2.2.2.
Source : NVD
Score 7.1
Published April 1, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
JavaScript
Has Pu
Wiz
CVE-2025-67716 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.7
CVE-2025-67716 [MEDIUM] CVE-2025-67716 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67716: JavaScript vulnerability analysis and mitigation
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions 4.9.0 through 4.12.1 contain an input-validation flaw in the returnTo parameter, which could allow attackers to inject unintended OAuth query parameters into the Auth0 authorization request. Successful exploitation may result in tokens being issued with unintended parameters. This issue is fixed in version 4.13.0.
Source : NVD
Score 5.7
Published December 11, 2025
Severity MEDIUM
CNA Score 5.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.4
Exploitation Probability (EPSS)
Wiz
CVE-2026-24766 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.9
CVE-2026-24766 [MEDIUM] CVE-2026-24766 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24766: JavaScript vulnerability analysis and mitigation
/api/v2/meta/connection/test
Source : NVD
Score 4.9
Published January 28, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 38.6
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
nocodb
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 29, 2026
Wiz
CVE-2026-23515 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-23515 [CRITICAL] CVE-2026-23515 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23515: JavaScript vulnerability analysis and mitigation
Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0.
Source : NVD
Score 8.8
Published February 2, 2026
Severity HIGH
CNA Score 9.9
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exp
Wiz
CVE-2025-67438 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2025-67438 [MEDIUM] CVE-2025-67438 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67438: JavaScript vulnerability analysis and mitigation
A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user's session cookies.
Source : NVD
Score 6.1
Published February 20, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@sync-in/server
Sources
NVD
npm Severity MEDIUM
Wiz
CVE-2026-27903 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-27903 [HIGH] CVE-2026-27903 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27903: JavaScript vulnerability analysis and mitigation
matchOne()
**
n
k
minimatch()
minimatch()
Source : NVD
Score 7.5
Published February 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
code-server
serve
Sources
NVD
Chainguard Has Fix Added at: Mar 02, 2026
Debian 11, 12, 13, 14 Severity HIGH No Fix Added at: Mar 02, 2026
Echo Severity HIGH No Fix Added at: Mar 02, 2026
npm Severity HIGH Has Fix Added at: Mar 02, 2026
MinimOS Severity HIGH Has Fix Added at: Mar 02, 2026
Red Hat 8, 9, 10 Severity MEDIUM
Wiz
CVE-2025-61686 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2025-61686 [CRITICAL] CVE-2025-61686 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-61686: JavaScript vulnerability analysis and mitigation
React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to cause the session to try to read/write from a location outside the specified session file directory. The success of the attack would depend on the permissions of the web server process to access those files. Read files cannot be returned directly to the attacker. Session file reads would only succeed if the file matched the expected session file format. If the file matched the
Wiz
CVE-2026-34775 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.8
CVE-2026-34775 [MEDIUM] CVE-2026-34775 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34775: JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0, the nodeIntegrationInWorker webPreference was not correctly scoped in all configurations. In certain process-sharing scenarios, workers spawned in frames configured with nodeIntegrationInWorker: false could still receive Node.js integration. Apps are only affected if they enable nodeIntegrationInWorker. Apps that do not use nodeIntegrationInWorker are not affected. This issue has been patched in versions 38.8.6, 39.8.4, 40.8.4, and 41.0.0.
Source : NVD
Score 6.8
Published April 4, 2026
Severity MEDIUM
CNA Score 6.8
Affected Technologies
JavaScript
Has
Wiz
CVE-2026-24048 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.5
CVE-2026-24048 [LOW] CVE-2026-24048 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24048: JavaScript vulnerability analysis and mitigation
FetchUrlReader
backend.reading.allow
@backstage/backend-defaults
backend.reading.allow
Source : NVD
Score 3.5
Published January 21, 2026
Severity LOW
CNA Score 3.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@backstage/backend-defaults
Sources
NVD
npm Severity LOW Has Fix Added at: Jan 22, 2026
Wiz
CVE-2025-65110 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-65110 [HIGH] CVE-2025-65110 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-65110: JavaScript vulnerability analysis and mitigation
vega
vega
vega.View
window
JSON
[email protected]
[email protected]
vega
vega.View
Source : NVD
Score 9.3
Published January 5, 2026
Severity CRITICAL
CNA Score 8.1
Affected Technologies
JavaScript
Linux Debian
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
vega.js
vega-selections
Sources
NVD
Debian 12, 13, 14 Severity CRITICAL No Fix Added at: Jan 11, 2026
Echo Severity CRITICAL No Fix Added at: Jan 11, 2026
npm Severity HIGH Has Fix Added at: Jan 06, 2026
Wiz
CVE-2026-25547 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
CVE-2026-25547 [CRITICAL] CVE-2026-25547 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25547: JavaScript vulnerability analysis and mitigation
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
Source : NVD
Score 9.2
Published February 4, 2026
Severity CRITICAL
CNA Score 9.2
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CIS
Wiz
CVE-2026-2391 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-2391 [MEDIUM] CVE-2026-2391 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2391: JavaScript vulnerability analysis and mitigation
## Summary
arrayLimit
comma: true
## Details
comma
true
?param=a,b,c
['a', 'b', 'c']
arrayLimit
parseArrayValue
Vulnerable code (lib/parse.js: lines ~40-50):
if (val && typeof val === 'string' && options.comma && val.indexOf(',') > -1) {
return val.split(',');
}
if (options.throwOnLimitExceeded && currentArrayLength >= options.arrayLimit) {
throw new RangeError('Array limit exceeded. Only ' + options.arrayLimit + ' element' + (options.arrayLimit === 1 ? '' : 's') + ' allowed in an array.');
}
return val;
split(',')
utils.combine
?param=,,,,,,,,...
arrayLimit
a[0]=
a[]=
## PoC
Test 1 - Basic bypass:
npm install qs
const qs = require('qs');
const payload = 'a=' + ','.repeat(25); // 26 elements
Wiz
CVE-2026-31861 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-31861 [HIGH] CVE-2026-31861 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31861: JavaScript vulnerability analysis and mitigation
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, the /api/user/git-config endpoint constructs shell commands by interpolating user-supplied gitName and gitEmail values into command strings passed to child_process.exec(). The input is placed within double quotes and only " is escaped, but backticks (`), $() command substitution, and \ sequences are all interpreted within double-quoted strings in bash. This allows authenticated attackers to execute arbitrary OS commands via the git configuration endpoint. This vulnerability is fixed in 1.24.0.
Source : NVD
Score 8.7
Published March 11, 2026
Severity HIGH
CNA Score 8.7
Affected Techno
Wiz
CVE-2026-28397 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-28397 [MEDIUM] CVE-2026-28397 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28397: JavaScript vulnerability analysis and mitigation
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, comments rendered via v-html without sanitization enable stored XSS. This issue has been patched in version 0.301.3.
Source : NVD
Score 5.3
Published March 2, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nocodb
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 04, 2026
Wiz
CVE-2026-24472 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-24472 [MEDIUM] CVE-2026-24472 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24472: JavaScript vulnerability analysis and mitigation
Cache-Control: private
Cache-Control: no-store
Source : NVD
Score 5.3
Published January 27, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
langfuse-3
langfuse-fips-3
Sources
NVD
Chainguard Has Fix Added at: Feb 08, 2026
npm Severity MEDIUM Has Fix Added at: Jan 28, 2026
Wolfi Has Fix Added at: Feb 15, 2026
Wiz
CVE-2026-26185 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-26185 [MEDIUM] CVE-2026-26185 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26185: JavaScript vulnerability analysis and mitigation
Directus is a real-time API and App dashboard for managing SQL database content. Before 11.14.1, a timing-based user enumeration vulnerability exists in the password reset functionality. When an invalid reset_url parameter is provided, the response time differs by approximately 500ms between existing and non-existing users, enabling reliable user enumeration. This vulnerability is fixed in 11.14.1.
Source : NVD
Score 5.3
Published February 12, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.2
Exploitation Probability (EPSS) N/A
Affected package
Wiz
CVE-2026-22819 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-22819 [MEDIUM] CVE-2026-22819 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22819: JavaScript vulnerability analysis and mitigation
Outray is an open-source ngrok alternative. Prior to 0.1.5, this vulnerability allows a user (i.e. a free-plan user) to obtain more than the intended number of subdomains due to the lack of a database transaction lock mechanism in main/apps/web/src/routes/api/$orgSlug/subdomains/index.ts. This vulnerability is fixed in 0.1.5.
Source : NVD
Score 3.1
Published January 14, 2026
Severity LOW
CNA Score 5.9
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
outray
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 14, 2026
Wiz
CVE-2026-30854 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-30854 [MEDIUM] CVE-2026-30854 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30854: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. From version 9.3.1-alpha.3 to before version 9.5.0-alpha.10, when graphQLPublicIntrospection is disabled, __type queries nested inside inline fragments (e.g. ... on Query { __type(name:"User") { name } }) bypass the introspection control, allowing unauthenticated users to perform type reconnaissance. __schema introspection is not affected. This issue has been patched in version 9.5.0-alpha.10.
Source : NVD
Score 6.9
Published March 7, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploi
Wiz
CVE-2026-25152 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-25152 [MEDIUM] CVE-2026-25152 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25152: JavaScript vulnerability analysis and mitigation
techdocs.generator.runIn: local
@backstage/plugin-techdocs-node
runIn: docker
app-config.yaml
Source : NVD
Score 6.5
Published January 30, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@backstage/plugin-techdocs-node
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 02, 2026
Wiz
CVE-2026-22037 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.4
CVE-2026-22037 [HIGH] CVE-2026-22037 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22037: JavaScript vulnerability analysis and mitigation
/%61dmin
/admin
Source : NVD
Score 8.4
Published January 19, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@fastify/express
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 21, 2026
Wiz
CVE-2026-2293 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-2293 [HIGH] CVE-2026-2293 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2293: JavaScript vulnerability analysis and mitigation
A NestJS application using @nestjs/platform-fastify can allow bypass of authentication/authorization middleware when Fastify path-normalization options are enabled.
This issue affects nest.Js: 11.1.13.
Source : NVD
Score 8.2
Published February 27, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 45.7
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
@nestjs/platform-fastify
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-30948 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-30948 [HIGH] CVE-2026-30948 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30948: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.4 and 8.6.17, a stored cross-site scripting (XSS) vulnerability allows any authenticated user to upload an SVG file containing JavaScript. The file is served inline with Content-Type: image/svg+xml and without protective headers, causing the browser to execute embedded scripts in the Parse Server origin. This can be exploited to steal session tokens from localStorage and achieve account takeover. The default fileExtensions option blocks HTML file extensions but does not block SVG, which is a well-known XSS vector. All Parse Server deployments where file upload is enabled for authenticated users (t
Wiz
CVE-2026-26960 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-26960 [HIGH] CVE-2026-26960 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26960: JavaScript vulnerability analysis and mitigation
node-tar is a full-featured Tar for Node.js. When using default options in versions 7.5.7 and below, an attacker-controlled archive can create a hardlink inside the extraction directory that points to a file outside the extraction root, enabling arbitrary file read and write as the extracting user. Severity is high because the primitive bypasses path protections and turns archive extraction into a direct filesystem access primitive. This issue has been fixed in version 7.5.8.
Source: NVD
- Score: 7.1
- Published: February 20, 2026
- Severity: HIGH
- CNA Score: 7.1
- Affected Technologies: JavaScript, Grafana
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
## CVE-2025-66457 [HIGH] (Wiz, CVSS 7.5): JavaScript vulnerability analysis and mitigation
Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.17 and below are subject to arbitrary code execution from cookie config. When dynamic cookies are enabled (e.g. there is an existing cookie schema), the cookie config is injected into the compiled route without first being sanitised. Availability of this exploit is generally low, but when combined with GHSA-hxj9-33pp-j2cc, it allows for a full RCE chain. An attack requires write access to either the Elysia app's source code (in which case the vulnerability is meaningless) or write access to the cookie config (perhaps where it is assumed to be provisioned by the environment). This issu
## CVE-2026-32242 [CRITICAL] (Wiz, CVSS 9.1): JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.11 and 8.6.37, Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy. Deployments that configure multiple OAuth2 providers via the oauth2: true flag are affected. This vulnerability is fixed in 9.6.0-alpha.11 and 8.
## CVE-2026-24398 [MEDIUM] (Wiz, CVSS 4.8): JavaScript vulnerability analysis and mitigation
IPV4_REGEX
convertIPv4ToBinary
src/utils/ipaddr.ts
Source: NVD
- Score: 6.5
- Published: January 27, 2026
- Severity: MEDIUM
- CNA Score: 4.8
- Affected Technologies: JavaScript, Wolfi
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 2.5
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: hono, langfuse-3
- Sources: NVD; Chainguard (Has Fix, Added at: Feb 08, 2026); npm (Severity MEDIUM, Has Fix, Added at: Jan 28, 2026); Wolfi (Has Fix, Added at: Feb 15, 2026)
## CVE-2026-32886 [HIGH] (Wiz, CVSS 8.2): JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.24 and 8.6.47, remote clients can crash the Parse Server process by calling a cloud function endpoint with a crafted function name that traverses the JavaScript prototype chain of a registered cloud function handler, causing a stack overflow. The fix in versions 9.6.0-alpha.24 and 8.6.47 restricts property lookups during cloud function name resolution to own properties only, preventing prototype chain traversal from stored function handlers. There is no known workaround.
Source: NVD
- Score: 8.2
- Published: March 18, 2026
- Severity: HIGH
- CNA Score: 8.2
- Affected Technologies: JavaScript
## CVE-2026-22817 [HIGH] (Wiz, CVSS 8.2): JavaScript vulnerability analysis and mitigation
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.11.4, a flaw in Hono's JWK/JWKS JWT verification middleware allowed the JWT header's alg value to influence signature verification when the selected JWK did not explicitly specify an algorithm. This could enable JWT algorithm confusion and, in certain configurations, allow forged tokens to be accepted. As part of this fix, the JWT middleware now requires the alg option to be explicitly specified. This prevents algorithm confusion by ensuring that the verification algorithm is not derived from untrusted JWT header values. This vulnerability is fixed in 4.11.4.
Source: NVD
- Score: 6.5
- Published: January 13, 202
## CVE-2026-28791 [HIGH] (Wiz, CVSS 7.4): JavaScript vulnerability analysis and mitigation
Tina is a headless content management system. Prior to 2.1.7, a path traversal vulnerability exists in the TinaCMS development server's media upload handler. The code at media.ts joins user-controlled path segments using path.join() without validating that the resulting path stays within the intended media directory. This allows writing files to arbitrary locations on the filesystem. This vulnerability is fixed in 2.1.7.
Source: NVD
- Score: 7.4
- Published: March 12, 2026
- Severity: HIGH
- CNA Score: 7.4
- Affected Technologies: JavaScript
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 23.1
- Exploitation Probability (EPSS): 0
## GHSA-vr6p-vq2p-6j74 (CVE-2025-55182) [CRITICAL] (Wiz, CVSS 10.0): JavaScript vulnerability analysis and mitigation
## Withdrawn Advisory
This advisory has been withdrawn because LikeC4 isn’t impacted by CVE-2025-55182 because it doesn’t ship React. React is a peer dependency.
## Original Description
LikeC4 uses React and Next.js, which contain known RCE vulnerabilities, as seen in CVE-2025-55182.
[2025-12-15] Edit: the last fixes published by React were not thorough, a new set of fix releases completes the mitigation; see https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components
Source: NVD
- Score: 10
- Published: December 15, 2025
- Severity: CRITICAL
- CNA Score: N/A
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
## CVE-2026-25223 [HIGH] (Wiz, CVSS 7.5): JavaScript vulnerability analysis and mitigation
Fastify is a fast and low-overhead web framework for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (\t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2.
Source: NVD
- Score: 7.5
- Published: February 3, 2026
- Severity: HIGH
- CNA Score: 7.5
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
## CVE-2026-25574 [MEDIUM] (Wiz, CVSS 5.4): JavaScript vulnerability analysis and mitigation
Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0.
Source: NVD
- Score: 5.4
- Published: February 6, 2026
- Severity: MEDIUM
- CNA Score: 5.4
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
## CVE-2026-30938 [MEDIUM] (Wiz, CVSS 6.9): JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.12 and 9.5.1-alpha.1, the requestKeywordDenylist security control can be bypassed by placing any nested object or array before a prohibited keyword in the request payload. This is caused by a logic bug that stops scanning sibling keys after encountering the first nested value. Any custom requestKeywordDenylist entries configured by the developer are equally bypassable using the same technique. All Parse Server deployments are affected. The requestKeywordDenylist is enabled by default. This vulnerability is fixed in 8.6.12 and 9.5.1-alpha.1. Use a Cloud Code beforeSave trigger to validate incoming data fo
## GHSA-7q9x-8g6p-3x75 [MEDIUM] (Wiz, CVSS 4.3): JavaScript vulnerability analysis and mitigation
## Impact
`renderPairingPage()`, `error`:
```js
const errorHtml = error ? `${error}` : "";
```
`renderAuthorizePage()`, `escapeHtml()`, `packages/server/src/index.ts:64-89`, `renderPairingPage()`, `packages/server/src/index.ts:130`, `renderAuthorizePage()`, `escapeHtml()`
## Patches
`escapeHtml()`:
```js
const errorHtml = error ? `${escapeHtml(error)}` : "";
```
## Workarounds
No workaround needed — all current callers pass hardcoded strings.
## Resources
CWE-79: Improper Neutralization of Input During Web Page Generation
`packages/server/src/index.ts`
Source: NVD
- Score: 2.3
- Published: March 25, 2026
- Severity: LOW
- CNA Score: N/A
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
## CVE-2026-34221 [HIGH] (Wiz, CVSS 8.3): JavaScript vulnerability analysis and mitigation
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, a prototype pollution vulnerability exists in the Utils.merge helper used internally by MikroORM when merging object structures. The function did not prevent special keys such as `__proto__`, `constructor`, or `prototype`, allowing attacker-controlled input to modify the JavaScript object prototype when merged. This issue has been patched in versions 6.6.10 and 7.0.6.
Source: NVD
- Score: 8.3
- Published: March 31, 2026
- Severity: HIGH
- CNA Score: 8.3
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
## CVE-2026-2178 [MEDIUM] (Wiz, CVSS 5.3): JavaScript vulnerability analysis and mitigation
A vulnerability was found in r-huijts xcode-mcp-server up to f3419f00117aa9949e326f78cc940166c88f18cb. This affects the function registerXcodeTools of the file src/tools/xcode/index.ts of the component run_lldb. The manipulation of the argument args results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continuous delivery. Therefore, version details for affected and updated releases are not available. The patch is identified as 11f8d6bacadd153beee649f92a78a9dad761f56f. Applying a patch is advised to resolve this issue.
Source: NVD
- Score: 5.3
- Published: February 8, 2026
## CVE-2026-2229 [HIGH] (Wiz, CVSS 7.5): JavaScript vulnerability analysis and mitigation
## Impact
The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
The isValidClientWind
## CVE-2026-29185 [LOW] (Wiz, CVSS 2.7): JavaScript vulnerability analysis and mitigation
Backstage is an open framework for building developer portals. Prior to version 1.20.1, a vulnerability in the SCM URL parsing used by Backstage integrations allowed path traversal sequences in encoded form to be included in file paths. When these URLs were processed by integration functions that construct API URLs, the traversal segments could redirect requests to unintended SCM provider API endpoints using the configured server-side integration credentials. This issue has been patched in version 1.20.1.
Source: NVD
- Score: 2.7
- Published: March 7, 2026
- Severity: LOW
- CNA Score: 2.7
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
## CVE-2026-29085 [MEDIUM] (Wiz, CVSS 6.5): JavaScript vulnerability analysis and mitigation
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE() in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE protocol uses line breaks as field delimiters, this could allow injection of additional SSE fields within the same event frame if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
Source: NVD
- Score: 6.5
- Published: March 4, 2026
- Severity: MEDIUM
- CNA Score: 6.5
- Affected Technologies: JavaScript, Wolfi
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
## CVE-2025-68475 [HIGH] (Wiz, CVSS 7.5): JavaScript vulnerability analysis and mitigation
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2, a Regular Expression Denial of Service (ReDoS) vulnerability exists in Fedify's document loader. The HTML parsing regex at packages/fedify/src/runtime/docloader.ts:259 contains nested quantifiers that cause catastrophic backtracking when processing maliciously crafted HTML responses. This issue has been patched in versions 1.6.13, 1.7.14, 1.8.15, and 1.9.2.
Source: NVD
- Score: 7.5
- Published: December 22, 2025
- Severity: HIGH
- CNA Score: 7.5
- Affected Technologies: JavaScript, Homebrew
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
## CVE-2026-32234 [MEDIUM] (Wiz, CVSS 5.1): JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.10 and 8.6.36, an attacker with access to the master key can inject malicious SQL via crafted field names used in query constraints when Parse Server is configured with PostgreSQL as the database. The field name in a $regex query operator is passed to PostgreSQL using unparameterized string interpolation, allowing the attacker to manipulate the SQL query. While the master key controls what can be done through the Parse Server abstraction layer, this SQL injection bypasses Parse Server entirely and operates at the database level. This vulnerability only affects Parse Server deployments using Postgr
## CVE-2026-22686 [CRITICAL] (Wiz, CVSS 10.0): JavaScript vulnerability analysis and mitigation
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.7.0, there is a critical sandbox escape vulnerability in enclave-vm that allows untrusted, sandboxed JavaScript code to execute arbitrary code in the host Node.js runtime. When a tool invocation fails, enclave-vm exposes a host-side Error object to sandboxed code. This Error object retains its host realm prototype chain, which can be traversed to reach the host Function constructor. An attacker can intentionally trigger a host error, then climb the prototype chain. Using the host Function constructor, arbitrary JavaScript can be compiled and executed in the host context, fully bypassing the sandbox and granting access to sensiti
## CVE-2026-25228 [MEDIUM] (Wiz, CVSS 5.0): JavaScript vulnerability analysis and mitigation
Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server's applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (\), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3.
Source: NVD
- Score: 4.3
- Published: February 2, 2026
- Severity: MEDIUM
- CNA Score: 5.0
- Affected Technologies: JavaScript
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
## CVE-2026-25894 [CRITICAL] (Wiz, CVSS 9.5): JavaScript vulnerability analysis and mitigation
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when authentication is enabled, but the administrator JWT secret is not configured. This issue has been patched in FUXA version 1.2.10.
Source: NVD
- Score: 9.5
- Published: February 9, 2026
- Severity: CRITICAL
- CNA Score: 9.5
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 26.9
- Exploitation Probability (EPSS): 0.1
## CVE-2025-15265 [MEDIUM] (Wiz, CVSS 5.3): JavaScript vulnerability analysis and mitigation
An SSR XSS exists in async hydration when attacker-controlled keys are passed to hydratable. The key is embedded inside a `<script>` element, which allows an attacker to terminate the script and inject arbitrary JavaScript. This enables remote script execution in users' browsers, with potential for session theft and account compromise.
This issue affects Svelte from 5.46.0 before 5.46.3.
Source: NVD
- Score: 5.3
- Published: January 15, 2026
- Severity: MEDIUM
- CNA Score: 5.3
- Affected Technologies: JavaScript, Linux Fedora
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 2.6
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: pgadmin4-langpack-fr
pg
## CVE-2026-28360 [LOW] (Wiz, CVSS 2.7): JavaScript vulnerability analysis and mitigation
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, shared view passwords were stored in plaintext in the database and compared using direct string equality. This issue has been patched in version 0.301.3.
Source: NVD
- Score: 2.7
- Published: March 2, 2026
- Severity: LOW
- CNA Score: 2.7
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 12.9
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: nocodb
- Sources: NVD; npm (Severity LOW, Has Fix, Added at: Mar 03, 2026)
## CVE-2026-2359 [HIGH] (Wiz, CVSS 8.7): JavaScript vulnerability analysis and mitigation
multipart/form-data
Source: NVD
- Score: 8.7
- Published: February 27, 2026
- Severity: HIGH
- CNA Score: 8.7
- Affected Technologies: JavaScript, Chainguard
- Has Public Exploit: No
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 4.7
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: librechat, redisinsight
- Sources: NVD; Chainguard (Has Fix, Added at: Mar 08, 2026); npm (Severity HIGH, Has Fix, Added at: Mar 02, 2026)
## GHSA-v3rj-xjv7-4jmq (Wiz): JavaScript vulnerability analysis and mitigation
## Summary
An attacker can send a maliciously crafted TOML to cause the parser to crash, because of a stack overflow caused by thousands of consecutive commented lines.
The library uses recursion internally while parsing to skip over commented lines, which can be exploited to crash an application that is processing arbitrary TOML documents.
## Proof of concept
```js
require("smol-toml").parse('# comment\n'.repeat(8000) + 'key = "value"')
```
## Impact
Applications which parse arbitrary TOML documents may suffer availability issues if they receive malicious input. If uncaught, the crash may cause the application itself to crash. The impact is deemed minor, as the function is already likely to throw errors on invalid
## CVE-2025-66402 [HIGH] (Wiz, CVSS 7.1): JavaScript vulnerability analysis and mitigation
Misskey is an open source, federated social media platform. Starting in version 13.0.0-beta.16 and prior to version 2025.12.0, an actor who does not have permission to view favorites or clips can export the posts and view the contents. Version 2025.12.0 fixes the issue.
Source: NVD
- Score: 7.1
- Published: December 16, 2025
- Severity: HIGH
- CNA Score: 7.1
- Affected Technologies: JavaScript
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 13.6
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: misskey-js
- Sources: NVD; npm (Severity HIGH, Has Fix, Added at: Dec 16, 2025)
## CVE-2026-34752 [HIGH] (Wiz, CVSS 8.7): JavaScript vulnerability analysis and mitigation
Haraka is a Node.js mail server. Prior to version 3.1.4, sending an email with `__proto__:` as a header name crashes the Haraka worker process. This issue has been patched in version 3.1.4.
Source: NVD
- Score: 8.7
- Published: April 2, 2026
- Severity: HIGH
- CNA Score: 8.7
- Affected Technologies: JavaScript, Homebrew
- Has Public Exploit: Yes
- Has CISA KEV Exploit: No
- CISA KEV Release Date: N/A
- CISA KEV Due Date: N/A
- Exploitation Probability Percentile (EPSS): 12
- Exploitation Probability (EPSS): N/A
- Affected packages and libraries: haraka
- Sources: NVD; npm (Severity HIGH, Has Fix, Added at: Apr 02, 2026); Homebrew (Severity HIGH, Has Fix, Added at: Apr 06, 2026)
## CVE-2026-34774 [HIGH] (Wiz, CVSS 8.1): JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 39.8.1, 40.7.0, and 41.0.0, apps that use offscreen rendering and allow child windows via window.open() may be vulnerable to a use-after-free. If the parent offscreen WebContents is destroyed while a child window remains open, subsequent paint frames on the child dereference freed memory, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering (webPreferences.offscreen: true) and their setWindowOpenHandler permits child windows. Apps that do not use offscreen rendering, or that deny child windows, are not affected. This issue has been patched in versions
## CVE-2026-34217 [MEDIUM] (Wiz, CVSS 6.9): JavaScript vulnerability analysis and mitigation
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, a scope modification vulnerability exists in @nyariv/sandboxjs. The vulnerability allows untrusted sandboxed code to leak internal interpreter objects through the new operator, exposing sandbox scope objects in the scope hierarchy to untrusted code; an unexpected and undesired exploit. While this could allow modifying scopes inside the sandbox, code evaluation remains sandboxed and prototypes remain protected throughout the execution. This vulnerability is fixed in 0.8.36.
Source: NVD
- Score: 6.9
- Published: April 6, 2026
- Severity: MEDIUM
- CNA Score: 6.9
- Affected Technologies: JavaScript
- Has Public Exploit: No
- Has CISA KEV Exploit: No
## CVE-2026-34224 [LOW] (Wiz, CVSS 2.1): JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery codes and SMS one-time passwords, allowing session persistence even after the legitimate user revokes detected sessions. This issue has been patched in versions 8.6.64 and 9.7.0-alpha.8.
Source: NVD
- Score: 2.1
- Published: March 31, 2026
- Severity: LOW
- CNA Score: 2.1
## CVE-2026-31871 [CRITICAL] (Wiz, CVSS 9.3): JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.5 and 8.6.31, a SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The sub-key name is interpolated directly into SQL string literals without escaping. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL via a crafted sub-key name containing single quotes, potentially executing commands or reading data from the database, bypassing CLPs and ACLs. Only Postgres deployments are affected. This vulnerability is fixed in 9.6.0-alpha.5 and 8.6.
## CVE-2026-32943 [LOW] (Wiz, CVSS 2.3): JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.28 and 8.6.48, the password reset mechanism does not enforce single-use guarantees for reset tokens. When a user requests a password reset, the generated token can be consumed by multiple concurrent requests within a short time window. An attacker who has intercepted a password reset token can race the legitimate user's password reset request, causing both requests to succeed. This may result in the legitimate user believing their password was changed successfully while the attacker's password takes effect instead. All Parse Server deployments that use the password reset feature are affected. Star
## CVE-2026-25148 [MEDIUM] (Wiz, CVSS 5.3): JavaScript vulnerability analysis and mitigation
Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js' server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim's browser in the context of the affected origin. This issue has been patched in version 1.19.0.
Source : NVD
## 5.3
Score
Published February 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.7
Exploitatio
Wiz
blogs_wiz·CVSS 5.6
CVE-2025-14505 [MEDIUM] CVE-2025-14505 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14505 : JavaScript vulnerability analysis and mitigation
The ECDSA implementation of the Elliptic package generates incorrect signatures if an interim value of 'k' (as computed based on step 3.2 of RFC 6979, https://datatracker.ietf.org/doc/html/rfc6979 ) has leading zeros; the resulting signatures are susceptible to cryptanalysis, which can lead to secret-key exposure. This happens because the byte length of 'k' is computed incorrectly, so 'k' is truncated during the computation. Legitimate transactions or communications will be broken as a result. Furthermore, due to the nature of the fault, attackers could, under certain conditions, derive the secret key if they obtained both a faulty signature generated by a vulnerable version of Elliptic and a correct signature fo
Wiz
blogs_wiz·CVSS 8.6
CVE-2026-25041 [HIGH] CVE-2026-25041 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25041 : JavaScript vulnerability analysis and mitigation
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.23.22 and earlier, the PostgreSQL integration constructs shell commands using user-controlled configuration values (database name, host, password, etc.) without proper sanitization. The password and other connection parameters are directly interpolated into a shell command. This affects packages/server/src/integrations/postgres.ts.
Source : NVD
## 8.6
Score
Published March 9, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.7
Exploitation Probability (EPSS
Wiz
blogs_wiz·CVSS 5.8
CVE-2026-34772 [MEDIUM] CVE-2026-34772 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34772 : JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, apps that allow downloads and programmatically destroy sessions may be vulnerable to a use-after-free. If a session is torn down while a native save-file dialog is open for a download, dismissing the dialog dereferences freed memory, which may lead to a crash or memory corruption. Apps that do not destroy sessions at runtime, or that do not permit downloads, are not affected. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8.
Source : NVD
## 5.8
Score
Published April 4, 2026
Severity MEDIUM
CNA Score 5.8
Affected Tech
Wiz
blogs_wiz·CVSS 7.1
[HIGH] GHSA-pfq2-hh62-7m96 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-pfq2-hh62-7m96 : JavaScript vulnerability analysis and mitigation
## Summary
distributionUrl
gradle/wrapper/gradle-wrapper.properties
## Details
When Renovate handles Gradle Wrapper artifacts, it may run a wrapper update command such as:
./gradlew :wrapper --gradle-distribution-url
/bin/sh -c ...
distributionUrl
$(...)
URISyntaxException
allowScripts
gradle-wrapper.properties
Renovate must be configured to process Gradle Wrapper updates/artifacts for that repository (default behavior for the Gradle Wrapper manager).
## PoC
gradlew
gradlew.bat
gradle/wrapper/gradle-wrapper.jar
gradle/wrapper/gradle-wrapper.properties
distributionUrl
gradle-wrapper.properties
$(...)
Run Renovate against the repository.
URISyntaxException
/tmp/passwd_dump
/etc/passwd
#
Wiz
blogs_wiz·CVSS 8.8
CVE-2026-22812 [HIGH] CVE-2026-22812 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22812 : JavaScript vulnerability analysis and mitigation
OpenCode is an open source AI coding agent. Prior to 1.0.216, OpenCode automatically starts an unauthenticated HTTP server that allows any local process (or any website via permissive CORS) to execute arbitrary shell commands with the user's privileges. This vulnerability is fixed in 1.0.216.
Source : NVD
## 8.8
Score
Published January 12, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
JavaScript
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 87.7
Exploitation Probability (EPSS) 3.5
Affected packages and libraries
opencode-ai
opencode
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 14, 2
Wiz
blogs_wiz·CVSS 5.1
CVE-2026-27122 [MEDIUM] CVE-2026-27122 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27122 : JavaScript vulnerability analysis and mitigation
Svelte is a performance-oriented web framework. Prior to 5.51.5, when used in server-side rendering, the provided tag name is not validated or sanitized before being emitted into the HTML output. If the tag string contains unexpected characters, it can result in HTML injection in the SSR output. Client-side rendering is not affected. This vulnerability is fixed in 5.51.5.
Source : NVD
## 5.1
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
svelte
Wiz
blogs_wiz·CVSS 4.7
CVE-2026-24771 [MEDIUM] CVE-2026-24771 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24771 : JavaScript vulnerability analysis and mitigation
ErrorBoundary
Source : NVD
## 4.7
Score
Published January 27, 2026
Severity MEDIUM
CNA Score 4.7
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
hono
langfuse-3
Sources
NVD
Chainguard Has Fix Added at: Feb 08, 2026
npm Severity MEDIUM Has Fix Added at: Jan 28, 2026
Wolfi Has Fix Added at: Feb 15, 2026
Wiz
blogs_wiz·CVSS 8.8
CVE-2026-27606 [HIGH] CVE-2026-27606 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27606 : JavaScript vulnerability analysis and mitigation
../
Source : NVD
## 8.8
Score
Published February 25, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 51.4
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
grafana
golang-github-prometheus-promu
Sources
NVD
Chainguard Has Fix Added at: Mar 03, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 02, 2026
Debian 14 Severity CRITICAL Has Fix Added at: Mar 02, 2026
Echo Severity CRITICAL No Fix Added at: Mar 02, 2026
npm Severity HIGH Has Fix Added at: Mar 02, 2026
Homebrew Severity CRITICAL Has Fix Added at:
Wiz
blogs_wiz·CVSS 7.2
CVE-2026-4800 [HIGH] CVE-2026-4800 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4800 : JavaScript vulnerability analysis and mitigation
Impact:
The fix for CVE-2021-23337 ( https://github.com/advisories/GHSA-35jh-r3h4-6jhm ) added validation for the variable option in _.template but did not apply the same validation to options.imports key names. Both paths flow into the same Function() constructor sink.
When an application passes untrusted input as options.imports key names, an attacker can inject default-parameter expressions that execute arbitrary code at template compilation time.
Additionally, _.template uses assignInWith to merge imports, which enumerates inherited properties via for..in. If Object.prototype has been polluted by any other vector, the polluted keys are copied into the imports object and passed to Function().
Patches:
Users shoul
Wiz
blogs_wiz
GHSA-36j9-mx87-2cff Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-36j9-mx87-2cff : JavaScript vulnerability analysis and mitigation
## Summary
depName
hermit
./hermit install
./hermit uninstall
## Details
packagesToInstall
packagesToUninstall
quote
shlex
quote
shlex
## PoC
Create a git repo with the following content:
renovate.json5
```json5
{
  $schema: "https://docs.renovatebot.com/renovate-schema.json",
  customDatasources: {
    always: {
      defaultRegistryUrlTemplate: "https://docs.renovatebot.com/search/search_index.json",
      transformTemplates: ['{"releases":[{"version":"99999.0.0"}]}'],
    },
  },
  packageRules: [
    {
      // Target of the day
      matchManagers: ["hermit"],
      // Trick the manager in believing there's a new version
      overrideDatasource: "custom.always",
    },
  ],
}
```
bin/hermit
```bash
#!/bin/bash
#
# THIS FILE IS GENERATED; DO NOT MODIFY
set -eo pipefail
```
Wiz
blogs_wiz·CVSS 5.3
CVE-2026-28398 [MEDIUM] CVE-2026-28398 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28398 : JavaScript vulnerability analysis and mitigation
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, user-controlled content in comments and rich text cells was rendered via v-html without sanitization, enabling stored XSS. This issue has been patched in version 0.301.3.
Source : NVD
## 5.3
Score
Published March 2, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nocodb
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 04, 2026
Wiz
blogs_wiz·CVSS 10.0
CVE-2026-25587 [CRITICAL] CVE-2026-25587 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25587 : JavaScript vulnerability analysis and mitigation
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, because Map is in SAFE_PROTOTYPES, its prototype can be obtained via Map.prototype. By overwriting Map.prototype.has, the sandbox can be escaped. This vulnerability is fixed in 0.8.29.
Source : NVD
## 10
Score
Published February 6, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@nyariv/sandboxjs
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Feb 08, 2026
Wiz
blogs_wiz·CVSS 4.3
CVE-2026-4603 [MEDIUM] CVE-2026-4603 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4603 : JavaScript vulnerability analysis and mitigation
Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.
Source : NVD
## 5.1
Score
Published March 23, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1
Exploitation Probability (EPSS) N/A
Affected packages an
Wiz
blogs_wiz·CVSS 5.9
CVE-2026-34778 [MEDIUM] CVE-2026-34778 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34778 : JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, a service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript() and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered and use the result of webContents.executeJavaScript() (or webFrameMain.executeJavaScript()) in security-sensitive decisions. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.
Source : NVD
## 5.9
Score
Published April 4, 2026
Severity MEDIUM
CNA
Wiz
blogs_wiz
GHSA-38cw-85xc-xr9x Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-38cw-85xc-xr9x : JavaScript vulnerability analysis and mitigation
## Summary
@veramo/data-store
column
order
## Details
packages/data-store/src/data-store-orm.ts
decorateQB()
```typescript
function decorateQB(
  qb: SelectQueryBuilder,
  tableName: string,
  input: FindArgs,
): SelectQueryBuilder {
  if (input?.skip) qb = qb.offset(input.skip)
  if (input?.take) qb = qb.limit(input.take)
  if (input?.order) {
    for (const item of input.order) {
      qb = qb.addSelect(
        qb.connection.driver.escape(tableName) + '.' + qb.connection.driver.escape(item.column),
        item.column,
      )
      qb = qb.orderBy(qb.connection.driver.escape(item.column), item.direction)
    }
  }
  return qb
}
```
Root Cause:
item.column
addSelect()
TCredentialColumns = 'context' | 'type' | ...
FindArgs
TypeORM inserts the alias directly into the SQL q
Wiz
blogs_wiz·CVSS 7.5
CVE-2026-23965 [HIGH] CVE-2026-23965 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23965 : JavaScript vulnerability analysis and mitigation
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A signature forgery vulnerability exists in the SM2 signature verification logic of sm-crypto prior to version 0.4.0. Under default configurations, an attacker can forge valid signatures for arbitrary public keys. If the message space contains sufficient redundancy, the attacker can fix the prefix of the message associated with the forged signature to satisfy specific formatting requirements. Version 0.4.0 patches the issue.
Source : NVD
## 7.5
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date
Wiz
blogs_wiz·CVSS 4.3
CVE-2026-4598 [MEDIUM] CVE-2026-4598 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4598 : JavaScript vulnerability analysis and mitigation
Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)).
Source : NVD
## 7.7
Score
Published March 23, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
jsrsasign
Sources
NVD
npm Severity HIGH Has Fix
Wiz
blogs_wiz·CVSS 6.5
CVE-2026-31865 [MEDIUM] CVE-2026-31865 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31865 : JavaScript vulnerability analysis and mitigation
__proto__
Source : NVD
## 5.3
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
elysia
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 17, 2026
Wiz
blogs_wiz·CVSS 6.9
CVE-2026-27738 [MEDIUM] CVE-2026-27738 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27738 : JavaScript vulnerability analysis and mitigation
X-Forwarded-Prefix
X-Forwarded-Prefix
X-Forwarded-Prefix
X-Forwarded-Prefix
server.ts
Source : NVD
## 6.9
Score
Published February 25, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@angular/ssr
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 02, 2026
Wiz
blogs_wiz·CVSS 5.3
CVE-2026-2130 [MEDIUM] CVE-2026-2130 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2130 : JavaScript vulnerability analysis and mitigation
A vulnerability was determined in BurtTheCoder mcp-maigret up to 1.0.12. This affects an unknown part of the file src/index.ts of the component search_username. Executing a manipulation of the argument Username can lead to command injection. The attack may be launched remotely. Upgrading to version 1.0.13 is able to mitigate this issue. This patch is called b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a. Upgrading the affected component is advised.
Source : NVD
## 5.3
Score
Published February 8, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 45.1
Exploitat
Wiz
blogs_wiz·CVSS 4.9
CVE-2026-28361 [MEDIUM] CVE-2026-28361 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28361 : JavaScript vulnerability analysis and mitigation
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the MCP token service did not validate token ownership, allowing a Creator within the same base to read, regenerate, or delete another user's MCP tokens if the token ID was known. This issue has been patched in version 0.301.3.
Source : NVD
## 4.9
Score
Published March 2, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nocodb
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
blogs_wiz·CVSS 8.5
CVE-2025-68130 [HIGH] CVE-2025-68130 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68130 : JavaScript vulnerability analysis and mitigation
@trpc/server
formDataToObject
Object.prototype
experimental_caller
experimental_nextAppDirCaller
Source : NVD
## 8.5
Score
Published December 16, 2025
Severity HIGH
CNA Score 8.5
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@trpc/server
langfuse-2
Sources
NVD
Chainguard Has Fix Added at: Dec 21, 2025
npm Severity HIGH Has Fix Added at: Dec 17, 2025
Wolfi Has Fix Added at: Dec 21, 2025
Wiz
blogs_wiz·CVSS 6.8
CVE-2026-32103 [MEDIUM] CVE-2026-32103 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32103 : JavaScript vulnerability analysis and mitigation
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the POST /studiocms_api/dashboard/create-reset-link endpoint allows any authenticated user with admin privileges to generate a password reset token for any other user, including the owner account. The handler verifies that the caller is an admin but does not enforce role hierarchy, nor does it validate that the target userId matches the caller's identity. Combined with the POST /studiocms_api/dashboard/reset-password endpoint, this allows a complete account takeover of the highest-privileged account in the system. This vulnerability is fixed in 0.4.3.
Source : NVD
## 7.2
Score
Published March 11, 2026
Severity H
Wiz
blogs_wiz·CVSS 6.7
CVE-2026-24131 [MEDIUM] CVE-2026-24131 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24131 : JavaScript vulnerability analysis and mitigation
directories.bin
path.join()
"directories": {"bin": "../../../../tmp"}
fixBin
EXECUTABLE_SHEBANG_SUPPORTED
Source : NVD
## 6.7
Score
Published January 26, 2026
Severity MEDIUM
CNA Score 6.7
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pnpm
Sources
NVD
Alpine 3.21, 3.22, 3.23, edge Severity MEDIUM No Fix Added at: Jan 29, 2026
Chainguard Has Fix Added at: Jan 27, 2026
npm Severity MEDIUM Has Fix Added at: Jan 27, 2026
Homebrew Severity MEDIUM Has Fix Added at: Jan 29, 2026
MinimOS Severity ME
Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-mwv9-gp5h-frr4 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-mwv9-gp5h-frr4 : JavaScript vulnerability analysis and mitigation
devalue.parse
devalue.unflatten
__proto__
JSON.parse
```javascript
const result = devalue.parse(/* input creating an object with a __proto__ property */);
const target = {};
Object.assign(target, result); // target's prototype is now polluted
```
Source : NVD
## 2.7
Score
Published March 12, 2026
Severity LOW
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
devalue
Sources
NVD
npm Severity LOW Has Fix Added at: Mar 13, 2026
Wiz
blogs_wiz·CVSS 7.1
CVE-2026-35441 [HIGH] CVE-2026-35441 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35441 : JavaScript vulnerability analysis and mitigation
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints (/graphql and /graphql/system) did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large number of independent complex database queries concurrently, multiplying database load linearly with the number of aliases. The existing token limit on GraphQL queries still permitted enough aliases for significant resource exhaustion, while the relational depth limit applied per alias without reducing the total number executed. Rate limiti
Wiz
blogs_wiz·CVSS 6.5
CVE-2026-23888 [MEDIUM] CVE-2026-23888 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23888 : JavaScript vulnerability analysis and mitigation
../
extractAllTo
BinaryResolution.prefix
../../evil
targetDir
Source : NVD
## 6.5
Score
Published January 26, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pnpm
Sources
NVD
Alpine 3.21, 3.22, 3.23, edge Severity MEDIUM No Fix Added at: Jan 29, 2026
Chainguard Has Fix Added at: Jan 27, 2026
npm Severity MEDIUM Has Fix Added at: Jan 27, 2026
Homebrew Severity MEDIUM Has Fix Added at: Jan 29, 2026
MinimOS Severity MEDIUM Has Fix Added at: Jan 29, 2026
Nix Sever
Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-qr2g-p6q7-w82m Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-qr2g-p6q7-w82m : JavaScript vulnerability analysis and mitigation
## Impact
A security vulnerability exists in outdated versions of the x402 SDK.
This vulnerability does not affect users' private keys, smart contracts, or funds.
The issue impacts resource servers accepting payments on Solana when the facilitator is running a vulnerable version of the x402 SDK.
## Who Should Take Action
Facilitators that process payments on Solana must upgrade the x402 SDK to the patched versions listed below.
Clients are not required to upgrade.
Resource servers are not required to upgrade unless they operate their own facilitator (self-facilitate).
## Patches
Please update to the following package versions:
Npm: @x402/svm >= 2.6.0
Pypi: x402 >= 2.3.0
Go: x402 >= 2.5.0
Source : NVD
Wiz
blogs_wiz·CVSS 9.9
CVE-2026-32306 [CRITICAL] CVE-2026-32306 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32306 : JavaScript vulnerability analysis and mitigation
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.23, the telemetry aggregation API accepts user-controlled aggregationType, aggregateColumnName, and aggregationTimestampColumnName parameters and interpolates them directly into ClickHouse SQL queries via the .append() method (documented as "trusted SQL"). There is no allowlist, no parameterized query binding, and no input validation. An authenticated user can inject arbitrary SQL into ClickHouse, enabling full database read (including telemetry data from all tenants), data modification, and potential remote code execution via ClickHouse table functions. This vulnerability is fixed in 10.0.23.
Source : NVD
## 9.9
Score
Published Mar
Wiz
blogs_wiz·CVSS 7.4
CVE-2026-27191 [HIGH] CVE-2026-27191 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27191 : JavaScript vulnerability analysis and mitigation
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. In versions 5.0.39 and below, the redirect query parameter is appended to the base origin without validation, allowing attackers to steal access tokens via URL authority injection. This leads to full account takeover, as the attacker obtains the victim's access token and can impersonate them. The application constructs the final redirect URL by concatenating the base origin with the user-supplied redirect parameter. This is exploitable when the origins array is configured and origin values do not end with /. Supplying @attacker.com as the redirect value results in https://[email protected]#access_toke
Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-9r75-g2cr-3h76 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-9r75-g2cr-3h76 : JavaScript vulnerability analysis and mitigation
createWebhook()
token
/.well-known/workflow/v1/webhook/{token}
## Impact
An attacker who guesses a webhook token can resume the associated workflow with an attacker-controlled HTTP request body, potentially triggering downstream side effects such as API calls, database writes, or deployments.
## Fix
token
createWebhook()
Runs created with versions prior to 4.2.0-beta.64 that are 1) still active (i.e. running) and 2) have open hooks are still susceptible to this vulnerability. If users suspect the hook tokens are predictable or leaked, consider cancelling those runs and restarting them on the latest patch.
## Workarounds
token
createWebhook()
createWebhook()
createHook()
resumeHook()
createW
Wiz
blogs_wiz·CVSS 8.8
CVE-2026-30944 [HIGH] CVE-2026-30944 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30944 : JavaScript vulnerability analysis and mitigation
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.0, the /studiocms_api/dashboard/api-tokens endpoint allows any authenticated user (at least Editor) to generate API tokens for any other user, including owner and admin accounts. The endpoint fails to validate whether the requesting user is authorized to create tokens on behalf of the target user ID, resulting in a full privilege escalation. This vulnerability is fixed in 0.4.0.
Source : NVD
## 8.8
Score
Published March 10, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability
Wiz
blogs_wiz·CVSS 5.8
CVE-2024-43035 [MEDIUM] CVE-2024-43035 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2024-43035 : JavaScript vulnerability analysis and mitigation
Fonoster 0.5.5 before 0.6.1 allows ../ directory traversal to read arbitrary files via the /sounds/:file or /tts/:file VoiceServer endpoint. This occurs in serveFiles in mods/voice/src/utils.ts. NOTE: serveFiles exists in 0.5.5 but not in the next release, 0.6.1.
Source : NVD
## 5.8
Score
Published March 5, 2026
Severity MEDIUM
CNA Score 5.8
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 56
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
@fonoster/voice
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 08, 2026
Wiz
blogs_wiz·CVSS 6.9
CVE-2025-13465 [MEDIUM] CVE-2025-13465 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13465 : JavaScript vulnerability analysis and mitigation
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. The issue permits deletion of properties but does not allow overwriting their original behavior. This issue is patched in 4.17.23.
Source : NVD
Score 6.9
Published January 21, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ipa-server-trust-ad
python3-jupytex
## CVE-2026-32104 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
JavaScript vulnerability analysis and mitigation
StudioCMS is a server-side-rendered, Astro native, headless content management system. Prior to 0.4.3, the updateUserNotifications endpoint accepts a user ID from the request payload and uses it to update that user's notification preferences. It checks that the caller is logged in but never verifies that the caller owns the target account (id !== userData.user.id). Any authenticated visitor can modify notification preferences for any user, including disabling admin notifications to suppress detection of malicious activity. This vulnerability is fixed in 0.4.3.
Source : NVD
Score 5.4
Published March 11, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
JavaScript
Has Public Exploit Yes
## GHSA-mfg5-7q5g-f37j [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
JavaScript vulnerability analysis and mitigation
## Summary
@openclaw/voice-call
openclaw
## Affected Packages / Versions
| Package | Affected versions | Fixed in |
|---|---|---|
| openclaw | <= 2026.2.21-2 | 2026.2.22 |
| @openclaw/voice-call | <= 2026.2.21 | 2026.2.22 |
## Technical Details
shouldAcceptStream()
start
## Impact
Availability risk in deployments where the media-stream endpoint is reachable and streaming is enabled. Under sustained abuse, this could consume connection-related resources and degrade service for legitimate streams.
## Remediation
The fix adds layered controls in the media-stream path:
start
global pending-connection cap
per-IP pending-connection cap
total open media-stream connection cap
safer upgrade-path parsing in the webhook server
## Fix Commit(s)
1d8968c8a821ff1a05c2
## CVE-2026-33128 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
JavaScript vulnerability analysis and mitigation
H3 is a minimal H(TTP) framework. In versions prior to 1.15.6 and between 2.0.0 through 2.0.1-rc.14, createEventStream is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage() and formatEventStreamComment(). An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to connected clients. This issue is fixed in versions 1.15.6 and 2.0.1-rc.15.
Source : NVD
Score 10
Published March 20, 2026
Severity CRITICAL
CNA Score 7.5
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## GHSA-5j35-xr4g-vwf4 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
JavaScript vulnerability analysis and mitigation
## Impact
HttpOnly; SameSite=Lax; Path=/
Secure
127.0.0.1
--allow-network
0.0.0.0
packages/server/src/session.ts:76
; Secure
## Patches
; Secure
--allow-network
```ts
// Patched cookie builder: the Secure attribute is appended only when the server is served over HTTPS
const securePart = isHttps ? "; Secure" : "";
return `${SESSION_COOKIE_NAME}=${cookieValue}; HttpOnly; SameSite=Lax; Path=/${securePart}; Max-Age=${maxAge}`;
```
## Workarounds
--allow-network
## Resources
OWASP: Secure Cookie Attribute
packages/server/src/session.ts
Source : NVD
Score 2.3
Published March 25, 2026
Severity LOW
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
## CVE-2026-33950 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
JavaScript vulnerability analysis and mitigation
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0-beta.4, there is a privilege escalation vulnerability by Admin Role Injection via /enableSecurity. An unauthenticated attacker can gain full Administrator access to the SignalK server at any time, allowing them to modify sensitive vessel routing data, alter server configurations, and access restricted endpoints. This issue has been patched in version 2.24.0-beta.4.
Source : NVD
Score 9.4
Published April 2, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-31802 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
JavaScript vulnerability analysis and mitigation
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extraction directory by using a drive-relative symlink target such as C:../../../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This vulnerability is fixed in 7.5.11.
Source : NVD
Score 8.2
Published March 10, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nodejs:24::v8-12.4-devel
tar
## CVE-2026-34770 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, apps that use the powerMonitor module may be vulnerable to a use-after-free. After the native PowerMonitor object is garbage-collected, the associated OS-level resources (a message window on Windows, a shutdown handler on macOS) retain dangling references. A subsequent session-change event (Windows) or system shutdown (macOS) dereferences freed memory, which may lead to a crash or memory corruption. All apps that access powerMonitor events (suspend, resume, lock-screen, etc.) are potentially affected. The issue is not directly renderer-controllable. This iss
## CVE-2025-69970 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
JavaScript vulnerability analysis and mitigation
FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation.
Source : NVD
Score 9.3
Published February 3, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.7
Exploitation Probability (EPSS) N/A
## CVE-2026-33769 [LOW] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.9
JavaScript vulnerability analysis and mitigation
Astro is a web framework. Versions from 2.10.10 up to, but not including, 5.18.1 are affected. The issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that merely contains the allowed prefix later in the path still matches. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. This issue has been patched in version 5.18.1.
Source : NVD
Score 2.9
Published March 24, 2026
Severity LOW
CNA Score 2.9
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
## CVE-2025-68620 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
JavaScript vulnerability analysis and mitigation
serverevents=all
ACCESS_REQUEST
startServerEvents
app.lastServerEvents
allow_readonly
/signalk/v1/access/requests/:id
queryRequest
Source : NVD
Score 9.1
Published January 1, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
signalk-server
Sources: NVD; npm (Severity CRITICAL, Has Fix, Added at: Jan 02, 2026)
## CVE-2026-25141 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
JavaScript vulnerability analysis and mitigation
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as !+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Ver
## CVE-2026-33409 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.52 and 9.6.0-alpha.41, an authentication bypass vulnerability allows an attacker to log in as any user who has linked a third-party authentication provider, without knowing the user's credentials. The attacker only needs to know the user's provider ID to gain full access to their account, including a valid session token. This affects Parse Server deployments where the server option allowExpiredAuthDataToken is set to true. The default value is false. This issue has been patched in versions 8.6.52 and 9.6.0-alpha.41.
Source : NVD
Score 7
Published March 24, 2026
Severity HIGH
## CVE-2026-30830 [LOW] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.1
JavaScript vulnerability analysis and mitigation
Defuddle cleans up HTML pages. Prior to version 0.9.0, the _findContentBySchemaText method in src/defuddle.ts interpolates image src and alt attributes directly into an HTML string without escaping. An attacker can use a " in the alt attribute to break out of the attribute context and inject an event handler. This issue has been patched in version 0.9.0.
Source : NVD
Score 2.1
Published March 7, 2026
Severity LOW
CNA Score 2.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
defuddle
Sources: NVD; npm
## CVE-2026-25651 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
JavaScript vulnerability analysis and mitigation
client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0.
Source : NVD
Score 6.1
Published February 6, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.6
Exploitation Probability (EPSS) N/A
## CVE-2026-27818 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
JavaScript vulnerability analysis and mitigation
proxyableDomains
Source : NVD
Score 8.7
Published February 26, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
terriajs-server
Sources: NVD; npm (Severity HIGH, Has Fix, Added at: Mar 02, 2026)
## CVE-2025-69206 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
JavaScript vulnerability analysis and mitigation
Hemmelig is a messaging app with client-side encryption and self-destructing messages. Prior to version 7.3.3, a Server-Side Request Forgery (SSRF) filter bypass vulnerability exists in the webhook URL validation of the Secret Requests feature. The application attempts to block internal/private IP addresses but can be bypassed using DNS rebinding or open redirect services. This allows an authenticated user to make the server initiate HTTP requests to internal network resources. Version 7.3.3 contains a patch for the issue.
Source : NVD
Score 4.3
Published December 29, 2025
Severity MEDIUM
CNA Score 4.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
## CVE-2026-25047 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
JavaScript vulnerability analysis and mitigation
deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8.
Source : NVD
Score 9.4
Published January 29, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
deephas
Sources: NVD; npm (Severity CRITICAL, Has Fix, Added at: Jan 30, 2026)
## CVE-2026-31800 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.12 and 8.6.25, the _GraphQLConfig and _Audience internal classes can be read, modified, and deleted via the generic /classes/_GraphQLConfig and /classes/_Audience REST API routes without master key authentication. This bypasses the master key enforcement that exists on the dedicated /graphql-config and /push_audiences endpoints. An attacker can read, modify and delete GraphQL configuration and push audience data. This vulnerability is fixed in 9.5.2-alpha.12 and 8.6.25.
Source : NVD
Score 8.8
Published March 10, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
JavaScript
## GHSA-6475-r3vj-m8vf Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
JavaScript vulnerability analysis and mitigation
CVSSv3.1 Rating: 3.7 (LOW)
## Summary
This notification is related to the use of specific values for the region input field when calling AWS services. An actor with access to the environment in which the SDK is used could set the region input field to an invalid value.
A defense-in-depth enhancement has been implemented in the AWS SDK for JavaScript v3 (versions 3.723.0 and later). This enhancement validates that a region used to construct an endpoint URL is a valid host label. The change was released on November 15, 2025. This advisory is informational to help customers understand their responsibilities regarding configuration security.
## Impact
Customer applications could be configured to improperly route AWS API call
## CVE-2026-32732 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
JavaScript vulnerability analysis and mitigation
Lean 4 VS Code Extension is a Visual Studio Code extension for the Lean 4 proof assistant. Projects that use @leanprover/unicode-input-component are vulnerable to an XSS exploit in 0.1.9 of the package and lower. The component re-inserted text in the input element back into the input element as unescaped HTML. The issue has been resolved in 0.2.0.
Source : NVD
Published March 16, 2026
Severity NONE
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@leanprover/unicode-input-component
Sources: NVD; npm
## GHSA-qq9g-96v4-m3cj Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
JavaScript vulnerability analysis and mitigation
## Summary
@pdfme/schemas
innerHTML
## Details
packages/schemas/src/select/index.ts
ui
```ts
// Vulnerable pattern: each option string is interpolated into markup and assigned via innerHTML without escaping
const options = Array.isArray(schema.options) ? schema.options : [];
selectElement.innerHTML = options
  .map(
    (option) =>
      `${option}`,
  )
  .join('');
```
option
schema.options
value
## Proof of Concept
Loading the following template into a pdfme Form or Designer component triggers JavaScript execution:
```json
{
  "basePdf": { "width": 210, "height": 297, "padding": [20, 20, 20, 20] },
  "schemas": [[
    {
      "name": "malicious_select",
      "type": "select",
      "content": "Normal",
      "options": [
        "Normal",
        "\">"
      ],
      "position": { "x": 20, "y": 20 },
      "width": 80,
      "height": 10
    }
  ]]
}
```
selectElement.innerHTML
## Attack Vectors
option
## CVE-2026-23947 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
JavaScript vulnerability analysis and mitigation
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions prior to 7.19.0 until 8.0.2 are vulnerable to arbitrary code execution in environments consuming generated clients. This issue is similar in nature to CVE-2026-22785, but affects a different code path in @orval/core that was not addressed by CVE-2026-22785's fix. The vulnerability allows untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript code into generated clients via the x-enumDescriptions field, which is embedded without proper escaping in getEnumImplementation(). I have confirmed that the injection occurs during const enum generation and results in executable code within the gener
## CVE-2026-29045 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
JavaScript vulnerability analysis and mitigation
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using serveStatic together with route-based middleware protections (e.g. app.use('/admin/*', ...)), inconsistent URL decoding allowed protected static resources to be accessed without authorization. The router used decodeURI, while serveStatic used decodeURIComponent. This mismatch allowed paths containing encoded slashes (%2F) to bypass middleware protections while still resolving to the intended filesystem path. This issue has been patched in version 4.12.4.
Source : NVD
Score 9.8
Published March 4, 2026
Severity CRITICAL
CNA Score 7.5
Affected Technologies
JavaScript
Wolfi
## CVE-2026-27795 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.1
JavaScript vulnerability analysis and mitigation
RecursiveUrlLoader
@langchain/community
@langchain/community
Location
redirect: "manual"
Location
validateSafeUrl()
Source : NVD
Score 4.1
Published February 25, 2026
Severity MEDIUM
CNA Score 4.1
Affected Technologies
JavaScript
MinimOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Exploitation Probability (EPSS) N/A
Affected packages and libraries
kibana-9.2
@langchain/community
Sources: NVD; npm (Severity MEDIUM, Has Fix, Added at: Mar 02, 2026); MinimOS (Severity MEDIUM, Has Fix, Added at: Mar 02, 2026)
## CVE-2026-26118 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
JavaScript vulnerability analysis and mitigation
Server-side request forgery (SSRF) in Azure MCP Server allows an authorized attacker to elevate privileges over a network.
Source : NVD
Score 8.8
Published March 10, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
JavaScript
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@azure/mcp
msmcp-azure
Sources: NVD; NuGet (Severity HIGH, Has Fix, Added at: Mar 12, 2026); npm (Severity HIGH, Has Fix, Added at: Mar 13, 2026); pip (Severity HIGH, Has Fix, Added at: Mar 13, 2026)
## CVE-2026-31882 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
JavaScript vulnerability analysis and mitigation
Dagu is a workflow engine with a built-in Web user interface. Prior to 2.2.4, when Dagu is configured with HTTP Basic authentication (DAGU_AUTH_MODE=basic), all Server-Sent Events (SSE) endpoints are accessible without any credentials. This allows unauthenticated attackers to access real-time DAG execution data, workflow configurations, execution logs, and queue status — bypassing the authentication that protects the REST API. The buildStreamAuthOptions() function builds authentication options for SSE/streaming endpoints. When the auth mode is basic, it returns an auth.Options struct with BasicAuthEnabled: true but AuthRequired defaults to false (Go zero value). The authentication middleware at internal/service/frontend
## CVE-2026-29792 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
JavaScript vulnerability analysis and mitigation
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, an unauthenticated attacker can send a crafted GET request directly to /oauth/:provider/callback with a forged profile in the query string. The OAuth service's authentication payload has a fallback chain that reaches params.query (the raw request query) when Grant's session/state responses are empty. Since the attacker never initiated an OAuth authorize flow, Grant has no session to work with and produces no response, so the fallback fires. The forged profile then drives entity lookup and JWT minting. The attacker gets a valid access token for an existing user without ever contacting the
## CVE-2026-34776 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, on macOS and Linux, apps that call app.requestSingleInstanceLock() were vulnerable to an out-of-bounds heap read when parsing a crafted second-instance message. Leaked memory could be delivered to the app's second-instance event handler. This issue is limited to processes running as the same user as the Electron app. Apps that do not call app.requestSingleInstanceLock() are not affected. Windows is not affected by this issue. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.
Source : NVD
Score 5.3
Published April 4, 2026
## CVE-2026-27729 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
JavaScript vulnerability analysis and mitigation
mode: 'standalone'
Source : NVD
Score 7.5
Published February 24, 2026
Severity HIGH
CNA Score 5.9
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 36.2
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
@astrojs/node
Sources: NVD; npm (Severity MEDIUM, Has Fix, Added at: Mar 02, 2026)
## CVE-2026-33042 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
JavaScript vulnerability analysis and mitigation
authData
authData
authData
beforeSave
_User
authData
Source : NVD
Score 6.9
Published March 18, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
parse-server
Sources: NVD; npm (Severity MEDIUM, Has Fix, Added at: Mar 18, 2026)
## CVE-2026-1528 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
JavaScript vulnerability analysis and mitigation
## Impact
A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows its internal length arithmetic, ends up in an invalid state, and throws a fatal TypeError that terminates the process.
## Patches
Patched in undici versions v7.24.0 and v6.24.0. Users should upgrade to those versions or later.
Source : NVD
Score 7.5
Published March 12, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Node.js
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 32.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
nodejs:22::nodejs-devel
## CVE-2026-26226 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
JavaScript vulnerability analysis and mitigation
beautiful-mermaid versions prior to 0.1.3 contain an SVG attribute injection issue that can lead to cross-site scripting (XSS) when rendering attacker-controlled Mermaid diagrams. User-controlled values from Mermaid style and classDef directives are interpolated into SVG attribute values without proper escaping, allowing crafted input to break out of an attribute context and inject arbitrary SVG elements/attributes into the rendered output. When the generated SVG is embedded in a web page, this can result in script execution in the context of the embedding origin.
Source : NVD
Score 5.3
Published February 13, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit Yes
## CVE-2026-29786 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
JavaScript vulnerability analysis and mitigation
node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extraction directory by using a drive-relative link target such as C:../target.txt, which enables file overwrite outside cwd during normal tar.x() extraction. This issue has been patched in version 7.5.10.
Source : NVD
Score 8.2
Published March 7, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
npm
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
nodejs20-debuginfo
Wiz
CVE-2026-21440 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
CVE-2026-21440 [CRITICAL] CVE-2026-21440 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-21440 :
JavaScript vulnerability analysis and mitigation
AdonisJS is a TypeScript-first web framework. A Path Traversal vulnerability in AdonisJS multipart file handling may allow a remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This impacts @adonisjs/bodyparser through version 10.1.1 and 11.x prerelease versions prior to 11.0.0-next.6. This issue has been patched in @adonisjs/bodyparser versions 10.1.2 and 11.0.0-next.6.
Source : NVD
## 9.2
Score
Published January 2, 2026
Severity CRITICAL
CNA Score 9.2
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.3
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2025-68467 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.4
CVE-2025-68467 [LOW] CVE-2025-68467 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68467 :
JavaScript vulnerability analysis and mitigation
http[:]//localhost[:]8080/style[.]css
darkreader
setFetchMethod()
Source : NVD
## 3.4
Score
Published March 4, 2026
Severity LOW
CNA Score 3.4
Affected Technologies
JavaScript
Linux Alpine
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
darkreader
Sources
NVD
Alpine edge Severity LOW No Fix Added at: Mar 19, 2026
npm Severity LOW Has Fix Added at: Mar 05, 2026
Wiz
CVE-2025-67419 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-67419 [HIGH] CVE-2025-67419 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67419 :
JavaScript vulnerability analysis and mitigation
A Denial of Service (DoS) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to exhaust the application server's resources via the "GET /images" API. The application fails to limit the height of the use-element shadow tree or the dimensions of pattern tiles during the processing of SVG files, resulting in unbounded resource consumption and system-wide denial of service.
Source : NVD
## 7.5
Score
Published January 5, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.9
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-25881 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.0
CVE-2026-25881 [CRITICAL] CVE-2026-25881 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25881 :
JavaScript vulnerability analysis and mitigation
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.31, a sandbox escape vulnerability allows sandboxed code to mutate host built-in prototypes by laundering the isGlobal protection flag through array literal intermediaries. When a global prototype reference (e.g., Map.prototype, Set.prototype) is placed into an array and retrieved, the isGlobal taint is stripped, permitting direct prototype mutation from within the sandbox. This results in persistent host-side prototype pollution and may enable RCE in applications that use polluted properties in sensitive sinks (example gadget: execSync(obj.cmd)). This vulnerability is fixed in 0.8.31.
Source : NVD
## 10
Score
Published February 9, 2026
Severity CRITICAL
Wiz
CVE-2026-32723 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2026-32723 [MEDIUM] CVE-2026-32723 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32723 :
JavaScript vulnerability analysis and mitigation
currentTicks.current
currentTicks.current
Source : NVD
## 4.8
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@nyariv/sandboxjs
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 17, 2026
Wiz
CVE-2026-25044 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-25044 [HIGH] CVE-2026-25044 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25044 :
JavaScript vulnerability analysis and mitigation
Budibase is an open-source low-code platform. Prior to version 3.33.4, the bash automation step executes user-provided commands using execSync without proper sanitization or validation. User input is processed through processStringSync which allows template interpolation, potentially allowing arbitrary command execution. This issue has been patched in version 3.33.4.
Source : NVD
## 8.7
Score
Published April 3, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@budibase/server
Wiz
CVE-2026-35214 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-35214 [HIGH] CVE-2026-35214 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35214 :
JavaScript vulnerability analysis and mitigation
Budibase is an open-source low-code platform. Prior to version 3.33.4, the plugin file upload endpoint (POST /api/plugin/upload) passes the user-supplied filename directly to createTempFolder() without sanitizing path traversal sequences. An attacker with Global Builder privileges can craft a multipart upload with a filename containing ../ to delete arbitrary directories via rmSync and write arbitrary files via tarball extraction to any filesystem path the Node.js process can access. This issue has been patched in version 3.33.4.
Source : NVD
## 8.7
Score
Published April 3, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
CVE-2026-29091 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-29091 [HIGH] CVE-2026-29091 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29091 :
JavaScript vulnerability analysis and mitigation
Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. Prior to version 3.0.0, a remote code execution (RCE) flaw was discovered in the locutus project, specifically within the call_user_func_array function implementation. The vulnerability allows an attacker to inject arbitrary JavaScript code into the application's runtime environment. This issue stems from an insecure implementation of the call_user_func_array function (and its wrapper call_user_func), which fails to properly validate all components of a callback array before passing them to eval(). This issue has been patched in version 3.0.0.
Source : NVD
## 8.1
Score
Published March 6, 2026
Severity HIGH
CNA Score 8.1
Wiz
CVE-2025-69262 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-69262 [HIGH] CVE-2025-69262 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69262 :
JavaScript vulnerability analysis and mitigation
pnpm is a package manager. Versions 6.25.0 through 10.26.2 have a Command Injection vulnerability when using environment variable substitution in .npmrc configuration files with tokenHelper settings. An attacker who can control environment variables during pnpm operations could achieve Remote Code Execution (RCE) in build environments. This issue is fixed in version 10.27.0.
Source : NVD
## 7.8
Score
Published January 7, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.4
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-22866 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
CVE-2026-22866 [LOW] CVE-2026-22866 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22866 :
JavaScript vulnerability analysis and mitigation
RSASHA256Algorithm
RSASHA1Algorithm
Source : NVD
## 2.7
Score
Published February 25, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@ensdomains/ens-contracts
Sources
NVD
npm Severity LOW No Fix Added at: Mar 02, 2026
Wiz
CVE-2026-34220 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-34220 [CRITICAL] CVE-2026-34220 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34220 :
JavaScript vulnerability analysis and mitigation
MikroORM is a TypeScript ORM for Node.js based on Data Mapper, Unit of Work and Identity Map patterns. Prior to versions 6.6.10 and 7.0.6, there is a SQL injection vulnerability when specially crafted objects are interpreted as raw SQL query fragments. This issue has been patched in versions 6.6.10 and 7.0.6.
Source : NVD
## 9.3
Score
Published March 31, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@mikro-orm/core
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Mar
Wiz
CVE-2026-27597 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-27597 [CRITICAL] CVE-2026-27597 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27597 :
JavaScript vulnerability analysis and mitigation
@enclave-vm/core
Source : NVD
## 10
Score
Published February 25, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
JavaScript
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 67.8
Exploitation Probability (EPSS) 0.5
Affected packages and libraries
@enclave-vm/core
enclave
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Mar 02, 2026
Homebrew Severity CRITICAL Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-28357 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-28357 [MEDIUM] CVE-2026-28357 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28357 :
JavaScript vulnerability analysis and mitigation
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patched in version 0.301.3.
Source : NVD
## 5.3
Score
Published March 2, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nocodb
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 03,
Wiz
CVE-2026-28465 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-28465 [HIGH] CVE-2026-28465 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28465 :
JavaScript vulnerability analysis and mitigation
OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-* headers in reverse-proxy configurations that implicitly trust these headers.
Source : NVD
## 8.2
Score
Published March 5, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 39.4
Exploitation Probability (EPSS) 0.2
Wiz
GHSA-mvv8-v4jj-g47j Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-mvv8-v4jj-g47j Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-mvv8-v4jj-g47j :
JavaScript vulnerability analysis and mitigation
## Summary
directus_revisions
prepareDelta
directus_users
## Impact
directus_revisions
token
tfa_secret
external_identifier
auth_data
credentials
ai_openai_api_key
ai_anthropic_api_key
ai_google_api_key
ai_openai_compatible_api_key
## Affected code paths
Item create/update revisions: The data (snapshot) field written to directus_revisions was not processed through prepareDelta, so concealed/encrypted fields were stored without redaction. Relational fields were also included, which should have been excluded.
Authentication service: When a user was auto-suspended after repeated failed login attempts, the revision record was created with the raw user object (including all sensitive fields) rather t
Wiz
CVE-2025-70948 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-70948 [CRITICAL] CVE-2025-70948 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-70948 :
JavaScript vulnerability analysis and mitigation
A host header injection vulnerability in the mailer component of @perfood/couch-auth v0.26.0 allows attackers to obtain reset tokens and execute an account takeover via spoofing the HTTP Host header.
Source : NVD
## 9.3
Score
Published March 5, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@perfood/couch-auth
Sources
NVD
npm Severity MEDIUM No Fix Added at: Mar 08, 2026
Wiz
GHSA-6q22-g298-grjh Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-6q22-g298-grjh Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-6q22-g298-grjh :
JavaScript vulnerability analysis and mitigation
## Summary
The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution of the underlying resolver.
The health check resolver ran all backend checks (database connectivity, cache, storage writes, and SMTP verification) on every invocation. Combined with unauthenticated access to the system GraphQL endpoint, this allowed an attacker to amplify resource consumption significantly from a single HTTP request, exhausting the database connection pool, storage I/O, and SMTP connections.
Wiz
CVE-2025-68115 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2025-68115 [MEDIUM] CVE-2025-68115 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68115 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available in versions 8.6.1 and 9.1.0-alpha.3, escapes user controlled values that are inserted into the HTML pages. No known workarounds are available.
Source : NVD
## 5.3
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.3
Wiz
CVE-2025-68429 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2025-68429 [HIGH] CVE-2025-68429 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68429 :
JavaScript vulnerability analysis and mitigation
.env
storybook build
storybook build
.env
.env.local
.env
.env
storybook dev
.env
STORYBOOK_
env
Source : NVD
## 7.3
Score
Published December 17, 2025
Severity HIGH
CNA Score 7.3
High-profile Vulnerability Yes
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana
grafana-selinux
Sources
NVD
npm Severity HIGH Has Fix Added at: Dec 18, 2025
Red Hat 9, 10 Severity HIGH No Fix Added at: Dec 21, 2025
Wiz
GHSA-3mjm-x6gw-2x42 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-3mjm-x6gw-2x42 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-3mjm-x6gw-2x42 :
JavaScript vulnerability analysis and mitigation
## Impact
Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
dangerouslySetInnerHTML
packages/server/src/index.ts
res.writeHead()
Content-Type
## Patches
0.70.4 Fix: Add security headers to all HTML/API responses:

```js
res.writeHead(200, {
  "Content-Type": contentType,
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff"
});
```
## Workarounds
Use a reverse proxy (nginx, Caddy) in front of the Grackle server to inject security headers.
## References
CWE-693: Protection Mechanism Failure
OWASP: HTTP Security Response Headers
packages/server/src/index.ts
Wiz
CVE-2026-3304 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-3304 [HIGH] CVE-2026-3304 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3304 :
JavaScript vulnerability analysis and mitigation
multipart/form-data
Source : NVD
## 8.7
Score
Published February 27, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
multer
librechat
Sources
NVD
Chainguard Has Fix Added at: Mar 08, 2026
npm Severity HIGH Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-27699 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-27699 [CRITICAL] CVE-2026-27699 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27699 :
JavaScript vulnerability analysis and mitigation
basic-ftp
downloadToDir()
../
Source : NVD
## 9.8
Score
Published February 25, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
JavaScript
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
langfuse-3
kibana-9.2
Sources
NVD
Chainguard Has Fix Added at: Mar 02, 2026
Debian 13, 14 Severity CRITICAL Has Fix Added at: Mar 02, 2026
Echo Severity CRITICAL Has Fix Added at: Mar 02, 2026
npm Severity CRITICAL Has Fix Added at: Mar 02, 2026
MinimOS Severity CRITICAL Has Fix Added at: Mar 02, 2026
Wolfi Has Fix Added at: Mar 02
Wiz
CVE-2026-31860 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-31860 [MEDIUM] CVE-2026-31860 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31860 :
JavaScript vulnerability analysis and mitigation
Unhead is a document head and template manager. Prior to 2.1.11, useHeadSafe() can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered tags. This is the composable that the Nuxt docs recommend for safely handling user-generated content. The acceptDataAttrs function (safe.ts, lines 16-20) allows any property key starting with data- through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing. This vulnerability is fixed in 2.1.11.
Source : NVD
## 5.3
Score
Published March 12, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
CVE-2026-34083 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-34083 [MEDIUM] CVE-2026-34083 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34083 :
JavaScript vulnerability analysis and mitigation
Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.24.0, SignalK Server contains a code-level vulnerability in its OIDC login and logout handlers where the unvalidated HTTP Host header is used to construct the OAuth2 redirect_uri. Because the redirectUri configuration is silently unset by default, an attacker can spoof the Host header to steal OAuth authorization codes and hijack user sessions in realistic deployments, as the OIDC provider will then send the authorization code to whatever domain was injected. This issue has been patched in version 2.24.0.
Source : NVD
## 6.1
Score
Published April 2, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
JavaScript
Wiz
CVE-2025-14284 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2025-14284 [MEDIUM] CVE-2025-14284 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-14284 :
JavaScript vulnerability analysis and mitigation
Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered by user interaction.
Source : NVD
## 5.1
Score
Published December 9, 2025
Severity MEDIUM
CNA Score 5.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@tiptap/exte
Wiz
CVE-2026-30947 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-30947 [HIGH] CVE-2026-30947 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30947 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.3 and 8.6.16, class-level permissions (CLP) are not enforced for LiveQuery subscriptions. An unauthenticated or unauthorized client can subscribe to any LiveQuery-enabled class and receive real-time events for all objects, regardless of CLP restrictions. All Parse Server deployments that use LiveQuery with class-level permissions are affected. Data intended to be restricted by CLP is leaked to unauthorized subscribers in real time. This vulnerability is fixed in 9.5.2-alpha.3 and 8.6.16.
Source : NVD
## 8.7
Score
Published March 10, 2026
Severity HIGH
CNA Score 8.7
Wiz
CVE-2026-28358 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
CVE-2026-28358 [LOW] CVE-2026-28358 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28358 :
JavaScript vulnerability analysis and mitigation
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3.
Source : NVD
## 2.7
Score
Published March 2, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 71.4
Exploitation Probability (EPSS) 0.7
Affected packages and libraries
nocodb
Sources
NVD
npm Severity LOW Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-33532 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-33532 [MEDIUM] CVE-2026-33532 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33532 :
JavaScript vulnerability analysis and mitigation
yaml
yaml
RangeError: Maximum call stack size exceeded
RangeError
YAMLParseError
[
]
Parser
YAML.parse()
YAML.parseDocument()
YAML.parseAllDocuments()
Source : NVD
## 4.3
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
grafana-graphite
grafana-stackdriver
Sources
NVD
Chainguard Has Fix Added at: Mar 29, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 29, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 29, 202
Wiz
CVE-2026-33418 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33418 [HIGH] CVE-2026-33418 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33418 :
JavaScript vulnerability analysis and mitigation
ensureSize()
@dicebear/converter
width
height
<svg
@resvg/resvg-js
fast-xml-parser
fitTo
renderAsync
Source : NVD
## 7.5
Score
Published March 24, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
dicebear
@dicebear/converter
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 21, 2026
Homebrew Severity HIGH Has Fix Added at: Mar 26, 2026
Wiz
GHSA-g3qj-j598-cxmq Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-g3qj-j598-cxmq Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-g3qj-j598-cxmq :
JavaScript vulnerability analysis and mitigation
## Summary
extractStrings()
## Affected versions
cbor
cbor-extract
## PoC
```js
const { decode } = require("cbor-x");
decode(Buffer.from("7a10000000", "hex")); // exit code 139 (SIGSEGV)
```
extractStrings()
readString()
attestationObject
attestationResult()
cbor-x.decode()
cbor-extract
## Fix
Bump cbor-x to >= 1.6.3 (which pulls cbor-extract >= 2.2.1).
-"cbor-x": "~1.6.0"
+"cbor-x": "^1.6.3"
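Review bot: the `+"cbor-x": "^1.6.3"` line only raises the declared range in package.json; since the fix line above states that the cbor-extract >= 2.2.1 bump arrives transitively through cbor-x, the lockfile has to be regenerated (or the resolved cbor-extract version checked in it) alongside this change, otherwise an existing lockfile can keep the old cbor-extract installed while the manifest looks fixed.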
— Malik X (@Xvush)
Source : NVD
## 7.5
Score
Published March 24, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Wiz
CVE-2026-26019 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.1
CVE-2026-26019 [MEDIUM] CVE-2026-26019 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26019 :
JavaScript vulnerability analysis and mitigation
LangChain is a framework for building LLM-powered applications. Prior to 1.1.14, the RecursiveUrlLoader class in @langchain/community is a web crawler that recursively follows links from a starting URL. Its preventOutside option (enabled by default) is intended to restrict crawling to the same site as the base URL. The implementation used String.startsWith() to compare URLs, which does not perform semantic URL validation. An attacker who controls content on a crawled page could include links to domains that share a string prefix with the target, causing the crawler to follow links to attacker-controlled or internal infrastructure. Additionally, the crawler performed no validation against private or reserved IP addresses
Wiz
CVE-2026-30925 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-30925 [HIGH] CVE-2026-30925 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30925 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.0-alpha.14 and 8.6.11, a malicious client can subscribe to a LiveQuery with a crafted $regex pattern that causes catastrophic backtracking, blocking the Node.js event loop. This makes the entire Parse Server unresponsive, affecting all clients. Any Parse Server deployment with LiveQuery enabled is affected. The attacker only needs the application ID and JavaScript key, both of which are public in client-side apps. This only affects LiveQuery subscription matching, which evaluates regex in JavaScript on the Node.js event loop. Normal REST and GraphQL queries are not affected because their regex is evaluate
Wiz
CVE-2026-30229 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2026-30229 [HIGH] CVE-2026-30229 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30229 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.6 and 9.5.0-alpha.4, the readOnlyMasterKey can call POST /loginAs to obtain a valid session token for any user. This allows a read-only credential to impersonate arbitrary users with full read and write access to their data. Any Parse Server deployment that uses readOnlyMasterKey is affected. This issue has been patched in versions 8.6.6 and 9.5.0-alpha.4.
Source : NVD
## 8.5
Score
Published March 6, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2026-34779 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2026-34779: JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on macOS, app.moveToApplicationsFolder() used an AppleScript fallback path that did not properly handle certain characters in the application bundle path. Under specific conditions, a crafted launch path could lead to arbitrary AppleScript execution when the user accepted the move-to-Applications prompt. Apps are only affected if they call app.moveToApplicationsFolder(). Apps that do not use this API are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8.
Source: NVD
Score 6.5
Published April 4, 2026
CVE-2026-33442 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
## CVE-2026-33442: JavaScript vulnerability analysis and mitigation
sanitizeStringLiteral
'
''
BACKSLASH_ESCAPES
Source: NVD
Score 8.1
Published March 26, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kysely
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 21, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
## Related JavaScript vulnerabilities:
| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
CVE-2025-8083 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
## CVE-2025-8083: JavaScript vulnerability analysis and mitigation
The Preset configuration (https://v2.vuetifyjs.com/en/features/presets) feature of Vuetify is vulnerable to Prototype Pollution (https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html) due to the internal 'mergeDeep' utility function used to merge options with defaults. Using a specially-crafted, malicious preset can result in polluting all JavaScript objects with arbitrary properties, which can further negatively affect all aspects of the application's behavior. This can lead to a wide range of security issues, including resource exhaustion/denial of service or unauthorized access to data.
If the application utilizes Server-Side Rendering (SSR), this vulnerability could affect the wh
GHSA-4hxc-9384-m385 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
## GHSA-4hxc-9384-m385: JavaScript vulnerability analysis and mitigation
## Summary
EventStream
\r
data
comment
\r
\r
push()
7791538
\n
\r
## Details
7791538
_sanitizeSingleLine()
\n
\r
id
event
data
\n
data
formatEventStreamMessage()
src/utils/internal/event-stream.ts:190-193
```ts
const data = typeof message.data === "string" ? message.data : "";
for (const line of data.split("\n")) { // Only splits on \n, not \r
  result += `data: ${line}\n`;
}
```
String.prototype.split("\n")
\r
"legit\revent: evil"
data: legit\revent: evil\n
\r
data: legit
event: evil
Score 5.3
Published March 20, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2026-25641 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
## CVE-2026-25641: JavaScript vulnerability analysis and mitigation
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is never enforced. So, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using hasOwnProperty(key) and a different one for when the key is used for the actual property access. This vulnerability is fixed in 0.8.29.
Source: NVD
Score 9
Published February 6, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
JavaScript
CVE-2026-25050 [LOW] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
## CVE-2026-25050: JavaScript vulnerability analysis and mitigation
NativeAuthenticationStrategy.authenticate()
packages/core/src/config/auth/native-authentication-strategy.ts
Source: NVD
Score 2.7
Published January 30, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@vendure/core
Sources
NVD
npm Severity LOW Has Fix Added at: Jan 31, 2026
CVE-2026-32269 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
## CVE-2026-32269: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.13 and 8.6.39, the OAuth2 authentication adapter does not correctly validate app IDs when appidField and appIds are configured. During app ID validation, a malformed value is sent to the token introspection endpoint instead of the user's actual access token. Depending on the introspection endpoint's behavior, this could either cause all OAuth2 logins to fail, or allow authentication from disallowed app contexts if the endpoint returns valid-looking data for the malformed request. Deployments using the OAuth2 adapter with appidField and appIds configured are affected. This vulnerability is fixed in
CVE-2026-33672 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
## CVE-2026-33672: JavaScript vulnerability analysis and mitigation
POSIX_REGEX_SOURCE
Object.prototype
[[:constructor:]]
picomatch
[[:...:]]
POSIX_REGEX_SOURCE
Source: NVD
Score 5.3
Published March 26, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 37.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
nodejs-npm
argo-workflows-4.0
Sources
NVD
Chainguard Has Fix Added at: Mar 29, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 29, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 29, 2026
Echo Severity MEDIUM No Fix Added at: Mar 29, 2026
npm Severity MED
CVE-2026-30973 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2026-30973: JavaScript vulnerability analysis and mitigation
Appium is an automation framework that provides WebDriver-based automation possibilities for a wide range platforms. Prior to 7.0.6, @appium/support contains a ZIP extraction implementation (extractAllTo() via ZipExtractor.extract()) with a path traversal (Zip Slip) check that is non-functional. The check at line 88 of packages/support/lib/zip.js creates an Error object but never throws it, allowing malicious ZIP entries with ../ path components to write files outside the intended destination directory. This affects all JS-based extractions (the default code path), not only those using the fileNamesEncoding option. This vulnerability is fixed in 7.0.6.
Source: NVD
Score 6.5
Published March 10, 2026
Severity M
CVE-2026-27700 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
## CVE-2026-27700: JavaScript vulnerability analysis and mitigation
hono/aws-lambda
getConnInfo()
X-Forwarded-For
X-Forwarded-For
ipRestriction
Source: NVD
Score 7.5
Published February 25, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
hono
kibana-9.1
Sources
NVD
Chainguard Has Fix Added at: Mar 02, 2026
npm Severity HIGH Has Fix Added at: Mar 02, 2026
GHSA-gq3j-xvxp-8hrf [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
## GHSA-gq3j-xvxp-8hrf: JavaScript vulnerability analysis and mitigation
## Summary
basicAuth
bearerAuth
timingSafeEqual
===
## Details
===
timingSafeEqual
Avoid early termination during comparison
Use a constant-time-style comparison method
## Impact
This issue is unlikely to be exploited in normal environments.
It may only be relevant in highly controlled situations where precise timing measurements are possible.
This change is considered a security hardening improvement. Users are encouraged to upgrade to the latest version.
Source: NVD
Score 3.7
Published February 19, 2026
Severity LOW
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2026-25151 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
## CVE-2026-25151: JavaScript vulnerability analysis and mitigation
Qwik is a performance-focused JavaScript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0.
Source: NVD
Score 5.9
Published February 3, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@builder.io/qwik-city
CVE-2026-32701 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2026-32701: JavaScript vulnerability analysis and mitigation
Qwik is a performance-focused JavaScript framework. Versions prior to 1.19.2 improperly inferred arrays from dotted form field names during FormData parsing. By submitting mixed array-index and object-property keys for the same path, an attacker could cause user-controlled properties to be written onto values that application code expected to be arrays. When processing application/x-www-form-urlencoded or multipart/form-data requests, Qwik City converted dotted field names (e.g., items.0, items.1) into nested structures. If a path was interpreted as an array, additional attacker-supplied keys on that path—such as items.toString, items.push, items.valueOf, or items.length—could alter the resulting server-side value in un
CVE-2026-30951 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2026-30951: JavaScript vulnerability analysis and mitigation
Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB where clause processing. The _traverseJSON() function splits JSON path keys on :: to extract a cast type, which is interpolated raw into CAST(... AS ) SQL. An attacker who controls JSON object keys can inject arbitrary SQL and exfiltrate data from any table. This vulnerability is fixed in 6.37.8.
Source: NVD
Score 7.5
Published March 10, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.3
Exploitation Probability (EPSS) N/A
CVE-2026-23956 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2026-23956: JavaScript vulnerability analysis and mitigation
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, overriding RegExp serialization with extremely large patterns can exhaust JavaScript runtime memory during deserialization. Additionally, overriding RegExp serialization with patterns that trigger catastrophic backtracking can lead to ReDoS (Regular Expression Denial of Service). This issue has been fixed in version 1.4.1.
Source: NVD
Score 7.5
Published January 22, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2026-25224 [LOW] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.7
## CVE-2026-25224: JavaScript vulnerability analysis and mitigation
Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3.
Source: NVD
Score 3.7
Published February 3, 2026
Severity LOW
CNA Score 3.7
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CVE-2026-32621 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
## CVE-2026-32621: JavaScript vulnerability analysis and mitigation
Apollo Federation is an architecture for declaratively composing APIs into a unified graph. Prior to 2.9.6, 2.10.5, 2.11.6, 2.12.3, and 2.13.2, a vulnerability exists in query plan execution within the gateway that may allow pollution of Object.prototype in certain scenarios. A malicious client may be able to pollute Object.prototype in gateway directly by crafting operations with field aliases and/or variable names that target prototype-inheritable properties. Alternatively, if a subgraph were to be compromised by a malicious actor, they may be able to pollute Object.prototype in gateway by crafting JSON response payloads that target prototype-inheritable properties. This vulnerability is fixed in 2.9.6, 2.10.5, 2.11.6
GHSA-cr3w-cw5w-h3fj Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
## GHSA-cr3w-cw5w-h3fj: JavaScript vulnerability analysis and mitigation
## Summary
There is a reflected XSS vulnerability in the GET /admin/edit-codepage/:name route through the name parameter. This can be used to hijack the session of an admin if they click a specially crafted link.
Additionally, there is a Command Injection vulnerability in GET /admin/backup. The admin can inject a shell command in the backup password which is inserted in the command used to create the backup zip. Both vulnerabilities can be chained to craft a malicious link which will execute an arbitrary shell command on the server if it is clicked by a saltcorn admin with an active session. I believe iframes could also be used to exploit this silently when the admin visits an attacker-controlled web page (though
CVE-2026-25153 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
## CVE-2026-25153: JavaScript vulnerability analysis and mitigation
runIn: local
mkdocs.yml
hooks
mkdocs.yml
@techdocs/cli
@backstage/plugin-techdocs-node
runIn: docker
runIn: local
mkdocs.yml
mkdocs.yml
hooks
@techdocs/cli
@backstage/plugin-techdocs-node
Source: NVD
Score 8.8
Published January 30, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@backstage/plugin-techdocs-node
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 03, 2026
CVE-2026-4092 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
## CVE-2026-4092: JavaScript vulnerability analysis and mitigation
Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.
Source: NVD
Score 8.7
Published March 13, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 77.3
Exploitation Probability (EPSS) 1
Affected packages and libraries
@google/clasp
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 14, 2026
CVE-2026-22028 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
## CVE-2026-22028: JavaScript vulnerability analysis and mitigation
Preact, a lightweight web development framework, includes JSON serialization protection to prevent Virtual DOM elements from being constructed from arbitrary JSON. A regression introduced in Preact 10.26.5 caused this protection to be softened. In applications where values from JSON payloads are assumed to be strings and passed unmodified to Preact as children, a specially-crafted JSON payload could be constructed that would be incorrectly treated as a valid VNode. When this chain of failures occurs it can result in HTML injection, which can allow arbitrary script execution if not mitigated by CSP or other means. Applications using affected Preact versions are vulnerable if they meet all of the following conditions: first, pass
CVE-2026-32638 [LOW] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
## CVE-2026-32638: JavaScript vulnerability analysis and mitigation
getUsers
rank
rank=owner
getUser
Source: NVD
Score 2.7
Published March 18, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
studiocms
Sources
NVD
npm Severity LOW Has Fix Added at: Mar 17, 2026
CVE-2026-34601 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2026-34601: JavaScript vulnerability analysis and mitigation
DOMParser
XMLSerializer
Source: NVD
Score 7.5
Published April 2, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
node-xmldom
arangodb-3.11
Sources
NVD
Chainguard Has Fix Added at: Apr 07, 2026
Debian 11, 12, 13, 14 Severity HIGH No Fix Added at: Apr 05, 2026
Echo Severity HIGH No Fix Added at: Apr 05, 2026
npm Severity HIGH Has Fix Added at: Apr 02, 2026
CVE-2026-2265 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2026-2265: JavaScript vulnerability analysis and mitigation
An unauthenticated remote code execution (RCE) vulnerability exists in applications that use the Replicator node package manager (npm) version 1.0.5 to deserialize untrusted user input and execute the resulting object.
Source: NVD
Score 6.5
Published April 1, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
replicator
Sources
NVD
npm Severity MEDIUM No Fix Added at: Apr 05, 2026
CVE-2026-24909 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
## CVE-2026-24909: JavaScript vulnerability analysis and mitigation
vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction.
Source: NVD
Score 5.9
Published January 27, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@vltpkg/tar
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 28, 2026
CVE-2026-34746 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
## CVE-2026-34746: JavaScript vulnerability analysis and mitigation
Payload is a free and open source headless content management system. Prior to version 3.79.1, an authenticated Server-Side Request Forgery (SSRF) vulnerability exists in the upload functionality. Authenticated users with create or update access to an upload-enabled collection could cause the server to make outbound HTTP requests to arbitrary URLs. This issue has been patched in version 3.79.1.
Source: NVD
Score 7.7
Published April 1, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9
Exploitation Probability (EPSS) N/A
CVE-2026-33750 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
## CVE-2026-33750: JavaScript vulnerability analysis and mitigation
{1..2..0}
expand()
0
Source: NVD
Score 6.5
Published March 27, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
grafana-graphite
gemini-cli
Sources
NVD
Chainguard Has Fix Added at: Mar 29, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 29, 2026
Debian 14 Severity MEDIUM Has Fix Added at: Mar 29, 2026
Echo Severity MEDIUM No Fix Added at: Mar 29, 2026
npm Severity MEDIUM Has Fix Added at: Mar 29, 2026
MinimOS Severity MEDIUM Has Fix Added at:
CVE-2026-24001 [LOW] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.7
## CVE-2026-24001: JavaScript vulnerability analysis and mitigation
\r
\u2028
\u2029
parsePatch
parsePatch
parsePatch
applyPatch
parsePatch
parsePatch
\r
\u2028
\u2029
Source: NVD
Score 2.7
Published January 22, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
JavaScript
npm
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
redisinsight
vitess-23
Sources
NVD
Chainguard Has Fix Added at: Jan 23, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Jan 23, 2026
Debian 14 Severity HIGH No Fix Added at: Jan 23, 2026
Echo Severity HIGH No Fix Added at: Jan 23, 2026
npm Severity LOW Has
CVE-2025-69263 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2025-69263: JavaScript vulnerability analysis and mitigation
pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs) in the lockfile without integrity hashes. This allows the remote server to serve different content on each install, even when a lockfile is committed. An attacker who publishes a package with an HTTP tarball dependency can serve different code to different users or CI/CD environments. The attack requires the victim to install a package that has an HTTP/git tarball in its dependency tree. The victim's lockfile provides no protection. This issue is fixed in version 10.26.0.
Source: NVD
Score 8.8
Published January 7, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
NixOS
GHSA-cjmm-f4jc-qw8r [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
## GHSA-cjmm-f4jc-qw8r: JavaScript vulnerability analysis and mitigation
## Summary
ADD_ATTR
EXTRA_ELEMENT_HANDLING.attributeCheck
true
_isValidAttribute
javascript:
href
## Impact
javascript:
## Credits
Identified by Cantina’s Apex (https://www.cantina.security).
Source: NVD
Score 5.3
Published April 3, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dompurify
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Apr 05, 2026
CVE-2026-23733 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.4
## CVE-2026-23733: JavaScript vulnerability analysis and mitigation
electronAPI
Source: NVD
Score 6.4
Published January 18, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 28.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@lobehub/chat
Sources
NVD
npm Severity CRITICAL No Fix Added at: Jan 21, 2026
CVE-2026-31818 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
## CVE-2026-31818: JavaScript vulnerability analysis and mitigation
Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the BLACKLIST_IPS environment variable is not set by default in any of the official deployment configurations. When this variable is empty, the blacklist function unconditionally returns false, allowing all requests through without restriction. This issue has been patched in version 3.33.4.
Source: NVD
Score 9.6
Published April 3, 2026
Severity CRITICAL
CNA Score 9.6
Affected Technologies
JavaScript
Has Public Exploit No
CVE-2026-34226 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
## CVE-2026-34226: JavaScript vulnerability analysis and mitigation
window.location
fetch(..., { credentials: "include" })
Source: NVD
Score 7.5
Published March 27, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
happy-dom
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 29, 2026
CVE-2026-27601 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
## CVE-2026-27601: JavaScript vulnerability analysis and mitigation
Underscore.js is a utility-belt library for JavaScript. Prior to 1.13.8, the _.flatten and _.isEqual functions use recursion without a depth limit. Under very specific conditions, detailed below, an attacker could exploit this in a Denial of Service (DoS) attack by triggering a stack overflow. Untrusted input must be used to create a recursive datastructure, for example using JSON.parse, with no enforced depth limit. The datastructure thus created must be passed to _.flatten or _.isEqual. In the case of _.flatten, the vulnerability can only be exploited if it is possible for a remote client to prepare a datastructure that consists of arrays at all levels AND if no finite depth limit is passed as the second argument to _
Wiz
CVE-2026-29086 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-29086 [MEDIUM] CVE-2026-29086 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29086 :
JavaScript vulnerability analysis and mitigation
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, the setCookie() utility did not validate semicolons (;), carriage returns (\r), or newline characters (\n) in the domain and path options when constructing the Set-Cookie header. Because cookie attributes are delimited by semicolons, this could allow injection of additional cookie attributes if untrusted input was passed into these fields. This issue has been patched in version 4.12.4.
Source : NVD
## 5.4
Score
Published March 4, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-22030 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-22030 [MEDIUM] CVE-2026-22030 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22030 :
JavaScript vulnerability analysis and mitigation
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode ( ) or Data Mode (createBrowserRouter/ ) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
Source : NVD
## 6.5
Score
Published January 10, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
React Router
Has Public Exploit No
Has CISA K
Wiz
CVE-2026-31898 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-31898 [HIGH] CVE-2026-31898 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31898 :
JavaScript vulnerability analysis and mitigation
createAnnotation
createAnnotation
color
Source : NVD
## 6.5
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 8.1
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
jspdf
opensearch-dashboards-2
Sources
NVD
Chainguard Has Fix Added at: Mar 20, 2026
npm Severity HIGH Has Fix Added at: Mar 17, 2026
Wolfi Has Fix Added at: Mar 20, 2026
Wiz
CVE-2026-30228 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-30228 [MEDIUM] CVE-2026-30228 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30228 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.5 and 9.5.0-alpha.3, the readOnlyMasterKey can be used to create and delete files via the Files API (POST /files/:filename, DELETE /files/:filename). This bypasses the read-only restriction which violates the access scope of the readOnlyMasterKey. Any Parse Server deployment that uses readOnlyMasterKey and exposes the Files API is affected. An attacker with access to the readOnlyMasterKey can upload arbitrary files or delete existing files. This issue has been patched in versions 8.6.5 and 9.5.0-alpha.3.
Source : NVD
## 6.9
Score
Published March 6, 2026
Severity MEDIUM
CNA Score 6.9
Affe
Wiz
CVE-2026-33429 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-33429 [MEDIUM] CVE-2026-33429 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33429 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.54 and 9.6.0-alpha.43, an attacker can subscribe to LiveQuery with a watch parameter targeting a protected field. Although the protected field value is properly stripped from event payloads, the presence or absence of update events reveals whether the protected field changed, creating a binary oracle. For boolean protected fields, the timing of change events is equivalent to knowing the field value. This issue has been patched in versions 8.6.54 and 9.6.0-alpha.43.
Source : NVD
## 6.3
Score
Published March 24, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
JavaScript
Has Publ
Wiz
CVE-2026-24043 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-24043 [MEDIUM] CVE-2026-24043 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24043 :
JavaScript vulnerability analysis and mitigation
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in [email protected] .
Source : NVD
## 6.9
Score
Published February 2, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation
Wiz
CVE-2026-27901 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-27901 [MEDIUM] CVE-2026-27901 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27901 :
JavaScript vulnerability analysis and mitigation
bind:innerText
bind:textContent
contenteditable
Source : NVD
## 5.3
Score
Published February 26, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pgadmin4-debugsource
pgadmin4-qt
Sources
NVD
Chainguard Has Fix Added at: Apr 05, 2026
npm Severity MEDIUM Has Fix Added at: Mar 02, 2026
Wolfi Has Fix Added at: Apr 05, 2026
Wiz
CVE-2026-24047 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-24047 [MEDIUM] CVE-2026-24047 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24047 :
JavaScript vulnerability analysis and mitigation
resolveSafeChildPath
@backstage/backend-plugin-api
link1 → link2 → /outside
@backstage/backend-plugin-api
Source : NVD
## 6.3
Score
Published January 21, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.1
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@backstage/cli-common
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 22, 2026
Wiz
CVE-2025-68113 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-68113 [MEDIUM] CVE-2025-68113 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68113 :
JavaScript vulnerability analysis and mitigation
salt
?expires=&
Source : NVD
## 6.5
Score
Published December 16, 2025
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
Java
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Exploitation Probability (EPSS) N/A
Affected packages and libraries
github.com/altcha-org/altcha-lib-go
altcha
Sources
NVD
Chainguard Has Fix Added at: Dec 21, 2025
Composer Severity MEDIUM Has Fix Added at: Dec 16, 2025
GoLang Severity MEDIUM Has Fix Added at: Dec 16, 2025
Maven Severity MEDIUM Has Fix Added at: Dec 16, 2025
RubyGems Severity MEDIUM Has Fix Added at: Dec 16, 2025
npm Severity MEDIUM Has Fix Added at:
Wiz
CVE-2026-26832 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-26832 [CRITICAL] CVE-2026-26832 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26832 :
JavaScript vulnerability analysis and mitigation
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization
Source : NVD
## 9.8
Score
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 50.7
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
node-tesseract-ocr
Sources
NVD
npm Severity CRITICAL
Wiz
GHSA-wvr4-3wq4-gpc5 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-wvr4-3wq4-gpc5 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-wvr4-3wq4-gpc5 :
JavaScript vulnerability analysis and mitigation
## Summary
When AUTH_TOKEN and ACCESS_TOKEN environment variables are not set (which is the default out-of-the-box configuration) the /bridge HTTP endpoint is completely unauthenticated. Any network-accessible caller can POST a request with an attacker-controlled serverPath and args payload, causing the server to spawn an arbitrary OS process as the user running mcp-bridge. This results in full remote code execution on the host without any credentials.
## Details
Root cause 1 - Authentication not enforced when token is absent
src/config/config.ts line 161 sets authToken to an empty string when neither environment variable is configured:
authToken: process.env.AUTH_TOKEN || process.env.ACCESS_TOKEN || '',
Th
Wiz
CVE-2026-27902 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-27902 [MEDIUM] CVE-2026-27902 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27902 :
JavaScript vulnerability analysis and mitigation
transformError
transformError
Source : NVD
## 5.3
Score
Published February 26, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Linux Fedora
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pgadmin4-langpack-es
pgadmin4-langpack-it
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-24046 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-24046 [HIGH] CVE-2026-24046 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24046 :
JavaScript vulnerability analysis and mitigation
debug:log
/etc/passwd
fs:delete
@backstage/backend-defaults
@backstage/plugin-scaffolder-backend
@backstage/plugin-scaffolder-node
Source : NVD
## 7.1
Score
Published January 21, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@backstage/backend-defaults
@backstage/plugin-scaffolder-backend
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 22, 2026
Wiz
CVE-2026-33498 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-33498 [HIGH] CVE-2026-33498 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33498 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.55 and 9.6.0-alpha.44, an attacker can send an unauthenticated HTTP request with a deeply nested query containing logical operators to permanently hang the Parse Server process. The server becomes completely unresponsive and must be manually restarted. This is a bypass of the fix for CVE-2026-32944. This issue has been patched in versions 8.6.55 and 9.6.0-alpha.44.
Source : NVD
## 8.7
Score
Published March 24, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation P
Wiz
CVE-2026-33943 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-33943 [HIGH] CVE-2026-33943 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33943 :
JavaScript vulnerability analysis and mitigation
ECMAScriptModuleCompiler
export { }
Source : NVD
## 8.8
Score
Published March 27, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
happy-dom
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-33490 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.7
CVE-2026-33490 [LOW] CVE-2026-33490 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33490 :
JavaScript vulnerability analysis and mitigation
mount()
startsWith()
/
/admin
/admin-public
/administrator
/adminstuff
Source : NVD
## 5.3
Score
Published March 26, 2026
Severity MEDIUM
CNA Score 3.7
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
h3
Sources
NVD
npm Severity LOW Has Fix Added at: Mar 21, 2026
Homebrew Severity MEDIUM No Fix Added at: Apr 05, 2026
Nix Severity MEDIUM No Fix Added at: Apr 05, 2026
Wiz
CVE-2026-33151 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-33151 [HIGH] CVE-2026-33151 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33151 :
JavaScript vulnerability analysis and mitigation
Socket.IO is an open source, real-time, bidirectional, event-based, communication framework. Prior to versions 3.3.5, 3.4.4, and 4.2.6, a specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory. This issue has been patched in versions 3.3.5, 3.4.4, and 4.2.6.
Source : NVD
## 8.7
Score
Published March 20, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Chainguard
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27.7
Exploitation Probability (EPSS) 0.1
Affected packages and librar
Wiz
CVE-2026-32742 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-32742 [MEDIUM] CVE-2026-32742 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32742 :
JavaScript vulnerability analysis and mitigation
sessionToken
expiresAt
createdWith
POST /classes/_Session
beforeSave
_Session
sessionToken
expiresAt
createdWith
Source : NVD
## 4.3
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 4.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
parse-server
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 18, 2026
Wiz
CVE-2026-34749 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-34749 [MEDIUM] CVE-2026-34749 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34749 :
JavaScript vulnerability analysis and mitigation
Payload is a free and open source headless content management system. Prior to version 3.79.1, a Cross-Site Request Forgery (CSRF) vulnerability exists in the authentication flow. Under certain conditions, the configured CSRF protection could be bypassed, allowing cross-site requests to be made. This issue has been patched in version 3.79.1.
Source : NVD
## 5.4
Score
Published April 1, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
payload
Sources
NVD
npm Severity MEDIUM Ha
Wiz
CVE-2026-33896 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.4
CVE-2026-33896 [HIGH] CVE-2026-33896 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33896 :
JavaScript vulnerability analysis and mitigation
node-forge
pki.verifyCertificateChain()
basicConstraints
keyUsage
Source : NVD
## 7.4
Score
Published March 27, 2026
Severity HIGH
CNA Score 7.4
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
kibana-8.17
kibana-9.0
Sources
NVD
Chainguard Has Fix Added at: Apr 02, 2026
npm Severity HIGH Has Fix Added at: Mar 29, 2026
MinimOS Severity HIGH Has Fix Added at: Apr 05, 2026
Red Hat 8, 9, 10 Severity HIGH No Fix Added at: Mar 29, 2026
Wolfi Has Fix Added at: Apr 02, 2026
Wiz
CVE-2026-22813 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
CVE-2026-22813 [CRITICAL] CVE-2026-22813 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22813 :
JavaScript vulnerability analysis and mitigation
OpenCode is an open source AI coding agent. The markdown renderer used for LLM responses will insert arbitrary HTML into the DOM. There is no sanitization with DOMPurify or even a CSP on the web interface to prevent JavaScript execution via HTML injection. This means controlling the LLM response for a chat session gets JavaScript execution on the http://localhost:4096 origin. This vulnerability is fixed in 1.1.10.
Source : NVD
## 9.4
Score
Published January 12, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
JavaScript
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.7
Exploitation Probability
Wiz
CVE-2026-1525 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-1525 [MEDIUM] CVE-2026-1525 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1525 :
JavaScript vulnerability analysis and mitigation
Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.
Who is impacted:
Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
Applications that accept user-controlled header names without case-normalization
Potential consequences:
Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate heade
Wiz
CVE-2026-31828 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.0
CVE-2026-31828 [MEDIUM] CVE-2026-31828 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31828 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnera
Wiz
CVE-2026-26861 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-26861 [HIGH] CVE-2026-26861 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26861 :
JavaScript vulnerability analysis and mitigation
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain
Source : NVD
## 8.3
Score
Published February 27, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
clevertap-web-sdk
Sources
NVD
npm Severity HIGH H
Wiz
CVE-2026-29087 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-29087 [HIGH] CVE-2026-29087 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29087 :
JavaScript vulnerability analysis and mitigation
@hono/node-server allows running the Hono application on Node.js. Prior to version 1.19.10, when using @hono/node-server's static file serving together with route-based middleware protections (e.g. protecting /admin/*), inconsistent URL decoding can allow protected static resources to be accessed without authorization. In particular, paths containing encoded slashes (%2F) may be evaluated differently by routing/middleware matching versus static file path resolution, enabling a bypass where middleware does not run but the static file is still served. This issue has been patched in version 1.19.10.
Source : NVD
## 7.5
Score
Published March 6, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Wol
Wiz
GHSA-7fqq-q52p-2jjg Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-7fqq-q52p-2jjg Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-7fqq-q52p-2jjg :
JavaScript vulnerability analysis and mitigation
## Summary
CWE-125: Out-of-bounds Read
## Details
matchedLength incorrect derived length -> incorrect pointer advance -> remaining-length desynchronization -> out-of-bounds read
MaxMatchSegmentation::Segment
Conversion::Convert(const char*)
All versions before 1.2.0
Patched version: 1.2.0
## PoC
Build a vulnerable version with AddressSanitizer enabled and process input ending with a truncated UTF-8 sequence, such as a missing final byte of a 3-byte character. The original report and ASan reproduction are available in Issue #997 .
## Impact
This vulnerability may cause process crashes and limited, non-deterministic information disclosure when OpenCC processes malformed or attacker-controlled UTF-8 i
Wiz
CVE-2026-32235 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-32235 [MEDIUM] CVE-2026-32235 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32235 :
JavaScript vulnerability analysis and mitigation
Backstage is an open framework for building developer portals. Prior to 0.27.1, the experimental OIDC provider in @backstage/plugin-auth-backend is vulnerable to a redirect URI allowlist bypass. Instances that have enabled experimental Dynamic Client Registration or Client ID Metadata Documents and configured allowedRedirectUriPatterns are affected. A specially crafted redirect URI can pass the allowlist validation while resolving to an attacker-controlled host. If a victim approves the resulting OAuth consent request, their authorization code is sent to the attacker, who can exchange it for a valid access token. This requires victim interaction and that one of the experimental features is explicitly enabled, which is n
Wiz
CVE-2026-30972 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-30972 [MEDIUM] CVE-2026-30972 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30972 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.10 and 8.6.23, Parse Server's rate limiting middleware is applied at the Express middleware layer, but the batch request endpoint (/batch) processes sub-requests internally by routing them directly through the Promise router, bypassing Express middleware including rate limiting. An attacker can bundle multiple requests targeting a rate-limited endpoint into a single batch request to circumvent the configured rate limit. Any Parse Server deployment that relies on the built-in rate limiting feature is affected. This vulnerability is fixed in 9.5.2-alpha.10 and 8.6.23.
Source : NVD
## 6.9
Score
Wiz
CVE-2026-4867 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-4867 [HIGH] CVE-2026-4867 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4867 :
JavaScript vulnerability analysis and mitigation
Impact:
A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b-:c or /:a-:b-:c-:d. The backtrack protection added in [email protected] only prevents ambiguity for two parameters. With three or more, the generated lookahead does not block single separator characters, so capture groups overlap and cause catastrophic backtracking.
Patches:
Upgrade to [email protected]
Custom regex patterns in route definitions (e.g., /:a-:b( -/ +)-:c( -/ +)) are not affected because they override the default capture group.
Workarounds:
All versions can be patched by providing a custom regular expression for p
Wiz
CVE-2026-25528 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.8
CVE-2026-25528 [MEDIUM] CVE-2026-25528 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25528 :
JavaScript vulnerability analysis and mitigation
LangSmith Client SDKs provide SDK's for interacting with the LangSmith platform. The LangSmith SDK's distributed tracing feature is vulnerable to Server-Side Request Forgery via malicious HTTP headers. An attacker can inject arbitrary api_url values through the baggage header, causing the SDK to exfiltrate sensitive trace data to attacker-controlled endpoints. When using distributed tracing, the SDK parses incoming HTTP headers via RunTree.from_headers() in Python or RunTree.fromHeaders() in Typescript. The baggage header can contain replica configurations including api_url and api_key fields. Prior to the fix, these attacker-controlled values were accepted without validation. When a traced operation completes, the SDK'
Wiz
CVE-2026-0775 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.0
CVE-2026-0775 [HIGH] CVE-2026-0775 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-0775 :
JavaScript vulnerability analysis and mitigation
npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25430.
Source : NVD
## 7
Score
Published January 23, 2026
Severity HIGH
CNA Score 7.0
Affected Technologies
JavaScript
npm
Has Public Exploit No
Wiz
CVE-2026-24769 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2026-24769 [HIGH] CVE-2026-24769 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24769 :
JavaScript vulnerability analysis and mitigation
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue.
Source : NVD
## 8.5
Score
Published January 28, 2026
Severity HIGH
CNA Score 8.5
Wiz
CVE-2026-22029 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.0
CVE-2026-22029 [HIGH] CVE-2026-22029 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22029 :
JavaScript vulnerability analysis and mitigation
React Router is a router for React. In @remix-run/router version prior to 1.23.2. and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode ( ) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Source : NVD
## 6.1
Score
Published January 10, 2026
Severity MEDIUM
CNA Score 8.0
Affected Technologies
Wiz
CVE-2025-68154 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2025-68154 [HIGH] CVE-2025-68154 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68154 :
JavaScript vulnerability analysis and mitigation
fsSize()
drive
fsSize()
Source : NVD
## 8.1
Score
Published December 16, 2025
Severity HIGH
CNA Score 8.1
Affected Technologies
JavaScript
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kibana-8.19
kibana-9.0
Sources
NVD
Chainguard Has Fix Added at: Feb 24, 2026
npm Severity HIGH Has Fix Added at: Dec 17, 2025
MinimOS Severity HIGH Has Fix Added at: Dec 22, 2025
Wiz
CVE-2026-5323 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-5323 [MEDIUM] CVE-2026-5323 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5323: JavaScript vulnerability analysis and mitigation
A vulnerability was found in priyankark a11y-mcp up to 1.0.5. This vulnerability affects the function A11yServer of the file src/index.js. The manipulation results in server-side request forgery. The attack must be initiated from a local position. The exploit has been made public and could be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. Upgrading to version 1.0.6 is able to resolve this issue. The patch is identified as e3e11c9e8482bd06b82fd9fced67be4856f0dffc. It is recommended to upgrade the affected component. The vendor acknowledged the issue but provides additional context for the CVSS rating:
Wiz
CVE-2025-69211 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2025-69211 [MEDIUM] CVE-2025-69211 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69211: JavaScript vulnerability analysis and mitigation
Referenced identifiers: `@nestjs/platform-fastify`, `NestMiddleware`, `MiddlewareConsumer`, `app.use()`, `.forRoutes('admin')`
Source : NVD
Score 6.9
Published December 29, 2025
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nest
@nestjs/platform-fastify
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Dec 31, 2025
Homebrew Severity HIGH Has Fix Added at: Feb 24, 2026
Nix Severity HIGH Has Fix Added at: Feb 24, 2026
Wiz
CVE-2026-32062 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-32062 [HIGH] CVE-2026-32062 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32062: JavaScript vulnerability analysis and mitigation
OpenClaw versions 2026.2.21-2 prior to 2026.2.22 and @openclaw/voice-call versions 2026.2.21 prior to 2026.2.22 accept media-stream WebSocket upgrades before stream validation, allowing unauthenticated clients to establish connections. Remote attackers can hold idle pre-authenticated sockets open to consume connection resources and degrade service availability for legitimate streams.
Source : NVD
Score 8.7
Published March 11, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 31.7
Exploitation Probability (EPSS)
Wiz
CVE-2026-23744 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-23744 [CRITICAL] CVE-2026-23744 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23744: JavaScript vulnerability analysis and mitigation
MCPJam inspector is the local-first development platform for MCP servers. Versions 1.4.2 and earlier contain a remote code execution (RCE) vulnerability: an attacker can send a crafted HTTP request that triggers the installation of an MCP server, leading to RCE. Since MCPJam inspector by default listens on 0.0.0.0 instead of 127.0.0.1, an attacker can trigger the RCE remotely via a simple HTTP request. Version 1.4.3 contains a patch.
Source : NVD
Score 9.8
Published January 16, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS)
Wiz
CVE-2026-30850 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-30850 [MEDIUM] CVE-2026-30850 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30850: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.9 and 9.5.0-alpha.9, the file metadata endpoint (GET /files/:appId/metadata/:filename) does not enforce beforeFind / afterFind file triggers. When these triggers are used as access-control gates, the metadata endpoint bypasses them entirely, allowing unauthorized access to file metadata. This issue has been patched in versions 8.6.9 and 9.5.0-alpha.9.
Source : NVD
Score 6.3
Published March 7, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-27567 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-27567 [MEDIUM] CVE-2026-27567 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27567: JavaScript vulnerability analysis and mitigation
Referenced identifiers: `upload`, `create`, `disableExternalFile`
Source : NVD
Score 4.8
Published February 24, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
payload
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 25, 2026
Wiz
GHSA-24v3-254g-jv85 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-24v3-254g-jv85 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-24v3-254g-jv85: JavaScript vulnerability analysis and mitigation
## Impact
Users importing contacts from untrusted sources.
Specifically crafted contact data can lead to DOM modifications of the link button next to the field, e.g. the link address can be overridden. CSS can be manipulated to give the button an arbitrary look and change its size so that any click on the screen would lead to the specified URL. Modifying event listeners does not seem to be possible, so no JS can be executed (which would also be prevented by CSP).
## Technical details
][href=https://ddg.gg][style=position:fixed;width:150vw;height:200vh
## Patches
https://github.com/tutao/tutanota/commit/e28345f5f78f628f9d5c04e785f79543f01dca8b
## Workarounds
Do not open contact viewer on unpatched
Wiz
GHSA-h3hw-29fv-2x75 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
## GHSA-h3hw-29fv-2x75: JavaScript vulnerability analysis and mitigation
## Summary
Referenced identifier: `useGraphQLModules`
## Details
Referenced identifiers: `useGraphQLModules(application)`, `graphql-modules`, `2.4.1`, `3.1.1`, `async_hooks`
## PoC
`package.json` (install dependencies with `npm i`):

```json
{
  "name": "poc",
  "scripts": {
    "compile": "tsc",
    "start": "npm run compile && node ./dist/src/index.js",
    "test": "npm run compile && node ./dist/test/bleedtest.js"
  },
  "dependencies": {
    "@envelop/graphql-modules": "^9.0.0",
    "graphql-yoga": "^5.0.0",
    "graphql": "^16.10.0",
    "graphql-modules": "3.1.1",
    "reflect-metadata": "0.2.1",
    "axios": "^1.8.4"
  },
  "devDependencies": {
    "@types/node": "^22.14.1",
    "typescript": "^5.8.3"
  }
}
```

`src/index.ts`:

```ts
import { module } from "./module.js";
import { useGraphQLModules } from '@envelop/graphql-modules'
import { creat
```
Wiz
CVE-2026-31873 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-31873 [MEDIUM] CVE-2026-31873 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31873: JavaScript vulnerability analysis and mitigation
Unhead is a document head and template manager. Prior to 2.1.11, the link.href check in makeTagSafe (safe.ts) uses String.includes(), which is case-sensitive. Browsers treat URI schemes case-insensitively: DATA:text/css,... is the same as data:text/css,... to the browser, but 'DATA:...'.includes('data:') returns false. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks. This vulnerability is fixed in 2.1.11.
Source : NVD
Score 6.1
Published March 12, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-26318 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-26318 [HIGH] CVE-2026-26318 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26318: JavaScript vulnerability analysis and mitigation
Referenced identifiers: `locate`, `versions()`
Source : NVD
Score 8.8
Published February 19, 2026
Severity HIGH
CNA Score 8.8
Affected Technologies
JavaScript
Chainguard
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 7.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
kibana-8.19
kibana-9.0
Sources
NVD
Chainguard Has Fix Added at: Feb 20, 2026
npm Severity HIGH Has Fix Added at: Feb 19, 2026
Wiz
CVE-2025-69203 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2025-69203 [MEDIUM] CVE-2025-69203 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69203: JavaScript vulnerability analysis and mitigation
Referenced identifiers: `clientId`, `description`, `permissions`, `admin`, `X-Forwarded-For`
Source : NVD
Score 8.8
Published January 1, 2026
Severity HIGH
CNA Score 6.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
signalk-server
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 02, 2026
Wiz
CVE-2026-32730 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-32730 [HIGH] CVE-2026-32730 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32730: JavaScript vulnerability analysis and mitigation
Referenced identifiers: `@apostrophecms/express/index.js`, `@apostrophecms/login-totp`, `afterPasswordVerified`
Source : NVD
Score 8.1
Published March 18, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
apostrophe
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 19, 2026
Wiz
CVE-2026-30959 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-30959 [MEDIUM] CVE-2026-30959 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30959: JavaScript vulnerability analysis and mitigation
OneUptime is a solution for monitoring and managing online services. The resend-verification-code endpoint allows any authenticated user to trigger a verification code resend for any UserWhatsApp record by ID. Ownership is not validated (unlike the verify endpoint). This affects the UserWhatsAppAPI.ts endpoint and the UserWhatsAppService.ts service.
Source : NVD
Score 5.3
Published March 10, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@oneuptime/common
Sources
NVD
Wiz
CVE-2026-31841 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-31841 [MEDIUM] CVE-2026-31841 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31841: JavaScript vulnerability analysis and mitigation
Hyperterse is a tool-first MCP framework for building AI-ready backend surfaces from declarative config. Prior to v2.2.0, the search tool allows LLMs to search for tools using natural language. While returning results, Hyperterse also returned the raw SQL queries, exposing statements which were supposed to be executed under the hood, and protected from being displayed publicly. This issue has been fixed as of v2.2.0.
Source : NVD
Score 6.5
Published March 12, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.4
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-24056 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.7
CVE-2026-24056 [MEDIUM] CVE-2026-24056 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24056: JavaScript vulnerability analysis and mitigation
Referenced identifiers: `file:`, `git:`, `/etc/passwd`, `~/.ssh/id_rsa`, `node_modules`, `~/.aws/credentials`, `~/.npmrc`
Source : NVD
Score 6.7
Published January 26, 2026
Severity MEDIUM
CNA Score 6.7
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pnpm
Sources
NVD
Alpine 3.21, 3.22, 3.23, edge Severity MEDIUM No Fix Added at: Jan 29, 2026
Chainguard Has Fix Added at: Jan 27, 2026
npm Severity MEDIUM Has Fix Added at: Jan 27, 2026
Homebrew Severity MEDIUM Has Fix Added at: Jan 29, 2026
Wiz
CVE-2026-22774 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-22774 [HIGH] CVE-2026-22774 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22774: JavaScript vulnerability analysis and mitigation
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.3.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the typed array hydration expecting an ArrayBuffer as input, but not checking the assumption before creating the typed array. This vulnerability is fixed in 5.6.2.
Source : NVD
Score 7.5
Published January 15, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Linux Fedora
Wiz
CVE-2025-13158 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2025-13158 [CRITICAL] CVE-2025-13158 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13158: JavaScript vulnerability analysis and mitigation
Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules.
Source : NVD
Score 9.3
Published December 26, 2025
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-27612 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2026-27612 [MEDIUM] CVE-2026-27612 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27612: JavaScript vulnerability analysis and mitigation
Referenced identifiers: `RepoCard`, `dangerouslySetInnerHTML`, `repo`
Source : NVD
Score 6.1
Published February 25, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
repostat
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-4926 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-4926 [MEDIUM] CVE-2026-4926 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-4926: JavaScript vulnerability analysis and mitigation
Impact:
`{a}{b}{c}:z`
Patches:
Fixed in version 8.4.0.
Workarounds:
Limit the number of sequential optional groups in route patterns. Avoid passing user-controlled input as route patterns.
Source : NVD
Score 7.5
Published March 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
mozjs60
pcs
Sources
NVD
Chainguard Has Fix Added at: Mar 31, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 29, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-33993 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-33993 [MEDIUM] CVE-2026-33993 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33993: JavaScript vulnerability analysis and mitigation
Referenced identifiers: `unserialize()`, `locutus/php/var/unserialize`, `__proto__`, `parse_str`, `unserialize`
Source : NVD
Score 6.9
Published March 27, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 25.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
locutus
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 29, 2026
Wiz
CVE-2026-29112 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-29112 [HIGH] CVE-2026-29112 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29112: JavaScript vulnerability analysis and mitigation
Referenced identifiers: `ensureSize()`, `@dicebear/converter`, `width`, `height`, `width="999999999"`, `toPng()`, `toJpeg()`, `toWebp()`, `toAvif()`, `size`
Source : NVD
Score 7.5
Published March 18, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Homebrew
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@dicebear/converter
dicebear
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 17, 2026
Homebrew Severity HIGH Has Fix Added at: Mar 20, 2026
Wiz
GHSA-vx5f-vmr6-32wf Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
## GHSA-vx5f-vmr6-32wf: JavaScript vulnerability analysis and mitigation
## There is a potential issue with the cap-go/capacitor-native-biometric library.
## Summary
Referenced identifiers: `onAuthenticationSucceeded()`, `CryptoObject`

```java
@Override
public void onAuthenticationSucceeded(
    @NonNull BiometricPrompt.AuthenticationResult result
) {
    super.onAuthenticationSucceeded(result);
    // The CryptoObject carried by `result` is never inspected here;
    // success is reported to the caller unconditionally.
    finishActivity("success");
}
```
## PoC Video:
https://github.com/user-attachments/assets/b7b5a2bc-21dc-4373-b371-84b002dae7a7
## Environment:
cap-go/capacitor-native-biometric library
Project created with `npx create-react-app` (app name `capgo-poc`):

```sh
npx create-react-app capgo-poc --template typescript
```

Yarn Alternative:

```sh
npm install --global yarn
yarn create react-app capgo-poc --template
```
Wiz
CVE-2026-3089 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-3089 [MEDIUM] CVE-2026-3089 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3089: JavaScript vulnerability analysis and mitigation
Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions prior to 26.3.0, improper validation of the user-controlled x-actual-file-id header means that traversal segments (../) can escape the intended directory and write files outside userFiles. This issue affects versions of Actual Sync Server prior to 26.3.0.
Source : NVD
Score 5.3
Published March 9, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@actual-app/sync-server
Wiz
CVE-2026-22036 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-22036 [MEDIUM] CVE-2026-22036 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22036: JavaScript vulnerability analysis and mitigation
Undici is an HTTP/1.1 client for Node.js. Prior to 7.18.0 and 6.23.0, the number of links in the decompression chain is unbounded, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation. This vulnerability is fixed in 7.18.0 and 6.23.0.
Source : NVD
Score 7.5
Published January 14, 2026
Severity HIGH
CNA Score 5.9
Affected Technologies
JavaScript
Node.js
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
npm20
npm22
Sources
NVD
Chainguard Has Fix
Wiz
CVE-2026-29784 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-29784 [HIGH] CVE-2026-29784 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29784: JavaScript vulnerability analysis and mitigation
Ghost is a Node.js content management system. From version 5.101.6 to 6.19.2, incomplete CSRF protections around /session/verify made it possible to use OTCs in login sessions different from the requesting session. In some scenarios this might have made it easier for phishers to take over a Ghost site. This issue has been patched in version 6.19.3.
Source : NVD
Score 8.8
Published March 7, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ghost
Sources
NVD
Wiz
CVE-2026-28399 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.2
CVE-2026-28399 [MEDIUM] CVE-2026-28399 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28399: JavaScript vulnerability analysis and mitigation
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Creator role can inject arbitrary SQL via the DATEADD formula's unit parameter. This issue has been patched in version 0.301.3.
Source : NVD
Score 6.2
Published March 2, 2026
Severity MEDIUM
CNA Score 6.2
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
nocodb
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 04, 2026
Wiz
GHSA-8qm3-746x-r74r Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-8qm3-746x-r74r Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-8qm3-746x-r74r: JavaScript vulnerability analysis and mitigation
Referenced identifiers: `uneval`, `eval`
Source : NVD
Score 2.1
Published February 19, 2026
Severity LOW
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
devalue
Sources
NVD
npm Severity LOW Has Fix Added at: Feb 20, 2026
Wiz
CVE-2026-25142 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-25142 [CRITICAL] CVE-2026-25142 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25142: JavaScript vulnerability analysis and mitigation
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SandboxJS does not properly restrict lookupGetter, which can be used to obtain prototypes and in turn to escape the sandbox and achieve remote code execution. This vulnerability is fixed in 0.8.27.
Source : NVD
Score 10
Published February 2, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 43.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
@nyariv/sandboxjs
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Feb 03, 2026
Wiz
CVE-2026-33285 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-33285 [HIGH] CVE-2026-33285 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33285: JavaScript vulnerability analysis and mitigation
Referenced identifiers: `memoryLimit`, `(100000000..1)`, `replace`
Source : NVD
Score 7.5
Published March 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
liquidjs
Sources
NVD
npm Severity HIGH No Fix Added at: Mar 26, 2026
Wiz
CVE-2026-2366 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.1
CVE-2026-2366 [LOW] CVE-2026-2366 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2366: JavaScript vulnerability analysis and mitigation
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.
Source : NVD
Score 3.1
Published March 12, 2026
Severity LOW
CNA Score 3.1
Affected Technologies
JavaScript
Java
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
org.keycloak:keycloa
Wiz
CVE-2025-69874 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-69874 [CRITICAL] CVE-2025-69874 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69874: JavaScript vulnerability analysis and mitigation
nanotar through 0.2.0 has a path traversal vulnerability in parseTar() and parseTarGzip() that allows remote attackers to write arbitrary files outside the intended extraction directory via a crafted tar archive containing path traversal sequences.
Source : NVD
Score 9.8
Published February 11, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
nanotar
Sources
NVD
npm Severity MEDIUM No Fix Added at: Feb 12, 2026
Wiz
CVE-2025-69256 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2025-69256 [HIGH] CVE-2025-69256 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69256: JavaScript vulnerability analysis and mitigation
Referenced identifiers: `child_process.exec`, and the shell metacharacters `|`, `>`, `&&`
Source : NVD
Score 7.5
Published December 30, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
serverless
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 01, 2026
Homebrew Severity HIGH Has Fix Added at: Mar 24, 2026
Nix Severity HIGH Has Fix Added at: Mar 24, 2026
Wiz
CVE-2026-29186 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-29186 [HIGH] CVE-2026-29186 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29186: JavaScript vulnerability analysis and mitigation
Backstage is an open framework for building developer portals. Prior to version 1.14.3, a configuration bypass vulnerability enables arbitrary code execution. The @backstage/plugin-techdocs-node package uses an allowlist to filter dangerous MkDocs configuration keys during the documentation build process. A gap in this allowlist allows attackers to craft an mkdocs.yml that causes arbitrary Python code execution, completely bypassing TechDocs' security controls. This issue has been patched in version 1.14.3.
Source : NVD
Score 9.8
Published March 7, 2026
Severity CRITICAL
CNA Score 7.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
## CVE-2026-29772 [MEDIUM] (CVSS 5.9): JavaScript vulnerability analysis and mitigation | Wiz
Astro is a web framework. Prior to version 10.0.0, Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all Astro SSR apps regardless of whether any component uses server:defer, and the body is parsed before the island name is validated, so any Astro SSR app with the Node standalone adapter is affected. This issue has been patched i
## GHSA-xq7h-vwjp-5vrh [MEDIUM] (CVSS 4.3): JavaScript vulnerability analysis and mitigation | Wiz
## Resources
CWE-306: Missing Authentication for Critical Function
packages/powerline/src/index.ts
Source : NVD
## 6.3
Score
Published March 25, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@grackle-ai/powerline
Sources
## CVE-2025-68273 [MEDIUM] (CVSS 5.3): JavaScript vulnerability analysis and mitigation | Wiz
Signal K Server is a server application that runs on a central hub in a boat. An unauthenticated information disclosure vulnerability in versions prior to 2.19.0 allows any user to retrieve sensitive system information, including the full SignalK data schema, connected serial devices, and installed analyzer tools. This exposure facilitates reconnaissance for further attacks. Version 2.19.0 patches the issue.
Source : NVD
## 5.3
Score
Published January 1, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.5
Exploitation Probability (EPSS) N/A
## CVE-2026-34211 [MEDIUM] (CVSS 6.9): JavaScript vulnerability analysis and mitigation | Wiz
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, the @nyariv/sandboxjs parser contains unbounded recursion in the restOfExp function and the lispify/lispifyExpr call chain. An attacker can crash any Node.js process that parses untrusted input by supplying deeply nested expressions (e.g., ~2000 nested parentheses), causing a RangeError: Maximum call stack size exceeded that terminates the process. This vulnerability is fixed in 0.8.36.
Source : NVD
## 6.9
Score
Published April 6, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
## CVE-2026-34784 [HIGH] (CVSS 8.2): JavaScript vulnerability analysis and mitigation | Wiz
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support streaming (e.g. the default GridFS adapter). This allows access to files that should be protected by afterFind trigger authorization logic or built-in validators such as requireUser. This issue has been patched in versions 8.6.71 and 9.7.1-alpha.1.
Source : NVD
## 8.2
Score
Published March 31, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
## CVE-2026-27739 [CRITICAL] (CVSS 9.2): JavaScript vulnerability analysis and mitigation | Wiz
Source : NVD
## 9.2
Score
Published February 25, 2026
Severity CRITICAL
CNA Score 9.2
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.4
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@angular/ssr
@nguniversal/common
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Mar 02, 2026
## CVE-2026-34751 [CRITICAL] (CVSS 9.1): JavaScript vulnerability analysis and mitigation | Wiz
Payload is a free and open source headless content management system. Prior to version 3.79.1 in @payloadcms/graphql and payload, a vulnerability in the password recovery flow could allow an unauthenticated attacker to perform actions on behalf of a user who initiates a password reset. This issue has been patched in version 3.79.1 for @payloadcms/graphql and payload.
Source : NVD
## 9.1
Score
Published April 1, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@payloadcms/grap
## GHSA-5jg4-p4qw-cgfr [MEDIUM] (CVSS 4.3): JavaScript vulnerability analysis and mitigation | Wiz
## PoC
```js
import { decode } from "@stablelib/cbor";
const depth = 12000;
const payload = new Uint8Array(depth + 1);
// Build [[[...[null]...]]]
payload.fill(0x81, 0, depth); // array(1)
payload[depth] = 0xf6; // null
decode(payload);
// RangeError: Maximum call stack size exceeded
```
## Impact
Any application that decodes attacker-controlled CBOR can be forced into a reliable denial of service with a single crafted payload.
The immediate result is an exception during decoding. In services that do not catch that exception safely, the request fails and the worker or process handling the decode may terminate.
## CVE-2025-65098 [HIGH] (CVSS 7.4): JavaScript vulnerability analysis and mitigation | Wiz
Source : NVD
## 7.4
Score
Published January 22, 2026
Severity HIGH
CNA Score 7.4
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@typebot.io/js
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 23, 2026
## CVE-2026-24737 [HIGH] (CVSS 8.1): JavaScript vulnerability analysis and mitigation | Wiz
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jspdf@4.1.0.
Source : NVD
## 8.1
Score
Published February 2, 2026
Severity HIGH
## CVE-2026-22787 [HIGH] (CVSS 8.7): JavaScript vulnerability analysis and mitigation | Wiz
html2pdf.js converts any webpage or element into a printable PDF entirely client-side. Prior to 0.14.0, html2pdf.js contains a cross-site scripting (XSS) vulnerability when given a text source rather than an element. This text is not sufficiently sanitized before being attached to the DOM, allowing malicious scripts to be run on the client browser and risking the confidentiality, integrity, and availability of the page's data. This vulnerability has been fixed in html2pdf.js@0.14.0.
Source : NVD
## 8.7
Score
Published January 14, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-24778 [HIGH] (CVSS 8.8): JavaScript vulnerability analysis and mitigation | Wiz
Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim's permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 lo
## CVE-2026-26996 [HIGH] (CVSS 8.7): JavaScript vulnerability analysis and mitigation | Wiz
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate / *? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vu
## CVE-2026-34825 [HIGH] (CVSS 8.5): JavaScript vulnerability analysis and mitigation | Wiz
NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.30, NocoBase plugin-workflow-sql substitutes template variables directly into raw SQL strings via getParsedValue() without parameterization or escaping. Any user who triggers a workflow containing a SQL node with template variables from user-controlled data can inject arbitrary SQL. This issue has been patched in version 2.0.30.
Source : NVD
## 8.5
Score
Published April 2, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1
## CVE-2025-25341 [HIGH] (CVSS 7.5): JavaScript vulnerability analysis and mitigation | Wiz
A vulnerability exists in the libxmljs 1.0.11 when parsing a specially crafted XML document. Accessing the internal _ref property on entity_ref and entity_decl nodes causes a segmentation fault, potentially leading to a denial-of-service (DoS).
Source : NVD
## 7.5
Score
Published December 26, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
libxmljs
Sources
NVD
npm Severity HIGH No Fix Added at: Dec 28, 2025
## CVE-2026-35200 [LOW] (CVSS 2.1): JavaScript vulnerability analysis and mitigation | Wiz
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.
Source : NVD
## 2.1
## CVE-2026-28396 [MEDIUM] (CVSS 4.9): JavaScript vulnerability analysis and mitigation | Wiz
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has been patched in version 0.301.3.
Source : NVD
## 4.9
Score
Published March 2, 2026
Severity MEDIUM
CNA Score 4.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nocodb
Sources
NVD
npm Severity MEDIUM Has Fix Added at:
## CVE-2026-1513 [MEDIUM] (CVSS 6.1): JavaScript vulnerability analysis and mitigation | Wiz
billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding.
Source : NVD
## 6.1
Score
Published January 28, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
billboard.js
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 29, 2026
## CVE-2026-27013 [HIGH] (CVSS 7.6): JavaScript vulnerability analysis and mitigation | Wiz
Source : NVD
## 6.1
Score
Published February 19, 2026
Severity MEDIUM
CNA Score 7.6
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fabric
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 19, 2026
## CVE-2026-34209 [HIGH] (CVSS 7.5): JavaScript vulnerability analysis and mitigation | Wiz
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled amount, which would be accepted without committing any new funds, effectively closing or griefing the channel for free. This issue has been patched in version 0.4.11.
Source : NVD
## 7.5
Score
Published March 31, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
## CVE-2026-30946 [HIGH] (CVSS 8.7): JavaScript vulnerability analysis and mitigation | Wiz
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.2 and 8.6.15, an unauthenticated attacker can exhaust Parse Server resources (CPU, memory, database connections) through crafted queries that exploit the lack of complexity limits in the REST and GraphQL APIs. All Parse Server deployments using the REST or GraphQL API are affected. This vulnerability is fixed in 9.5.2-alpha.2 and 8.6.15.
Source : NVD
## 8.7
Score
Published March 10, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.3
## CVE-2026-27022 [MEDIUM] (CVSS 6.5): JavaScript vulnerability analysis and mitigation | Wiz
@langchain/langgraph-checkpoint-redis is the Redis checkpoint and store implementation for LangGraph. A query injection vulnerability exists in the @langchain/langgraph-checkpoint-redis package's filter handling. The RedisSaver and ShallowRedisSaver classes construct RediSearch queries by directly interpolating user-provided filter keys and values without proper escaping. RediSearch has special syntax characters that can modify query behavior, and when user-controlled data contains these characters, the query logic can be manipulated to bypass intended access controls. This vulnerability is fixed in 1.0.2.
Source : NVD
## 6.5
Score
Published February 20, 2026
Severity MEDIUM
CNA Score 6.5
## CVE-2026-3635 [HIGH] (CVSS 7.1): JavaScript vulnerability analysis and mitigation | Wiz
## Summary
When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection, including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.
## Affected Versions
fastify <= 5.8.2
## Impact
Applications using request.protocol or request.host for security decisions (HTTPS enforcement, secure cookie flags, CSRF origin checks, URL construction, host-based routing) are affected when trustProxy is configured w
## CVE-2026-33539 [HIGH] (CVSS 8.6): JavaScript vulnerability analysis and mitigation | Wiz
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.59 and 9.6.0-alpha.53, an attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected. This issue has been patched in versions 8.6.59 and 9.6.0-alpha.53.
Source : NVD
## 8.6
Score
Published March 24, 2026
Severity HIGH
## CVE-2026-35038 [MEDIUM] (CVSS 5.3): JavaScript vulnerability analysis and mitigation | Wiz
Source : NVD
## 5.3
Score
Published April 2, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
signalk-server
Sources
NVD
npm Severity LOW Has Fix Added at: Apr 05, 2026
## CVE-2026-30965 [CRITICAL] (CVSS 9.9): JavaScript vulnerability analysis and mitigation | Wiz
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.8 and 8.6.21, a vulnerability in Parse Server's query handling allows an authenticated or unauthenticated attacker to exfiltrate session tokens of other users by exploiting the redirectClassNameForKey query parameter. Exfiltrated session tokens can be used to take over user accounts. The vulnerability requires the attacker to be able to create or update an object with a new relation field, which depends on the Class-Level Permissions of at least one class. This vulnerability is fixed in 9.5.2-alpha.8 and 8.6.21.
Source : NVD
## 9.9
Score
Published March 10, 2026
Severity CRITICAL
## CVE-2024-14020 [LOW] (CVSS 2.3): JavaScript vulnerability analysis and mitigation | Wiz
A weakness has been identified in carboneio carbone up to fbcd349077ad0e8748be73eab2a82ea92b6f8a7e. This impacts an unknown function of the file lib/input.js of the component Formatter Handler. Executing a manipulation can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. Upgrading to version 3.5.6 will fix this issue. This patch is called 04f9feb24bfca23567706392f9ad2c53bbe4134e. You should upgrade the affected component. A successful exploitation can "only occur if the parent NodeJS application has the same security issue".
Source : NVD
## 2.3
Score
## CVE-2026-30962 [HIGH] (CVSS 7.1): JavaScript vulnerability analysis and mitigation | Wiz
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.6 and 8.6.19, the validation for protected fields only checks top-level query keys. By wrapping a query constraint on a protected field inside a logical operator, the check is bypassed entirely. This allows any authenticated user to query on protected fields to extract field values. All Parse Server deployments have default protected fields and are vulnerable. This vulnerability is fixed in 9.5.2-alpha.6 and 8.6.19.
Source : NVD
## 7.1
Score
Published March 10, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
## CVE-2026-5602 [MEDIUM] (CVSS 4.3): JavaScript vulnerability analysis and mitigation | Wiz
A vulnerability was determined in Nor2-io heim-mcp up to 0.1.3. Impacted is the function registerTools of the file src/tools.ts of the component new_heim_application/deploy_heim_application/deploy_heim_application_to_cloud. This manipulation causes os command injection. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Patch name: c321d8af25f77668781e6ccb43a1336f9185df37. It is suggested to install a patch to address this issue. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Source : NVD
## 4.8
Score
Published April 5, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
JavaScript
## GHSA-72gr-qfp7-vwhw: JavaScript vulnerability analysis and mitigation | Wiz
## Details
src/event.ts:65-69
```ts
if (url.pathname.includes("%")) {
  url.pathname = decodeURI(
    url.pathname.includes("%25") ? url.pathname.replace(/%25/g, "%2525") : url.pathname,
  );
}
```
src/utils/static.ts:86-88
```ts
const originalId = resolveDotSegments(
  decodeURI(withLeadingSlash(withoutTrailingSlash(event.url.pathname))),
);
```
## CVE-2026-30920 [HIGH] (CVSS 8.6): JavaScript vulnerability analysis and mitigation | Wiz
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub App installation binding. Related GitHub endpoints also lack effective authorization, so a valid installation ID can be used to enumerate repositories and create CodeRepository records in an arbitrary project. This vulnerability is fixed in 10.0.19.
Source : NVD
## 8.6
Score
Published March 10, 2026
Severity HIGH
CNA Score 8.6
## CVE-2026-39365 [MEDIUM] (CVSS 4.3): JavaScript vulnerability analysis and mitigation | Wiz
## PoC
```sh
cat > /tmp/poc.map <<'EOF'
{"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
EOF
pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080
```
Source : NVD
## 6.3
Score
Published April 6, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
v
## CVE-2026-1245 [MEDIUM] (CVSS 6.5): JavaScript vulnerability analysis and mitigation | Wiz
A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.
Source : NVD
## 6.5
Score
Published January 20, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.8
Exploitation Probability (EPSS) 0.1
## CVE-2026-24884 [HIGH] (CVSS 8.4): JavaScript vulnerability analysis and mitigation | Wiz
Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor’s handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1.
Source : NVD
## 7.8
Score
Published February 4, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
JavaScript
CVE-2026-30957 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.9, CRITICAL)
## CVE-2026-30957: JavaScript vulnerability analysis and mitigation
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, OneUptime Synthetic Monitors allow a low-privileged authenticated project user to execute arbitrary commands on the oneuptime-probe server/container. The root cause is that untrusted Synthetic Monitor code is executed inside Node's vm while live host-realm Playwright browser and page objects are exposed to it. A malicious user can call Playwright APIs on the injected browser object and cause the probe to spawn an attacker-controlled executable. This is a server-side remote code execution issue. It does not require a separate vm sandbox escape. This vulnerability is fixed in 10.0.21.
Source : NVD
Score 9.9
Published March 10,
CVE-2026-34215 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.2, HIGH)
## CVE-2026-34215: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access tokens. An attacker who knows a user's password can extract the MFA secret to generate valid MFA codes, defeating multi-factor authentication protection. This issue has been patched in versions 8.6.63 and 9.7.0-alpha.7.
Source : NVD
Score 8.2
Published March 31, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2025-66482 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 6.9, MEDIUM)
## CVE-2025-66482: JavaScript vulnerability analysis and mitigation
`trustProxy`, `false`, `trustProxy: false`
Source : NVD
Score 6.9
Published December 16, 2025
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 22.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
misskey-js
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Dec 16, 2025
CVE-2026-34405 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 6.1, MEDIUM)
## CVE-2026-34405: JavaScript vulnerability analysis and mitigation
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image‑generation component by the URI: /_og/d/ (and, in older versions, /og-image/) contains a vulnerability that allows injection of arbitrary attributes into the HTML page body. This issue has been patched in version 6.2.5.
Source : NVD
Score 6.1
Published March 31, 2026
Severity MEDIUM
CNA Score 6.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nuxt-og-image
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Apr 0
CVE-2026-32763 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.2, HIGH)
## CVE-2026-32763: JavaScript vulnerability analysis and mitigation
`visitJSONPathLeg()`, `.key()`, `.at()`, `'$.key'`, `sanitizeIdentifier()`
Source : NVD
Score 8.2
Published March 20, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
langfuse-2
langfuse-3
Sources
NVD
Chainguard Has Fix Added at: Apr 02, 2026
npm Severity HIGH Has Fix Added at: Mar 19, 2026
Wolfi Has Fix Added at: Apr 05, 2026
GHSA-qmpg-8xg6-ph5q Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 4.3, MEDIUM)
## GHSA-qmpg-8xg6-ph5q: JavaScript vulnerability analysis and mitigation
## Impact
`data-trix-serialized-attributes`
## Patches
Update Recommendation: Users should upgrade to Trix editor version 2.1.17 or later.
## References
The XSS vulnerability was responsibly reported by HackerOne researcher newbiefromcoma.
Source : NVD
Score 4.6
Published March 12, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Ruby
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
trix
action_text-trix
Sources
NVD
RubyGems Severity MEDIUM Has Fix Added at: Mar 13, 2026
CVE-2026-25639 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.5, HIGH)
## CVE-2026-25639: JavaScript vulnerability analysis and mitigation
Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing `__proto__` as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.
Source : NVD
Score 7.5
Published February 9, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.8
CVE-2026-0824 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 5.1, MEDIUM)
## CVE-2026-0824: JavaScript vulnerability analysis and mitigation
A security flaw has been discovered in questdb ui up to 1.11.9. Impacted is an unknown function of the component Web Console. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Upgrading to version 1.1.10 is recommended to address this issue. The patch is identified as b42fd9f18476d844ae181a10a249e003dafb823d. You should upgrade the affected component. The vendor confirmed early that the fix "is going to be released as a part of QuestDB 9.3.0" as well.
Source : NVD
Score 5.1
Published January 10, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
JavaScript
Has Public Exploit Yes
CVE-2025-68150 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.3, HIGH)
## CVE-2025-68150: JavaScript vulnerability analysis and mitigation
`apiURL`, `authData`, `https://graph.instagram.com`
Source : NVD
Score 8.3
Published December 16, 2025
Severity HIGH
CNA Score 8.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
parse-server
Sources
NVD
npm Severity HIGH Has Fix Added at: Dec 17, 2025
CVE-2026-34769 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.7, HIGH)
## CVE-2026-34769: JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, an undocumented commandLineSwitches webPreference allowed arbitrary switches to be appended to the renderer process command line. Apps that construct webPreferences by spreading untrusted configuration objects may inadvertently allow an attacker to inject switches that disable renderer sandboxing or web security controls. Apps are only affected if they construct webPreferences from external or untrusted input without an allowlist. Apps that use a fixed, hardcoded webPreferences object are not affected. This issue has been patched in versions 38.8.6, 39.8.0,
CVE-2026-30941 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.7, HIGH)
## CVE-2026-30941: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.14 and 9.5.2-alpha.1, NoSQL injection vulnerability allows an unauthenticated attacker to inject MongoDB query operators via the token field in the password reset and email verification resend endpoints. The token value is passed to database queries without type validation and can be used to extract password reset and email verification tokens. Any Parse Server deployment using MongoDB with email verification or password reset enabled is affected. When emailVerifyTokenReuseIfValid is configured, the email verification token can be fully extracted and used to verify a user's email address without inbox acc
CVE-2026-35213 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.7, HIGH)
## CVE-2026-35213: JavaScript vulnerability analysis and mitigation
@hapi/content provides HTTP Content-* header parsing. All versions of @hapi/content through 6.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via crafted HTTP header values. Three regular expressions used to parse Content-Type and Content-Disposition headers contain patterns susceptible to catastrophic backtracking. This vulnerability is fixed in 6.0.1.
Source : NVD
Score 8.7
Published April 6, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 41
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
@hapi/content
CVE-2026-28343 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 6.4, MEDIUM)
## CVE-2026-28343: JavaScript vulnerability analysis and mitigation
CKEditor 5 is a modern JavaScript rich-text editor with an MVC architecture. Starting in version 29.0.0 and prior to version 47.6.0, a cross-site scripting (XSS) vulnerability has been discovered in the General HTML Support feature. This vulnerability could be triggered by inserting specially crafted markup, leading to unauthorized JavaScript code execution, if the editor instance used an unsafe General HTML Support configuration. This issue has been patched in version 47.6.0.
Source : NVD
Score 6.1
Published March 5, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2026-34771 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.5, HIGH)
## CVE-2026-34771: JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, apps that register an asynchronous session.setPermissionRequestHandler() may be vulnerable to a use-after-free when handling fullscreen, pointer-lock, or keyboard-lock permission requests. If the requesting frame navigates or the window closes while the permission handler is pending, invoking the stored callback dereferences freed memory, which may lead to a crash or memory corruption. Apps that do not set a permission request handler, or whose handler responds synchronously, are not affected. This issue has been patched in versions 38.8.6, 39.8.0, 40.7.0, a
GHSA-8x4m-qw58-3pcx Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 4.3, MEDIUM)
## GHSA-8x4m-qw58-3pcx: JavaScript vulnerability analysis and mitigation
## Impact
`tempo/charge`, `tempo/session`, `memo`, `splits`
Bypassing payment on free routes via method-mismatch fallback
`tempo/session`, `closeRequestedAt`
## Patches
Fixed in 0.4.8.
## Workarounds
There are no workarounds available for these vulnerabilities.
Source : NVD
Score 9.3
Published March 29, 2026
Severity CRITICAL
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mpp
CVE-2026-33226 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.7, HIGH)
## CVE-2026-33226: JavaScript vulnerability analysis and mitigation
Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions from 3.30.6 and prior, the REST datasource query preview endpoint (POST /api/queries/preview) makes server-side HTTP requests to any URL supplied by the user in fields.path with no validation. An authenticated admin can reach internal services that are not exposed to the internet — including cloud metadata endpoints (AWS/GCP/Azure), internal databases, Kubernetes APIs, and other pods on the internal network. On GCP this leads to OAuth2 token theft with cloud-platform scope (full GCP access). On any deployment it enables full internal network enumeration. At time of publication, there are no publicly available patches.
CVE-2026-34950 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 5.9, MEDIUM)
## CVE-2026-34950: JavaScript vulnerability analysis and mitigation
fast-jwt provides fast JSON Web Token (JWT) implementation. In 6.1.0 and earlier, the publicKeyPemMatcher regex in fast-jwt/src/crypto.js uses a ^ anchor that is defeated by any leading whitespace in the key string, re-enabling the exact same JWT algorithm confusion attack that CVE-2023-48223 patched.
Source : NVD
Score 9.1
Published April 6, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fast-jwt
Sources
NVD
npm Severity CRITICAL No Fix Added at: Apr 03, 2026
CVE-2026-35409 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.7, HIGH)
## CVE-2026-35409: JavaScript vulnerability analysis and mitigation
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.0, a Server-Side Request Forgery (SSRF) protection bypass has been identified and fixed in Directus. The IP address validation mechanism used to block requests to local and private networks could be circumvented using IPv4-Mapped IPv6 address notation. This vulnerability is fixed in 11.16.0.
Source : NVD
Score 7.7
Published April 6, 2026
Severity HIGH
CNA Score 7.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dire
GHSA-x3ff-w252-2g7j Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.5, HIGH)
## GHSA-x3ff-w252-2g7j: JavaScript vulnerability analysis and mitigation
## Ed25519 Signature Malleability via Missing S < L Check
If `S >= L` is not rejected, then `[S]B = [(S mod L)]B = [(S - L)]B`, so for any valid signature `(R, S)` the pair `(R, S + L)` also verifies.
## Vulnerable code
`packages/ed25519/ed25519.ts`, `lib/ed25519.js:779-802`:
```js
export function verify(publicKey, message, signature) {
  // ... length check, unpack public key ...
  const hs = new SHA512();
  hs.update(signature.subarray(0, 32)); // R
  hs.update(publicKey); // A
  hs.update(message); // M
  const h = hs.digest();
  reduce(h); // h is reduced mod L
  scalarmult(p, q, h); // [h](-A)
  scalarbase(q, signature.subarray(32)); // [S]B -- S NOT checked or reduced
  edadd(p, q);
  pack(t, p);
  if (verify32(signature, t)) { // compare R
    return false;
  }
  return true;
}
```
`h` is reduced mod L by `reduce()`, but `S` is passed to `scalarbase()` without any range check.
CVE-2025-70058 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.4, HIGH)
## CVE-2025-70058: JavaScript vulnerability analysis and mitigation
An issue pertaining to CWE-295: Improper Certificate Validation was discovered in YMFE yapi v1.12.0. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in the HTTPS agent configuration for Axios requests.
Source : NVD
Score 7.4
Published February 23, 2026
Severity HIGH
CNA Score 7.4
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
yapi-vendor
Sources
NVD
npm Severity HIGH No Fix Added at: Mar 02, 2026
CVE-2026-39363 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 4.3, MEDIUM)
## CVE-2026-39363: JavaScript vulnerability analysis and mitigation
## Summary
`server.fs`, `fetchModule`
## Impact
Only apps that match the following conditions are affected:
- `--host`
- `server.host`
- `server.ws: false`
## Details
`Origin`, `fetchModule`, `vite:invoke`, `file://...`, `?raw`, `?inline`, `export default "..."`, `server.fs.allow`
## PoC
```shell
pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173
curl -i 'http://localhost:5173/@fs/etc/passwd?raw'
```
`403 Restricted`
`Origin`, `vite:invoke`, `fetchModule`, `file://...`, `?raw`
Source : NVD
Score 8.2
Published April 6, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
CVE-2026-34043 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 5.9, MEDIUM)
## CVE-2026-34043: JavaScript vulnerability analysis and mitigation
Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial of Service (DoS) vulnerability caused by CPU exhaustion. When serializing a specially crafted "array-like" object (an object that inherits from Array.prototype but has a very large length property), the process enters an intensive loop that consumes 100% CPU and hangs indefinitely. This issue has been patched in version 7.0.5.
Source : NVD
Score 7.5
Published March 31, 2026
Severity HIGH
CNA Score 5.9
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2025-9611 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 7.2, HIGH)
## CVE-2025-9611: JavaScript vulnerability analysis and mitigation
Microsoft Playwright MCP Server versions prior to 0.0.40 fail to validate the Origin header on incoming connections. This allows an attacker to perform a DNS rebinding attack via a victim’s web browser and send unauthorized requests to a locally running MCP server, resulting in unintended invocation of MCP tool endpoints.
Source : NVD
Score 7.2
Published January 7, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 49.4
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
@playwright/mcp
Sources
NVD
npm Severity HIGH Has Fix Added
CVE-2026-30966 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 10.0, CRITICAL)
## CVE-2026-30966: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.7 and 8.6.20, Parse Server's internal tables, which store Relation field mappings such as role memberships, can be directly accessed via the REST API or GraphQL API by any client using only the application key. No master key is required. An attacker can create, read, update, or delete records in any internal relationship table. Exploiting this allows the attacker to inject themselves into any Parse Role, gaining all permissions associated with that role, including full read, write, and delete access to classes protected by role-based Class-Level Permissions (CLP). Similarly, writing to any such ta
CVE-2026-4601 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 4.3, MEDIUM)
## CVE-2026-4601: JavaScript vulnerability analysis and mitigation
Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.
Source : NVD
Score 9.4
Published March 23, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
jsrsasign
Sources
NVD
CVE-2026-31975 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.7, HIGH)
## CVE-2026-31975: JavaScript vulnerability analysis and mitigation
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.25.0, it is vulnerable to OS command injection via the WebSocket shell. Both projectPath and initialCommand in server/index.js are taken directly from the WebSocket message payload and interpolated into a bash command string without any sanitization, enabling arbitrary OS command execution. A secondary injection vector exists via unsanitized sessionId. This vulnerability is fixed in 1.25.0.
Source : NVD
Score 8.7
Published March 11, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2026-33527 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 5.3, MEDIUM)
## CVE-2026-33527: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent. This issue has been patched in versions 8.6.57 and 9.6.0-alpha.48.
Source : NVD
Score 5.3
Published March 24, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2026-22595 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.1, HIGH)
## CVE-2026-22595: JavaScript vulnerability analysis and mitigation
Ghost is a Node.js content management system. In versions 5.121.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's handling of Staff Token authentication allowed certain endpoints to be accessed that were only intended to be accessible via Staff Session authentication. External systems that have been authenticated via Staff Tokens for Admin/Owner-role users would have had access to these endpoints. This issue has been patched in versions 5.130.6 and 6.11.0.
Source : NVD
Score 8.1
Published January 10, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
JavaScript
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
CVE-2025-69983 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.8, CRITICAL)
## CVE-2025-69983: JavaScript vulnerability analysis and mitigation
FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise.
Source : NVD
Score 9.8
Published February 3, 2026
Severity CRITICAL
CNA Score 8.2
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 57.1
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
fuxa-server
Sources
NVD
npm Severity HIGH No Fix Added at: Feb 08, 2026
CVE-2026-27584 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 9.2, CRITICAL)
## CVE-2026-27584: JavaScript vulnerability analysis and mitigation
Actual is a local-first personal finance tool. Prior to version 26.2.1, missing authentication middleware in the ActualBudget server component allows any unauthenticated user to query the SimpleFIN and Pluggy.ai integration endpoints and read sensitive bank account balance and transaction information. This vulnerability allows an unauthenticated attacker to read the bank account balance and transaction history of ActualBudget users. This vulnerability impacts all ActualBudget Server users with the SimpleFIN or Pluggy.ai integrations configured. The ActualBudget Server instance must be reachable over the network. Version 26.2.1 patches the issue.
Source : NVD
Score 9.2
Published February 24, 2026
Severity CRITICAL
GHSA-p9ff-h696-f583 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 4.3, MEDIUM)
## GHSA-p9ff-h696-f583: JavaScript vulnerability analysis and mitigation
## Summary
`server.fs`, `fetchModule`
## Impact
Only apps that match the following conditions are affected:
- `--host`
- `server.host`
- `server.ws: false`
## Details
`Origin`, `fetchModule`, `vite:invoke`, `file://...`, `?raw`, `?inline`, `export default "..."`, `server.fs.allow`
## PoC
```shell
pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173
curl -i 'http://localhost:5173/@fs/etc/passwd?raw'
```
`403 Restricted`
`Origin`, `vite:invoke`, `fetchModule`, `file://...`, `?raw`
Source : NVD
Score 8.2
Published April 6, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
CVE-2026-24133 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.7, HIGH)
## CVE-2026-24133: JavaScript vulnerability analysis and mitigation
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in jsPDF 4.1.0.
Source : NVD
Score 8.7
Published February 2, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CVE-2025-69287 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 5.4, MEDIUM)
## CVE-2025-69287: JavaScript vulnerability analysis and mitigation
`Peer.ts`, `processInitialRequest`, `processInitialResponse`, `message.initialNonce + sessionNonce`, `base64ToBytes(concatenatedString)`
Source : NVD
Score 5.4
Published February 18, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.7
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@bsv/sdk
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 18, 2026
CVE-2026-29182 Impact, Exploitability, and Mitigation Steps | Wiz (blogs_wiz, CVSS 8.6, HIGH)
## CVE-2026-29182: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.4 and 9.4.1-alpha.3, Parse Server's readOnlyMasterKey option allows access with master-level read privileges but is documented to deny all write operations. However, some endpoints incorrectly accept the readOnlyMasterKey for mutating operations. This allows a caller who only holds the readOnlyMasterKey to create, modify, and delete Cloud Hooks and to start Cloud Jobs, which can be used for data exfiltration. Any Parse Server deployment that uses the readOnlyMasterKey option is affected. Note that an attacker needs to know the readOnlyMasterKey to exploit this vulnerability. This issue has been p
## CVE-2026-34777: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 5.4 · MEDIUM)
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, when an iframe requests fullscreen, pointerLock, keyboardLock, openExternal, or media permissions, the origin passed to session.setPermissionRequestHandler() was the top-level page's origin rather than the requesting iframe's origin. Apps that grant permissions based on the origin parameter or webContents.getURL() may inadvertently grant permissions to embedded third-party content. The correct requesting URL remains available via details.requestingUrl. Apps that already check details.requestingUrl are not affected. This issue has been patched in versions 38.8.6, 39
## CVE-2026-28787: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 8.2 · HIGH)
OneUptime is a solution for monitoring and managing online services. In version 10.0.11 and prior, the WebAuthn authentication implementation does not store the challenge on the server side. Instead, the challenge is returned to the client and accepted back from the client request body during verification. This violates the WebAuthn specification (W3C Web Authentication Level 2, §13.4.3) and allows an attacker who has obtained a valid WebAuthn assertion (e.g., via XSS, MitM, or log exposure) to replay it indefinitely, completely bypassing the second-factor authentication. No known patches are available.
Source : NVD
Score 9
Published March 6, 2026
Severity CRITICAL
CNA Score 8.2
Affected Technologies
JavaSc
## CVE-2025-68458: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 3.7 · LOW)
Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (th
## CVE-2026-24768: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 5.7 · MEDIUM)
continueAfterSignIn
Source : NVD
Score 5.7
Published January 28, 2026
Severity MEDIUM
CNA Score 5.7
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nocodb
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 29, 2026
## CVE-2026-25586: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 10.0 · CRITICAL)
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to `__proto__` and other blocked prototype properties, enabling host Object.prototype pollution and persistent cross-sandbox impact. This vulnerability is fixed in 0.8.29.
Source : NVD
Score 10
Published February 6, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.2
Exploitation Probability (EPSS) N/A
Affect
## CVE-2026-28794: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 9.3 · CRITICAL)
oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, including authentication bypass, denial of service, and potentially Remote Code Execution. This issue has been patched in version 1.13.6.
Source : NVD
Score 9.3
Published March 6, 2026
Severity CRITICAL
CNA Score 9.3
Affected Te
## CVE-2026-33624: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 2.1 · LOW)
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds. This issue has been patched in versions 8.6.60 and 9.6.0-alpha.54.
Source : NVD
Score 2.1
Published March 24, 2026
Severity LOW
CNA Score 2.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exp
## CVE-2025-14874: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 7.5 · HIGH)
A flaw was found in Nodemailer. This vulnerability allows a denial of service (DoS) via a crafted email address header that triggers infinite recursion in the address parser.
Source : NVD
Score 7.5
Published December 18, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
kibana-8.18
kibana-9.0
Sources
NVD
Chainguard Has Fix Added at: Feb 04, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Dec 21, 2025
Debian 14 Severity HIGH Has Fix Added at: Dec 21, 2025
## CVE-2025-65513: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 7.5 · HIGH)
fetch-mcp v1.0.2 and before contains a Server-Side Request Forgery (SSRF) vulnerability that allows attackers to bypass private IP validation and access internal network resources.
Source : NVD
Score 7.5
Published December 9, 2025
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mcp-fetch-server
Sources
NVD
npm Severity MEDIUM No Fix Added at: Dec 11, 2025
## CVE-2026-33131: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 7.4 · HIGH)
H3 is a minimal H(TTP) framework. Versions 2.0.0-0 through 2.0.1-rc.14 contain a Host header spoofing vulnerability in the NodeRequestUrl (which extends FastURL) which allows middleware bypass. When event.url, event.url.hostname, or event.url._url is accessed, such as in a logging middleware, the _url getter constructs a URL from untrusted data, including the user-controlled Host header. Because H3's router resolves the route handler before middleware runs, an attacker can supply a crafted Host header (e.g., Host: localhost:3000/abchehe?) to make the middleware path check fail while the route handler still matches, effectively bypassing authentication or authorization middleware. This affects any application built on H3
## CVE-2026-27203: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 8.3 · HIGH)
eBay API MCP Server is an open source local MCP server providing AI assistants with comprehensive access to eBay's Sell APIs. All versions are vulnerable to Environment Variable Injection through the updateEnvFile function. The ebay_set_user_tokens tool allows updating the .env file with new tokens. The updateEnvFile function in src/auth/oauth.ts blindly appends or replaces values without validating them for newlines or quotes. This allows an attacker to inject arbitrary environment variables into the .env configuration file, which could lead to configuration overwrites, Denial of Service, and potential RCE. There was no fix for this issue at the time
## CVE-2026-32256: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 7.5 · HIGH)
parseExtensionObject()
lib/asf/AsfParser.ts:112-158
objectSize = 0
Source : NVD
Score 7.5
Published March 18, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
OpenClaw (formerly Moltbot or Clawdbot)
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
openclaw
music-metadata
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 18, 2026
MinimOS Severity HIGH Has Fix Added at: Mar 19, 2026
## CVE-2026-23745: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 8.2 · HIGH)
node-tar is a tar implementation for Node.js. The node-tar library (<= 7.5.2) fails to sanitize the linkpath of Link (hardlink) and SymbolicLink entries when preservePaths is false (the default secure behavior). This allows malicious archives to bypass the extraction root restriction, leading to Arbitrary File Overwrite via hardlinks and Symlink Poisoning via absolute symlink targets. This vulnerability is fixed in 7.5.3.
Source : NVD
Score 8.2
Published January 16, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.5
Exploitation Probability (EPSS) N/A
## CVE-2026-23835: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 5.7 · MEDIUM)
Knowledge Base > File Upload
lobechat.com
1 GB
10 MB
10 MB
1 GB
Source : NVD
Score 5.7
Published January 30, 2026
Severity MEDIUM
CNA Score 5.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@lobehub/chat
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 02, 2026
## CVE-2026-24473: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 6.3 · MEDIUM)
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue.
Source : NVD
Score 6.3
Published January 27, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.7
Expl
## CVE-2026-27574: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 9.9 · CRITICAL)
OneUptime is a solution for monitoring and managing online services. In versions 9.5.13 and below, custom JavaScript monitor feature uses Node.js's node:vm module (explicitly documented as not a security mechanism) to execute user-supplied code, allowing trivial sandbox escape via a well-known one-liner that grants full access to the underlying process. Because the probe runs with host networking and holds all cluster credentials (ONEUPTIME_SECRET, DATABASE_PASSWORD, REDIS_PASSWORD, CLICKHOUSE_PASSWORD) in its environment variables, and monitor creation is available to the lowest role (ProjectMember) with open registration enabled by default, any anonymous user can achieve full cluster compromise in about 30 seconds. Th
## CVE-2026-22775: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 7.5 · HIGH)
Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficient for the job. From 5.1.0 to 5.6.1, certain inputs can cause devalue.parse to consume excessive CPU time and/or memory, potentially leading to denial of service in systems that parse input from untrusted sources. This affects applications using devalue.parse on externally-supplied data. The root cause is the ArrayBuffer hydration expecting base64 encoded strings as input, but not checking the assumption before decoding the input. This vulnerability is fixed in 5.6.2.
Source : NVD
Score 7.5
Published January 15, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Linux Fedora
Has Publ
## GHSA-vrhm-gvg7-fpcf: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 4.3 · MEDIUM)
@sveltejs/kit
experimental.remoteFunctions
form
Source : NVD
Score 4.6
Published February 19, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@sveltejs/kit
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 20, 2026
## CVE-2026-33979: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 8.2 · HIGH)
Express XSS Sanitizer is Express 4.x and 5.x middleware which sanitizes user input data (in req.body, req.query, req.headers and req.params) to prevent Cross Site Scripting (XSS) attack. A vulnerability has been identified in versions prior to 2.0.2 where restrictive sanitization configurations are silently ignored. In version 2.0.2, the validation logic has been updated to respect explicitly provided empty configurations. Now, if allowedTags or allowedAttributes are provided (even if empty), they are passed directly to sanitize-html without being overridden.
Source : NVD
Score 8.2
Published March 27, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exp
## GHSA-cj63-jhhr-wcxv: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 4.3 · MEDIUM)
## Summary
USE_PROFILES
ALLOWED_ATTR
ALLOWED_ATTR[lcName]
Array.prototype
Array.prototype.onclick = true
onclick
USE_PROFILES
## Impact
Prototype pollution makes DOMPurify accept dangerous event handler attributes, which bypasses the sanitizer and results in DOM-based XSS once the sanitized markup is rendered.
## Credits
Identified by Cantina’s Apex ( https://www.cantina.security ).
Source : NVD
Score 5.3
Published April 3, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packa
## CVE-2026-33994: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 6.3 · MEDIUM)
parse_str
Object.prototype
RegExp.prototype.test
parse_str
String.prototype.includes()
RegExp.prototype.test()
RegExp.prototype.test
Source : NVD
Score 6.3
Published March 27, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 26.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
locutus
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 29, 2026
## CVE-2026-24040: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 6.3 · MEDIUM)
jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions mig
## CVE-2026-23897: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 7.5 · HIGH)
Apollo Server is an open-source, spec-compliant GraphQL server that's compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer.
Source : NVD
Score 7.5
Published February 4, 2026
Severity HIGH
CNA Score 7.5
Affected Techn
## CVE-2025-15104: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 6.9 · MEDIUM)
Nu Html Checker (validator.nu) contains a restriction bypass that allows remote attackers to make the server perform arbitrary HTTP/HTTPS requests to internal resources, including localhost services. While the validator implements hostname-based protections to block direct access to localhost and 127.0.0.1, these controls can be bypassed using DNS rebinding techniques or domains that resolve to loopback addresses. This issue affects The Nu Html Checker (vnu): latest (commit 23f090a11bab8d0d4e698f1ffc197a4fe226a9cd).
Source : NVD
Score 6.9
Published January 16, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Java
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
## CVE-2026-31808: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 5.3 · MEDIUM)
file-type detects the file type of a file, stream, or data. Prior to 21.3.1, a denial of service vulnerability exists in the ASF (WMV/WMA) file type detection parser. When parsing a crafted input where an ASF sub-header has a size field of zero, the parser enters an infinite loop. The payload value becomes negative (-24), causing tokenizer.ignore(payload) to move the read position backwards, so the same sub-header is read repeatedly forever. Any application that uses file-type to detect the type of untrusted/attacker-controlled input is affected. An attacker can stall the Node.js event loop with a 55-byte payload. Fixed in version 21.3.1.
Source : NVD
Score 5.3
Published March 10, 2026
Severity MEDIUM
CNA Sco
## GHSA-73rr-hh4g-fpgx: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 4.3 · MEDIUM)
## Impact
\r
\u2028
\u2029
parsePatch
parsePatch
parsePatch
applyPatch
parsePatch
parsePatch
## Patches
All vulnerabilities described are fixed in v8.0.3.
## Workarounds
\r
\u2028
\u2029
## References
PR that fixed the bug: https://github.com/kpdecker/jsdiff/pull/649
## CVE Notes
parsePatch
Source : NVD
Score 2.7
Published January 14, 2026
Severity LOW
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
diff
Sources
NVD
npm Severity LOW Has Fix Added at: Jan 15, 2
## GHSA-xphh-5v4r-r3rx: JavaScript vulnerability analysis and mitigation (Wiz)
## Summary
../../../.ssh/authorized_keys
## Details
The vulnerability exists in the archive download functionality in lib/endpoints.js where user controlled metadata.name is used directly without sanitization when creating TAR archive entries.
lib/endpoints.js:275
```js
const entry = pack.entry({ name: info.metadata.name, size: info.size });
```
lib/endpoints.js:372
```js
assert(meta.name, 'tus meta prop missing: name');
```
## PoC
I. Upload file with malicious filename (no authentication required).
```sh
MALICIOUS_NAME=$(echo -n "../../../tmp/dp.txt" | base64)
SID=$(echo -n "evil" | base64)
RETENTION=$(echo -n "3600" | base64)
curl -X POST http://TARGET:3000/files \
  -H "Tus-Resumable: 1.0.0" \
  -H "Upload-Length: 15" \
  -H "Uplo
```
## GHSA-pqhr-mp3f-hrpp: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 8.1 · HIGH)
Product: Nuxt OG Image Version:
html
GET /_og/d/og.png?html=
When verbose errors are enabled, the response content is leaked in base64-encoded error messages.
html
GET /_og/d/og.png?html=
## Mitigation
Fixed in v6.2.5. The image source plugin now blocks requests to private IP ranges (IPv4/IPv6), loopback addresses, link-local addresses, and cloud metadata endpoints. Decimal/hexadecimal IP encoding bypasses are also handled.
## Credits
Researcher: Dmitry Prokhorov (Positive Technologies)
Source : NVD
Score 5.3
Published March 31, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date
## CVE-2026-33129: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 5.9 · MEDIUM)
H3 is a minimal H(TTP) framework. Versions 2.0.1-beta.0 through 2.0.0-rc.8 contain a Timing Side-Channel vulnerability in the requireBasicAuth function due to the use of unsafe string comparison (!==). This allows an attacker to deduce the valid password character-by-character by measuring the server's response time, effectively bypassing password complexity protections. This issue is fixed in version 2.0.1-rc.9.
Source : NVD
Score 5.9
Published March 20, 2026
Severity MEDIUM
CNA Score 5.9
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.4
Exploitation Probability (EPSS)
## GHSA-q5pr-72pq-83v3: JavaScript vulnerability analysis and mitigation (Wiz)
## Summary
setChunkedCookie()
deleteChunkedCookie()
__chunked__N
Cookie: h3=__chunked__999999
## Details
__chunked__N
getChunkedCookieCount()
src/utils/cookie.ts:244-249
```ts
function getChunkedCookieCount(cookie: string | undefined): number {
  if (!cookie?.startsWith(CHUNKED_COOKIE)) {
    return Number.NaN;
  }
  return Number.parseInt(cookie.slice(CHUNKED_COOKIE.length));
  // No upper bound check — attacker controls this value
}
```
setChunkedCookie()
src/utils/cookie.ts:182-190
```ts
const previousCookie = getCookie(event, name); // reads from request headers
if (previousCookie?.startsWith(CHUNKED_COOKIE)) {
  const previousChunkCount = getChunkedCookieCount(previousCookie);
  if (previousChunkCount > chunkCount) {
    for (let
```
## CVE-2026-27702: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 9.9 · CRITICAL)
eval()
packages/server/src/db/inMemoryView.ts
app-service
INTERNAL_API_KEY
JWT_SECRET
Source : NVD
Score 9
Published February 25, 2026
Severity CRITICAL
CNA Score 9.9
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 24.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
budibase
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Mar 02, 2026
## CVE-2026-27609: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 8.3 · HIGH)
POST /apps/:appId/agent
agent
agent
Source : NVD
Score 8.3
Published February 25, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
parse-dashboard
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 02, 2026
## CVE-2026-28401: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 5.3 · MEDIUM)
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, rich text cell content rendered via v-html without sanitization enables stored XSS. This issue has been patched in version 0.301.3.
Source : NVD
Score 5.3
Published March 2, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nocodb
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 04, 2026
## GHSA-88qp-p4qg-rqm6: JavaScript vulnerability analysis and mitigation (Wiz · CVSS 4.3 · MEDIUM)
@sveltejs/kit
experimental.remoteFunctions
form
Source : NVD
Score 6.9
Published February 19, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@sveltejs/kit
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 20, 2026
Wiz · blogs_wiz · CVSS 6.2
CVE-2026-29066 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29066: JavaScript vulnerability analysis and mitigation
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server configures Vite with server.fs.strict: false, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system. This vulnerability is fixed in 2.1.8.
Source: NVD
Score 6.2
Published March 12, 2026
Severity MEDIUM
CNA Score 6.2
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@tinacms/cli
Sources
NVD
Wiz · blogs_wiz · CVSS 4.3
GHSA-v8w9-8mx6-g223 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-v8w9-8mx6-g223: JavaScript vulnerability analysis and mitigation
## Summary
Identifiers recovered from the advisory text: `parseBody({ dot: true })`, `__proto__.x`, `__proto__`.
## Details
Identifiers recovered from the advisory text: `parseBody({ dot: true })`, `__proto__`, `__proto__.x`, `Object.prototype`.
## Impact
Applications that merge parsed form data into regular objects using unsafe patterns (for example recursive deep merge utilities) may become vulnerable to prototype pollution.
Source: NVD
Score 4.8
Published March 11, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
hono
Sources
NVD
npm Severity MEDIUM
Wiz · blogs_wiz · CVSS 8.1
CVE-2026-22594 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22594: JavaScript vulnerability analysis and mitigation
Ghost is a Node.js content management system. In versions 5.105.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's 2FA mechanism allows staff users to skip email 2FA. This issue has been patched in versions 5.130.6 and 6.11.0.
Source: NVD
Score 8.1
Published January 10, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
JavaScript
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.5
Exploitation Probability (EPSS) N/A
Affected packages and libraries
ghost
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 11, 2026
Nix Severity HIGH Has Fix Added at: Jan 19, 2026
Wiz · blogs_wiz · CVSS 6.5
CVE-2025-56647 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-56647: JavaScript vulnerability analysis and mitigation
npm @farmfe/core before 1.7.6 is Missing Origin Validation in WebSocket. The development (hot module reloading) server does not validate origin when connecting to a WebSocket client. This allows attackers to surveil developers running Farm who visit their webpage and steal source code that is leaked by the WebSocket server.
Source: NVD
Score 6.5
Published February 12, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@farmfe/core
Sources
NVD
npm Severity MEDIUM Has Fix
Wiz · blogs_wiz · CVSS 6.9
CVE-2026-25545 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25545: JavaScript vulnerability analysis and mitigation
Identifiers recovered from the advisory text: `404.astro`, `500.astro`, `Host:`, `/500.html`.
Source: NVD
Score 6.9
Published February 24, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@astrojs/node
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Feb 24, 2026
Wiz · blogs_wiz · CVSS 7.6
CVE-2026-26974 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26974: JavaScript vulnerability analysis and mitigation
Slyde is a program that creates animated presentations from XML. In versions 0.0.4 and below, Node.js automatically imports **/*.plugin.{js,mjs} files including those from node_modules, so any malicious package with a .plugin.js file can execute arbitrary code when installed or required. All projects using this loading behavior are affected, especially those installing untrusted packages. This issue has been fixed in version 0.0.5. To workaround this issue, users can audit and restrict which packages are installed in node_modules.
Source: NVD
Score 7.6
Published February 20, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-34841 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34841: JavaScript vulnerability analysis and mitigation
Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT). Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted. Upgrade to 3.2.1
Source: NVD
Score 9.8
Published April 6, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.5
Exploitation Probability (EPSS) N/A
Wiz · blogs_wiz · CVSS 8.2
CVE-2026-2880 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2880: JavaScript vulnerability analysis and mitigation
A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)).
When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.
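The bypass described above, as an added example that is not @fastify/middie's or Fastify's own code: a toy dispatcher that, like the vulnerable shape, tests the middleware prefix on the raw request path while the router matches a normalised one, beside a dispatcher that normalises once and uses the canonical path for both decisions. Only the duplicate-slash and trailing-slash options named above are modelled; the `/secret` prefix, the function names and the probe requests are constructed for the example.

```javascript
// Added example, not @fastify/middie's or find-my-way's code: a toy model of
// path-scoped middleware in front of a router that normalises paths. Names
// (normalizePath, dispatch*) and the "/secret" prefix are ours; the probe
// requests below are constructed.

// Router-side normalisation with two options from the advisory text:
// collapse duplicate slashes and ignore a trailing slash. Semicolon
// delimiting is deliberately not modelled here.
function normalizePath(rawPath, { ignoreDuplicateSlashes = true, ignoreTrailingSlash = true } = {}) {
  let p = rawPath.split('?')[0];
  if (ignoreDuplicateSlashes) p = p.replace(/\/{2,}/g, '/');
  if (ignoreTrailingSlash && p.length > 1 && p.endsWith('/')) p = p.slice(0, -1);
  return p;
}

function isUnderPrefix(path, prefix) {
  return path === prefix || path.startsWith(prefix + '/');
}

const routes = {
  '/secret/data': () => ({ status: 200, body: 'top secret' }),
  '/public': () => ({ status: 200, body: 'hello' }),
};

// Vulnerable shape: the middleware scope test runs on the RAW path, the route
// lookup on the NORMALISED path, so the two disagree on "//secret/data".
function dispatchRawScope(req) {
  const prefixMatched = isUnderPrefix(req.url, '/secret');
  if (prefixMatched && !req.authenticated) return { status: 401, body: 'auth required' };
  const handler = routes[normalizePath(req.url)];
  return handler ? handler() : { status: 404, body: 'not found' };
}

// Fixed shape: normalise once, then run both the scope test and the lookup
// on the same canonical path.
function dispatchNormalisedScope(req) {
  const canonical = normalizePath(req.url);
  const prefixMatched = isUnderPrefix(canonical, '/secret');
  if (prefixMatched && !req.authenticated) return { status: 401, body: 'auth required' };
  const handler = routes[canonical];
  return handler ? handler() : { status: 404, body: 'not found' };
}

// Constructed probes: an unauthenticated client trying plain and crafted paths.
const PROBES = ['/secret/data', '//secret/data', '/secret//data/', '/public'];

function runProbes(dispatch) {
  const out = {};
  for (const url of PROBES) out[url] = dispatch({ url, authenticated: false }).status;
  return out;
}

console.log('raw-scope  ', runProbes(dispatchRawScope));        // //secret/data -> 200
console.log('normalised ', runProbes(dispatchNormalisedScope)); // //secret/data -> 401
```

The general rule is the one the fixed dispatcher follows: canonicalise the path once, as early as possible, and make every authorization decision on the same canonical form the router will use.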
Source: NVD
Score 8.2
Published February 27, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 45.4
Exploitation Probability (EPSS)
Wiz · blogs_wiz · CVSS 8.1
GHSA-8986-v76q-8vr2 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-8986-v76q-8vr2: JavaScript vulnerability analysis and mitigation
## Overview
P2PKH has 20 bytes just like P2SH. We protect against revealing P2PKH deposits by manually assembling the expected P2SH script in the smart contract and comparing hashes. However, we missed the case when the attacker embeds a valid P2SH inside of P2PKH as an output script. bitcoin-spv library extracts the P2SH from P2PKH and we treat it as a valid P2SH output.
This does not lead to stealing funds but can lead to protocol insolvency.
The off-chain client handles this case correctly, but the problem is in the optimistic minting bot. The bot assumes that if the funding TX exists on Bitcoin with the right amount and it was successfully revealed, the transaction is valid. https://bugs.immunefi.com/magnus/6
Wiz · blogs_wiz · CVSS 2.7
CVE-2026-25149 [LOW] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25149: JavaScript vulnerability analysis and mitigation
Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City's default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0.
Source: NVD
Score 2.7
Published February 3, 2026
Severity LOW
CNA Score 2.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz · blogs_wiz · CVSS 6.4
CVE-2026-25533 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25533: JavaScript vulnerability analysis and mitigation
Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior or the vm module and the function constructor access prevention can be side-stepped by leveraging host object references. This vulnerability is fixed in 2.10.1.
Source: NVD
Score 6.4
Published February 6, 2026
Severity MEDIUM
CNA Score 6.4
Affected Technologies
JavaScript
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz · blogs_wiz · CVSS 9.9
CVE-2026-30956 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30956: JavaScript vulnerability analysis and mitigation
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.21, a low‑privileged user can bypass authorization and tenant isolation in OneUptime v10.0.20 and earlier by sending a forged is-multi-tenant-query header together with a controlled projectid header. Because the server trusts this client-supplied header, internal permission checks in BasePermission are skipped and tenant scoping is disabled. This allows attackers to access project data belonging to other tenants, read sensitive User fields via nested relations, leak plaintext resetPasswordToken, and reset the victim’s password and fully take over the account. This results in cross‑tenant data exposure and full account takeover. This vulne
Wiz · blogs_wiz
GHSA-h8r8-wccr-v5f2 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-h8r8-wccr-v5f2: JavaScript vulnerability analysis and mitigation
## Description
Identifiers recovered from the advisory text: `innerHTML`, `script`, `xmp`, `iframe`, `noembed`, `noframes`, `noscript`, `DOMPurify.sanitize()`, `alert(1)`.
## Vulnerability
...
## PoC
Start the PoC app:
```shell
npm install
npm start
```
Open http://localhost:3001.
Wrapper and sink: `xmp`
Use payload: `">`
Click "Sanitize + Render".
Observe: sanitized response, `alt`, `alert('expoc')`.
Files: index.html (expoc - DOMPurify SSR PoC)
Wiz · blogs_wiz · CVSS 4.3
CVE-2026-33863 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33863: JavaScript vulnerability analysis and mitigation
## Impact
Two unguarded prototype pollution paths exist, not covered by previous fixes. Identifiers recovered from the advisory text, in order: `config.load()`, `config.loadFile()`, `overlay()`, `__proto__`, `constructor.prototype`, `Object.prototype`, `constructor.prototype.*`, `convict({...})`, `Object.prototype`.
## Workarounds
Do not pass untrusted data to load(), loadFile(), or convict().
## Resources
Prior advisory: GHSA-44fc-8fm5-q62h Related issue: https://github.com/mozilla/node-convict/issues/423
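For the two prototype-pollution entries above (hono's `parseBody({ dot: true })` output with a `__proto__.x` field reaching a recursive deep merge, and convict's `load()`/`loadFile()`/`convict()` paths through `__proto__` and `constructor.prototype`), an added example that is not the code of either project: a recursive merge that trusts key names beside a hardened one, plus a validator for the "do not pass untrusted data" workaround. The payloads, the function names and the marker property names are constructed for the example.

```javascript
// Added example (not hono's, convict's or any project's code): a recursive
// merge that trusts key names, beside a hardened one, exercised with two
// constructed payloads. Function and payload names are ours.
//
// PROTO_PAYLOAD is the shape a dot-notation body parser emits for a field
// named "__proto__.viaProto"; JSON.parse is used so that "__proto__" is an OWN
// property of the object. CTOR_PAYLOAD is the constructor.prototype path a
// config overlay can receive.
const PROTO_PAYLOAD = JSON.parse('{"__proto__": {"viaProto": "yes"}, "name": "alice"}');
const CTOR_PAYLOAD = JSON.parse('{"constructor": {"prototype": {"viaCtor": "yes"}}}');

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Unsafe: descends into whatever already lives at target[key]. For "__proto__"
// that is Object.prototype (inherited accessor); for "constructor" it is the
// Object function, whose "prototype" is again Object.prototype.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (target[key] == null) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: forbidden keys are skipped, only OWN plain-object properties are
// descended into, and fresh containers have no prototype chain at all.
function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = Object.create(null);
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Reject-rather-than-drop variant for a trust boundary such as a config
// loader: validate the document before it reaches load()/overlay()-style code.
function assertNoForbiddenKeys(value, path = '$') {
  if (!isPlainObject(value)) return;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`forbidden key at ${path}.${key}`);
    assertNoForbiddenKeys(value[key], `${path}.${key}`);
  }
}

// Merges the payload into a fresh object, reads the marker from an UNRELATED
// fresh object (pollution shows up there), then removes the marker again so
// the process is left clean.
function probe(mergeFn, payload, marker) {
  const merged = mergeFn({}, payload);
  const leaked = ({})[marker];
  delete Object.prototype[marker];
  return { leaked, merged };
}

function demo() {
  return {
    unsafeProto: probe(unsafeMerge, PROTO_PAYLOAD, 'viaProto').leaked,      // "yes"
    unsafeCtor: probe(unsafeMerge, CTOR_PAYLOAD, 'viaCtor').leaked,         // "yes"
    safeProto: probe(safeMerge, PROTO_PAYLOAD, 'viaProto').leaked,          // undefined
    safeCtor: probe(safeMerge, CTOR_PAYLOAD, 'viaCtor').leaked,             // undefined
    safeKeepsName: probe(safeMerge, PROTO_PAYLOAD, 'viaProto').merged.name, // "alice"
  };
}

console.log(demo());
```

Dropping the three keys is the usual library fix; rejecting the whole document (the validator) is the better choice at a trust boundary such as a configuration loader, because a silently dropped key hides the attempt from logs.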
Source: NVD
Score 9.4
Published March 26, 2026
Severity CRITICAL
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Wiz · blogs_wiz · CVSS 8.7
CVE-2026-31872 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31872: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.6 and 8.6.32, the protectedFields class-level permission (CLP) can be bypassed using dot-notation in query WHERE clauses and sort parameters. An attacker can use dot-notation to query or sort by sub-fields of a protected field, enabling a binary oracle attack to enumerate protected field values. This affects both MongoDB and PostgreSQL deployments. This vulnerability is fixed in 9.6.0-alpha.6 and 8.6.32.
Source: NVD
Score 8.7
Published March 11, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz · blogs_wiz · CVSS 7.1
CVE-2026-34603 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34603: JavaScript vulnerability analysis and mitigation
Tina is a headless content management system. Prior to version 2.2.2, @tinacms/cli recently added lexical path-traversal checks to the dev media routes, but the implementation still validates only the path string and does not resolve symlink or junction targets. If a link already exists under the media root, Tina accepts a path like pivot/written-from-media.txt as "inside" the media directory and then performs real filesystem operations through that link target. This allows out-of-root media listing and write access, and the same root cause also affects delete. This issue has been patched in version 2.2.2.
Source: NVD
Score 7.1
Published April 1, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
JavaScript
Wiz · blogs_wiz · CVSS 4.3
CVE-2026-5603 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5603: JavaScript vulnerability analysis and mitigation
A vulnerability was identified in elgentos magento2-dev-mcp up to 1.0.2. The affected element is the function executeMagerun2Command of the file src/index.ts. Such manipulation leads to os command injection. An attack has to be approached locally. The exploit is publicly available and might be used. The name of the patch is aa1ffcc0aea1b212c69787391783af27df15ae9d. A patch should be applied to remediate this issue.
Source: NVD
Score 4.8
Published April 5, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18
Exploitation Probability (EPSS) 0.1
Wiz · blogs_wiz · CVSS 8.2
CVE-2026-34363 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34363: JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. The sensitive data filter modifies these shared objects in-place, so when one subscriber's filter removes a protected field, subsequent subscribers may receive the already-filtered object. This can cause protected fields and authentication data to leak to clients that should not see them, or cause clients that should see the data to receive an incomplete object. Additionally, when an afterEvent Cloud Code trigger is registered
Wiz · blogs_wiz · CVSS 7.5
CVE-2026-33891 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33891: JavaScript vulnerability analysis and mitigation
Identifiers recovered from the advisory text: `node-forge`.
Source: NVD
Score 7.5
Published March 27, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
argo-workflows-3.6
argo-workflows-3.7
Sources
NVD
Chainguard Has Fix Added at: Apr 02, 2026
npm Severity HIGH Has Fix Added at: Mar 29, 2026
MinimOS Severity HIGH Has Fix Added at: Apr 05, 2026
Red Hat 8, 9, 10 Severity HIGH No Fix Added at: Mar 29, 2026
Wolfi Has Fix Added at: Apr 02, 2026
Wiz · blogs_wiz · CVSS 8.2
CVE-2026-33163 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33163: JavaScript vulnerability analysis and mitigation
Identifiers recovered from the advisory text: `Parse.Cloud.afterLiveQueryEvent`, `authData`, `protectedFields`, `afterEvent`, `Parse.Object`, `toJSONwithObjects()`.
Source: NVD
Score 8.2
Published March 18, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
parse-server
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 19, 2026
Wiz · blogs_wiz · CVSS 9.4
CVE-2026-26021 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26021: JavaScript vulnerability analysis and mitigation
set-in provides the set value of nested associative structure given array of keys. A prototype pollution vulnerability exists in the npm package set-in (>=2.0.1, < 2.0.5). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.
Source: NVD
Score 9.4
Published February 11, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Wiz · blogs_wiz
GHSA-8mpm-q7mh-8fvh Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-8mpm-q7mh-8fvh: JavaScript vulnerability analysis and mitigation
## Summary
The Capgo CLI writes sensitive local files (.capgo API key file and build credentials JSON) using unsafe file operations that follow symlinks and do not enforce safe permissions. This allows an attacker-controlled repository to cause arbitrary file overwrite on the developer’s machine when the developer runs the CLI inside that repo. Additionally, global build credentials are written with world-readable permissions (664), exposing signing materials on shared systems.
## Details
Issue 1 - Arbitrary file overwrite via .capgo symlink (login --local)
Location: src/login.ts
Behavior: loginInternal(..., { local: true }) performs writeFileSync('.capgo', ...) before validating the API key with verifyUser
Wiz · blogs_wiz
GHSA-xgx4-2wgv-4jhm Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-xgx4-2wgv-4jhm: JavaScript vulnerability analysis and mitigation
## Summary
Identifiers recovered from the advisory text: `@pdfme/schemas`, `innerHTML`, `options.labels`, `{variables}`.
## Details
Identifiers recovered from the advisory text: `{variable}`, `innerHTML`.
packages/schemas/src/multiVariableText/propPanel.ts:65-71
```typescript
// Use safe string concatenation for innerHTML
const typingInstructions = i18n('schemas.mvt.typingInstructions');
const sampleField = i18n('schemas.mvt.sampleField');
para.innerHTML =
  typingInstructions +
  ` {` +
  sampleField +
  '}';
```
Identifiers recovered from the advisory text: `innerHTML`, `typingInstructions`, `sampleField`.
packages/ui/src/i18n.ts:903
```typescript
export const i18n = (key: keyof Dict, dict?: Dict) => (dict || getDict(DEFAULT_LANG))[key];
```
packages/ui/src/components/AppContextProvider.tsx:57-63
```typescript
let dict = getDict(lang);
if (options.labels) {
  dict = deepMerge(
    dict as unknown as Record,
    options.lab
```
Wiz · blogs_wiz · CVSS 6.3
CVE-2025-15284 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15284: JavaScript vulnerability analysis and mitigation
Improper Input Validation vulnerability in qs (parse modules) allows HTTP DoS. This issue affects qs: < 6.14.1.
Summary
The arrayLimit option in qs did not enforce limits for bracket notation (a[]=1&a[]=2), only for indexed notation (a[0]=1). This is a consistency bug; arrayLimit should apply uniformly across all array notations.
Note: The default parameterLimit of 1000 effectively mitigates the DoS scenario originally described. With default options, bracket notation cannot produce arrays larger than parameterLimit regardless of arrayLimit, because each a[]=value consumes one parameter slot. The severity has been reduced accordingly.
Details
The arrayLimit option only checked limits for indexed notation (a[0]=1&a[1]
Wiz · blogs_wiz · CVSS 8.8
CVE-2025-69264 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69264: JavaScript vulnerability analysis and mitigation
pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary code during pnpm install, circumventing the v10 security feature "Dependency lifecycle scripts execution disabled by default". While pnpm v10 blocks postinstall scripts via the onlyBuiltDependencies mechanism, git dependencies can still execute prepare, prepublish, and prepack scripts during the fetch phase, enabling remote code execution without user consent or approval. This issue is fixed in version 10.26.0.
Source: NVD
Score 9.8
Published January 7, 2026
Severity CRITICAL
CNA Score 8.8
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date
Wiz · blogs_wiz · CVSS 4.3
GHSA-v2wj-q39q-566r [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-v2wj-q39q-566r: JavaScript vulnerability analysis and mitigation
## Summary
Identifiers recovered from the advisory text: `server.fs.deny`.
## Impact
Only apps that match the following conditions are affected (identifiers recovered from the advisory text): `--host`, `server.host`, `server.fs.allow`, `server.fs.deny`.
## Details
Identifiers recovered from the advisory text: `server.fs.deny`, `.env`, `*.crt`, `?raw`, `?import&raw`, `?import&url&inline`.
## PoC
```shell
pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort
```
`server.fs.deny`
```shell
curl -i http://127.0.0.1:5175/src/.env | head -n 20
```
Confirm that the same files can be retrieved with query parameters (expect 200):
Source: NVD
Score 8.2
Published April 6, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS)
Wiz · blogs_wiz · CVSS 2.0
CVE-2026-29184 [LOW] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29184: JavaScript vulnerability analysis and mitigation
Backstage is an open framework for building developer portals. Prior to version 3.1.4, a malicious scaffolder template can bypass the log redaction mechanism to exfiltrate secrets provided run through task event logs. This issue has been patched in version 3.1.4.
Source: NVD
Score 2
Published March 7, 2026
Severity LOW
CNA Score 2.0
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@backstage/plugin-scaffolder-backend
Sources
NVD
npm Severity LOW Has Fix Added at: Mar 08, 2026
Wiz · blogs_wiz · CVSS 5.4
CVE-2025-64166 [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-64166: JavaScript vulnerability analysis and mitigation
Mercurius is a GraphQL adapter for Fastify. Prior to version 16.4.0, a cross-site request forgery (CSRF) vulnerability was identified. The issue arises from incorrect parsing of the Content-Type header in requests. Specifically, requests with Content-Type values such as application/x-www-form-urlencoded, multipart/form-data, or text/plain could be misinterpreted as application/json. This misinterpretation bypasses the preflight checks performed by the fetch() API, potentially allowing unauthorized actions to be performed on behalf of an authenticated user. This issue has been patched in version 16.4.0.
Source: NVD
Score 5.4
Published March 5, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
JavaScript
Wiz · blogs_wiz · CVSS 9.8
CVE-2026-22709 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22709: JavaScript vulnerability analysis and mitigation
Identifiers recovered from the advisory text: `Promise.prototype.then`, `Promise.prototype.catch`, `localPromise.prototype.then`, `globalPromise.prototype.then`, `globalPromise`.
Source: NVD
Score 10
Published January 26, 2026
Severity CRITICAL
CNA Score 9.8
High-profile Vulnerability Yes
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
vm2
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Jan 27, 2026
Wiz · blogs_wiz · CVSS 4.3
GHSA-3573-4c68-g8cc [MEDIUM] Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-3573-4c68-g8cc: JavaScript vulnerability analysis and mitigation
## Security Advisory: Open Redirect in Directus SAML Authentication
## Summary
Identifiers recovered from the advisory text: `RelayState`.
## Vulnerability Description
Identifiers recovered from the advisory text: `RelayState`.
## Impact
Phishing: users can be redirected to attacker-controlled sites that mimic legitimate login pages.
Credential theft: chained attacks may leverage the redirect to capture OAuth tokens or authorization codes.
Trust erosion: users may lose confidence in the application's security posture.
This vulnerability can be exploited without authentication.
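For the open-redirect entries above (Qwik's protocol-relative URL case and the Directus SAML `RelayState` case), an added validator that is not Directus or Qwik code: it accepts only a relative path on the application's own origin, resolving the candidate with the WHATWG URL parser so it is judged the way a browser would parse it. The origin `https://app.example`, the `/admin` fallback and the probe inputs are assumptions for the example.

```javascript
// Added example, not Directus or Qwik code: a post-login redirect validator
// that accepts only same-origin relative paths. The origin, the fallback and
// the probe inputs are constructed for the example.
const APP_ORIGIN = 'https://app.example';

// Returns a safe path to redirect to, or the fallback when the candidate could
// leave the origin. The first test rejects anything not starting with a single
// "/" (so "//host", "/\host", "https://host", "javascript:" all fail); the
// URL parse against our own origin is the backstop for anything else a
// browser would treat as absolute.
function safeRedirectTarget(candidate, fallback = '/admin') {
  if (typeof candidate !== 'string' || candidate === '') return fallback;
  if (!/^\/(?![\/\\])/.test(candidate)) return fallback;
  let parsed;
  try {
    parsed = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (parsed.origin !== APP_ORIGIN) return fallback;
  // Re-emit only the components we accept; anything else the parser kept
  // (credentials, a different port) is discarded.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Constructed candidates an attacker might place in a redirect parameter,
// mapped to the expected outcome.
const PROBES = {
  '/admin/settings?tab=2': '/admin/settings?tab=2',
  '//evil.example/phish': '/admin',
  '/\\evil.example': '/admin',
  'https://evil.example/': '/admin',
  'https:evil.example': '/admin',
  'javascript:alert(1)': '/admin',
  '/admin/../login': '/login',
  '': '/admin',
};

function runProbes() {
  const out = {};
  for (const input of Object.keys(PROBES)) out[input] = safeRedirectTarget(input);
  return out;
}

console.log(runProbes());
```

An allow-list of exact post-login destinations is stricter still and is the right choice when the set of valid targets is small; the validator above is for the case where the application legitimately needs to return the user to an arbitrary page of its own.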
Source: NVD
Score 4.3
Published January 6, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz · blogs_wiz · CVSS 9.6
CVE-2025-66398 [CRITICAL] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66398: JavaScript vulnerability analysis and mitigation
Identifiers recovered from the advisory text: `restoreFilePath`, `/skServer/validateBackup`, `security.json`, `package.json`.
Source: NVD
Score 8.8
Published January 1, 2026
Severity HIGH
CNA Score 9.6
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 27
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
signalk-server
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Jan 02, 2026
Wiz · blogs_wiz · CVSS 7.5
CVE-2026-32141 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32141: JavaScript vulnerability analysis and mitigation
flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase to resolve circular references in deserialized JSON. When given a crafted payload with deeply nested or self-referential $ indices, the recursion depth is unbounded, causing a stack overflow that crashes the Node.js process. This vulnerability is fixed in 3.4.0.
Source: NVD
Score 7.5
Published March 12, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
node-fl
Wiz · blogs_wiz · CVSS 8.6
CVE-2026-25951 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25951: JavaScript vulnerability analysis and mitigation
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences (e.g., ....//), an attacker can write arbitrary files to the server filesystem, including sensitive directories like runtime/scripts. This leads to Remote Code Execution (RCE) when the server reloads the malicious scripts. This vulnerability is fixed in 1.2.11.
Source: NVD
Score 8.6
Published February 9, 2026
Severity HIGH
CNA Score 8.6
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
Wiz · blogs_wiz · CVSS 7.5
CVE-2026-33671 [HIGH] Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33671: JavaScript vulnerability analysis and mitigation
+()
*()
picomatch
picomatch
noextglob: true
+()
*()
Source : NVD
## 7.5
Score
Published March 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.3
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
grafana-cloudwatch
grafana-stackdriver
Sources
NVD
Chainguard Has Fix Added at: Mar 29, 2026
Debian 11, 12, 13 Severity MEDIUM No Fix Added at: Mar 29, 2026
Debian 14 Severity HIGH Has Fix Added at: Mar 29, 2026
Echo Severity HIGH No Fix Added at: Mar 29, 2026
npm Severity HIGH Has Fix Added at: Mar 26, 2026
Min
Wiz
CVE-2026-34780 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-34780 [HIGH] CVE-2026-34780 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34780 :
JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects (from the WebCodecs API) across the contextBridge are vulnerable to a context isolation bypass. An attacker who can execute JavaScript in the main world (for example, via XSS) can use a bridged VideoFrame to gain access to the isolated world, including any Node.js APIs exposed to the preload script. Apps are only affected if a preload script returns, resolves, or passes a VideoFrame object to the main world via contextBridge.exposeInMainWorld(). Apps that do not
Wiz
CVE-2026-1721 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.2
CVE-2026-1721 [MEDIUM] CVE-2026-1721 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1721 :
JavaScript vulnerability analysis and mitigation
Summary
error_description
Root cause
site/ai-playground/src/server.ts
authError
error_description
Impact
An attacker could craft a malicious link that, when clicked by a victim, would:
Steal user chat message history - Access all LLM interactions stored in the user's session.
Access connected MCP Servers - Interact with any MCP servers connected to the victim's session (public or authenticated/private), potentially allowing the attacker to perform actions on the victim's behalf
Mitigation:
PR: https://github.com/cloudflare/agents/pull/841
Agents-sdk users should upgrade to [email protected]
Developers using configureOAuthCallback with custom error handling in their o
Wiz
CVE-2026-28474 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-28474 [CRITICAL] CVE-2026-28474 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28474 :
JavaScript vulnerability analysis and mitigation
OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room allowlists. An attacker can change their Nextcloud display name to match an allowlisted user ID and gain unauthorized access to restricted conversations.
Source : NVD
## 9.3
Score
Published March 5, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@openclaw/nextcloud-talk
Sources
Wiz
CVE-2026-22596 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.7
CVE-2026-22596 [MEDIUM] CVE-2026-22596 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22596 :
JavaScript vulnerability analysis and mitigation
Ghost is a Node.js content management system. In versions 5.90.0 through 5.130.5 and 6.0.0 through 6.10.3, a vulnerability in Ghost's /ghost/api/admin/members/events endpoint allows users with authentication credentials for the Admin API to execute arbitrary SQL. This issue has been patched in versions 5.130.6 and 6.11.0.
Source : NVD
## 7.2
Score
Published January 10, 2026
Severity HIGH
CNA Score 6.7
Affected Technologies
JavaScript
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 30.9
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ghost
Sources
NVD
npm Severity MEDIUM Has Fix Added a
Wiz
CVE-2026-25751 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-25751 [CRITICAL] CVE-2026-25751 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25751 :
JavaScript vulnerability analysis and mitigation
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
Source : NVD
##
Wiz
CVE-2026-23737 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-23737 [HIGH] CVE-2026-23737 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23737 :
JavaScript vulnerability analysis and mitigation
seroval facilitates JS value stringification, including complex structures beyond JSON.stringify capabilities. In versions 1.4.0 and below, improper input handling in the JSON deserialization component can lead to arbitrary JavaScript code execution. Exploitation is possible via overriding constant value and error deserialization, allowing indirect access to unsafe JS evaluation. At minimum, attackers need the ability to perform 4 separate requests on the same function, and partial knowledge of how the serialized data is used during later runtime processing. This vulnerability affects the fromJSON and fromCrossJSON functions in a client-to-server transmission scenario. This issue has been fixed in version 1.4.0.
Source
Wiz
GHSA-m272-9rp6-32mc Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-m272-9rp6-32mc Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-m272-9rp6-32mc :
JavaScript vulnerability analysis and mitigation
## Summary
@orpc/client
Object.prototype
## Vulnerability Details
deserialize()
StandardRPCJsonSerializer
meta
maps
__proto__
constructor
meta
Map
Set
Date
maps
getBlob(i)
FormData.get(i.toString())
as Blob
## Proof of Concept
pnpm dev
curl
```sh
curl -X POST http://localhost:4321/rpc/planet/create \
  -F 'data={"json":{},"meta":[],"maps":[["__proto__","role"]]}' \
  -F '0=admin'
```
maps
__proto__
0
"admin"
Object.prototype.role = "admin"
## Impact
StandardRPCJsonSerializer
if (user.role === "admin")
true
Remote Code Execution: If the application or its dependencies contain susceptible prototype pollution gadgets (e.g., dynamically executing shell commands or scripts based on object propert
Wiz
CVE-2026-31839 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-31839 [HIGH] CVE-2026-31839 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31839 :
JavaScript vulnerability analysis and mitigation
Striae is a firearms examiner's comparison companion. A high-severity integrity bypass vulnerability existed in Striae's digital confirmation workflow prior to v3.0.0. Hash-only validation trusted manifest hash fields that could be modified together with package content, allowing tampered confirmation packages to pass integrity checks. This vulnerability is fixed in 3.0.0.
Source : NVD
## 7.5
Score
Published March 11, 2026
Severity HIGH
CNA Score 8.2
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@striae-org/st
Wiz
CVE-2026-34768 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.9
CVE-2026-34768 [LOW] CVE-2026-34768 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34768 :
JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, on Windows, app.setLoginItemSettings({openAtLogin: true}) wrote the executable path to the Run registry key without quoting. If the app is installed to a path containing spaces, an attacker with write access to an ancestor directory may be able to cause a different executable to run at login instead of the intended app. On a default Windows install, standard system directories are protected against writes by standard users, so exploitation typically requires a non-standard install location. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.0, and
Wiz
CVE-2025-69202 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.0
CVE-2025-69202 [MEDIUM] CVE-2025-69202 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69202 :
JavaScript vulnerability analysis and mitigation
Authorization
Vary: Authorization
Vary
v1.11.1
Vary
Vary: Authorization
Source : NVD
## 6
Score
Published December 29, 2025
Severity MEDIUM
CNA Score 6.0
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 14.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
axios-cache-interceptor
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Dec 31, 2025
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.
Wiz
CVE-2026-30887 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-30887 [CRITICAL] CVE-2026-30887 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30887 :
JavaScript vulnerability analysis and mitigation
OneUptime is a solution for monitoring and managing online services. Prior to 10.0.18, OneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js vm module. By leveraging a standard prototype-chain escape (this.constructor.constructor), an attacker can bypass the sandbox, gain access to the underlying Node.js process object, and execute arbitrary system commands (RCE) on the oneuptime-probe container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise. This vulnerability is fixed in 10.0.
Wiz
CVE-2026-24134 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-24134 [MEDIUM] CVE-2026-24134 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24134 :
JavaScript vulnerability analysis and mitigation
StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the "Visitor" role to access draft content created by Editor/Admin/Owner users. Version 0.2.0 patches the issue.
Source : NVD
## 6.5
Score
Published January 28, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 12.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
studiocms
Sources
NVD
npm Severity
Wiz
CVE-2026-35394 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-35394 [HIGH] CVE-2026-35394 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35394 :
JavaScript vulnerability analysis and mitigation
Mobile Next is an MCP server for mobile development and automation. Prior to 0.0.50, the mobile_open_url tool in mobile-mcp passes user-supplied URLs directly to Android's intent system without any scheme validation, allowing execution of arbitrary Android intents, including USSD codes, phone calls, SMS messages, and content provider access. This vulnerability is fixed in 0.0.50.
Source : NVD
## 8.3
Score
Published April 6, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@mobile
Wiz
CVE-2026-3484 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-3484 [MEDIUM] CVE-2026-3484 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3484 :
JavaScript vulnerability analysis and mitigation
A vulnerability was detected in PhialsBasement nmap-mcp-server up to bee6d23547d57ae02460022f7c78ac0893092e38. Affected by this issue is the function child_process.exec of the file src/index.ts of the component Nmap CLI Command Handler. The manipulation results in command injection. The attack may be performed remotely. This product uses a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The patch is identified as 30a6b9e1c7fa6146f51e28d6ab83a2568d9a3488. It is best practice to apply a patch to resolve this issue.
Source : NVD
## 5.3
Score
Published March 3, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScri
Wiz
CVE-2025-69981 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-69981 [CRITICAL] CVE-2025-69981 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69981 :
JavaScript vulnerability analysis and mitigation
/api/upload
Source : NVD
## 9.8
Score
Published February 3, 2026
Severity CRITICAL
CNA Score 7.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 15.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fuxa-server
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 08, 2026
Wiz
CVE-2026-22031 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.4
CVE-2026-22031 [HIGH] CVE-2026-22031 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22031 :
JavaScript vulnerability analysis and mitigation
/%61dmin
/admin
Source : NVD
## 8.8
Score
Published January 19, 2026
Severity HIGH
CNA Score 8.4
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 29.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@fastify/middie
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 21, 2026
Wiz
CVE-2026-27804 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-27804 [CRITICAL] CVE-2026-27804 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27804 :
JavaScript vulnerability analysis and mitigation
alg: "none"
RS256
jwks-rsa
Source : NVD
## 9.3
Score
Published February 26, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 11
Exploitation Probability (EPSS) N/A
Affected packages and libraries
parse-server
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-28359 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-28359 [MEDIUM] CVE-2026-28359 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28359 :
JavaScript vulnerability analysis and mitigation
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, an authenticated user with Editor role can inject arbitrary HTML into Rich Text cells by bypassing the TipTap editor and sending raw HTML via the API. This issue has been patched in version 0.301.3.
Source : NVD
## 5.3
Score
Published March 2, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
nocodb
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Mar 03, 2026
Wiz
CVE-2026-33949 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.1
CVE-2026-33949 [HIGH] CVE-2026-33949 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33949 :
JavaScript vulnerability analysis and mitigation
Tina is a headless content management system. Prior to version 2.2.2, a path traversal vulnerability in @tinacms/graphql allows unauthenticated users to write and overwrite arbitrary files within the project root. This is achieved by manipulating the relativePath parameter in GraphQL mutations. The impact includes the ability to replace critical server configuration files and potentially execute arbitrary commands by sabotaging build scripts. This issue has been patched in version 2.2.2.
Source : NVD
## 8.1
Score
Published April 1, 2026
Severity HIGH
CNA Score 8.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Prob
Wiz
CVE-2026-34747 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.5
CVE-2026-34747 [HIGH] CVE-2026-34747 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34747 :
JavaScript vulnerability analysis and mitigation
Payload is a free and open source headless content management system. Prior to version 3.79.1, certain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections. This issue has been patched in version 3.79.1.
Source : NVD
## 8.5
Score
Published April 1, 2026
Severity HIGH
CNA Score 8.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.8
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
payload
Sources
NVD
npm Severity HIGH Has Fix Added at: Apr 02, 2026
Wiz
CVE-2026-3455 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2026-3455 [MEDIUM] CVE-2026-3455 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3455 :
JavaScript vulnerability analysis and mitigation
Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote " to the URL with embedded malicious JavaScript code.
Source : NVD
## 5.1
Score
Published March 3, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 10.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mailparser
Sources
NVD
npm Severity LOW Has Fix Added at: Mar
Wiz
CVE-2025-15599 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2025-15599 [MEDIUM] CVE-2025-15599 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15599 :
JavaScript vulnerability analysis and mitigation
DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags (such as a closing textarea tag) in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.
Source : NVD
## 5.1
Score
Published March 3, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
JavaScript
Grafana
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitat
Wiz
CVE-2026-35515 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-35515 [MEDIUM] CVE-2026-35515 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35515 :
JavaScript vulnerability analysis and mitigation
## Impact
SseStream._transform()
message.type
message.id
\r
\n
\r
\n
\n\n
id
event
event:
EventSource.addEventListener()
data:
id:
Last-Event-ID
type
id
## Patches
@nestjs/[email protected]
Source : NVD
## 6.3
Score
Published April 6, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@nestjs/core
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Apr 06, 2026
Wiz
CVE-2026-30048 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.4
CVE-2026-30048 [MEDIUM] CVE-2026-30048 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30048 :
JavaScript vulnerability analysis and mitigation
A stored cross-site scripting (XSS) vulnerability exists in the NotChatbot WebChat widget through 1.4.4. User-supplied input is not properly sanitized before being stored and rendered in the chat conversation history. This allows an attacker to inject arbitrary JavaScript code which is executed when the chat history is reloaded. The issue is reproducible across multiple independent implementations of the widget, indicating that the vulnerability resides in the product itself rather than in a specific website configuration.
Source : NVD
## 5.4
Score
Published March 18, 2026
Severity MEDIUM
CNA Score 5.4
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CI
Wiz
CVE-2025-67647 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.4
CVE-2025-67647 [HIGH] CVE-2025-67647 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67647 :
JavaScript vulnerability analysis and mitigation
SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.49.5, SvelteKit is vulnerable to a server side request forgery (SSRF) and denial of service (DoS) under certain conditions. From 2.44.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route (export const prerender = true). From 2.19.0 through 2.49.4, the vulnerability results in a DoS when your app has at least one prerendered route and you are using adapter-node without a configured ORIGIN environment variable, and you are not using a reverse proxy that implements Host header validation. This vulnerability is fixed in 2.49.5.
Source : NVD
## 8.4
Score
Published
Wiz
CVE-2026-35216 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.0
CVE-2026-35216 [CRITICAL] CVE-2026-35216 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35216 :
JavaScript vulnerability analysis and mitigation
Budibase is an open-source low-code platform. Prior to version 3.33.4, an unauthenticated attacker can achieve Remote Code Execution (RCE) on the Budibase server by triggering an automation that contains a Bash step via the public webhook endpoint. No authentication is required to trigger the exploit. The process executes as root inside the container. This issue has been patched in version 3.33.4.
Source : NVD
## 9
Score
Published April 3, 2026
Severity CRITICAL
CNA Score 9.0
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 56.4
Exploitation Probability (EPSS) 0.3
Affected packages an
Wiz
CVE-2026-25896 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-25896 [CRITICAL] CVE-2026-25896 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25896 :
JavaScript vulnerability analysis and mitigation
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Wiz Threat Research note: This vulnerability's initial access potential has been overridden to FALSE by the Wiz Research team, as it is an XSS vulnerability and therefore does not allow access to the host.
Source : NVD
## 9.3
Score
Published February 2
Wiz
CVE-2026-23890 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2026-23890 [MEDIUM] CVE-2026-23890 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23890 :
JavaScript vulnerability analysis and mitigation
node_modules/.bin
@
../../
Source : NVD
## 6.5
Score
Published January 26, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
pnpm
Sources
NVD
Alpine 3.21, 3.22, 3.23, edge Severity MEDIUM No Fix Added at: Jan 29, 2026
Chainguard Has Fix Added at: Jan 27, 2026
npm Severity MEDIUM Has Fix Added at: Jan 27, 2026
Homebrew Severity MEDIUM Has Fix Added at: Jan 29, 2026
MinimOS Severity MEDIUM Has Fix Added at: Jan 29, 2026
Nix Severity MEDIUM Has Fix Added at: Jan 29,
Wiz
CVE-2026-35413 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-35413 [MEDIUM] CVE-2026-35413 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35413 :
JavaScript vulnerability analysis and mitigation
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, when GRAPHQL_INTROSPECTION=false is configured, Directus correctly blocks standard GraphQL introspection queries (__schema, __type). However, the server_specs_graphql resolver on the /graphql/system endpoint returns an equivalent SDL representation of the schema and was not subject to the same restriction. This allowed the introspection control to be bypassed, exposing schema structure (collection names, field names, types, and relationships) to unauthenticated users at the public permission level, and to authenticated users at their permitted permission level. This vulnerability is fixed in 11.16.1.
Source : NVD
## 5.3
Wiz
CVE-2026-31875 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.2
CVE-2026-31875 [HIGH] CVE-2026-31875 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31875 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication (MFA) via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as a fallback when the user cannot provide a TOTP token. However, recovery codes are not consumed after use, allowing the same recovery code to be used an unlimited number of times. This defeats the single-use design of recovery codes and weakens the security of MFA-protected accounts. An attacker who obtains a single recovery code can repeatedly authenticate as the affected user without the code ever being invalidated. This vul
Wiz
CVE-2026-5327 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-5327 [MEDIUM] CVE-2026-5327 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-5327 :
JavaScript vulnerability analysis and mitigation
A security flaw has been discovered in efforthye fast-filesystem-mcp up to 3.5.1. The affected element is the function handleGetDiskUsage of the file src/index.ts. Performing a manipulation results in command injection. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
Source : NVD
## 5.3
Score
Published April 2, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 76
Exploitation Probab
Wiz
CVE-2025-15056 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.1
CVE-2025-15056 [MEDIUM] CVE-2025-15056 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-15056 :
JavaScript vulnerability analysis and mitigation
A lack of data validation vulnerability in the HTML export feature in Quill allows Cross-Site Scripting (XSS).
This issue affects Quill: 2.0.3.
Source : NVD
## 5.1
Score
Published January 13, 2026
Severity MEDIUM
CNA Score 5.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 21.5
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
quill
Sources
NVD
npm Severity LOW No Fix Added at: Jan 18, 2026
Wiz
CVE-2026-25752 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-25752 [CRITICAL] CVE-2026-25752 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25752 :
JavaScript vulnerability analysis and mitigation
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnected devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
Source : NVD
## 9.3
Score
Published February 6, 2026
Severity CRITICAL
CNA Score 9.3
Wiz
CVE-2026-35411 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-35411 [MEDIUM] CVE-2026-35411 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-35411 :
JavaScript vulnerability analysis and mitigation
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.16.1, Directus is vulnerable to an open redirect via the redirect query parameter on the /admin/tfa-setup page. When an administrator who has not yet configured Two-Factor Authentication (2FA) visits a crafted URL, they are presented with the legitimate Directus 2FA setup page. After completing the setup process, the application redirects the user to the attacker-controlled URL specified in the redirect parameter without any validation. This vulnerability could be used in phishing attacks targeting Directus administrators, as the initial interaction occurs on a trusted domain. This vulnerability is fixed in 11.16.1.
Source : NVD
Wiz
CVE-2026-26831 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-26831 [CRITICAL] CVE-2026-26831 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26831 :
JavaScript vulnerability analysis and mitigation
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization
Source : NVD
## 9.8
Score
Published March 25, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
JavaScript
Homebrew
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 63.2
Exploitation Probability (EPSS) 0.4
Affected packages and libraries
textract
Sources
NVD
npm Severity CRITICAL No Fix Added
Wiz
CVE-2025-69971 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2025-69971 [CRITICAL] CVE-2025-69971 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-69971 :
JavaScript vulnerability analysis and mitigation
FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access.
Source : NVD
## 9.8
Score
Published February 3, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 88.9
Exploitation Probability (EPSS) 4.3
Affected packages and libraries
fuxa-server
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 08, 2026
Wiz
CVE-2026-23966 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-23966 [CRITICAL] CVE-2026-23966 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23966 :
JavaScript vulnerability analysis and mitigation
sm-crypto provides JavaScript implementations of the Chinese cryptographic algorithms SM2, SM3, and SM4. A private key recovery vulnerability exists in the SM2 decryption logic of sm-crypto prior to version 0.3.14. By interacting with the SM2 decryption interface multiple times, an attacker can fully recover the private key within approximately several hundred interactions. Version 0.3.14 patches the issue.
Source : NVD
## 9.1
Score
Published January 22, 2026
Severity CRITICAL
CNA Score 9.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.9
Exploitation Probability (EPSS) N/A
Wiz
CVE-2026-22696 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-22696 [CRITICAL] CVE-2026-22696 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22696 :
JavaScript vulnerability analysis and mitigation
@phala/dcap-qvl-node
@phala/dcap-qvl-web
@phala/dcap-qvl
Source : NVD
## 9.3
Score
Published January 26, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
Python
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 0.9
Exploitation Probability (EPSS) N/A
Affected packages and libraries
dcap-qvl
@phala/dcap-qvl
Sources
NVD
Rust Severity CRITICAL Has Fix Added at: Jan 27, 2026
npm Severity CRITICAL Has Fix Added at: Jan 27, 2026
pip Severity CRITICAL Has Fix Added at: Jan 27, 2026
Wiz
CVE-2026-2581 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.9
CVE-2026-2581 [MEDIUM] CVE-2026-2581 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-2581 :
JavaScript vulnerability analysis and mitigation
This is an uncontrolled resource consumption vulnerability (CWE-400) that can lead to Denial of Service (DoS).
In vulnerable Undici versions, when interceptors.deduplicate() is enabled, response data for deduplicated requests could be accumulated in memory for downstream handlers. An attacker-controlled or untrusted upstream endpoint can exploit this with large/chunked responses and concurrent identical requests, causing high memory usage and potential OOM process termination.
Impacted users are applications that use Undici’s deduplication interceptor against endpoints that may produce large or long-lived response bodies.
Patches: The issue has been patched by changing deduplication behavior to stream response chunks to
Wiz
CVE-2026-32887 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.4
CVE-2026-32887 [HIGH] CVE-2026-32887 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32887 :
JavaScript vulnerability analysis and mitigation
RpcServer.toWebHandler
HttpApp.toWebHandlerRuntime
AsyncLocalStorage
auth()
@clerk/nextjs/server
Source : NVD
## 7.4
Score
Published March 20, 2026
Severity HIGH
CNA Score 7.4
Affected Technologies
JavaScript
Wolfi
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 1.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
jitsucom-jitsu
langfuse-3
Sources
NVD
Chainguard Has Fix Added at: Apr 05, 2026
npm Severity HIGH Has Fix Added at: Mar 21, 2026
Wolfi Has Fix Added at: Apr 05, 2026
Wiz
CVE-2026-27492 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.7
CVE-2026-27492 [MEDIUM] CVE-2026-27492 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27492 :
JavaScript vulnerability analysis and mitigation
Lettermint Node.js SDK is the official Node.js SDK for Lettermint. In versions 1.5.0 and below, email properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected. This issue has been fixed in version 1.5.1.
Source : NVD
## 4.7
Score
Published February 21, 2026
Severity MEDIUM
CNA Score 4.7
Affected Technologies
JavaScript
Wiz
CVE-2026-34764 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 2.3
CVE-2026-34764 [LOW] CVE-2026-34764 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34764 :
JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From 33.0.0-alpha.1 to before 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that use offscreen rendering with GPU shared textures may be vulnerable to a use-after-free. Under certain conditions, the release() callback provided on a paint event texture can outlive its backing native state, and invoking it after that point dereferences freed memory in the main process, which may lead to a crash or memory corruption. Apps are only affected if they use offscreen rendering with webPreferences.offscreen: { useSharedTexture: true }. Apps that do not enable shared-texture offscreen rendering are not affected. To mitigate t
Wiz
CVE-2026-34208 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-34208 [CRITICAL] CVE-2026-34208 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34208 :
JavaScript vulnerability analysis and mitigation
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.36, SandboxJS blocks direct assignment to global objects (for example Math.random = ...), but this protection can be bypassed through an exposed callable constructor path: this.constructor.call(target, attackerObject). Because this.constructor resolves to the internal SandboxGlobal function and Function.prototype.call is allowed, attacker code can write arbitrary properties into host global objects and persist those mutations across sandbox instances in the same process. This vulnerability is fixed in 0.8.36.
Source : NVD
## 10
Score
Published April 6, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
JavaScript
Has Public Exploit No
Wiz
CVE-2026-23830 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-23830 [CRITICAL] CVE-2026-23830 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23830 :
JavaScript vulnerability analysis and mitigation
AsyncFunction
SandboxFunction
Function
SandboxFunction
utils.ts
Function
sandboxFunction
AsyncFunction
GeneratorFunction
AsyncGeneratorFunction
.constructor
(async () => {}).constructor
executor.ts
.constructor
executor
AsyncFunction
executor
AsyncFunction
Function
AsyncFunction
AsyncFunction
Source : NVD
## 10
Score
Published January 28, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 41.5
Exploitation Probability (EPSS) 0.2
Affected packages and libraries
@nyariv/sandboxjs
Sources
NVD
npm Severity CRITICAL Has Fix Added
Wiz
CVE-2026-25895 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.5
CVE-2026-25895 [CRITICAL] CVE-2026-25895 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25895 :
JavaScript vulnerability analysis and mitigation
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. A path traversal vulnerability in FUXA allows an unauthenticated, remote attacker to write arbitrary files to arbitrary locations on the server filesystem. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10.
Source : NVD
## 9.5
Score
Published February 9, 2026
Severity CRITICAL
CNA Score 9.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 20.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
fuxa-server
Sources
NVD
npm Severity CRITICAL Has Fix Added
Wiz
CVE-2026-34595 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-34595 [MEDIUM] CVE-2026-34595 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34595 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.70 and 9.7.0-alpha.18, an authenticated user with find class-level permission can bypass the protectedFields class-level permission setting on LiveQuery subscriptions. By sending a subscription with a $or, $and, or $nor operator value as a plain object with numeric keys and a length property (an "array-like" object) instead of an array, the protected-field guard is bypassed. The subscription event firing acts as a binary oracle, allowing the attacker to infer whether a protected field matches a given test value. This issue has been patched in versions 8.6.70 and 9.7.0-alpha.18.
Source : NVD
Wiz
CVE-2026-30835 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-30835 [MEDIUM] CVE-2026-30835 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30835 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.7 and 9.5.0-alpha.6, malformed $regex query parameter (e.g. [abc) causes the database to return a structured error object that is passed unsanitized through the API response. This leaks database internals such as error messages, error codes, code names, cluster timestamps, and topology details. The vulnerability is exploitable by any client that can send query requests, depending on the deployment's permission configuration. This issue has been patched in versions 8.6.7 and 9.5.0-alpha.6.
Source : NVD
## 6.9
Score
Published March 6, 2026
Severity MEDIUM
CNA Score 6.9
Wiz
CVE-2026-29053 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-29053 [HIGH] CVE-2026-29053 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29053 :
JavaScript vulnerability analysis and mitigation
Ghost is a Node.js content management system. From version 0.7.2 to 6.19.0, specifically crafted malicious themes can execute arbitrary code on the server running Ghost. This issue has been patched in version 6.19.1.
Source : NVD
## 9.8
Score
Published March 5, 2026
Severity CRITICAL
CNA Score 7.6
Affected Technologies
JavaScript
NixOS
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.1
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
ghost
Sources
NVD
npm Severity HIGH Has Fix Added at: Mar 04, 2026
Nix Severity CRITICAL Has Fix Added at: Mar 10, 2026
Wiz
CVE-2025-67718 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2025-67718 [HIGH] CVE-2025-67718 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67718 :
JavaScript vulnerability analysis and mitigation
Form.io is a combined Form and API platform for Serverless applications. Versions 3.5.6 and below and 4.0.0-rc.1 through 4.4.2 contain a flaw in path handling which could allow an attacker to access protected API endpoints by sending a crafted request path. An unauthenticated or unauthorized request could retrieve data from endpoints that should be protected. This issue is fixed in versions 3.5.7 and 4.4.3.
Source : NVD
## 8.7
Score
Published December 11, 2025
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.5
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-34404 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-34404 [MEDIUM] CVE-2026-34404 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34404 :
JavaScript vulnerability analysis and mitigation
Nuxt OG Image generates OG Images with Vue templates in Nuxt. Prior to version 6.2.5, the image-generation component served at the URI /_og/d/ (and, in older versions, /og-image/) contains a Denial of Service (DoS) vulnerability. The issue arises because there is no restriction on the width and height parameters of the generated image. The vulnerability was reproduced using the standard configuration and the default templates. This issue has been patched in version 6.2.5.
Source : NVD
## 6.9
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-32594 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.9
CVE-2026-32594 [MEDIUM] CVE-2026-32594 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-32594 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.40 and 9.6.0-alpha.14, the GraphQL WebSocket endpoint for subscriptions does not pass requests through the Express middleware chain that enforces authentication, introspection control, and query complexity limits. An attacker can connect to the WebSocket endpoint and execute GraphQL operations without providing a valid application or API key, access the GraphQL schema via introspection even when public introspection is disabled, and send arbitrarily complex queries that bypass configured complexity limits. This vulnerability is fixed in 8.6.40 and 9.6.0-alpha.14.
Source : NVD
## 6.9
Score
Wiz
CVE-2025-68665 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.6
CVE-2025-68665 [HIGH] CVE-2025-68665 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68665 :
JavaScript vulnerability analysis and mitigation
LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON() method (and subsequently when string-ifying objects using JSON.stringify()). The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in @langchain/core versions 0.3.80 and 1.1.8, and langchain versio
Wiz
CVE-2026-1774 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
CVE-2026-1774 [CRITICAL] CVE-2026-1774 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-1774 :
JavaScript vulnerability analysis and mitigation
CASL Ability, versions 2.4.0 through 6.7.4, contains a prototype pollution vulnerability.
Source : NVD
## 9.8
Score
Published February 10, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@casl/ability
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Feb 12, 2026
Wiz
CVE-2025-68619 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.3
CVE-2025-68619 [HIGH] CVE-2025-68619 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68619 :
JavaScript vulnerability analysis and mitigation
postinstall
package.json
postinstall
Source : NVD
## 7.3
Score
Published January 1, 2026
Severity HIGH
CNA Score 7.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 17.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
signalk-server
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 02, 2026
Wiz
CVE-2025-8082 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2025-8082 [MEDIUM] CVE-2025-8082 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-8082 :
JavaScript vulnerability analysis and mitigation
Improper neutralization of the title date in the 'VDatePicker' component in Vuetify, allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS) https://owasp.org/www-community/attacks/xss attack. The vulnerability occurs because the 'title-date-format' property of the 'VDatePicker' can accept a user created function and assign its output to the 'innerHTML' property of the title element without sanitization.
This issue affects Vuetify versions greater than or equal to 2.0.0 and less than 3.0.0.
Note:
Version 2.x of Vuetify is End-of-Life and will not receive any updates to address this issue. For more information see here https://v2.vuetifyjs.com/en/about/eol/ .
Source : NVD
Wiz
CVE-2026-26980 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
CVE-2026-26980 [CRITICAL] CVE-2026-26980 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26980 :
JavaScript vulnerability analysis and mitigation
Ghost is a Node.js content management system. Versions 3.24.0 through 6.19.0 allow unauthenticated attackers to perform arbitrary reads from the database. This issue has been fixed in version 6.19.1.
Source : NVD
## 7.5
Score
Published February 20, 2026
Severity HIGH
CNA Score 9.4
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 96.4
Exploitation Probability (EPSS) 27.5
Affected packages and libraries
ghost
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Feb 19, 2026
Nix Severity HIGH Has Fix Added at: Feb 24, 2026
Wiz
CVE-2025-66803 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.8
CVE-2025-66803 [MEDIUM] CVE-2025-66803 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-66803 :
JavaScript vulnerability analysis and mitigation
Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests based on sequence or timing) or by physically proximate attackers when the race condition occurs naturally on shared computers.
Source : NVD
## 4.8
Score
Published January 20, 2026
Severity MEDIUM
CNA Score 4.8
Affected Technologies
JavaScript
NixOS
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16
Exploitation Probability (EPSS) 0.1
Wiz
CVE-2026-39364 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-39364 [MEDIUM] CVE-2026-39364 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-39364 :
JavaScript vulnerability analysis and mitigation
## Summary
server.fs.deny
## Impact
Only apps that match the following conditions are affected:
--host
server.host
server.fs.allow
server.fs.deny
## Details
server.fs.deny
.env
*.crt
?raw
?import&raw
?import&url&inline
## PoC
pnpm exec vite root --host 127.0.0.1 --port 5175 --strictPort
server.fs.deny
curl -i http://127.0.0.1:5175/src/.env | head -n 20
Confirm that the same files can be retrieved with query parameters (expect 200):
Source : NVD
## 8.2
Score
Published April 6, 2026
Severity HIGH
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Wiz
CVE-2026-31862 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.1
CVE-2026-31862 [CRITICAL] CVE-2026-31862 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31862 :
JavaScript vulnerability analysis and mitigation
Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.24.0, multiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands. This vulnerability is fixed in 1.24.0.
Source : NVD
## 8.8
Score
Published March 11, 2026
Severity HIGH
CNA Score 9.1
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 19.2
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
@siteboon/claude
Wiz
GHSA-xv56-3wq5-9997 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
[HIGH] GHSA-xv56-3wq5-9997 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-xv56-3wq5-9997 :
JavaScript vulnerability analysis and mitigation
## Summary
kustomize
helm pull --untar
## Details
kustomization.yaml
index.yaml
depName
helmRepositoryArgs
quote
shlex
## PoC
index.yaml
apiVersion: v1
entries:
"example || kill 1; echo":
- version: 1.0.1
created: 2016-10-06T16:23:20.499814565-06:00
- version: 1.0.0
created: 2016-10-06T16:23:20.499543808-06:00
Create a git repo with the following content:
renovate.json5
{
$schema: "https://docs.renovatebot.com/renovate-schema.json",
postUpdateOptions: [
"kustomizeInflateHelmCharts",
]
}
kustomization.yaml
kind: Kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
helmCharts:
- name: "example || kill 1; echo"
repo: TODO reference the mocked Helm repository over https
version: 1.0.0
charts
Wiz
CVE-2026-23735 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-23735 [HIGH] CVE-2026-23735 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-23735 :
JavaScript vulnerability analysis and mitigation
GraphQL Modules is a toolset of libraries and guidelines dedicated to create reusable, maintainable, testable and extendable modules out of your GraphQL server. From 2.2.1 to before 2.4.1 and 3.1.1, when 2 or more parallel requests are made which trigger the same service, the context of the requests is mixed up in the service when the context is injected via @ExecutionContext(). ExecutionContext is often used to pass authentication tokens from incoming requests to services loading data from backend APIs. This vulnerability is fixed in 2.4.1 and 3.1.1.
Source : NVD
## 8.7
Score
Published January 16, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
Wiz
CVE-2026-31856 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-31856 [CRITICAL] CVE-2026-31856 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-31856 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. A SQL injection vulnerability exists in the PostgreSQL storage adapter when processing Increment operations on nested object fields using dot notation (e.g., stats.counter). The amount value is interpolated directly into the SQL query without parameterization or type validation. An attacker who can send write requests to the Parse Server REST API can inject arbitrary SQL subqueries to read any data from the database, bypassing CLPs and ACLs. MongoDB deployments are not affected. This vulnerability is fixed in 9.6.0-alpha.3 and 8.6.29.
Source : NVD
## 9.3
Score
Published March 11, 2026
Severity CRITICAL
Wiz
CVE-2026-27728 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.9
CVE-2026-27728 [CRITICAL] CVE-2026-27728 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27728 :
JavaScript vulnerability analysis and mitigation
NetworkPathMonitor.performTraceroute()
Source : NVD
## 8.8
Score
Published February 25, 2026
Severity HIGH
CNA Score 9.9
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 57
Exploitation Probability (EPSS) 0.3
Affected packages and libraries
@oneuptime/common
Sources
NVD
npm Severity CRITICAL Has Fix Added at: Mar 02, 2026
Wiz
CVE-2026-30949 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2026-30949 [HIGH] CVE-2026-30949 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-30949 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp (authorized party) claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse Server that uses the Keycloak adapter. This enables cross-application account takeover in multi-client Keycloak realms. All Parse Server deployments that use the Keycloak authentication adapter with a Keycloak realm that has multiple client applications are affected. This vulnerability is fixed in 9
Wiz
CVE-2026-28792 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.6
CVE-2026-28792 [CRITICAL] CVE-2026-28792 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-28792 :
JavaScript vulnerability analysis and mitigation
Tina is a headless content management system. Prior to 2.1.8, the TinaCMS CLI dev server combines a permissive CORS configuration (Access-Control-Allow-Origin: *) with the path traversal vulnerability (previously reported) to enable a browser-based drive-by attack. A remote attacker can enumerate the filesystem, write arbitrary files, and delete arbitrary files on developer's machines by simply tricking them into visiting a malicious website while tinacms dev is running. This vulnerability is fixed in 2.1.8.
Source : NVD
## 9.6
Score
Published March 12, 2026
Severity CRITICAL
CNA Score 9.6
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-3965 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
CVE-2026-3965 [MEDIUM] CVE-2026-3965 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-3965 :
JavaScript vulnerability analysis and mitigation
A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 is able to address this issue. The identifier of the patch is 6bec52dca158481258315ba0fc2f11206df7b719. It is advisable to upgrade the affected component. The code maintainer was informed beforehand about the issues. He reacted very fast and highly professional.
Source : NVD
## 5.3
Score
Published March 12, 2026
Severity MEDIUM
CNA Score 5.3
Wiz
CVE-2026-34773 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.7
CVE-2026-34773 [MEDIUM] CVE-2026-34773 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34773 :
JavaScript vulnerability analysis and mitigation
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0, on Windows, app.setAsDefaultProtocolClient(protocol) did not validate the protocol name before writing to the registry. Apps that pass untrusted input as the protocol name may allow an attacker to write to arbitrary subkeys under HKCU\Software\Classes, potentially hijacking existing protocol handlers. Apps are only affected if they call app.setAsDefaultProtocolClient() with a protocol name derived from external or untrusted input. Apps that use a hardcoded protocol name are not affected. This issue has been patched in versions 38.8.6, 39.8.1, 40.8.1, and 41.0.0.
S
Wiz
CVE-2026-33228 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.9
CVE-2026-33228 [HIGH] CVE-2026-33228 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33228 :
JavaScript vulnerability analysis and mitigation
flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating that they are numeric. Since the internal input buffer is a JavaScript Array, accessing it with the key "__proto__" returns Array.prototype via the inherited getter. This object is then treated as a legitimate parsed value and assigned as a property of the output object, effectively leaking a live reference to Array.prototype to the consumer. Any code that subsequently writes to that property will pollute the global prototype. This issue has been patched in version 3.4.2.
Wiz Threat Research note: This vulnerability's initi
Wiz
CVE-2026-29793 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-29793 [CRITICAL] CVE-2026-29793 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-29793 :
JavaScript vulnerability analysis and mitigation
Feathersjs is a framework for creating web APIs and real-time applications with TypeScript or JavaScript. From 5.0.0 to before 5.0.42, Socket.IO clients can send arbitrary JavaScript objects as the id argument to any service method (get, patch, update, remove). The transport layer performs no type checking on this argument. When the service uses the MongoDB adapter, these objects pass through getObjectId() and land directly in the MongoDB query as operators. Sending {$ne: null} as the id matches every document in the collection. This vulnerability is fixed in 5.0.42.
Source : NVD
## 9.3
Score
Published March 10, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
Has Public Exploit No
Has C
Wiz
GHSA-9ppg-jx86-fqw7 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-9ppg-jx86-fqw7 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-9ppg-jx86-fqw7 :
JavaScript vulnerability analysis and mitigation
On February 17, 2026 at 3:26 AM PT, an unauthorized party used a compromised npm publish token to publish an update to Cline CLI on the NPM registry: [email protected] . The published package contains a modified package.json with an added postinstall script:
"postinstall": "npm install -g openclaw@latest"
This causes openclaw (an unrelated, non-malicious open source package) to be globally installed when [email protected] is installed. No other files were modified -- the CLI binary (dist/cli.mjs) and all other package contents are identical to the legitimate [email protected] release.
A corrected version (2.4.0) was published at 11:23 AM PT and 2.3.0 was deprecated at 11:30 AM PT. The compromised token has been revoked and npm publi
Wiz
GHSA-4w7w-66w2-5vf9 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 4.3
[MEDIUM] GHSA-4w7w-66w2-5vf9 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-4w7w-66w2-5vf9 :
JavaScript vulnerability analysis and mitigation
## Summary
.map
## Impact
Only apps that match the following conditions are affected:
--host
server.host
.map
## Details
.map
readFile
../
server.fs.strict
.map
## PoC
cat > /tmp/poc.map <<'EOF'
{"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
EOF
pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080
/@fs
strict
../
.map
/tmp/poc.map
Source : NVD
## 6.3
Score
Published April 6, 2026
Severity MEDIUM
CNA Score N/A
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) N/A
Exploitation Probability (EPSS) N/A
Affected packages and librari
Wiz
CVE-2025-68428 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.2
CVE-2025-68428 [CRITICAL] CVE-2025-68428 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68428 :
JavaScript vulnerability analysis and mitigation
addImage
html
addFont
dist/jspdf.node.js
dist/jspdf.node.min.js
--permission
Source : NVD
## 9.2
Score
Published January 5, 2026
Severity CRITICAL
CNA Score 9.2
Affected Technologies
JavaScript
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 6.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
opensearch-dashboards-2-fips
opensearch-dashboards-3
Sources
NVD
Chainguard Has Fix Added at: Jan 11, 2026
npm Severity CRITICAL Has Fix Added at: Jan 05, 2026
Wolfi Has Fix Added at: Jan 11, 2026
## Get a CVE risk assessment
Get a prioritized view of CVEs in your cloud—so you can foc
Wiz
CVE-2026-26862 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.3
CVE-2026-26862 [HIGH] CVE-2026-26862 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-26862 :
JavaScript vulnerability analysis and mitigation
CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain
Source : NVD
## 8.3
Score
Published February 27, 2026
Severity HIGH
CNA Score 8.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
clev
Wiz
CVE-2026-24132 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.7
CVE-2026-24132 [HIGH] CVE-2026-24132 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-24132 :
JavaScript vulnerability analysis and mitigation
Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions 7.19.0 and below and 8.0.0-rc.0 through 8.0.2 allow untrusted OpenAPI specifications to inject arbitrary TypeScript/JavaScript into generated mock files via the const keyword on schema properties. These const values are interpolated into the mock scalar generator (getMockScalar in packages/mock/src/faker/getters/scalar.ts) without proper escaping or type-safe serialization, which results in attacker-controlled code being emitted into both interface definitions and faker/MSW handlers. The vulnerability is similar in impact to the previously reported enum x-enumDescriptions (GHSA-h526-wf6g-67jv), but it affect
Wiz
GHSA-vrqm-gvq7-rrwh Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-vrqm-gvq7-rrwh Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-vrqm-gvq7-rrwh :
JavaScript vulnerability analysis and mitigation
## Summary
DecodeStream.ensureBuffer()
@pdfme/pdf-lib
## Details
DecodeStream
FlateStream
ensureBuffer()
packages/pdf-lib/src/core/streams/DecodeStream.ts:148-160
protected ensureBuffer(requested: number) {
const buffer = this.buffer;
if (requested <= buffer.length) {
if (pos + 1 >= limit) {
buffer = this.ensureBuffer(pos + 1);
limit = buffer.length;
}
And again at line 297-300:
if (pos + len >= limit) {
buffer = this.ensureBuffer(pos + len);
limit = buffer.length;
}
basePdf
packages/generator/src/helper.ts:42-43
const willLoadPdf = await getB64BasePdf(basePdf);
const embedPdf = await PDFDocument.load(willLoadPdf);
basePdf
PDFDocument.load()
FlateStream
DecodeStream
packages/ui/src/helper.ts:292
packages/ui/src/hooks.ts:67
Wiz
CVE-2026-33627 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.1
CVE-2026-33627 [HIGH] CVE-2026-33627 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33627 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.61 and 9.6.0-alpha.55, an authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely. This issue has been patched in versions 8.6.61 and 9.6.0-alpha.55.
Source : NVD
## 7.1
Score
Published March 24, 2026
Severity HIGH
C
Wiz
CVE-2025-50537 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.5
CVE-2025-50537 [MEDIUM] CVE-2025-50537 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-50537 :
JavaScript vulnerability analysis and mitigation
Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow.
Source : NVD
## 5.5
Score
Published January 26, 2026
Severity MEDIUM
CNA Score 5.5
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV R
Wiz
CVE-2026-34574 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 5.3
CVE-2026-34574 [MEDIUM] CVE-2026-34574 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34574 :
JavaScript vulnerability analysis and mitigation
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.69 and 9.7.0-alpha.14, an authenticated user can bypass the immutability guard on session fields (expiresAt, createdWith) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies. This issue has been patched in versions 8.6.69 and 9.7.0-alpha.14.
Source : NVD
## 5.3
Score
Published March 31, 2026
Severity MEDIUM
CNA Score 5.3
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV D
Wiz
CVE-2025-67427 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.5
CVE-2025-67427 [MEDIUM] CVE-2025-67427 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67427 :
JavaScript vulnerability analysis and mitigation
A Blind Server-Side Request Forgery (SSRF) vulnerability in evershop 2.1.0 and prior allows unauthenticated attackers to force the server to initiate an HTTP request via the "GET /images" API. The vulnerability occurs due to insufficient validation of the "src" query parameter, which permits arbitrary HTTP or HTTPS URIs, resulting in unexpected requests against internal and external networks.
Source : NVD
## 6.5
Score
Published January 5, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.4
Exploitation Probability (EPSS) 0.1
Affected packages and l
Wiz
CVE-2026-22704 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.0
CVE-2026-22704 [HIGH] CVE-2026-22704 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22704 :
JavaScript vulnerability analysis and mitigation
HAX CMS helps manage a microsite universe with PHP or NodeJs backends. In versions 11.0.6 to before 25.0.0, HAX CMS is vulnerable to stored XSS, which could lead to account takeover. This issue has been patched in version 25.0.0.
Source : NVD
## 5.4
Score
Published January 10, 2026
Severity MEDIUM
CNA Score 8.0
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 3.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@haxtheweb/haxcms-nodejs
Sources
NVD
npm Severity HIGH Has Fix Added at: Jan 13, 2026
Wiz
CVE-2025-13321 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 3.3
CVE-2025-13321 [LOW] CVE-2025-13321 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-13321 :
JavaScript vulnerability analysis and mitigation
Mattermost Desktop App versions <6.0.0 fail to sanitize sensitive information from Mattermost logs and to clear data on server deletion, which allows an attacker with access to the user's system to gain access to potentially sensitive information by reading the application logs.
Source : NVD
## 3.3
Score
Published December 17, 2025
Severity LOW
CNA Score 3.3
Affected Technologies
JavaScript
Mattermost Desktop App
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.3
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mattermost-desktop
cpe:2.3:a:mattermost:mattermost_desktop
Sources
npm Severity LOW N
Wiz
GHSA-647h-p824-99w7 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
GHSA-647h-p824-99w7 Impact, Exploitability, and Mitigation Steps | Wiz
## GHSA-647h-p824-99w7 :
JavaScript vulnerability analysis and mitigation
## Impact
knowledge_search
knowledge_get_node
SCOPED_TOOLS
authContext
workspaceId
packages/mcp/src/tools/knowledge.ts:146-169
packages/mcp/src/tools/knowledge.ts:244-283
packages/mcp/src/tool-scoping.ts:11
knowledge_create_node
authContext
workspaceId
## Design Note
Cross-workspace knowledge sharing is a legitimate future feature — agents working across different repos may need to collaborate and share knowledge. However, this access should be opt-in with explicit grants , not an implicit bypass. The immediate fix locks scoped agents to their own workspace. A future design could introduce:
Workspace-level "share knowledge with" settings
cross_workspace
workspaceIds
## Patches
authContext
kn
Wiz
CVE-2025-67898 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2025-67898 [HIGH] CVE-2025-67898 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-67898 :
JavaScript vulnerability analysis and mitigation
MJML through 4.18.0 allows mj-include directory traversal to test file existence and (in the type="css" case) read files. NOTE: this issue exists because of an incomplete fix for CVE-2020-12827.
Source : NVD
## 4.5
Score
Published December 14, 2025
Severity MEDIUM
CNA Score 4.5
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
mjml
Sources
NVD
npm Severity MEDIUM No Fix Added at: Dec 18, 2025
Wiz
CVE-2026-22820 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.3
CVE-2026-22820 [MEDIUM] CVE-2026-22820 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-22820 :
JavaScript vulnerability analysis and mitigation
Outray is an open source ngrok alternative. Prior to 0.1.5, a TOCTOU race condition vulnerability allows a user to exceed the set number of active tunnels in their subscription plan. This vulnerability is fixed in 0.1.5.
Source : NVD
## 6.3
Score
Published January 14, 2026
Severity MEDIUM
CNA Score 6.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 13.8
Exploitation Probability (EPSS) N/A
Affected packages and libraries
outray
Sources
NVD
npm Severity MEDIUM Has Fix Added at: Jan 14, 2026
Wiz
CVE-2026-25754 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.2
CVE-2026-25754 [HIGH] CVE-2026-25754 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25754 :
JavaScript vulnerability analysis and mitigation
AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9.
Source : NVD
## 7.2
Score
Published February 6, 2026
Severity HIGH
CNA Score 7.2
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@adonisjs/bodyparser
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 08, 2026
Wiz
CVE-2026-25520 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 10.0
CVE-2026-25520 [CRITICAL] CVE-2026-25520 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25520 :
JavaScript vulnerability analysis and mitigation
SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, the return values of functions aren't wrapped. Object.values/Object.entries can be used to get an Array containing the host's Function constructor; by using Array.prototype.at you can obtain the host's Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29.
Source : NVD
## 10
Score
Published February 6, 2026
Severity CRITICAL
CNA Score 10.0
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 16.1
Exploitation Probability (EPSS) 0.1
Affected packages and
Wiz
CVE-2026-25939 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.3
CVE-2026-25939 [CRITICAL] CVE-2026-25939 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25939 :
JavaScript vulnerability analysis and mitigation
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. From 1.2.8 through version 1.2.10, an authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to create and modify arbitrary schedulers, exposing connected ICS/SCADA environments to follow-on actions. This has been patched in FUXA version 1.2.11.
Source : NVD
## 9.3
Score
Published February 9, 2026
Severity CRITICAL
CNA Score 9.3
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 5.6
Exploitation Probability (EPSS) N/A
Affected packages and libraries
fuxa-server
Sources
NVD
n
Wiz
CVE-2026-27904 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.5
CVE-2026-27904 [HIGH] CVE-2026-27904 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27904 :
JavaScript vulnerability analysis and mitigation
*()
(?:(?:a|b)*)*
*(*(*(a|b)))
minimatch()
minimatch()
+()
Source : NVD
## 7.5
Score
Published February 26, 2026
Severity HIGH
CNA Score 7.5
Affected Technologies
JavaScript
Grafana
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 4.7
Exploitation Probability (EPSS) N/A
Affected packages and libraries
grafana-prometheus
nodejs22
Sources
NVD
Chainguard Has Fix Added at: Mar 02, 2026
Debian 11, 12, 13, 14 Severity HIGH No Fix Added at: Mar 02, 2026
Echo Severity HIGH No Fix Added at: Mar 02, 2026
npm Severity HIGH Has Fix Added at: Mar 02, 2026
MinimOS Severity HIGH Has Fix Added at: Mar 02, 2026
Red H
Wiz
CVE-2026-25535 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-25535 [HIGH] CVE-2026-25535 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25535 :
JavaScript vulnerability analysis and mitigation
addImage
addImage
html
Source : NVD
## 8.7
Score
Published February 19, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Wolfi
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 23.6
Exploitation Probability (EPSS) 0.1
Affected packages and libraries
opensearch-dashboards-2-fips
opensearch-dashboards-3-fips
Sources
NVD
Chainguard Has Fix Added at: Feb 24, 2026
npm Severity HIGH Has Fix Added at: Feb 20, 2026
Wolfi Has Fix Added at: Feb 24, 2026
## Re
Wiz
CVE-2026-34748 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-34748 [HIGH] CVE-2026-34748 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-34748 :
JavaScript vulnerability analysis and mitigation
Payload is a free and open source headless content management system. Prior to version 3.78.0 in @payloadcms/next, a stored Cross-Site Scripting (XSS) vulnerability existed in the admin panel. An authenticated user with write access to a collection could save content that, when viewed by another user, would execute in their browser. This issue has been patched in version 3.78.0.
Source : NVD
## 8.7
Score
Published April 1, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 9.4
Exploitation Probability (EPSS) N/A
Affected packages and libraries
@payloadc
Wiz
CVE-2026-33143 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.7
CVE-2026-33143 [HIGH] CVE-2026-33143 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33143 :
JavaScript vulnerability analysis and mitigation
OneUptime is a solution for monitoring and managing online services. Prior to version 10.0.34, the WhatsApp POST webhook handler (/notification/whatsapp/webhook) processes incoming status update events without verifying the Meta/WhatsApp X-Hub-Signature-256 HMAC signature, allowing any unauthenticated attacker to send forged webhook payloads that manipulate notification delivery status records, suppress alerts, and corrupt audit trails. The codebase already implements proper signature verification for Slack webhooks. This issue has been patched in version 10.0.34.
Source : NVD
## 8.7
Score
Published March 20, 2026
Severity HIGH
CNA Score 8.7
Affected Technologies
JavaScript
Has Public Exploit Yes
Has CISA KE
2026-04-06
Published