CVE-2026-39943
Published 2026-04-09
Priority P3 · 41 · medium · CVSS 3.1 base score 6.5
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS 0.17% (6.6th percentile)
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus stores revision records (in directus_revisions) whenever items are created or updated. Due to the revision snapshot code not consistently calling the prepareDelta sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records. This vulnerability is fixed in 11.17.0.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| directus | directus | < 11.17.0 | 11.17.0 |
| directus | directus | >= 0 < 11.17.0 | 11.17.0 |
| monospace | directus | < 11.17.0 | 11.17.0 |
VulDB
vuldb · 2026-04-09 · CVSS 6.5
CVE-2026-39943 [MEDIUM] Directus up to 11.16.x information disclosure (GHSA-mvv8-v4jj-g47j)
A vulnerability, which was classified as problematic, has been found in Directus up to 11.16.x. The affected element is an unknown function. Performing a manipulation results in information disclosure.
This vulnerability is reported as CVE-2026-39943. The attack can be carried out remotely. No exploit exists.
It is advisable to upgrade the affected component.
GHSA
ghsa · 2026-04-04
CVE-2026-39943 [MEDIUM] CWE-200 Directus: Sensitive fields exposed in revision history
### Summary
Directus stores revision records (in `directus_revisions`) whenever items are created or updated. Due to the revision snapshot code not consistently calling the `prepareDelta` sanitization pipeline, sensitive fields (including user tokens, two-factor authentication secrets, external auth identifiers, auth data, stored credentials, and AI provider API keys) could be stored in plaintext within revision records.
### Impact
Any user or service account with read access to `directus_revisions` (or flow logs) could retrieve values for fields that are supposed to be concealed or encrypted at rest, including:
- `token`, `tfa_secret`, `external_identifier`, `auth_data`, `credentials`
- `ai_openai_api_key`, `ai_anthropic_api_key`,
OSV
osv · 2026-04-04
CVE-2026-39943 [MEDIUM] Directus: Sensitive fields exposed in revision history
No detection rules found.
No public exploits indexed.
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39409 [MEDIUM] CVE-2026-39409 Impact, Exploitability, and Mitigation Steps | Wiz
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, ipRestriction() does not canonicalize IPv4-mapped IPv6 client addresses (e.g. ::ffff:127.0.0.1) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior. This vulnerability is fixed in 4.12.12.
Source: NVD · Score 6.3 · Published April 8, 2026 · Severity MEDIUM · CNA Score 6.3 · Affected Technologies: JavaScript, Chainguard · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A · Exploitation Probability Percentile (EPSS): 12.2
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39983 [MEDIUM] CVE-2026-39983 Impact, Exploitability, and Mitigation Steps | Wiz
basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequences (\r\n) in file path parameters passed to high-level path APIs such as cd(), remove(), rename(), uploadFrom(), downloadTo(), list(), and removeDir(). The library's protectWhitespace() helper only handles leading spaces and returns other paths unchanged, while FtpContext.send() writes the resulting command string directly to the control socket with \r\n appended. This lets attacker-controlled path strings split one intended FTP command into multiple commands. This vulnerability is fixed in 5.2.1.
Source: NVD · Score 8.6 · Published April 9, 2026 · Severity HIGH · CNA Score 8.6
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-35525 [HIGH] CVE-2026-35525 Impact, Exploitability, and Mitigation Steps | Wiz
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, for {% include %}, {% render %}, and {% layout %}, LiquidJS checks whether the candidate path is inside the configured partials or layouts roots before reading it. That check is path-based, not realpath-based. Because of that, a file like partials/link.liquid passes the directory containment check as long as its pathname is under the allowed root. If link.liquid is actually a symlink to a file outside the allowed root, the filesystem follows the symlink when the file is opened and LiquidJS renders the external target. So the restriction is applied to the path string that was requested, not to the file that is actually r
Wiz
blogs_wiz · CVSS 4.2
CVE-2026-35041 [MEDIUM] CVE-2026-35041 Impact, Exploitability, and Mitigation Steps | Wiz
fast-jwt provides fast JSON Web Token (JWT) implementation. From 5.0.0 to 6.2.0, a denial-of-service condition exists in fast-jwt when the allowedAud verification option is configured using a regular expression. Because the aud claim is attacker-controlled and the library evaluates it against the supplied RegExp, a crafted JWT can trigger catastrophic backtracking in the JavaScript regex engine, resulting in significant CPU consumption during verification. This vulnerability is fixed in 6.2.1.
Source: NVD · Score 4.2 · Published April 9, 2026 · Severity MEDIUM · CNA Score 4.2 · Affected Technologies: JavaScript · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Wiz
blogs_wiz · CVSS 9.3
CVE-2025-62718 [CRITICAL] CVE-2025-62718 Impact, Exploitability, and Mitigation Steps | Wiz
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0.
Source: NVD · Score 9.3
Wiz
blogs_wiz · CVSS 6.0
CVE-2026-34765 [MEDIUM] CVE-2026-34765 Impact, Exploitability, and Mitigation Steps | Wiz
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, when a renderer calls window.open() with a target name, Electron did not correctly scope the named-window lookup to the opener's browsing context group. A renderer could navigate an existing child window that was opened by a different, unrelated renderer if both used the same target name. If that existing child was created with more permissive webPreferences (via setWindowOpenHandler's overrideBrowserWindowOptions), content loaded by the second renderer inherits those permissions. Apps are only affected if they open multiple top-level windows with differing trust le
Wiz
blogs_wiz · CVSS 5.3
CVE-2026-35040 [MEDIUM] CVE-2026-35040 Impact, Exploitability, and Mitigation Steps | Wiz
fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.1, using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt regardless of the validity of the token provided. Such modifiers are /g (global matching) and /y (sticky matching). This does NOT allow invalid tokens to be accepted, only for valid tokens to be improperly rejected in some configurations. Instead it causes 50% of valid authentication requests to fail in an alternating pattern. This vulnerability is fixed in 6.2.1.
Wiz
blogs_wiz · CVSS 2.8
CVE-2026-34781 [LOW] CVE-2026-34781 Impact, Exploitability, and Mitigation Steps | Wiz
Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. Prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, apps that call clipboard.readImage() may be vulnerable to a denial of service. If the system clipboard contains image data that fails to decode, the resulting null bitmap is passed unchecked to image construction, triggering a controlled abort and crashing the process. Apps are only affected if they call clipboard.readImage(). Apps that do not read images from the clipboard are not affected. This issue does not allow memory corruption or code execution. This vulnerability is fixed in 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5.
Source: NVD · Score 2.8
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39859 [MEDIUM] CVE-2026-39859 Impact, Exploitability, and Mitigation Steps | Wiz
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, liquidjs 10.25.0 documents root as constraining filenames passed to renderFile() and parseFile(), but top-level file loads do not enforce that boundary. A Liquid instance configured with an empty temporary directory as root can return the contents of arbitrary files. This vulnerability is fixed in 10.25.3.
Source: NVD · Score 6.3 · Published April 8, 2026 · Severity MEDIUM · CNA Score 6.3 · Affected Technologies: JavaScript, Chainguard · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A · Exploitation Probability Percentile (EPSS): 19.6 · Exploitation Probability (EPSS): 0.1
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39321 [MEDIUM] CVE-2026-39321 Impact, Exploitability, and Mitigation Steps | Wiz
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.6 and 8.6.74, the login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant latency. This timing difference allows an unauthenticated attacker to enumerate valid usernames. This vulnerability is fixed in 9.8.0-alpha.6 and 8.6.74.
Source: NVD · Score 6.3 · Published April 7, 2026 · Severity MEDIUM · CNA Score 6.3 · Affected Technologies: JavaScript · Has Public Exploit: No
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39381 [MEDIUM] CVE-2026-39381 Impact, Exploitability, and Mitigation Steps | Wiz
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.8.0-alpha.7 and 8.6.75, the GET /sessions/me endpoint returns _Session fields that the server operator explicitly configured as protected via the protectedFields server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent GET /sessions and GET /sessions/:objectId endpoints correctly strip protected fields. This vulnerability is fixed in 9.8.0-alpha.7 and 8.6.75.
Source: NVD · Score 5.3 · Published April 7, 2026 · Severity MEDIUM · CNA Score 5.3 · Affected Technologies: JavaScript · Has Public Exploit: No · Has CISA KEV Exploit: No
Wiz
blogs_wiz · CVSS 8.5
CVE-2026-39974 [HIGH] CVE-2026-39974 Impact, Exploitability, and Mitigation Steps | Wiz
n8n-MCP is a Model Context Protocol (MCP) server that provides AI assistants with comprehensive access to n8n node documentation, properties, and operations. Prior to 2.47.4, an authenticated Server-Side Request Forgery in n8n-mcp allows a caller holding a valid AUTH_TOKEN to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the contents of any URL the server can reach — including cloud instance metadata endpoints (AWS IMDS, GCP, Azure, Alibaba, Oracle), internal network services, and any other host the server process has network access to. The primary at-risk deployments are multi-tenant HTTP
Wiz
blogs_wiz · CVSS 6.1
[MEDIUM] GHSA-5478-66c3-rhxr Impact, Exploitability, and Mitigation Steps | Wiz
Score 8.7 · Published April 8, 2026 · Severity HIGH · CNA Score N/A · Affected Technologies: JavaScript · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A · Exploitation Probability Percentile (EPSS): N/A · Exploitation Probability (EPSS): N/A
Affected packages and libraries: @chenglou/pretext
Sources: NVD, npm (Severity HIGH, Has Fix, Added at Apr 09, 2026)
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39356 [MEDIUM] CVE-2026-39356 Impact, Exploitability, and Mitigation Steps | Wiz
Drizzle is a modern TypeScript ORM. Prior to 0.45.2 and 1.0.0-beta.20, Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific escapeName() implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks. As a result, applications that pass attacker-controlled input to APIs that construct SQL identifiers or aliases, such as sql.identifier(), .as(), may allow an attacker to terminate the quoted identifier and inject SQL. This vulnerability is fixed in 0.45.2 and 1.0.0-beta.20.
Source: NVD · Score 7.5 · Published April 7, 2026 · Severity HIGH · CNA Score 7.5 · Affected Technologies: JavaScript · Has Public Exploit: No
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39412 [MEDIUM] CVE-2026-39412 Impact, Exploitability, and Mitigation Steps | Wiz
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.4, the sort_natural filter bypasses the ownPropertyOnly security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on ownPropertyOnly: true as a security boundary (e.g., multi-tenant template systems) are exposed to information disclosure of sensitive prototype properties such as API keys and tokens. This vulnerability is fixed in 10.25.4.
Source: NVD · Score 5.3 · Published April 8, 2026 · Severity MEDIUM · CNA Score 5.3 · Affected Technologies: JavaScript, Chainguard · Has Public Exploit: No · Has CISA KEV Exploit: No
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39942 [MEDIUM] CVE-2026-39942 Impact, Exploitability, and Mitigation Steps | Wiz
Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, the PATCH /files/{id} endpoint accepts a user-controlled filename_disk parameter. By setting this value to match the storage path of another user's file, an attacker can overwrite that file's content while manipulating metadata fields such as uploaded_by to obscure the tampering. This vulnerability is fixed in 11.17.0.
Source: NVD · Score 8.5 · Published April 9, 2026 · Severity HIGH · CNA Score 8.5 · Affected Technologies: JavaScript · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A · Exploitation Probability Percentile (EPSS): N/A · Exploitation Probability (EPSS): N/A
Wiz
blogs_wiz · CVSS 6.1
[MEDIUM] GHSA-26pp-8wgv-hjvm Impact, Exploitability, and Mitigation Steps | Wiz
## Summary
Functions involved: `setCookie()`, `serialize()`, `serializeSigned()`; characters `\r` and `\n` in `Set-Cookie` header values.
## Details
Header output as shown in the advisory:
```
Set-Cookie: legit
X-Injected: evil=value
```
However, in modern runtimes such as Node.js and Cloudflare Workers, such invalid header values are rejected and result in a runtime error before the response is sent.
As a result, the reported header injection / response splitting behavior could not be reproduced in these environments.
## Impact
Affects `setCookie()`, `serialize()`, `serializeSigned()` and the `Set-Cookie` header.
Source: NVD · Score 5.3 · Published April 8, 2026 · Severity MEDIUM · CNA Score N/A · Affected Technologies: JavaScript · Has Public Exploit: No · Has CISA KEV Exploit: No
Wiz
blogs_wiz
GHSA-vvjj-xcjg-gr5g Impact, Exploitability, and Mitigation Steps | Wiz
## Details
In lib/smtp-connection/index.js, the `name` option is concatenated into the EHLO command:
```js
// lib/smtp-connection/index.js, line 71
this.name = this.options.name || this._getHostname();
// line 1336
this._sendCommand('EHLO ' + this.name);
```
`_sendCommand` appends `\r\n` and writes the string to the socket:
```js
this._socket.write(Buffer.from(str + '\r\n', 'utf-8'));
```
The advisory also mentions `envelope.from`, `envelope.to`, `envelope.size` and `\r\n` in the same context as `name`.
## PoC
```js
const nodemailer = require('nodemailer');
const net = require('net');
// Simple SMTP server to observe injected commands
const server = net.createServer(socket => {
  socket.write('220 test ESMTP\r\n');
  socket.on('data', data => {
    const lines = data.toString().split('\r\n').filter(l => l);
    lines.forEach(line => {
      console.l
```
Wiz
blogs_wiz · CVSS 6.1
[MEDIUM] GHSA-5g3j-89fr-r2vp Impact, Exploitability, and Mitigation Steps | Wiz
## Summary
Package: skilleton; fixed in 0.3.1.
## Affected Versions
<0.3.1
## Impact
Addressed in 0.3.1 by:
- replacing vulnerable parsing behavior with deterministic logic,
- validating subpaths earlier before allocating git worktree resources,
- adding stricter and broader regression tests around these flows.
## Severity
Low to Moderate (project-maintainer assessed)
## Mitigation
Upgrade to 0.3.1.
## Workarounds
No complete workaround is recommended other than upgrading.
## References
- fix/security-code-scanning-alerts
- fix(security): harden git arg handling and path validation
- fix(security): use while loop in normalizeRepoUrl instead of regex
- Security Policy: SECURITY.md
## Credits
Detected through automated code scanning an
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39407 [MEDIUM] CVE-2026-39407 Impact, Exploitability, and Mitigation Steps | Wiz
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 4.12.12.
Source: NVD · Score 5.3 · Published April 8, 2026 · Severity MEDIUM · CNA Score 5.3 · Affected Technologies: JavaScript, Chainguard · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39865 [MEDIUM] CVE-2026-39865 Impact, Exploitability, and Mitigation Steps | Wiz
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.13.2, Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. The vulnerability exists in the Http2Sessions.getSession() method in lib/adapters/http.js. The session cleanup logic contains a control flow error when removing sessions from the sessions array. This vulnerability is fixed in 1.13.2.
Source: NVD · Score 5.9 · Published April 8, 2026 · Severity MEDIUM · CNA Score 5.9 · Affected Technologies: JavaScript, Grafana · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39943 [MEDIUM] CVE-2026-39943 Impact, Exploitability, and Mitigation Steps | Wiz
Source: NVD · Score 6.5 · Published April 9, 2026 · Severity MEDIUM · CNA Score 6.5 · Affected Technologies: JavaScript · Has Public Exploit: No · Has CISA KEV Exploit: No
Wiz
blogs_wiz · CVSS 7.5
CVE-2026-34148 [HIGH] CVE-2026-34148 Impact, Exploitability, and Mitigation Steps | Wiz
Fedify is a TypeScript library for building federated server apps powered by ActivityPub. Prior to 1.9.6, 1.10.5, 2.0.8, and 2.1.1, @fedify/fedify follows HTTP redirects recursively in its remote document loader and authenticated document loader without enforcing a maximum redirect count or visited-URL loop detection. An attacker who controls a remote ActivityPub key or actor URL can force a server using Fedify to make repeated outbound requests from a single inbound request, leading to resource consumption and denial of service. This vulnerability is fixed in 1.9.6, 1.10.5, 2.0.8, and 2.1.1.
Source: NVD · Score 7.5 · Published April 6, 2026 · Severity HIGH · CNA Score 7.5 · Affected Technologies: JavaScript
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39406 [MEDIUM] CVE-2026-39406 Impact, Exploitability, and Mitigation Steps | Wiz
@hono/node-server allows running the Hono application on Node.js. Prior to 1.19.13, a path handling inconsistency in serveStatic allows protected static files to be accessed by using repeated slashes (//) in the request path. When route-based middleware (e.g., /admin/*) is used for authorization, the router may not match paths containing repeated slashes, while serveStatic resolves them as normalized paths. This can lead to a middleware bypass. This vulnerability is fixed in 1.19.13.
Source: NVD · Score 5.3 · Published April 8, 2026 · Severity MEDIUM · CNA Score 5.3 · Affected Technologies: JavaScript, Chainguard · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39885 [MEDIUM] CVE-2026-39885 Impact, Exploitability, and Mitigation Steps | Wiz
FrontMCP is a TypeScript-first framework for the Model Context Protocol (MCP). Prior to 2.3.0, the mcp-from-openapi library uses @apidevtools/json-schema-ref-parser to dereference $ref pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing $ref values pointing to internal network addresses, cloud metadata endpoints, or local files will cause the library to fetch those resources during the initialize() call. This enables Server-Side Request Forgery (SSRF) and local file read attacks when processing untrusted OpenAPI specifications. This vulnerability is fixed in 2.3.0.
Source: NVD · Score 7.5 · Published April 8, 2026
Wiz
blogs_wiz · CVSS 3.7
CVE-2026-34166 [LOW] CVE-2026-34166 Impact, Exploitability, and Mitigation Steps | Wiz
LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript. Prior to 10.25.3, the replace filter in LiquidJS incorrectly accounts for memory usage when the memoryLimit option is enabled. It charges str.length + pattern.length + replacement.length bytes to the memory limiter, but the actual output from str.split(pattern).join(replacement) can be quadratically larger when the pattern occurs many times in the input string. This allows an attacker who controls template content to bypass the memoryLimit DoS protection with approximately 2,500x amplification, potentially causing out-of-memory conditions. This vulnerability is fixed in 10.25.3.
Source: NVD · Score 3.7 · Published April 8, 2026
Wiz
blogs_wiz · CVSS 5.1
CVE-2026-35613 [MEDIUM] CVE-2026-35613 Impact, Exploitability, and Mitigation Steps | Wiz
coursevault-preview is a utility for previewing course material files from a configured directory. coursevault-preview versions prior to 0.1.1 contain a path traversal vulnerability in the resolveSafe utility. The boundary check used String.prototype.startsWith(baseDir) on a normalized path, which does not enforce a directory boundary. An attacker who controls the relativePath argument to affected CoursevaultPreview methods may be able to read files outside the configured baseDir when a sibling directory exists whose name shares the same string prefix. This vulnerability is fixed in 0.1.1.
Source: NVD · Score 5.1 · Published April 7, 2026 · Severity MEDIUM · CNA Score 5.1 · Affected Technologies: JavaScript
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39411 [MEDIUM] CVE-2026-39411 Impact, Exploitability, and Mitigation Steps | Wiz
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes. Affected routes include /webapi/chat/[provider], /webapi/models/[provider], /webapi/models/[provider]/pull, and /webapi/create-image/comfyui. This vulnerability is fixed in 2.1.48.
Source: NVD · Score 5 · Published April 8, 2026 · Severity MEDIUM · CNA Score 5.0
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39408 [MEDIUM] CVE-2026-39408 Impact, Exploitability, and Mitigation Steps | Wiz
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a path traversal issue in toSSG() allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via ssgParams, specially crafted values can cause generated file paths to escape the intended output directory. This vulnerability is fixed in 4.12.12.
Source: NVD · Score 5.9 · Published April 8, 2026 · Severity MEDIUM · CNA Score 5.9 · Affected Technologies: JavaScript, Chainguard · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A · Exploitation Probability Percentile (EPSS): 4.4
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39397 [MEDIUM] CVE-2026-39397 Impact, Exploitability, and Mitigation Steps | Wiz
@delmaredigital/payload-puck is a PayloadCMS plugin for integrating Puck visual page builder. Prior to 0.6.23, all /api/puck/* CRUD endpoint handlers registered by createPuckPlugin() called Payload's local API with the default overrideAccess: true, bypassing all collection-level access control. The access option passed to createPuckPlugin() and any access rules defined on Puck-registered collections were silently ignored on these endpoints. This vulnerability is fixed in 0.6.23.
Source: NVD · Score 9.4 · Published April 7, 2026 · Severity CRITICAL · CNA Score 9.4 · Affected Technologies: JavaScript · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39410 [MEDIUM] CVE-2026-39410 Impact, Exploitability, and Mitigation Steps | Wiz
Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.12, a discrepancy between browser cookie parsing and parse() handling allows cookie prefix protections to be bypassed. Cookie names that are treated as distinct by the browser may be normalized to the same key by parse(), allowing attacker-controlled cookies to override legitimate ones. This vulnerability is fixed in 4.12.12.
Source: NVD · Score 4.8 · Published April 8, 2026 · Severity MEDIUM · CNA Score 4.8 · Affected Technologies: JavaScript, Chainguard · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A · Exploitation Probability Percentile (EPSS): 12.3
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39398 [MEDIUM] CVE-2026-39398 Impact, Exploitability, and Mitigation Steps | Wiz
Rejected reason: The affected product and advisory are not public.
Source: NVD · Published April 9, 2026 · CNA Score N/A · Affected Technologies: JavaScript · Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A · Exploitation Probability Percentile (EPSS): N/A · Exploitation Probability (EPSS): N/A
Affected packages and libraries: openclaw-claude-bridge
Sources: NVD, npm (Severity MEDIUM, Has Fix, Added at Apr 09, 2026)
Wiz
blogs_wiz · CVSS 6.1
CVE-2026-39315 [MEDIUM] CVE-2026-39315 Impact, Exploitability, and Mitigation Steps | Wiz
Unhead is a document head and template manager. Prior to 2.1.13, useHeadSafe() is the composable that Nuxt's own documentation explicitly recommends for rendering user-supplied content in safely. Internally, the hasDangerousProtocol() function in packages/unhead/src/plugins/safe.ts decodes HTML entities before checking for blocked URI schemes (javascript:, data:, vbscript:). The decoder uses two regular expressions with fixed-width digit caps. The HTML5 specification imposes no limit on leading zeros in numeric character references. When a padded entity exceeds the regex digit cap, the decoder silently skips it. The undecoded string is then passed to startsWith('javascript:'), which does not match. makeTagSafe() writes
Published 2026-04-09