| linkify-it |
CVE-2026-48801 |
高危 |
5.0.0 |
5.0.1 |
LinkifyIt#match scan loop has quadratic algorithmic complexity
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-48801
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 0001-01-01 00:00 修改: 0001-01-01 00:00
|
| nodemailer |
GHSA-p6gq-j5cr-w38f |
高危 |
7.0.13 |
9.0.1 |
Nodemailer: Message-level raw option bypasses disableFileAccess/disableUrlAccess, enabling arbitrary file read and full-response SSRF in the delivered message
漏洞详情: https://github.com/advisories/GHSA-p6gq-j5cr-w38f
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2026-06-18 14:28 修改: 2026-06-18 14:28
|
| pnpm |
CVE-2026-50015 |
高危 |
10.33.4 |
10.34.0, 11.4.0 |
pnpm: pnpm: Arbitrary file write/delete due to lack of path validation in patch files
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-50015
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-25 18:16 修改: 2026-06-29 21:15
|
| pnpm |
CVE-2026-50016 |
高危 |
10.33.4 |
10.34.0, 11.4.0 |
pnpm: pnpm: Arbitrary code execution due to path traversal in dependency aliases
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-50016
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-25 18:16 修改: 2026-06-29 23:57
|
| pnpm |
CVE-2026-55487 |
高危 |
10.33.4 |
10.34.2, 11.5.3 |
pnpm: pnpm: Supply chain compromise via manipulated package source strings
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-55487
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-25 18:16 修改: 2026-06-29 21:16
|
| pnpm |
CVE-2026-55697 |
高危 |
10.33.4 |
11.5.3 |
pnpm: pnpm: Arbitrary code execution via improper handling of config dependencies
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-55697
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-25 18:16 修改: 2026-06-30 19:04
|
| pnpm |
CVE-2026-55698 |
高危 |
10.33.4 |
10.34.2, 11.5.3 |
pnpm: pnpm: Arbitrary code execution via malicious package-manager lockfile
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-55698
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-25 18:16 修改: 2026-06-30 19:03
|
| pnpm |
GHSA-72r4-9c5j-mj57 |
高危 |
10.33.4 |
10.34.4, 11.7.0 |
pnpm: `patch-remove` could delete project-selected files outside the patches directory
漏洞详情: https://github.com/advisories/GHSA-72r4-9c5j-mj57
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-27 00:12 修改: 2026-06-27 00:12
|
| pnpm |
GHSA-fr4h-3cph-29xv |
高危 |
10.33.4 |
10.34.4, 11.7.0 |
pnpm: Hoisted install imports lockfile alias outside node_modules
漏洞详情: https://github.com/advisories/GHSA-fr4h-3cph-29xv
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-27 00:02 修改: 2026-06-27 00:03
|
| pnpm |
GHSA-qrv3-253h-g69c |
高危 |
10.33.4 |
10.34.4, 11.8.0 |
pnpm: Path traversal in configDependencies env lockfile allows symlink creation outside node_modules/.pnpm-config
漏洞详情: https://github.com/advisories/GHSA-qrv3-253h-g69c
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-27 00:13 修改: 2026-06-27 00:13
|
| nodemailer |
GHSA-wqvq-jvpq-h66f |
中危 |
7.0.13 |
8.0.9 |
Nodemailer jsonTransport bypasses disableFileAccess and disableUrlAccess during message normalization
漏洞详情: https://github.com/advisories/GHSA-wqvq-jvpq-h66f
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2026-06-15 17:35 修改: 2026-06-15 17:35
|
| brace-expansion |
CVE-2026-45149 |
中危 |
5.0.5 |
5.0.6 |
brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-45149
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2026-05-29 20:16 修改: 2026-06-17 10:51
|
| js-yaml |
CVE-2026-53550 |
中危 |
4.1.1 |
4.2.0, 3.15.0 |
js-yaml: js-yaml: Denial of Service via crafted YAML merge keys
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-53550
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2026-06-22 16:16 修改: 2026-07-09 20:33
|
| @hono/node-server |
CVE-2026-39406 |
中危 |
1.19.11 |
1.19.13 |
@hono/node-server: Middleware bypass via repeated slashes in serveStatic
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-39406
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2026-04-08 15:16 修改: 2026-06-17 10:42
|
| mjml |
CVE-2025-67898 |
中危 |
5.0.0-alpha.4 |
5.0.0-alpha.9 |
MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827
漏洞详情: https://avd.aquasec.com/nvd/cve-2025-67898
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2025-12-14 22:15 修改: 2026-06-17 09:58
|
| @protobufjs/utf8 |
CVE-2026-44288 |
中危 |
1.1.0 |
1.1.1 |
protobufjs: protobufjs: Security control bypass due to improper handling of overlong UTF-8 sequences
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44288
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2026-05-13 16:16 修改: 2026-06-17 10:50
|
| nodemailer |
GHSA-268h-hp4c-crq3 |
中危 |
7.0.13 |
8.0.9 |
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection
漏洞详情: https://github.com/advisories/GHSA-268h-hp4c-crq3
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2026-06-15 17:36 修改: 2026-06-15 17:36
|
| nodemailer |
GHSA-r7g4-qg5f-qqm2 |
中危 |
7.0.13 |
8.0.8 |
Nodemailer: Improper TLS Certificate Validation in OAuth2 Token Fetch Enables Credential Interception
漏洞详情: https://github.com/advisories/GHSA-r7g4-qg5f-qqm2
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2026-06-15 17:34 修改: 2026-06-15 17:34
|
| nodemailer |
GHSA-vvjj-xcjg-gr5g |
中危 |
7.0.13 |
8.0.5 |
Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)
漏洞详情: https://github.com/advisories/GHSA-vvjj-xcjg-gr5g
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2026-04-08 15:05 修改: 2026-04-08 15:05
|
| pnpm |
CVE-2026-50014 |
中危 |
10.33.4 |
10.34.0, 11.4.0 |
pnpm: pnpm: Arbitrary Code Execution via Malicious Lockfile
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-50014
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-25 18:16 修改: 2026-06-29 21:14
|
| pnpm |
CVE-2026-50017 |
中危 |
10.33.4 |
10.34.0, 11.4.0 |
pnpm: pnpm: Information disclosure of authentication credentials via malicious .npmrc file
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-50017
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-25 18:16 修改: 2026-06-30 19:04
|
| pnpm |
CVE-2026-50021 |
中危 |
10.33.4 |
11.4.0, 10.34.1 |
pnpm: pnpm: Integrity bypass allows installation of altered packages via modified lockfile
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-50021
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-25 18:16 修改: 2026-06-29 21:15
|
| pnpm |
CVE-2026-50573 |
中危 |
10.33.4 |
10.34.0, 11.4.0 |
pnpm: pnpm: Package integrity check bypass allows installation of malicious content
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-50573
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-25 18:16 修改: 2026-06-29 21:15
|
| pnpm |
CVE-2026-55180 |
中危 |
10.33.4 |
10.34.2, 11.5.3 |
pnpm: pacquet: pnpm and pacquet: Information disclosure of environment secrets via improper environment variable expansion
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-55180
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-25 18:16 修改: 2026-06-29 21:16
|
| pnpm |
CVE-2026-55699 |
中危 |
10.33.4 |
10.34.2, 11.5.3 |
pnpm: pnpm: Denial of Service due to improper handling of malicious package manifest bin keys
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-55699
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-25 18:16 修改: 2026-06-29 21:16
|
| qs |
CVE-2026-8723 |
中危 |
6.15.0 |
6.15.2 |
### Summary `qs.stringify` throws `TypeError` when called with `arr ...
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-8723
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2026-05-17 00:16 修改: 2026-06-17 11:04
|
| serialize-javascript |
CVE-2026-34043 |
中危 |
7.0.3 |
7.0.5 |
serialize-javascript: serialize-javascript: Denial of Service via specially crafted array-like object serialization
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-34043
镜像层: sha256:79d8dc0b282a281f9e9a78dd13c52a95aeb15fdd3c5a799e19c13f77f8f62d57
发布日期: 2026-03-31 03:15 修改: 2026-06-17 10:38
|
| tar |
CVE-2026-53655 |
中危 |
7.5.13 |
7.5.16 |
node-tar: node-tar: File smuggling due to inconsistent tar archive parsing
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-53655
镜像层: sha256:56323f8989e6225c91d8945cd9c87377047471a4f46cbca74dce087b888b8dea
发布日期: 2026-06-22 16:16 修改: 2026-06-26 20:03
|
| uuid |
CVE-2026-41907 |
中危 |
9.0.1 |
11.1.1, 12.0.1, 13.0.1 |
uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-41907
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2026-04-24 19:17 修改: 2026-06-17 10:47
|
| nodemailer |
GHSA-c7w3-x93f-qmm8 |
低危 |
7.0.13 |
8.0.4 |
Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter
漏洞详情: https://github.com/advisories/GHSA-c7w3-x93f-qmm8
镜像层: sha256:63d82252533292fe55ab0476182c197e12eaa3c6f669fa2fe746728f498db19a
发布日期: 2026-03-26 22:26 修改: 2026-03-26 22:26
|