| protobufjs |
CVE-2026-41242 |
严重 |
7.5.4 |
8.0.1, 7.5.5 |
protobufjs: protobufjs: Arbitrary code execution via injected protobuf definition type fields
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-41242
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-18 17:16 修改: 2026-06-30 03:19
|
| shell-quote |
CVE-2026-9277 |
严重 |
1.8.3 |
1.8.4 |
shell-quote: shell-quote: Arbitrary code execution via command injection due to unescaped line terminators
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-9277
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-22 14:16 修改: 2026-07-02 12:17
|
| hono |
CVE-2026-54290 |
高危 |
4.12.9 |
4.12.25 |
hono: CORS Middleware reflects any Origin with credentials when `origin` defaults to the wildcard
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-54290
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-22 18:16 修改: 2026-06-22 19:49
|
| js-cookie |
CVE-2026-46625 |
高危 |
3.0.5 |
3.0.7 |
js-cookie: JavaScript Cookie: Cookie attribute manipulation via prototype pollution
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-46625
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-10 22:16 修改: 2026-06-30 03:20
|
| linkify-it |
CVE-2026-48801 |
高危 |
5.0.0 |
5.0.1 |
LinkifyIt#match scan loop has quadratic algorithmic complexity
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-48801
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 0001-01-01 00:00 修改: 0001-01-01 00:00
|
| lodash |
CVE-2026-4800 |
高危 |
4.17.23 |
4.18.0 |
lodash: lodash: Arbitrary code execution via untrusted input in template imports
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-4800
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-03-31 20:16 修改: 2026-07-03 13:17
|
| lodash-es |
CVE-2026-4800 |
高危 |
4.17.23 |
4.18.0 |
lodash: lodash: Arbitrary code execution via untrusted input in template imports
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-4800
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-03-31 20:16 修改: 2026-07-03 13:17
|
| picomatch |
CVE-2026-33671 |
高危 |
4.0.3 |
4.0.4, 3.0.2, 2.3.2 |
picomatch: Picomatch: Regular Expression Denial of Service via crafted extglob patterns
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-33671
镜像层: sha256:67d07178115b6011759cff40cd14f51892e5400b489de3499a8b3c07a8329ac7
发布日期: 2026-03-26 22:16 修改: 2026-06-17 10:37
|
| fast-uri |
CVE-2026-6321 |
高危 |
3.1.0 |
3.1.1 |
fast-uri: fast-uri: Path traversal vulnerability allows bypass of security policies
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-6321
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-04 20:16 修改: 2026-07-02 12:17
|
| protobufjs |
CVE-2026-44289 |
高危 |
7.5.4 |
7.5.6, 8.0.2 |
protobufjs: protobufjs: Denial of Service via uncontrolled recursion in protobuf decoding
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44289
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-07-01 13:17
|
| protobufjs |
CVE-2026-44290 |
高危 |
7.5.4 |
7.5.6, 8.0.2 |
protobufjs: protobufjs: Denial of Service via crafted schema
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44290
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-06-17 10:50
|
| protobufjs |
CVE-2026-44291 |
高危 |
7.5.4 |
7.5.6, 8.0.2 |
protobufjs: protobufjs: Arbitrary Code Execution via prototype pollution
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44291
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-06-17 10:50
|
| protobufjs |
CVE-2026-44293 |
高危 |
7.5.4 |
7.5.6, 8.0.2 |
protobufjs: protobufjs: Arbitrary code execution due to unsafe expression generation from crafted protobuf descriptors
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44293
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-07-02 12:17
|
| protobufjs |
CVE-2026-48712 |
高危 |
7.5.4 |
7.6.1, 8.4.1 |
protobufjs: protobufjs: Denial of Service via uncontrolled recursion with crafted protobuf payload
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-48712
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-22 18:16 修改: 2026-06-26 20:04
|
| fast-uri |
CVE-2026-6322 |
高危 |
3.1.0 |
3.1.2 |
fast-uri: fast-uri: URI authority bypass due to improper delimiter handling
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-6322
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-05 11:16 修改: 2026-07-03 13:17
|
| sigstore |
CVE-2026-48815 |
高危 |
3.1.0 |
4.1.1 |
sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-48815
镜像层: sha256:67d07178115b6011759cff40cd14f51892e5400b489de3499a8b3c07a8329ac7
发布日期: 0001-01-01 00:00 修改: 0001-01-01 00:00
|
| undici |
CVE-2026-12151 |
高危 |
6.26.0 |
6.27.0, 7.28.0, 8.5.0 |
undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-12151
镜像层: sha256:7b964d9d90b645c10c857a08769d0e68d3f18532851085a807dd336cf9ddae5e
发布日期: 2026-06-17 17:16 修改: 2026-07-07 12:16
|
| undici |
CVE-2026-12151 |
高危 |
7.24.6 |
6.27.0, 7.28.0, 8.5.0 |
undici: undici: Denial of Service due to unbounded memory growth via WebSocket frames
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-12151
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-17 17:16 修改: 2026-07-07 12:16
|
| undici |
CVE-2026-6734 |
高危 |
7.24.6 |
7.28.0, 8.2.0 |
undici: undici: Information disclosure and data integrity issues due to incorrect Socks5ProxyAgent connection routing
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-6734
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-17 18:18 修改: 2026-07-07 12:17
|
| undici |
CVE-2026-9697 |
高危 |
7.24.6 |
7.28.0, 8.5.0 |
undici: undici: Man-in-the-Middle attack via ignored TLS options with SOCKS5 proxy
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-9697
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-17 18:18 修改: 2026-07-07 12:17
|
| vite |
CVE-2026-39363 |
高危 |
8.0.3 |
8.0.5, 7.3.2, 6.4.2 |
Vite: Vite: Information disclosure via WebSocket connection bypasses access control
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-39363
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-07 20:16 修改: 2026-06-30 03:19
|
| vite |
CVE-2026-39363 |
高危 |
8.0.3 |
8.0.5, 7.3.2, 6.4.2 |
Vite: Vite: Information disclosure via WebSocket connection bypasses access control
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-39363
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-07 20:16 修改: 2026-06-30 03:19
|
| vite |
CVE-2026-39364 |
高危 |
8.0.3 |
8.0.5, 7.3.2 |
vite: Vite: Information disclosure via query parameter manipulation on the development server
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-39364
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-07 20:16 修改: 2026-06-30 03:19
|
| vite |
CVE-2026-39364 |
高危 |
8.0.3 |
8.0.5, 7.3.2 |
vite: Vite: Information disclosure via query parameter manipulation on the development server
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-39364
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-07 20:16 修改: 2026-06-30 03:19
|
| vite |
CVE-2026-53571 |
高危 |
8.0.3 |
8.0.16, 7.3.5, 6.4.3 |
vite: `server.fs.deny` bypass on Windows alternate paths
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-53571
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-22 18:16 修改: 2026-06-24 20:44
|
| vite |
CVE-2026-53571 |
高危 |
8.0.3 |
8.0.16, 7.3.5, 6.4.3 |
vite: `server.fs.deny` bypass on Windows alternate paths
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-53571
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-22 18:16 修改: 2026-06-24 20:44
|
| ws |
CVE-2026-48779 |
高危 |
8.20.0 |
5.2.5, 6.2.4, 7.5.11, 8.21.0 |
ws: ws: Denial of Service via memory exhaustion from small WebSocket fragments
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-48779
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-17 13:20 修改: 2026-07-07 12:16
|
| hono |
CVE-2026-44458 |
中危 |
4.12.9 |
4.12.18 |
Hono has CSS Declaration Injection via Style Object Values in JSX SSR
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44458
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-06-17 10:50
|
| hono |
CVE-2026-47673 |
中危 |
4.12.9 |
4.12.21 |
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-47673
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-28 17:16 修改: 2026-06-17 10:54
|
| hono |
CVE-2026-47674 |
中危 |
4.12.9 |
4.12.21 |
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-47674
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-28 17:16 修改: 2026-06-17 10:54
|
| hono |
CVE-2026-47675 |
中危 |
4.12.9 |
4.12.21 |
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-47675
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-28 17:16 修改: 2026-06-17 10:54
|
| hono |
CVE-2026-47676 |
中危 |
4.12.9 |
4.12.21 |
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-47676
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-28 17:16 修改: 2026-06-17 10:54
|
| hono |
CVE-2026-54286 |
中危 |
4.12.9 |
4.12.25 |
hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-54286
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-22 18:16 修改: 2026-06-23 15:16
|
| hono |
CVE-2026-54287 |
中危 |
4.12.9 |
4.12.25 |
hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-54287
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-22 18:16 修改: 2026-06-22 19:49
|
| hono |
CVE-2026-54288 |
中危 |
4.12.9 |
4.12.25 |
hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-54288
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-22 19:17 修改: 2026-06-23 15:16
|
| hono |
CVE-2026-54289 |
中危 |
4.12.9 |
4.12.25 |
hono: Lambda@Edge adapter keeps only the last value of a repeated request header, dropping the rest
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-54289
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-22 18:16 修改: 2026-06-22 19:49
|
| hono |
CVE-2026-56761 |
中危 |
4.12.9 |
4.12.14 |
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-56761
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-24 13:16 修改: 2026-06-26 19:59
|
| hono |
GHSA-26pp-8wgv-hjvm |
中危 |
4.12.9 |
4.12.12 |
Hono missing validation of cookie name on write path in setCookie()
漏洞详情: https://github.com/advisories/GHSA-26pp-8wgv-hjvm
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-08 00:17 修改: 2026-04-08 00:17
|
| ip-address |
CVE-2026-42338 |
中危 |
10.1.0 |
10.1.1 |
ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-42338
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-12 20:16 修改: 2026-07-07 12:16
|
| ip-address |
CVE-2026-42338 |
中危 |
10.1.0 |
10.1.1 |
ip-address: ip-address: Cross-site scripting via improper HTML escaping of untrusted input
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-42338
镜像层: sha256:67d07178115b6011759cff40cd14f51892e5400b489de3499a8b3c07a8329ac7
发布日期: 2026-05-12 20:16 修改: 2026-07-07 12:16
|
| @protobufjs/utf8 |
CVE-2026-44288 |
中危 |
1.1.0 |
1.1.1 |
protobufjs: protobufjs: Security control bypass due to improper handling of overlong UTF-8 sequences
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44288
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-06-17 10:50
|
| @sigstore/core |
CVE-2026-48758 |
中危 |
2.0.0 |
3.2.1 |
@sigstore/core has DSSE payloadType type-binding failure
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-48758
镜像层: sha256:67d07178115b6011759cff40cd14f51892e5400b489de3499a8b3c07a8329ac7
发布日期: 0001-01-01 00:00 修改: 0001-01-01 00:00
|
| brace-expansion |
CVE-2026-33750 |
中危 |
2.0.2 |
5.0.5, 3.0.2, 2.0.3, 1.1.13 |
brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-33750
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-03-27 15:16 修改: 2026-06-17 10:38
|
| lodash |
CVE-2026-2950 |
中危 |
4.17.23 |
4.18.0 |
lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-2950
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-03-31 20:16 修改: 2026-06-17 10:32
|
| brace-expansion |
CVE-2026-33750 |
中危 |
2.0.2 |
5.0.5, 3.0.2, 2.0.3, 1.1.13 |
brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-33750
镜像层: sha256:67d07178115b6011759cff40cd14f51892e5400b489de3499a8b3c07a8329ac7
发布日期: 2026-03-27 15:16 修改: 2026-06-17 10:38
|
| lodash-es |
CVE-2026-2950 |
中危 |
4.17.23 |
4.18.0 |
lodash: Lodash: Prototype pollution allows deletion of built-in prototype properties via array path bypass
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-2950
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-03-31 20:16 修改: 2026-06-17 10:32
|
| markdown-it |
CVE-2026-48988 |
中危 |
14.1.1 |
14.2.0 |
markdown-it is a Markdown parser. Versions 14.1.1 and below contain a ...
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-48988
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-17 21:16 修改: 2026-06-24 19:06
|
| brace-expansion |
CVE-2026-45149 |
中危 |
5.0.5 |
5.0.6 |
brace-expansion: brace-expansion: Denial of Service due to excessive memory allocation when expanding large numeric ranges
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-45149
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-29 20:16 修改: 2026-06-17 10:51
|
| picomatch |
CVE-2026-33672 |
中危 |
4.0.3 |
4.0.4, 3.0.2, 2.3.2 |
picomatch: Picomatch: Data integrity compromised via method injection with crafted POSIX bracket expressions
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-33672
镜像层: sha256:67d07178115b6011759cff40cd14f51892e5400b489de3499a8b3c07a8329ac7
发布日期: 2026-03-26 22:16 修改: 2026-06-17 10:37
|
| postcss |
CVE-2026-41305 |
中危 |
8.5.8 |
8.5.10 |
postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-41305
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-24 03:16 修改: 2026-06-17 10:46
|
| dompurify |
CVE-2026-41238 |
中危 |
3.3.3 |
3.4.0 |
DOMPurify: DOMPurify: Cross-Site Scripting bypass via prototype pollution
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-41238
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-23 16:16 修改: 2026-06-17 10:46
|
| dompurify |
CVE-2026-41239 |
中危 |
3.3.3 |
3.4.0 |
DOMPurify: Vue 2: DOMPurify: Cross-site scripting due to incomplete sanitization of template expressions
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-41239
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-23 16:16 修改: 2026-06-17 10:46
|
| dompurify |
CVE-2026-41240 |
中危 |
3.3.3 |
3.4.0 |
DOMPurify: DOMPurify: Cross-Site Scripting (XSS) via inconsistent tag sanitization
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-41240
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-23 16:16 修改: 2026-06-17 10:46
|
| dompurify |
CVE-2026-49458 |
中危 |
3.3.3 |
3.4.6 |
DOMPurify: Cross-realm IN_PLACE sanitization leaves executable markup intact via realm-bound `instanceof` checks
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-49458
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 0001-01-01 00:00 修改: 0001-01-01 00:00
|
| dompurify |
CVE-2026-49459 |
中危 |
3.3.3 |
3.4.6 |
DOMPurify: IN_PLACE mode preserves attributes of a clobbered root element, allowing XSS via attacker-controlled root DOM
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-49459
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 0001-01-01 00:00 修改: 0001-01-01 00:00
|
| dompurify |
CVE-2026-49978 |
中危 |
3.3.3 |
3.4.7 |
DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-49978
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 0001-01-01 00:00 修改: 0001-01-01 00:00
|
| protobufjs |
CVE-2026-44288 |
中危 |
7.5.4 |
7.5.6, 8.0.2 |
protobufjs: protobufjs: Security control bypass due to improper handling of overlong UTF-8 sequences
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44288
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-06-17 10:50
|
| protobufjs |
CVE-2026-44292 |
中危 |
7.5.4 |
7.5.6, 8.0.2 |
protobufjs: protobufjs: Data integrity impact due to prototype pollution
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44292
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-06-17 10:50
|
| protobufjs |
CVE-2026-44294 |
中危 |
7.5.4 |
7.5.6, 8.0.2 |
protobufjs: protobufjs: Denial of Service due to unescaped control characters in field names
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44294
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-06-17 10:50
|
| protobufjs |
CVE-2026-45740 |
中危 |
7.5.4 |
7.5.8, 8.2.0 |
protobufjs: protobufjs: Denial of Service via crafted JSON descriptors
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-45740
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:17 修改: 2026-06-17 10:52
|
| protobufjs |
CVE-2026-54269 |
中危 |
7.5.4 |
7.6.3, 8.6.0 |
protobufjs: protobufjs-cli: protobufjs: Denial of Service due to name collision with runtime helpers
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-54269
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-22 18:16 修改: 2026-06-24 20:40
|
| qs |
CVE-2026-8723 |
中危 |
6.15.0 |
6.15.2 |
### Summary `qs.stringify` throws `TypeError` when called with `arr ...
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-8723
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-17 00:16 修改: 2026-06-17 11:04
|
| dompurify |
GHSA-39q2-94rc-95cp |
中危 |
3.3.3 |
3.4.0 |
DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
漏洞详情: https://github.com/advisories/GHSA-39q2-94rc-95cp
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-16 00:46 修改: 2026-04-16 00:46
|
| dompurify |
GHSA-76mc-f452-cxcm |
中危 |
3.3.3 |
3.4.7 |
DOMPurify: Hook mutation of `data.allowedTags` / `data.allowedAttributes` permanently pollutes `DEFAULT_ALLOWED_TAGS` / `DEFAULT_ALLOWED_ATTR`
漏洞详情: https://github.com/advisories/GHSA-76mc-f452-cxcm
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-15 19:59 修改: 2026-06-15 19:59
|
| tar |
CVE-2026-53655 |
中危 |
7.5.11 |
7.5.16 |
node-tar is a full-featured Tar for Node.js. Prior to 7.5.16, tar (nod ...
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-53655
镜像层: sha256:67d07178115b6011759cff40cd14f51892e5400b489de3499a8b3c07a8329ac7
发布日期: 2026-06-22 16:16 修改: 2026-06-26 20:03
|
| dompurify |
GHSA-cmwh-pvxp-8882 |
中危 |
3.3.3 |
3.4.11 |
DOMPurify: Permanent `ALLOWED_ATTR` pollution via `setConfig()` bypassing the hook clone-guard (incomplete fix of the 3.4.7 hook-pollution patch)
漏洞详情: https://github.com/advisories/GHSA-cmwh-pvxp-8882
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-18 14:27 修改: 2026-06-18 14:27
|
| undici |
CVE-2026-9679 |
中危 |
6.26.0 |
6.27.0, 7.28.0, 8.5.0 |
undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-9679
镜像层: sha256:7b964d9d90b645c10c857a08769d0e68d3f18532851085a807dd336cf9ddae5e
发布日期: 2026-06-17 18:18 修改: 2026-06-25 17:43
|
| @anthropic-ai/sdk |
CVE-2026-34451 |
中危 |
0.80.0 |
0.81.0 |
Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-34451
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-03-31 22:16 修改: 2026-06-17 10:39
|
| @anthropic-ai/sdk |
CVE-2026-41686 |
中危 |
0.80.0 |
0.91.1 |
Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-41686
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-04 19:16 修改: 2026-06-17 10:47
|
| @hono/node-server |
CVE-2026-39406 |
中危 |
1.19.11 |
1.19.13 |
@hono/node-server: Middleware bypass via repeated slashes in serveStatic
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-39406
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-08 15:16 修改: 2026-06-17 10:42
|
| undici |
CVE-2026-9678 |
中危 |
7.24.6 |
7.28.0, 8.5.0 |
undici: Undici: Information disclosure due to improper cache-control header parsing
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-9678
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-17 18:18 修改: 2026-06-25 17:44
|
| undici |
CVE-2026-9679 |
中危 |
7.24.6 |
6.27.0, 7.28.0, 8.5.0 |
undici: undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-9679
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-17 18:18 修改: 2026-06-25 17:43
|
| uuid |
CVE-2026-41907 |
中危 |
13.0.0 |
11.1.1, 12.0.1, 13.0.1 |
uuid: uuid: Out-of-bounds write vulnerability impacts data integrity and confidentiality
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-41907
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-24 19:17 修改: 2026-06-17 10:47
|
| hono |
CVE-2026-39407 |
中危 |
4.12.9 |
4.12.12 |
Hono: Middleware bypass via repeated slashes in serveStatic
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-39407
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-08 15:16 修改: 2026-06-17 10:42
|
| hono |
CVE-2026-39408 |
中危 |
4.12.9 |
4.12.12 |
Hono: Path traversal in toSSG() allows writing files outside the output directory
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-39408
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-08 15:16 修改: 2026-06-17 10:42
|
| hono |
CVE-2026-39409 |
中危 |
4.12.9 |
4.12.12 |
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-39409
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-08 15:16 修改: 2026-06-17 10:42
|
| hono |
CVE-2026-39410 |
中危 |
4.12.9 |
4.12.12 |
Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-39410
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-08 15:16 修改: 2026-06-17 10:42
|
| hono |
CVE-2026-44455 |
中危 |
4.12.9 |
4.12.16 |
hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44455
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-06-17 10:50
|
| hono |
CVE-2026-44456 |
中危 |
4.12.9 |
4.12.16 |
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44456
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-06-17 10:50
|
| vite |
CVE-2026-39365 |
中危 |
8.0.3 |
8.0.5, 7.3.2, 6.4.2 |
vite: Vite: Information disclosure via path traversal in dev server's .map request handling
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-39365
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-07 20:16 修改: 2026-06-17 10:42
|
| vite |
CVE-2026-39365 |
中危 |
8.0.3 |
8.0.5, 7.3.2, 6.4.2 |
vite: Vite: Information disclosure via path traversal in dev server's .map request handling
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-39365
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-04-07 20:16 修改: 2026-06-17 10:42
|
| vite |
CVE-2026-53632 |
中危 |
8.0.3 |
8.0.16, 7.3.5, 6.4.3 |
launch-editor: launch-editor: Credential compromise via NTLMv2 password hash leak through UNC path access
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-53632
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-22 18:16 修改: 2026-06-23 15:44
|
| vite |
CVE-2026-53632 |
中危 |
8.0.3 |
8.0.16, 7.3.5, 6.4.3 |
launch-editor: launch-editor: Credential compromise via NTLMv2 password hash leak through UNC path access
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-53632
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-22 18:16 修改: 2026-06-23 15:44
|
| hono |
CVE-2026-44457 |
中危 |
4.12.9 |
4.12.18 |
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44457
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-06-17 10:50
|
| ws |
CVE-2026-45736 |
中危 |
8.20.0 |
8.20.1 |
ws: ws: Uninitialized memory disclosure via `websocket.close()` with `TypedArray`
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-45736
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-15 15:16 修改: 2026-07-02 12:17
|
| dompurify |
GHSA-x4vx-rjvf-j5p4 |
低危 |
3.3.3 |
|
DOMPurify: `IN_PLACE` mode trusts attacker-controlled `nodeName` on live non-form nodes, allowing script retention and XSS via attacker-supplied DOM objects
漏洞详情: https://github.com/advisories/GHSA-x4vx-rjvf-j5p4
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-15 20:00 修改: 2026-06-15 20:00
|
| esbuild |
GHSA-g7r4-m6w7-qqqr |
低危 |
0.27.4 |
0.28.1 |
esbuild allows arbitrary file read when running the development server on Windows
漏洞详情: https://github.com/advisories/GHSA-g7r4-m6w7-qqqr
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-12 20:08 修改: 2026-06-12 20:08
|
| dompurify |
GHSA-gvmj-g25r-r7wr |
低危 |
3.3.3 |
3.4.8 |
DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside <template> content when using DOM output modes
漏洞详情: https://github.com/advisories/GHSA-gvmj-g25r-r7wr
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-15 20:02 修改: 2026-06-15 20:02
|
| undici |
CVE-2026-11525 |
低危 |
7.24.6 |
6.27.0, 7.28.0, 8.5.0 |
undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-11525
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-17 18:17 修改: 2026-06-25 17:46
|
| undici |
CVE-2026-6733 |
低危 |
7.24.6 |
6.27.0, 7.28.0, 8.5.0 |
undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-6733
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-17 18:18 修改: 2026-06-27 23:46
|
| undici |
CVE-2026-11525 |
低危 |
6.26.0 |
6.27.0, 7.28.0, 8.5.0 |
undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-11525
镜像层: sha256:7b964d9d90b645c10c857a08769d0e68d3f18532851085a807dd336cf9ddae5e
发布日期: 2026-06-17 18:17 修改: 2026-06-25 17:46
|
| undici |
CVE-2026-6733 |
低危 |
6.26.0 |
6.27.0, 7.28.0, 8.5.0 |
undici: Undici: Response queue poisoning on reused keep-alive sockets can lead to incorrect response delivery.
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-6733
镜像层: sha256:7b964d9d90b645c10c857a08769d0e68d3f18532851085a807dd336cf9ddae5e
发布日期: 2026-06-17 18:18 修改: 2026-06-27 23:46
|
| hono |
CVE-2026-44459 |
低危 |
4.12.9 |
4.12.18 |
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
漏洞详情: https://avd.aquasec.com/nvd/cve-2026-44459
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-05-13 16:16 修改: 2026-06-17 10:50
|
| dompurify |
GHSA-vxr8-fq34-vvx9 |
低危 |
3.3.3 |
3.4.9 |
DOMPurify: Trusted Types policy survives `clearConfig()` and can poison later `RETURN_TRUSTED_TYPE` output
漏洞详情: https://github.com/advisories/GHSA-vxr8-fq34-vvx9
镜像层: sha256:ca08dc16bc84f913bd605d748bee29952778f2c1a8987b8d8724711e1885d4ca
发布日期: 2026-06-15 20:12 修改: 2026-06-15 20:12
|