Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-1526 (GCVE-0-2026-1526)
Vulnerability from cvelistv5 – Published: 2026-03-12 20:08 – Updated: 2026-03-13 18:04
VLAI?
EPSS
Title
undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression
Summary
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
Severity ?
7.5 (High)
CWE
- CWE-409 - Improper handling of highly compressed data (data amplification)
Assigner
References
Impacted products
Credits
Matteo Collina
Ulises Gascón
HO9
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1526",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-13T18:04:06.608247Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T18:04:20.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://github.com/nodejs/undici/",
"defaultStatus": "unaffected",
"packageName": "undici",
"product": "undici",
"repo": "https://github.com/nodejs/undici/",
"vendor": "undici",
"versions": [
{
"status": "affected",
"version": "\u003c 6.24.0; 7.0.0 \u003c 7.24.0"
},
{
"status": "unaffected",
"version": "6.24.0: 7.24.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "remediation developer",
"value": "Matteo Collina"
},
{
"lang": "en",
"type": "remediation developer",
"value": "Ulises Gasc\u00f3n"
},
{
"lang": "en",
"type": "finder",
"value": "HO9"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\u003c/p\u003e\u003cp\u003eThe vulnerability exists in the\u0026nbsp;\u003ccode\u003ePerMessageDeflate.decompress()\u003c/code\u003e\u0026nbsp;method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.\u003c/p\u003e"
}
],
"value": "The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\n\nThe vulnerability exists in the\u00a0PerMessageDeflate.decompress()\u00a0method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-409",
"description": "CWE-409 Improper handling of highly compressed data (data amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-12T20:08:05.950Z",
"orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"shortName": "openjs"
},
"references": [
{
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q"
},
{
"url": "https://hackerone.com/reports/3481206"
},
{
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"url": "https://datatracker.ietf.org/doc/html/rfc7692"
}
],
"source": {
"advisory": "GHSA-vrm6-8vpv-qv8q",
"discovery": "EXTERNAL"
},
"title": "undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression",
"x_generator": {
"engine": "Vulnogram 1.0.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
"assignerShortName": "openjs",
"cveId": "CVE-2026-1526",
"datePublished": "2026-03-12T20:08:05.950Z",
"dateReserved": "2026-01-28T12:05:07.017Z",
"dateUpdated": "2026-03-13T18:04:20.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-1526",
"date": "2026-05-20",
"epss": "0.00021",
"percentile": "0.05959"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-1526\",\"sourceIdentifier\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"published\":\"2026-03-12T21:16:23.933\",\"lastModified\":\"2026-03-20T15:56:47.337\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \\\"decompression bomb\\\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\\n\\nThe vulnerability exists in the\u00a0PerMessageDeflate.decompress()\u00a0method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.\"},{\"lang\":\"es\",\"value\":\"El cliente WebSocket undici es vulnerable a un ataque de denegaci\u00f3n de servicio a trav\u00e9s de un consumo de memoria ilimitado durante la descompresi\u00f3n permessage-deflate. Cuando una conexi\u00f3n WebSocket negocia la extensi\u00f3n permessage-deflate, el cliente descomprime las tramas comprimidas entrantes sin imponer ning\u00fan l\u00edmite en el tama\u00f1o de los datos descomprimidos. Un servidor WebSocket malicioso puede enviar una peque\u00f1a trama comprimida (una \u0027bomba de descompresi\u00f3n\u0027) que se expande a un tama\u00f1o extremadamente grande en memoria, causando que el proceso de Node.js agote la memoria disponible y colapse o deje de responder.\\n\\nLa vulnerabilidad existe en el m\u00e9todo PerMessageDeflate.decompress(), que acumula todos los fragmentos descomprimidos en memoria y los concatena en un \u00fanico Buffer sin verificar si el tama\u00f1o total excede un umbral seguro.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-409\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"6.24.0\",\"matchCriteriaId\":\"C08CE582-019D-4A06-910A-6010C2D6EF4F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.24.0\",\"matchCriteriaId\":\"F016E7D9-C45A-4DEF-9AD8-F0581AF5E509\"}]}]}],\"references\":[{\"url\":\"https://cna.openjsf.org/security-advisories.html\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://datatracker.ietf.org/doc/html/rfc7692\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"tags\":[\"Technical Description\"]},{\"url\":\"https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://hackerone.com/reports/3481206\",\"source\":\"ce714d77-add3-4f53-aff5-83d477b104bb\",\"tags\":[\"Permissions Required\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-1526\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-13T18:04:06.608247Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-13T18:04:13.626Z\"}}], \"cna\": {\"title\": \"undici is vulnerable to Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression\", \"source\": {\"advisory\": \"GHSA-vrm6-8vpv-qv8q\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Matteo Collina\"}, {\"lang\": \"en\", \"type\": \"remediation developer\", \"value\": \"Ulises Gasc\\u00f3n\"}, {\"lang\": \"en\", \"type\": \"finder\", \"value\": \"HO9\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"repo\": \"https://github.com/nodejs/undici/\", \"vendor\": \"undici\", \"product\": \"undici\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 6.24.0; 7.0.0 \u003c 7.24.0\"}, {\"status\": \"unaffected\", \"version\": \"6.24.0: 7.24.0\"}], \"packageName\": \"undici\", \"collectionURL\": \"https://github.com/nodejs/undici/\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q\"}, {\"url\": \"https://hackerone.com/reports/3481206\"}, {\"url\": \"https://cna.openjsf.org/security-advisories.html\"}, {\"url\": \"https://datatracker.ietf.org/doc/html/rfc7692\"}], \"x_generator\": {\"engine\": \"Vulnogram 1.0.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \\\"decompression bomb\\\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\\n\\nThe vulnerability exists in the\\u00a0PerMessageDeflate.decompress()\\u00a0method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003eThe undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \\\"decompression bomb\\\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\u003c/p\u003e\u003cp\u003eThe vulnerability exists in the\u0026nbsp;\u003ccode\u003ePerMessageDeflate.decompress()\u003c/code\u003e\u0026nbsp;method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-409\", \"description\": \"CWE-409 Improper handling of highly compressed data (data amplification)\"}]}], \"providerMetadata\": {\"orgId\": \"ce714d77-add3-4f53-aff5-83d477b104bb\", \"shortName\": \"openjs\", \"dateUpdated\": \"2026-03-12T20:08:05.950Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-1526\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-13T18:04:20.683Z\", \"dateReserved\": \"2026-01-28T12:05:07.017Z\", \"assignerOrgId\": \"ce714d77-add3-4f53-aff5-83d477b104bb\", \"datePublished\": \"2026-03-12T20:08:05.950Z\", \"assignerShortName\": \"openjs\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
alsa-2026:7080
Vulnerability from osv_almalinux
Published
2026-04-08 00:00
Modified
2026-04-09 02:15
Summary
Important: nodejs22 security update
Details
Node.js is a platform built on Chrome's JavaScript runtime \ for easily building fast, scalable network applications. \ Node.js uses an event-driven, non-blocking I/O model that \ makes it lightweight and efficient, perfect for data-intensive \ real-time applications that run across distributed devices.
Security Fix(es):
- brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
- minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
- minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)
- undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
- undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
- undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
- undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
- nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
- Node.js: Node.js: Denial of Service due to crafted HTTP
__proto__header (CVE-2026-21710)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.22.2-1.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.22.2-1.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs-docs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.22.2-1.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs-full-i18n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.22.2-1.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.22.2-1.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs-npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:10.9.7-1.22.22.2.1.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Node.js is a platform built on Chrome\u0027s JavaScript runtime \\ for easily building fast, scalable network applications. \\ Node.js uses an event-driven, non-blocking I/O model that \\ makes it lightweight and efficient, perfect for data-intensive \\ real-time applications that run across distributed devices. \n\nSecurity Fix(es): \n\n * brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)\n * minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)\n * minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)\n * undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)\n * undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)\n * undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)\n * undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)\n * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)\n * Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:7080",
"modified": "2026-04-09T02:15:49Z",
"published": "2026-04-08T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:7080"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1525"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1526"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1528"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21710"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-2229"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-25547"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-26996"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27135"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27904"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2436942"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2441268"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2442922"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447142"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447143"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447144"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447145"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2448754"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453151"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2026-7080.html"
}
],
"related": [
"CVE-2026-25547",
"CVE-2026-26996",
"CVE-2026-27904",
"CVE-2026-1526",
"CVE-2026-2229",
"CVE-2026-1525",
"CVE-2026-1528",
"CVE-2026-27135",
"CVE-2026-21710"
],
"summary": "Important: nodejs22 security update"
}
alsa-2026:7123
Vulnerability from osv_almalinux
Published
2026-04-08 00:00
Modified
2026-04-15 08:45
Summary
Important: nodejs:22 security update
Details
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
- brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
- minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
- minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)
- undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
- undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
- undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
- undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
- nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
- Node.js: Node.js: Denial of Service due to crafted HTTP
__proto__header (CVE-2026-21710)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.22.2-1.module_el8.10.0+4158+e796f37f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.22.2-1.module_el8.10.0+4158+e796f37f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-docs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.22.2-1.module_el8.10.0+4158+e796f37f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-full-i18n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.22.2-1.module_el8.10.0+4158+e796f37f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:22.22.2-1.module_el8.10.0+4158+e796f37f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-nodemon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.1-1.module_el8.10.0+4006+3c416519"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-packaging"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.06-6.module_el8.10.0+4158+e796f37f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-packaging-bundler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.06-6.module_el8.10.0+4158+e796f37f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:10.9.7-1.22.22.2.1.module_el8.10.0+4158+e796f37f"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "v8-12.4-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:12.4.254.21-1.22.22.2.1.module_el8.10.0+4158+e796f37f"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nSecurity Fix(es): \n\n * brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)\n * minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)\n * minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions (CVE-2026-27904)\n * undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)\n * undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)\n * undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)\n * undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)\n * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)\n * Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:7123",
"modified": "2026-04-15T08:45:14Z",
"published": "2026-04-08T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:7123"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1525"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1526"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1528"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21710"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-2229"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-25547"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-26996"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27135"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27904"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2436942"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2441268"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2442922"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447142"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447143"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447144"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447145"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2448754"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453151"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2026-7123.html"
}
],
"related": [
"CVE-2026-25547",
"CVE-2026-26996",
"CVE-2026-27904",
"CVE-2026-1526",
"CVE-2026-2229",
"CVE-2026-1525",
"CVE-2026-1528",
"CVE-2026-27135",
"CVE-2026-21710"
],
"summary": "Important: nodejs:22 security update"
}
alsa-2026:7350
Vulnerability from osv_almalinux
Published
2026-04-09 00:00
Modified
2026-04-15 08:09
Summary
Important: nodejs:24 security update
Details
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
- nodejs: Nodejs denial of service (CVE-2026-21637)
- brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
- minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
- undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)
- undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)
- undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
- undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
- undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
- undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
- nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
- Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)
- Node.js: Node.js: Denial of Service due to crafted HTTP
__proto__header (CVE-2026-21710) - Node.js: Node.js: Information disclosure due to
fs.realpathSync.native()bypassing filesystem read restrictions (CVE-2026-21715) - nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)
- Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)
- Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)
- Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)
- nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.module_el9.7.0+222+ef1c61e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.module_el9.7.0+222+ef1c61e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-docs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.module_el9.7.0+222+ef1c61e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-full-i18n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.module_el9.7.0+222+ef1c61e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.module_el9.7.0+222+ef1c61e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-nodemon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.3-3.module_el9.7.0+209+ecf6523e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-packaging"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.06-6.module_el9.7.0+209+ecf6523e"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "nodejs-packaging-bundler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.06-6.module_el9.7.0+198+8bf605ba"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:11.11.0-1.24.14.1.2.module_el9.7.0+222+ef1c61e1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:9",
"name": "v8-13.6-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:13.6.233.17-1.24.14.1.2.module_el9.7.0+222+ef1c61e1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nSecurity Fix(es): \n\n * nodejs: Nodejs denial of service (CVE-2026-21637)\n * brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)\n * minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)\n * undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)\n * undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)\n * undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)\n * undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)\n * undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)\n * undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)\n * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)\n * Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)\n * Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)\n * Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions (CVE-2026-21715)\n * nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)\n * Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)\n * Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)\n * Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)\n * nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:7350",
"modified": "2026-04-15T08:09:29Z",
"published": "2026-04-09T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:7350"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1525"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1526"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1527"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1528"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21710"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21711"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21712"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21713"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21714"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21715"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-2229"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-25547"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-2581"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-26996"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27135"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2431340"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2436942"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2441268"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447140"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447141"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447142"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447143"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447144"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447145"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2448754"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453037"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453151"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453152"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453157"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453158"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453160"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453161"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453162"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/9/ALSA-2026-7350.html"
}
],
"related": [
"CVE-2026-21637",
"CVE-2026-25547",
"CVE-2026-26996",
"CVE-2026-2581",
"CVE-2026-1527",
"CVE-2026-1526",
"CVE-2026-2229",
"CVE-2026-1525",
"CVE-2026-1528",
"CVE-2026-27135",
"CVE-2026-21712",
"CVE-2026-21710",
"CVE-2026-21715",
"CVE-2026-21716",
"CVE-2026-21711",
"CVE-2026-21713",
"CVE-2026-21714",
"CVE-2026-21717"
],
"summary": "Important: nodejs:24 security update"
}
alsa-2026:7670
Vulnerability from osv_almalinux
Published
2026-04-13 00:00
Modified
2026-04-15 07:50
Summary
Important: nodejs:24 security update
Details
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
- nodejs: Nodejs denial of service (CVE-2026-21637)
- minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
- undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)
- undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)
- undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
- undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
- undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
- undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
- nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
- Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)
- Node.js: Node.js: Denial of Service due to crafted HTTP
__proto__header (CVE-2026-21710) - Node.js: Node.js: Information disclosure due to
fs.realpathSync.native()bypassing filesystem read restrictions (CVE-2026-21715) - nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)
- Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)
- Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)
- Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)
- nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.module_el8.10.0+4160+4819ac42"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.module_el8.10.0+4160+4819ac42"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-docs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.module_el8.10.0+4160+4819ac42"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-full-i18n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.module_el8.10.0+4160+4819ac42"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.module_el8.10.0+4160+4819ac42"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-nodemon"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.0.3-1.module_el8.10.0+4061+f8ceeab9"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-packaging"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.06-6.module_el8.10.0+4086+70facd4a"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "nodejs-packaging-bundler"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2021.06-6.module_el8.10.0+4086+70facd4a"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:11.11.0-1.24.14.1.2.module_el8.10.0+4160+4819ac42"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:8",
"name": "v8-13.6-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3:13.6.233.17-1.24.14.1.2.module_el8.10.0+4160+4819ac42"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. \n\nSecurity Fix(es): \n\n * nodejs: Nodejs denial of service (CVE-2026-21637)\n * minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)\n * undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)\n * undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)\n * undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)\n * undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)\n * undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)\n * undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)\n * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)\n * Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)\n * Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)\n * Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions (CVE-2026-21715)\n * nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)\n * Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)\n * Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)\n * Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)\n * nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:7670",
"modified": "2026-04-15T07:50:26Z",
"published": "2026-04-13T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:7670"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1525"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1526"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1527"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1528"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21710"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21711"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21712"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21713"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21714"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21715"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-2229"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-2581"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-26996"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27135"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2431340"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2441268"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447140"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447141"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447142"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447143"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447144"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447145"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2448754"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453037"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453151"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453152"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453157"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453158"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453160"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453161"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453162"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/8/ALSA-2026-7670.html"
}
],
"related": [
"CVE-2026-21637",
"CVE-2026-26996",
"CVE-2026-2581",
"CVE-2026-1527",
"CVE-2026-1526",
"CVE-2026-2229",
"CVE-2026-1525",
"CVE-2026-1528",
"CVE-2026-27135",
"CVE-2026-21712",
"CVE-2026-21710",
"CVE-2026-21715",
"CVE-2026-21716",
"CVE-2026-21711",
"CVE-2026-21713",
"CVE-2026-21714",
"CVE-2026-21717"
],
"summary": "Important: nodejs:24 security update"
}
alsa-2026:7675
Vulnerability from osv_almalinux
Published
2026-04-13 00:00
Modified
2026-04-14 13:07
Summary
Important: nodejs24 security update
Details
Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices.
Security Fix(es):
- nodejs: Nodejs denial of service (CVE-2026-21637)
- brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)
- minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)
- undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)
- undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)
- undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)
- undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)
- undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)
- undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)
- nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)
- Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)
- Node.js: Node.js: Denial of Service due to crafted HTTP
__proto__header (CVE-2026-21710) - Node.js: Node.js: Information disclosure due to
fs.realpathSync.native()bypassing filesystem read restrictions (CVE-2026-21715) - nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)
- Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)
- Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)
- Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)
- nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs24"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs24-devel"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs24-docs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs24-full-i18n"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs24-libs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:24.14.1-2.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "AlmaLinux:10",
"name": "nodejs24-npm"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1:11.11.0-1.24.14.1.2.el10_1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"details": "Node.js is a platform built on Chrome\u0027s JavaScript runtime for easily building fast, scalable network applications. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient, perfect for data-intensive real-time applications that run across distributed devices. \n\nSecurity Fix(es): \n\n * nodejs: Nodejs denial of service (CVE-2026-21637)\n * brace-expansion: brace-expansion: Denial of Service via unbounded brace range expansion (CVE-2026-25547)\n * minimatch: minimatch: Denial of Service via specially crafted glob patterns (CVE-2026-26996)\n * undici: Undici: Denial of Service due to uncontrolled resource consumption (CVE-2026-2581)\n * undici: Undici: HTTP header injection and request smuggling vulnerability (CVE-2026-1527)\n * undici: undici: Denial of Service via unbounded memory consumption during WebSocket permessage-deflate decompression (CVE-2026-1526)\n * undici: Undici: Denial of Service via invalid WebSocket permessage-deflate extension parameter (CVE-2026-2229)\n * undici: Undici: HTTP Request Smuggling and Denial of Service due to duplicate Content-Length headers (CVE-2026-1525)\n * undici: undici: Denial of Service via crafted WebSocket frame with large length (CVE-2026-1528)\n * nghttp2: nghttp2: Denial of Service via malformed HTTP/2 frames after session termination (CVE-2026-27135)\n * Node.js: Node.js: Denial of Service via malformed Internationalized Domain Name processing (CVE-2026-21712)\n * Node.js: Node.js: Denial of Service due to crafted HTTP `__proto__` header (CVE-2026-21710)\n * Node.js: Node.js: Information disclosure due to `fs.realpathSync.native()` bypassing filesystem read restrictions (CVE-2026-21715)\n * nodejs: Node.js: Permission bypass allows unauthorized modification of file permissions and ownership via incomplete security fix. (CVE-2026-21716)\n * Node.js: Node.js: Unauthorized inter-process communication due to missing Unix Domain Socket permission checks (CVE-2026-21711)\n * Node.js: Node.js: Information disclosure via timing oracle in HMAC verification (CVE-2026-21713)\n * Node.js: Node.js: Memory leak and Denial of Service via crafted HTTP/2 WINDOW_UPDATE frames (CVE-2026-21714)\n * nodejs: v8: Node.js: Denial of Service via V8 string hashing mechanism due to predictable hash collisions (CVE-2026-21717)\n\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n",
"id": "ALSA-2026:7675",
"modified": "2026-04-14T13:07:01Z",
"published": "2026-04-13T00:00:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://access.redhat.com/errata/RHSA-2026:7675"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1525"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1526"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1527"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-1528"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21637"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21710"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21711"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21712"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21713"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21714"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21715"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21716"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-21717"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-2229"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-25547"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-2581"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-26996"
},
{
"type": "REPORT",
"url": "https://access.redhat.com/security/cve/CVE-2026-27135"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2431340"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2436942"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2441268"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447140"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447141"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447142"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447143"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447144"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2447145"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2448754"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453037"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453151"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453152"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453157"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453158"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453160"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453161"
},
{
"type": "REPORT",
"url": "https://bugzilla.redhat.com/2453162"
},
{
"type": "ADVISORY",
"url": "https://errata.almalinux.org/10/ALSA-2026-7675.html"
}
],
"related": [
"CVE-2026-21637",
"CVE-2026-25547",
"CVE-2026-26996",
"CVE-2026-2581",
"CVE-2026-1527",
"CVE-2026-1526",
"CVE-2026-2229",
"CVE-2026-1525",
"CVE-2026-1528",
"CVE-2026-27135",
"CVE-2026-21712",
"CVE-2026-21710",
"CVE-2026-21715",
"CVE-2026-21716",
"CVE-2026-21711",
"CVE-2026-21713",
"CVE-2026-21714",
"CVE-2026-21717"
],
"summary": "Important: nodejs24 security update"
}
CERTFR-2026-AVI-0500
Vulnerability from certfr_avis - Published: 2026-04-27 - Updated: 2026-04-27
De multiples vulnérabilités ont été découvertes dans VMware Tanzu. Elles permettent à un attaquant de provoquer un problème de sécurité non spécifié par l'éditeur.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
References
| Title | Publication Time | Tags | ||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Tanzu Greenplum Platform Extension Framework versions ant\u00e9rieures \u00e0 8.0.0",
"product": {
"name": "N/A",
"vendor": {
"name": "VMware",
"scada": false
}
}
},
{
"description": "Tanzu Data Lake versions ant\u00e9rieures \u00e0 4.0.0",
"product": {
"name": "N/A",
"vendor": {
"name": "VMware",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2019-12384",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12384"
},
{
"name": "CVE-2019-17267",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17267"
},
{
"name": "CVE-2026-2229",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2229"
},
{
"name": "CVE-2018-19362",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-19362"
},
{
"name": "CVE-2026-33871",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33871"
},
{
"name": "CVE-2026-22737",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22737"
},
{
"name": "CVE-2026-3449",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3449"
},
{
"name": "CVE-2023-43642",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-43642"
},
{
"name": "CVE-2021-21409",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21409"
},
{
"name": "CVE-2026-22036",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22036"
},
{
"name": "CVE-2023-1370",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-1370"
},
{
"name": "CVE-2023-33201",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33201"
},
{
"name": "CVE-2022-46175",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-46175"
},
{
"name": "CVE-2026-24098",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24098"
},
{
"name": "CVE-2018-14719",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14719"
},
{
"name": "CVE-2026-24734",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24734"
},
{
"name": "CVE-2021-0341",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-0341"
},
{
"name": "CVE-2025-66614",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66614"
},
{
"name": "CVE-2020-9546",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9546"
},
{
"name": "CVE-2025-56200",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-56200"
},
{
"name": "CVE-2020-10673",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10673"
},
{
"name": "CVE-2020-35728",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35728"
},
{
"name": "CVE-2020-36181",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36181"
},
{
"name": "CVE-2026-1527",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1527"
},
{
"name": "CVE-2020-9548",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9548"
},
{
"name": "CVE-2020-36182",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36182"
},
{
"name": "CVE-2020-24616",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24616"
},
{
"name": "CVE-2026-41239",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41239"
},
{
"name": "CVE-2020-36185",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36185"
},
{
"name": "CVE-2022-37603",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37603"
},
{
"name": "CVE-2023-34610",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34610"
},
{
"name": "CVE-2024-47561",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47561"
},
{
"name": "CVE-2019-16942",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16942"
},
{
"name": "CVE-2022-25883",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25883"
},
{
"name": "CVE-2026-34486",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34486"
},
{
"name": "CVE-2026-1525",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1525"
},
{
"name": "CVE-2018-1320",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1320"
},
{
"name": "CVE-2020-9547",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-9547"
},
{
"name": "CVE-2026-29145",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29145"
},
{
"name": "CVE-2025-24970",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-24970"
},
{
"name": "CVE-2025-49128",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-49128"
},
{
"name": "CVE-2020-36179",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36179"
},
{
"name": "CVE-2018-14718",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-14718"
},
{
"name": "CVE-2020-10650",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10650"
},
{
"name": "CVE-2025-1647",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-1647"
},
{
"name": "CVE-2020-36186",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36186"
},
{
"name": "CVE-2026-23745",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23745"
},
{
"name": "CVE-2025-7962",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7962"
},
{
"name": "CVE-2020-36189",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36189"
},
{
"name": "CVE-2019-20444",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20444"
},
{
"name": "CVE-2020-35490",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35490"
},
{
"name": "CVE-2023-34462",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34462"
},
{
"name": "CVE-2026-33870",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33870"
},
{
"name": "CVE-2023-34454",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34454"
},
{
"name": "CVE-2021-20190",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-20190"
},
{
"name": "CVE-2024-29857",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29857"
},
{
"name": "CVE-2020-13949",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-13949"
},
{
"name": "CVE-2023-33202",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-33202"
},
{
"name": "CVE-2024-13009",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-13009"
},
{
"name": "CVE-2023-26115",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26115"
},
{
"name": "CVE-2025-54550",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54550"
},
{
"name": "CVE-2025-54920",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-54920"
},
{
"name": "CVE-2024-34447",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-34447"
},
{
"name": "CVE-2019-16335",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16335"
},
{
"name": "CVE-2023-34453",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34453"
},
{
"name": "CVE-2025-33042",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-33042"
},
{
"name": "CVE-2024-11831",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-11831"
},
{
"name": "CVE-2018-7489",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-7489"
},
{
"name": "CVE-2025-58057",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58057"
},
{
"name": "CVE-2026-34500",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34500"
},
{
"name": "CVE-2025-9624",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-9624"
},
{
"name": "CVE-2026-34043",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34043"
},
{
"name": "CVE-2024-26308",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-26308"
},
{
"name": "CVE-2025-64718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64718"
},
{
"name": "CVE-2020-11113",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11113"
},
{
"name": "CVE-2025-62718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62718"
},
{
"name": "CVE-2026-4800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4800"
},
{
"name": "CVE-2026-33671",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33671"
},
{
"name": "CVE-2026-33532",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33532"
},
{
"name": "CVE-2025-68470",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68470"
},
{
"name": "CVE-2025-67721",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67721"
},
{
"name": "CVE-2024-23454",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23454"
},
{
"name": "CVE-2020-10672",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10672"
},
{
"name": "CVE-2022-3510",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3510"
},
{
"name": "CVE-2022-3509",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3509"
},
{
"name": "CVE-2021-37137",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-37137"
},
{
"name": "CVE-2019-14439",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14439"
},
{
"name": "CVE-2026-33750",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33750"
},
{
"name": "CVE-2025-66236",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66236"
},
{
"name": "CVE-2020-10969",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10969"
},
{
"name": "CVE-2024-48910",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-48910"
},
{
"name": "CVE-2024-8184",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8184"
},
{
"name": "CVE-2025-11143",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11143"
},
{
"name": "CVE-2026-34480",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34480"
},
{
"name": "CVE-2025-52999",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-52999"
},
{
"name": "CVE-2025-7783",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7783"
},
{
"name": "CVE-2026-33228",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33228"
},
{
"name": "CVE-2025-12758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12758"
},
{
"name": "CVE-2024-21538",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-21538"
},
{
"name": "CVE-2020-36187",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36187"
},
{
"name": "CVE-2026-40175",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40175"
},
{
"name": "CVE-2024-57083",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57083"
},
{
"name": "CVE-2022-38749",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38749"
},
{
"name": "CVE-2024-23953",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-23953"
},
{
"name": "CVE-2026-29074",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29074"
},
{
"name": "CVE-2025-68161",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68161"
},
{
"name": "CVE-2023-34455",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-34455"
},
{
"name": "CVE-2024-29131",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29131"
},
{
"name": "CVE-2026-41240",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41240"
},
{
"name": "CVE-2026-26960",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26960"
},
{
"name": "CVE-2020-11620",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11620"
},
{
"name": "CVE-2024-53382",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-53382"
},
{
"name": "CVE-2018-12022",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12022"
},
{
"name": "CVE-2024-47554",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47554"
},
{
"name": "CVE-2022-37601",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37601"
},
{
"name": "CVE-2018-5968",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-5968"
},
{
"name": "CVE-2025-61795",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-61795"
},
{
"name": "CVE-2026-27903",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27903"
},
{
"name": "CVE-2021-21295",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21295"
},
{
"name": "CVE-2024-45801",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-45801"
},
{
"name": "CVE-2020-24750",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-24750"
},
{
"name": "CVE-2025-27821",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27821"
},
{
"name": "CVE-2022-41404",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41404"
},
{
"name": "CVE-2023-39410",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-39410"
},
{
"name": "CVE-2024-25710",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-25710"
},
{
"name": "CVE-2024-7254",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-7254"
},
{
"name": "CVE-2026-22732",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22732"
},
{
"name": "CVE-2024-29133",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29133"
},
{
"name": "CVE-2025-55163",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-55163"
},
{
"name": "CVE-2026-34487",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34487"
},
{
"name": "CVE-2025-27555",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27555"
},
{
"name": "CVE-2025-65995",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-65995"
},
{
"name": "CVE-2022-3517",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3517"
},
{
"name": "CVE-2019-16943",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-16943"
},
{
"name": "CVE-2021-43797",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-43797"
},
{
"name": "CVE-2026-24842",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24842"
},
{
"name": "CVE-2017-7525",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-7525"
},
{
"name": "CVE-2026-23950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23950"
},
{
"name": "CVE-2019-20330",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20330"
},
{
"name": "CVE-2026-2950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2950"
},
{
"name": "CVE-2020-14195",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14195"
},
{
"name": "CVE-2018-10237",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10237"
},
{
"name": "CVE-2019-12814",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12814"
},
{
"name": "CVE-2020-35491",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-35491"
},
{
"name": "CVE-2019-17531",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-17531"
},
{
"name": "CVE-2026-32280",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32280"
},
{
"name": "CVE-2023-52428",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-52428"
},
{
"name": "CVE-2025-69873",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69873"
},
{
"name": "CVE-2020-14061",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14061"
},
{
"name": "CVE-2024-6485",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-6485"
},
{
"name": "CVE-2025-67735",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67735"
},
{
"name": "CVE-2022-42004",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42004"
},
{
"name": "CVE-2025-68458",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68458"
},
{
"name": "CVE-2021-22569",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22569"
},
{
"name": "CVE-2020-11619",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11619"
},
{
"name": "CVE-2026-29786",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29786"
},
{
"name": "CVE-2025-26791",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-26791"
},
{
"name": "CVE-2020-36183",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36183"
},
{
"name": "CVE-2026-25854",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25854"
},
{
"name": "CVE-2021-22573",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-22573"
},
{
"name": "CVE-2020-8840",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8840"
},
{
"name": "CVE-2026-2332",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2332"
},
{
"name": "CVE-2025-58056",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58056"
},
{
"name": "CVE-2026-1526",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1526"
},
{
"name": "CVE-2019-0205",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0205"
},
{
"name": "CVE-2024-47875",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-47875"
},
{
"name": "CVE-2022-41854",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-41854"
},
{
"name": "CVE-2026-33672",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33672"
},
{
"name": "CVE-2020-8908",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-8908"
},
{
"name": "CVE-2024-37890",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-37890"
},
{
"name": "CVE-2020-36184",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36184"
},
{
"name": "CVE-2023-42503",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-42503"
},
{
"name": "CVE-2024-56373",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56373"
},
{
"name": "CVE-2026-25639",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25639"
},
{
"name": "CVE-2020-36180",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36180"
},
{
"name": "CVE-2024-28863",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28863"
},
{
"name": "CVE-2021-31684",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-31684"
},
{
"name": "CVE-2022-25857",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-25857"
},
{
"name": "CVE-2022-38751",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38751"
},
{
"name": "CVE-2025-25193",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-25193"
},
{
"name": "CVE-2020-36518",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36518"
},
{
"name": "CVE-2026-22735",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22735"
},
{
"name": "CVE-2025-5889",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5889"
},
{
"name": "CVE-2024-30171",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-30171"
},
{
"name": "CVE-2026-24733",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24733"
},
{
"name": "CVE-2022-38900",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38900"
},
{
"name": "CVE-2025-68157",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68157"
},
{
"name": "CVE-2017-15095",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-15095"
},
{
"name": "CVE-2019-14540",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14540"
},
{
"name": "CVE-2024-36114",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-36114"
},
{
"name": "CVE-2025-27789",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27789"
},
{
"name": "CVE-2019-12086",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-12086"
},
{
"name": "CVE-2025-48924",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48924"
},
{
"name": "CVE-2022-38752",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38752"
},
{
"name": "CVE-2025-8916",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8916"
},
{
"name": "CVE-2025-8885",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-8885"
},
{
"name": "CVE-2025-41249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41249"
},
{
"name": "CVE-2022-38750",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-38750"
},
{
"name": "CVE-2021-21290",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-21290"
},
{
"name": "CVE-2018-11307",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11307"
},
{
"name": "CVE-2026-26996",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26996"
},
{
"name": "CVE-2020-10968",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-10968"
},
{
"name": "CVE-2022-42003",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-42003"
},
{
"name": "CVE-2020-25649",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-25649"
},
{
"name": "CVE-2025-68675",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68675"
},
{
"name": "CVE-2023-2976",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-2976"
},
{
"name": "CVE-2017-17485",
"url": "https://www.cve.org/CVERecord?id=CVE-2017-17485"
},
{
"name": "CVE-2026-34483",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34483"
},
{
"name": "CVE-2022-37599",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-37599"
},
{
"name": "CVE-2026-32141",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32141"
},
{
"name": "CVE-2025-59419",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59419"
},
{
"name": "CVE-2022-1471",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-1471"
},
{
"name": "CVE-2019-14379",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14379"
},
{
"name": "CVE-2023-26136",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26136"
},
{
"name": "CVE-2026-33816",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33816"
},
{
"name": "CVE-2022-3171",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-3171"
},
{
"name": "CVE-2026-25219",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25219"
},
{
"name": "CVE-2020-11112",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11112"
},
{
"name": "CVE-2020-11111",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-11111"
},
{
"name": "CVE-2026-31802",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31802"
},
{
"name": "CVE-2025-13465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13465"
},
{
"name": "CVE-2025-22227",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22227"
},
{
"name": "CVE-2026-27904",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27904"
},
{
"name": "CVE-2026-1225",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1225"
},
{
"name": "CVE-2020-14060",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14060"
},
{
"name": "CVE-2020-36188",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-36188"
},
{
"name": "CVE-2016-1000027",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-1000027"
},
{
"name": "CVE-2024-57699",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-57699"
},
{
"name": "CVE-2019-14892",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14892"
},
{
"name": "CVE-2019-20445",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-20445"
},
{
"name": "CVE-2025-48734",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-48734"
},
{
"name": "CVE-2025-11226",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11226"
},
{
"name": "CVE-2020-14062",
"url": "https://www.cve.org/CVERecord?id=CVE-2020-14062"
}
],
"initial_release_date": "2026-04-27T00:00:00",
"last_revision_date": "2026-04-27T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0500",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-04-27T00:00:00.000000"
}
],
"risks": [
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans VMware Tanzu. Elles permettent \u00e0 un attaquant de provoquer un probl\u00e8me de s\u00e9curit\u00e9 non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans VMware Tanzu",
"vendor_advisories": [
{
"published_at": "2026-04-24",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37405",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37405"
},
{
"published_at": "2026-04-24",
"title": "Bulletin de s\u00e9curit\u00e9 VMware 37404",
"url": "https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/37404"
}
]
}
cleanstart-2026-dv49099
Vulnerability from cleanstart
Published
2026-04-01 09:31
Modified
2026-03-23 10:49
Summary
Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-DV49099",
"modified": "2026-03-23T10:49:42Z",
"published": "2026-04-01T09:31:16.419730Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-DV49099.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
cleanstart-2026-gs57401
Vulnerability from cleanstart
Published
2026-04-01 09:43
Modified
2026-03-19 07:48
Summary
Security fixes for CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-2391, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.3-r1
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.3-r1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-GS57401",
"modified": "2026-03-19T07:48:38Z",
"published": "2026-04-01T09:43:24.793409Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-GS57401.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-2391, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.3-r1",
"upstream": [
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-2391",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
cleanstart-2026-sw34937
Vulnerability from cleanstart
Published
2026-04-01 09:43
Modified
2026-03-19 07:58
Summary
Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-SW34937",
"modified": "2026-03-19T07:58:44Z",
"published": "2026-04-01T09:43:38.907490Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-SW34937.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
FKIE_CVE-2026-1526
Vulnerability from fkie_nvd - Published: 2026-03-12 21:16 - Updated: 2026-03-20 15:56
Severity ?
Summary
The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.
The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.
References
| URL | Tags | ||
|---|---|---|---|
| ce714d77-add3-4f53-aff5-83d477b104bb | https://cna.openjsf.org/security-advisories.html | Vendor Advisory | |
| ce714d77-add3-4f53-aff5-83d477b104bb | https://datatracker.ietf.org/doc/html/rfc7692 | Technical Description | |
| ce714d77-add3-4f53-aff5-83d477b104bb | https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q | Vendor Advisory | |
| ce714d77-add3-4f53-aff5-83d477b104bb | https://hackerone.com/reports/3481206 | Permissions Required |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "C08CE582-019D-4A06-910A-6010C2D6EF4F",
"versionEndExcluding": "6.24.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:nodejs:undici:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "F016E7D9-C45A-4DEF-9AD8-F0581AF5E509",
"versionEndExcluding": "7.24.0",
"versionStartIncluding": "7.0.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a \"decompression bomb\") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.\n\nThe vulnerability exists in the\u00a0PerMessageDeflate.decompress()\u00a0method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold."
},
{
"lang": "es",
"value": "El cliente WebSocket undici es vulnerable a un ataque de denegaci\u00f3n de servicio a trav\u00e9s de un consumo de memoria ilimitado durante la descompresi\u00f3n permessage-deflate. Cuando una conexi\u00f3n WebSocket negocia la extensi\u00f3n permessage-deflate, el cliente descomprime las tramas comprimidas entrantes sin imponer ning\u00fan l\u00edmite en el tama\u00f1o de los datos descomprimidos. Un servidor WebSocket malicioso puede enviar una peque\u00f1a trama comprimida (una \u0027bomba de descompresi\u00f3n\u0027) que se expande a un tama\u00f1o extremadamente grande en memoria, causando que el proceso de Node.js agote la memoria disponible y colapse o deje de responder.\n\nLa vulnerabilidad existe en el m\u00e9todo PerMessageDeflate.decompress(), que acumula todos los fragmentos descomprimidos en memoria y los concatena en un \u00fanico Buffer sin verificar si el tama\u00f1o total excede un umbral seguro."
}
],
"id": "CVE-2026-1526",
"lastModified": "2026-03-20T15:56:47.337",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"type": "Secondary"
}
]
},
"published": "2026-03-12T21:16:23.933",
"references": [
{
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"tags": [
"Vendor Advisory"
],
"url": "https://cna.openjsf.org/security-advisories.html"
},
{
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"tags": [
"Technical Description"
],
"url": "https://datatracker.ietf.org/doc/html/rfc7692"
},
{
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"tags": [
"Vendor Advisory"
],
"url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q"
},
{
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/3481206"
}
],
"sourceIdentifier": "ce714d77-add3-4f53-aff5-83d477b104bb",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-409"
}
],
"source": "ce714d77-add3-4f53-aff5-83d477b104bb",
"type": "Secondary"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…