| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-41213 | @node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes | node-oauth | node-oauth2-server | Medium | 5.9 | 2026-04-23 18:33:42 | Deep Dive |
| CVE-2026-40931 | Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing | node-modules | compressing | High | 8.4 | 2026-04-21 20:57:10 | Deep Dive |
| CVE-2026-21710 | Node.js security vulnerability | nodejs | node | - | - | 2026-03-30 19:07:29 | Deep Dive |
| CVE-2026-21711 | Node.js security vulnerability | nodejs | node | - | - | 2026-03-30 19:07:29 | Deep Dive |
| CVE-2026-21715 | Node.js security vulnerability | nodejs | node | - | - | 2026-03-30 19:07:29 | Deep Dive |
| CVE-2026-21716 | Node.js security vulnerability | nodejs | node | - | - | 2026-03-30 19:07:29 | Deep Dive |
| CVE-2026-21713 | Node.js security vulnerability | nodejs | node | - | - | 2026-03-30 19:07:28 | Deep Dive |
| CVE-2026-21714 | Node.js security vulnerability | nodejs | node | - | - | 2026-03-30 19:07:28 | Deep Dive |
| CVE-2026-21717 | Node.js security vulnerability | nodejs | node | - | - | 2026-03-30 19:07:28 | Deep Dive |
| CVE-2026-21712 | Node.js security vulnerability | nodejs | node | - | - | 2026-03-30 15:13:59 | Deep Dive |
| CVE-2026-4933 | Unpublished Node Permissions - Critical - Access bypass - SA-CONTRIB-2026-029 | Drupal | Unpublished Node Permissions | Medium | - | 2026-03-26 20:10:27 | Deep Dive |
| CVE-2026-4191 | JawherKl node-api-postgres Profile Picture index.js path.extname unrestricted upload | JawherKl | node-api-postgres | High | 7.3 | 2026-03-15 20:02:09 | Deep Dive |
| CVE-2026-4190 | JawherKl node-api-postgres user.js User.getAll sql injection | JawherKl | node-api-postgres | High | 7.3 | 2026-03-15 19:32:16 | Deep Dive |
| CVE-2026-31802 | node-tar Symlink Path Traversal via Drive-Relative Linkpath | isaacs | node-tar | - | - | 2026-03-09 21:11:57 | Deep Dive |
| CVE-2026-29786 | node-tar: Hardlink Path Traversal via Drive-Relative Linkpath | isaacs | node-tar | Medium | - | 2026-03-07 15:32:23 | Deep Dive |
| CVE-2026-29087 | @hono/node-server: Authorization bypass for protected static paths via encoded slashes in Serve Static Middleware | honojs | node-server | High | 7.5 | 2026-03-06 17:03:30 | Deep Dive |
| CVE-2026-27492 | Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused | lettermint | lettermint-node | Medium | 4.7 | 2026-02-21 10:16:04 | Deep Dive |
| CVE-2026-26960 | node-tar has Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in Extraction | isaacs | node-tar | High | 7.1 | 2026-02-20 01:07:53 | Deep Dive |
| CVE-2026-2629 | jishi node-sonos-http-api TTS Provider mac-os.js Promise os command injection | jishi | node-sonos-http-api | High | 7.3 | 2026-02-17 22:02:07 | Deep Dive |
| CVE-2026-24884 | Compressing Vulnerable to Arbitrary File Write via Symlink Extraction | node-modules | compressing | High | 8.4 | 2026-02-04 19:35:56 | Deep Dive |