Recent vulnerabilities
| ID | Description | Published | Updated |
|---|---|---|---|
| msrc_cve-2026-39829 | Invoking pathological RSA/DSA parameters may cause DoS in golang.org/x/crypto/ssh | 2026-05-02T00:00:00.000Z | 2026-06-01T01:42:15.000Z |
| msrc_cve-2026-39821 | Invoking failure to reject ASCII-only Punycode-encoded labels in golang.org/x/net/idna | 2026-05-02T00:00:00.000Z | 2026-06-01T01:42:03.000Z |
| msrc_cve-2026-39835 | Invoking server panic during CheckHostKey/Authenticate in golang.org/x/crypto/ssh | 2026-05-02T00:00:00.000Z | 2026-06-01T01:41:51.000Z |
| msrc_cve-2026-39834 | Invoking infinite loop on large channel writes in golang.org/x/crypto/ssh | 2026-05-02T00:00:00.000Z | 2026-05-31T14:47:21.000Z |
| msrc_cve-2026-46597 | Invoking byte arithmetic causes underflow and panic in golang.org/x/crypto/ssh | 2026-05-02T00:00:00.000Z | 2026-05-31T14:47:00.000Z |
| msrc_cve-2026-39830 | Invoking client can cause server deadlock on unexpected responses in golang.org/x/crypto/ssh | 2026-05-02T00:00:00.000Z | 2026-05-31T14:46:01.000Z |
| msrc_cve-2026-42506 | Invoking incorrect handling of namespaced elements in foreign content in golang.org/x/net/html | 2026-05-02T00:00:00.000Z | 2026-05-31T14:45:47.000Z |
| msrc_cve-2026-25681 | Invoking incorrect handling of character references in DOCTYPE nodes in golang.org/x/net/html | 2026-05-02T00:00:00.000Z | 2026-05-31T14:45:30.000Z |
| msrc_cve-2026-39827 | Invoking memory leak when rejecting channels can lead to DoS in golang.org/x/crypto/ssh | 2026-05-02T00:00:00.000Z | 2026-05-31T14:45:03.000Z |
| msrc_cve-2026-25680 | Invoking denial of service when parsing arbitrary HTML in golang.org/x/net/html | 2026-05-02T00:00:00.000Z | 2026-05-31T14:44:20.000Z |
| msrc_cve-2026-42502 | Invoking incorrect handling of HTML elements in foreign content in golang.org/x/net/html | 2026-05-02T00:00:00.000Z | 2026-05-31T14:43:47.000Z |
| msrc_cve-2026-27136 | Invoking duplicate attributes can cause XSS in golang.org/x/net/html | 2026-05-02T00:00:00.000Z | 2026-05-31T14:43:03.000Z |
| msrc_cve-2026-21717 | A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such collisions in V8's internal string table, an attacker can significantly degrade performance of the Node.js process. The most common trigger is any endpoint that calls `JSON.parse()` on attacker-controlled input, as JSON parsing automatically internalizes short strings into the affected hash table. This vulnerability affects **20.x, 22.x, 24.x, and 25.x**. | 2026-03-02T00:00:00.000Z | 2026-05-31T01:41:41.000Z |
| msrc_cve-2025-13230 | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-02T00:00:00.000Z | 2026-05-31T01:41:09.000Z |
| msrc_cve-2025-13226 | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-02T00:00:00.000Z | 2026-05-31T01:41:02.000Z |
| msrc_cve-2025-13227 | Type Confusion in V8 in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2025-11-02T00:00:00.000Z | 2026-05-31T01:40:55.000Z |
| msrc_cve-2025-23167 | A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade. | 2025-05-02T00:00:00.000Z | 2026-05-31T01:40:30.000Z |
| msrc_cve-2024-36137 | A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used. The Node.js Permission Model does not operate on file descriptors; however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. | 2024-09-01T07:00:00.000Z | 2026-05-31T01:40:05.000Z |
| msrc_cve-2024-22018 | A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js. | 2024-07-01T07:00:00.000Z | 2026-05-31T01:39:56.000Z |
| msrc_cve-2026-40034 | gitoxide - Command Injection via Partial .gitmodules Override in gix-submodule | 2026-05-02T00:00:00.000Z | 2026-05-31T01:04:52.000Z |
| msrc_cve-2026-44839 | RabbitMQ: Unsanitized vhost names allow for XSS in management UI | 2026-05-02T00:00:00.000Z | 2026-05-31T01:04:44.000Z |
| msrc_cve-2025-15649 | IO::Uncompress::Unzip versions before 2.215 for Perl propagate uncaught exception when parsing zip header with malformed DOS date | 2026-05-02T00:00:00.000Z | 2026-05-31T01:04:39.000Z |
| msrc_cve-2026-48962 | IO::Compress versions before 2.220 for Perl can execute arbitrary code in File::GlobMapper via an attacker-controlled output glob | 2026-05-02T00:00:00.000Z | 2026-05-31T01:04:34.000Z |
| msrc_cve-2026-28387 | Potential Use-after-free in DANE Client Code | 2026-04-02T00:00:00.000Z | 2026-05-31T01:04:27.000Z |
| msrc_cve-2026-25833 | Mbed TLS 3.5.0 to 3.6.5 fixed in 3.6.6 and 4.1.0 has a buffer overflow in the x509_inet_pton_ipv6() function | 2026-04-02T00:00:00.000Z | 2026-05-31T01:04:22.000Z |
| msrc_cve-2026-25834 | Mbed TLS v3.3.0 up to 3.6.5 and 4.0.0 allows Algorithm Downgrade. | 2026-04-02T00:00:00.000Z | 2026-05-31T01:04:17.000Z |
| msrc_cve-2026-28388 | NULL Pointer Dereference When Processing a Delta CRL | 2026-04-02T00:00:00.000Z | 2026-05-31T01:04:12.000Z |
| msrc_cve-2026-34873 | An issue was discovered in Mbed TLS 3.5.0 through 4.0.0. Client impersonation can occur while resuming a TLS 1.3 session. | 2026-04-02T00:00:00.000Z | 2026-05-31T01:04:07.000Z |
| msrc_cve-2026-34874 | An issue was discovered in Mbed TLS through 3.6.5 and 4.x through 4.0.0. There is a NULL pointer dereference in distinguished name parsing that allows an attacker to write to address 0. | 2026-04-02T00:00:00.000Z | 2026-05-31T01:04:01.000Z |
| msrc_cve-2025-15504 | lief-project LIEF ELF Binary Parser.tcc parse_binary null pointer dereference | 2026-01-02T00:00:00.000Z | 2026-05-31T01:03:56.000Z |