The OpenJS Foundation's CVE Numbering Authority (CNA)
Security Advisories
Published CVEs for security vulnerabilities in OpenJS hosted projects. Subscribe via RSS to get notified of new advisories.
| Date | CVE ID | Advisory | Project | Title |
|---|---|---|---|---|
| 2026-06-04 | CVE-2026-10796 | Advisory | nvm | nvm vulnerable to OS command injection via crafted version strings from a malicious Node.js mirror |
| 2026-06-03 | CVE-2026-5078 | Advisory | morgan | morgan vulnerable to Log Forging via unneutralized control characters in :remote-user |
| 2026-05-12 | CVE-2026-8162 | Advisory | multiparty | multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing |
| 2026-05-12 | CVE-2026-8161 | Advisory | multiparty | multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception |
| 2026-05-12 | CVE-2026-8159 | Advisory | multiparty | multiparty vulnerable to ReDoS via filename parsing |
| 2026-05-12 | CVE-2026-6402 | Advisory | webpack-dev-server | webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins |
| 2026-05-05 | CVE-2026-6322 | Advisory | fast-uri | fast-uri vulnerable to host confusion via percent-encoded authority delimiters |
| 2026-05-04 | CVE-2026-6321 | Advisory | fast-uri | fast-uri vulnerable to path traversal via percent-encoded dot segments |
| 2026-05-04 | CVE-2026-7768 | Advisory | @fastify/accepts-serializer | @fastify/accepts-serializer vulnerable to Denial of Service via Unbounded Accept Header Cache Growth |
| 2026-04-16 | CVE-2026-33804 | Advisory | @fastify/middie | @fastify/middie vulnerable to middleware bypass via deprecated ignoreDuplicateSlashes option |
| 2026-04-16 | CVE-2026-6270 | Advisory | @fastify/middie | @fastify/middie vulnerable to middleware authentication bypass in child plugin scopes |
| 2026-04-16 | CVE-2026-6410 | Advisory | @fastify/static | @fastify/static vulnerable to path traversal in directory listing |
| 2026-04-16 | CVE-2026-6414 | Advisory | @fastify/static | @fastify/static vulnerable to route guard bypass via encoded path separators |
| 2026-04-15 | CVE-2026-33805 | Advisory | @fastify/reply-from | @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers |
| 2026-04-15 | CVE-2026-33805 | Advisory | @fastify/http-proxy | @fastify/reply-from vulnerable to connection header abuse enabling stripping of proxy-added headers |
| 2026-04-15 | CVE-2026-33807 | Advisory | @fastify/express | @fastify/express vulnerable to middleware path doubling causing authentication bypass in child plugin scopes |
| 2026-04-15 | CVE-2026-33808 | Advisory | @fastify/express | @fastify/express vulnerable to middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons) |
| 2026-04-14 | CVE-2026-33806 | Advisory | fastify | fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header |
| 2026-03-31 | CVE-2026-4800 | Advisory | lodash | Incomplete fix for CVE-2021-23337 allows code injection via _.template imports key names |
| 2026-03-31 | CVE-2026-2950 | Advisory | lodash | lodash vulnerable to Prototype Pollution via array path bypass in _.unset and _.omit |
| 2026-03-26 | CVE-2026-4926 | Advisory | path-to-regexp | path-to-regexp vulnerable to Denial of Service via sequential optional groups |
| 2026-03-26 | CVE-2026-4923 | Advisory | path-to-regexp | ReDoS possible with multiple wildcards |
| 2026-03-26 | CVE-2026-4867 | Advisory | path-to-regexp | path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters |
| 2026-03-23 | CVE-2026-3635 | Advisory | fastify | Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function |
| 2026-03-12 | CVE-2026-2581 | Advisory | undici | Unbounded Memory Consumption in Undici's DeduplicationHandler via Response Buffering leads to DoS |
| 2026-03-12 | CVE-2026-1527 | Advisory | undici | CRLF Injection in undici via upgrade option |
| 2026-03-12 | CVE-2026-1528 | Advisory | undici | Malicious WebSocket 64-bit length overflows undici parser and crashes the client |
| 2026-03-12 | CVE-2026-2229 | Advisory | undici | Unhandled Exception in undici WebSocket Client Due to Invalid server_max_window_bits Validation |
| 2026-03-12 | CVE-2026-1526 | Advisory | undici | Unbounded Memory Consumption in undici WebSocket permessage-deflate Decompression |
| 2026-03-12 | CVE-2026-1525 | Advisory | undici | Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling) in undici |
| 2026-03-05 | CVE-2026-3419 | Advisory | fastify | Fastify vulnerable to missing end anchor in subtypeNameReg Allows Malformed Content-Types to Pass Validation |
| 2026-03-04 | CVE-2026-3520 | Advisory | multer | Multer vulnerable to Denial of Service via uncontrolled recursion |
| 2026-02-27 | CVE-2026-2880 | Advisory | @fastify/middie | @fastify/middie has an improper path normalization vulnerability |
| 2026-02-27 | CVE-2026-3304 | Advisory | multer | Multer vulnerable to Denial of Service via incomplete cleanup |
| 2026-02-27 | CVE-2026-2359 | Advisory | multer | multer vulnerable to Denial of Service via resource exhaustion |
| 2026-01-21 | CVE-2025-13465 | Advisory | lodash | Prototype Pollution Vulnerability in Lodash `_.unset` and `_.omit` functions |
| 2025-11-24 | CVE-2025-13466 | Advisory | body-parser | body-parser vulnerable to denial of service when url encoding is used |
| 2025-07-17 | CVE-2025-7339 | Advisory | on-headers | on-headers vulnerable to http response header manipulation |
| 2025-07-17 | CVE-2025-7338 | Advisory | multer | Multer vulnerable to Denial of Service via unhandled exception from malformed request |