Node.js Security Archives • Daily CyberSecurity

53M Downloads At Risk: Critical 9.8 CVSS Vitest Remote Code Execution Vulnerabilities Disclosed Vitest remote code execution critical 9.8 CVSS flaws

Vitest remote code execution critical 9.8 CVSS flaws

53M Downloads At Risk: Critical 9.8 CVSS Vitest Remote Code Execution Vulnerabilities Disclosed

Do Son June 5, 2026

Newly uncovered flaws expose millions of development setups to a dangerous Vitest remote code execution hazard. This...

shell-quote command injection AI-Driven Vulnerabilities Q1 2026 Cyber Threats vm2 Sandbox Escape Node.js RCE upKeeper Privilege Escalation CVE-2026-2449 Pharos Controls Vulnerability Root Access Exploit Cybersecurity Vulnerability Roundup CVSS 10.0 Flaws Shadow Archives CVE-2026-0866 MS-Agent Prompt Injection CVE-2026-2256 basic-ftp Path Traversal CVE-2026-27699 telnetd Root Vulnerability CVE-1999-0073 Regression USR-W610 Vulnerabilities End-of-Life IoT Security IceWarp Security Update IceWarp Vulnerabilities Airleader Master Vulnerability CVE-2026-1358 ZLAN5143D Vulnerability CISA ICS Advisory Acronis Cyber Protect Vulnerability CVE-2025-30411 WAGO 852 Vulnerability OT Network Security SandboxJS Vulnerability Sandbox Escape (CVSS 10.0) Kubernetes Local Path Provisioner CVE-2025-62878 CISA Unresponsive Vendors Avation & RISS Vulnerabilities KiloView Vulnerability CVE-2026-1453 OpenClaw RCE vulnerability Johnson Controls Vulnerability CVE-2025-26385 SandboxJS Vulnerability CVE-2026-23830 ibaPDA Vulnerability CVE-2025-14988 Protobuf Vulnerability CVE-2026-0994 AVEVA Process Optimization Vulnerability CVE-2025-61937 ConnectWise PSA Vulnerability CVE-2026-0695 Aruba VIA Vulnerability CVE-2025-37186 aiohttp v3.13.3, Denial of Service (DoS) SmarterMail RCE, CVE-2025-52691 Airoha RACE, Headphone Jacking HPE OneView RCE CVE-2025-37164 FreePBX Auth Bypass, PBX Takeover ScreenConnect Config Flaw, Untrusted Extensions Ruby SAML Auth Bypass, XML Parser Differential Devolutions SQL Injection, Password Manager Flaw Vivotek Unauthenticated RCE, EOL IP Camera Flaw Lynx+ Critical Flaw, Unauthenticated Reset Firebox Default Credentials, CVE-2025-59396 Veeder-Root RCE, Critical ATG Flaw ArcGIS Server SQLi Watchdoc RCE, CVE-2025-58384 Delta DIALink Daikin Security Gateway, authentication bypass Frostbyte10, industrial controller security SunPower, vulnerability Ubiquiti UniFi Connect, EV Station Vulnerabilities Adobe Experience Manager, RCE Vulnerability UniFi Access, Command Injection LDAPNightmare - CVE-2025-1316

Popular npm Package shell-quote Patches Critical Command Injection Bug

Do Son May 28, 2026

Maintainers recently patched a critical flaw in a highly popular ecosystem component. Specifically, developers resolved a dangerous...

220 Million at Risk: Critical 9.4 CVSS Remote Code Execution Hits protobuf.js protobuf.js RCE Protocol Buffers Vulnerability

220 Million at Risk: Critical 9.4 CVSS Remote Code Execution Hits protobuf.js

Do Son April 17, 2026

As a pure JavaScript implementation of Google’s Protocol Buffers, protobuf.js is a foundational component for Node.js and...

25 Million Users at Risk: Fastify Publicly Discloses PoC Exploit for Single-Space Security Bypass Fastify CVE-2026-33806 Public PoC Exploit

25 Million Users at Risk: Fastify Publicly Discloses PoC Exploit for Single-Space Security Bypass

Do Son April 15, 2026

In the world of web performance, Fastify is a heavyweight, boasting over 25 million monthly downloads and...

Critical SSRF Flaw Discovered in Axios – CVE-2025-62718 (CVSS 9.3) Axios Vulnerability NO_PROXY Bypass

Critical SSRF Flaw Discovered in Axios – CVE-2025-62718 (CVSS 9.3)

Do Son April 14, 2026

In the complex architecture of modern web applications, the difference between a secure internal request and a...

The Weakest Link: Popular Node.js Config Library “Convict” Hit by Prototype Pollution Prototype Pollution node-convict Vulnerability

The Weakest Link: Popular Node.js Config Library “Convict” Hit by Prototype Pollution

Do Son March 30, 2026

A critical vulnerability has been uncovered in node-convict, the widely used configuration management library designed to make...

Malicious npm Package “pino-sdk-v2” Caught Harvesting Secrets pino-sdk-v2 npm Supply Chain Attack

Malicious npm Package “pino-sdk-v2” Caught Harvesting Secrets

Do Son March 11, 2026

In the modern development landscape, supply chain attacks remain one of the most effective ways for threat...

Algorithm Confusion: Critical 9.1 Flaw in Parse Server Allows Instant Google Account Takeover CVE-2023-36475 Parse Server JWT Bypass CVE-2026-27804

CVE-2023-36475 Parse Server JWT Bypass CVE-2026-27804

Algorithm Confusion: Critical 9.1 Flaw in Parse Server Allows Instant Google Account Takeover

Do Son February 26, 2026

Parse Server, a widely used open-source backend designed to be deployed on any infrastructure running Node.js and...

High-Severity DoS Flaw Hits 46 Million ‘fast-xml-parser’ Downloads fast-xml-parser DoS CVE-2026-26278

High-Severity DoS Flaw Hits 46 Million ‘fast-xml-parser’ Downloads

Do Son February 19, 2026

If your Node.js application parses XML, you might want to check your dependencies immediately. A critical Denial...

Critical Alert 3 Active Exploits Detected Today

Critical Alert

Node.js Security

53M Downloads At Risk: Critical 9.8 CVSS Vitest Remote Code Execution Vulnerabilities Disclosed

Popular npm Package shell-quote Patches Critical Command Injection Bug

220 Million at Risk: Critical 9.4 CVSS Remote Code Execution Hits protobuf.js

25 Million Users at Risk: Fastify Publicly Discloses PoC Exploit for Single-Space Security Bypass

Critical SSRF Flaw Discovered in Axios – CVE-2025-62718 (CVSS 9.3)

The Weakest Link: Popular Node.js Config Library “Convict” Hit by Prototype Pollution

Malicious npm Package “pino-sdk-v2” Caught Harvesting Secrets

Algorithm Confusion: Critical 9.1 Flaw in Parse Server Allows Instant Google Account Takeover

High-Severity DoS Flaw Hits 46 Million ‘fast-xml-parser’ Downloads