Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 5.3

    MEDIUM
    CVE-2016-10543

    call is an HTTP router that is primarily used by the hapi framework. There exists a bug in call versions 2.0.1-3.0.1 that does not validate empty parameters, which could result in invalid input bypassing the route validation rules.... Read more

    Affected Products : call
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2016-10542

    ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects... Read more

    Affected Products : ws
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2016-10541

    The npm module "shell-quote" 1.6.0 and earlier cannot correctly escape ">" and "<" operator used for redirection in shell. Applications that depend on shell-quote may also be vulnerable. A malicious user could perform code injection.... Read more

    Affected Products : shell-quote
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2016-10540

    Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript `RegExp` objects. The primary function, `minimatch(path, pattern)` in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the `pattern` parameter.... Read more

    Affected Products : minimatch
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2016-10539

    negotiator is an HTTP content negotiator for Node.js and is used by many modules and frameworks including Express and Koa. The header for "Accept-Language", when parsed by negotiator 0.6.0 and earlier is vulnerable to Regular Expression Denial of Service ... Read more

    Affected Products : negotiator
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 4.9

    MEDIUM
    CVE-2016-10538

    The package `node-cli` before 1.0.0 insecurely uses the lock_file and log_file. Both of these are temporary, but it allows the starting user to overwrite any file they have access to.... Read more

    Affected Products : debian_linux cli
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 5.4

    MEDIUM
    CVE-2016-10537

    backbone is a module that adds in structure to a JavaScript heavy application through key-value pairs and custom events connecting to your RESTful API through JSON There exists a potential Cross Site Scripting vulnerability in the `Model#Escape` function ... Read more

    Affected Products : backbone
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 5.9

    MEDIUM
    CVE-2016-10536

    engine.io-client is the client for engine.io, the implementation of a transport-based cross-browser/cross-device bi-directional communication layer for Socket.IO. The vulnerability is related to the way that node.js handles the `rejectUnauthorized` settin... Read more

    Affected Products : engine.io-client
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 5.9

    MEDIUM
    CVE-2016-10535

    csrf-lite is a cross-site request forgery protection library for framework-less node sites. csrf-lite uses `===`, a fail first string comparison, instead of a time constant string comparison This enables an attacker to guess the secret in no more than (16... Read more

    Affected Products : csrf-lite
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 5.9

    MEDIUM
    CVE-2016-10534

    electron-packager is a command line tool that packages Electron source code into `.app` and `.exe` packages. along with Electron. The `--strict-ssl` command line option in electron-packager >= 5.2.1 <= 6.0.0 || >=6.0.0 <= 6.0.2 defaults to false if not ex... Read more

    Affected Products : electron-packager
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2016-10533

    express-restify-mongoose is a module to easily create a flexible REST interface for mongoose models. express-restify-mongoose 2.4.2 and earlier and 3.0.X through 3.0.1 allows a malicious user to send a request for `GET /User?distinct=password` and get all... Read more

    Affected Products : express-restify-mongoose
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 10.0

    HIGH
    CVE-2016-10532

    console-io is a module that allows users to implement a web console in their application. A malicious user could bypass the authentication and execute any command that the user who is running the console-io application 2.2.13 and earlier is able to run. T... Read more

    Affected Products : console-io
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 6.1

    MEDIUM
    CVE-2016-10531

    marked is an application that is meant to parse and compile markdown. Due to the way that marked 0.3.5 and earlier parses input, specifically HTML entities, it's possible to bypass marked's content injection protection (`sanitize: true`) to inject a `java... Read more

    Affected Products : marked
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 5.9

    MEDIUM
    CVE-2016-10530

    The airbrake module 0.3.8 and earlier defaults to sending environment variables over HTTP. Environment variables can often times contain secret keys and other sensitive values. A malicious user could be on the same network as a regular user and intercept ... Read more

    Affected Products : airbrake
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 8.8

    HIGH
    CVE-2016-10529

    Droppy versions <3.5.0 does not perform any verification for cross-domain websocket requests. An attacker is able to make a specially crafted page that can send requests as the context of the currently logged in user. For example this means the malicious ... Read more

    Affected Products : droppy
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 4.9

    MEDIUM
    CVE-2016-10528

    restafary is a REpresentful State Transfer API for Creating, Reading, Using, Deleting files on a server from the web. Restafary before 1.6.1 is able to set up a root path, which should only allow it to run inside of that root path it specified.... Read more

    Affected Products : restafary
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 7.5

    HIGH
    CVE-2016-10527

    The riot-compiler version version 2.3.21 has an issue in a regex (Catastrophic Backtracking) thats make it unusable under certain conditions.... Read more

    Affected Products : riot-compiler
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 8.6

    HIGH
    CVE-2016-10526

    A common setup to deploy to gh-pages on every commit via a CI system is to expose a github token to ENV and to use it directly in the auth part of the url. In module versions < 0.9.1 the auth portion of the url is outputted as part of the grunt tasks logg... Read more

    Affected Products : grunt-gh-pages
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024

  • 9.8

    CRITICAL
    CVE-2016-10525

    When attempting to allow authentication mode `try` in hapi, hapi-auth-jwt2 version 5.1.1 introduced an issue whereby people could bypass authentication.... Read more

    Affected Products : hapi-auth-jwt2
    • Published: May. 29, 2018
    • Modified: Nov. 21, 2024

  • 8.2

    HIGH
    CVE-2016-10524

    i18n-node-angular is a module used to interact between i18n and angular without using additional resources. A REST API endpoint that is used for development in i18n-node-angular before 1.4.0 was not disabled in production environments a malicious user cou... Read more

    Affected Products : i18n-node-angular
    • Published: May. 31, 2018
    • Modified: Nov. 21, 2024
Showing 20 of 292862 Results