Known vulnerabilities affecting Node.js products and systems
| CVE ID | Description | CVSS | Priority | Trend | Exploit | Patch |
|---|---|---|---|---|---|---|
| CVE-2026-34226 | `happy-dom` may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cooki... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2026-2581 | Uncontrolled resource consumption (CWE-400) that can lead to denial of service (DoS). In vulnerable Undici versions, when `interceptors.deduplicate()` is enabled, r... | 5.9 | 155 | Neutral | No | Yes |
| CVE-2026-22704 | Stored XSS leading to account takeover. Exploit chain: 1. Upload: the attacker uploads an `.html` file containing a JavaScript payload. 2. Execution: a logged-in administrato... | 5.4 | 325 | Neutral | Yes | Yes |
| CVE-2026-2229 | The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the `server_max_window_bits` parameter in the permessage-deflate extension. When a Web... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2026-22036 | The `fetch()` API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., `Content-Encoding: gzip, br`). This is also supported by the undici decompress i... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2026-21637 | A flaw in Node.js TLS error handling allows remote attackers to crash or exhaust resources of a TLS server when `pskCallback` or `ALPNCallback` are in use. Synchronous exceptions thrown during these c... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2026-21636 | A flaw in Node.js's permission model allows Unix Domain Socket (UDS) connections to bypass network restrictions when `--permission` is enabled. Even without `--allow-net`, attacker-controlled inputs (... | 10.0 | 736 | Neutral | Yes | Yes |
| CVE-2026-1528 | A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a ... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2026-1527 | When an application passes user-controlled input to the `upgrade` option of `client.request()`, an attacker can inject CRLF sequences (`\r\n`) to: 1. Inject arbitrary HTTP headers 2. Term... | 4.6 | 95 | Neutral | No | Yes |
| CVE-2026-1526 | The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2026-1525 | Undici allows duplicate HTTP `Content-Length` headers when they are provided in an array with case-variant names (e.g., `Content-Length` and `content-length`). This produces malformed HTTP... | 9.8 | 588 | Neutral | No | Yes |
| CVE-2025-59466 | We have identified a bug in Node.js error handling where "Maximum call stack size exceeded" errors become uncatchable when `async_hooks.createHook()` is enabled. Instead of reaching `process.on('uncau... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2025-59465 | A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, ... | 0.0 | 0 | Neutral | No | Yes |
| CVE-2025-59464 | A memory leak in Node.js's OpenSSL integration occurs when converting `X.509` certificate fields to UTF-8 without freeing the allocated buffer. When applications call `socket.getPeerCertificate(true)`... | 7.5 | 386 | Neutral | No | Yes |
| CVE-2025-55132 | A flaw in Node.js's permission model allows a file's access and modification timestamps to be changed via `futimes()` even when the process has only read permissions. Unlike `utimes()`, `futimes()` do... | 5.3 | 124 | Neutral | No | Yes |
| CVE-2025-55130 | A flaw in Node.js's permission model allows attackers to bypass `--allow-fs-read` and `--allow-fs-write` restrictions using crafted relative symlink paths. By chaining directories and symlinks, a scr... | 9.1 | 669 | Neutral | Yes | Yes |
| CVE-2025-54378 | The HAX CMS API endpoints do not perform authorization checks when interacting with a resource. Both the JS and PHP versions of the CMS do not verify that a user has permission to interac... | 8.3 | 666 | Neutral | Yes | Yes |
| CVE-2025-54139 | All pages within the HAX CMS application do not contain headers to stop other websites from loading the site within an iframe. This applies to both the CMS and generated sites. PoC: ... | 6.1 | 266 | Neutral | Yes | Yes |
| CVE-2025-54137 | The NodeJS version of the HAX CMS application is distributed with hardcoded default credentials for the user and superuser accounts. Additionally, the application has default private keys... | 7.3 | 349 | Neutral | No | Yes |
| CVE-2025-54134 | The HAX CMS NodeJS application crashes when an authenticated attacker provides an API request lacking required URL parameters. This vulnerability affects the `listFiles` and `saveFiles` en... | 6.5 | 295 | Neutral | No | Yes |
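Two of the undici entries above (CVE-2026-1525, duplicate `Content-Length` under case-variant names, and CVE-2026-1527, CRLF in a caller-supplied `upgrade` value) share a root cause: application-controlled header data reaching the client without normalization. The following is an added example, not undici's or Node.js's own code, of a pre-flight check an application can run on request headers before handing them to `client.request()` or `fetch()`. It assumes headers arrive either as a plain object or as the flat `[name, value, name, value, ...]` array form; the singleton-header list and the `validateHeaders` name are this example's own choices.

```javascript
// Added example: guard caller-supplied request headers before they reach an
// HTTP client. Not undici's or Node.js's code. Assumed input shapes: a plain
// object, or a flat [name, value, name, value, ...] array.

const CRLF = /[\r\n]/;
// Conservative RFC 9110 token syntax for header names.
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// Headers whose repetition changes framing or routing (assumed list for this
// example); a second copy under any spelling is refused rather than merged.
const SINGLETON = new Set(['content-length', 'host', 'transfer-encoding', 'upgrade', 'connection']);

// Convert either supported input shape into [name, value] pairs.
function toPairs(input) {
  if (Array.isArray(input)) {
    if (input.length % 2 !== 0) {
      throw new TypeError('flat header array must have an even number of entries');
    }
    const pairs = [];
    for (let i = 0; i < input.length; i += 2) pairs.push([input[i], input[i + 1]]);
    return pairs;
  }
  if (input !== null && typeof input === 'object') return Object.entries(input);
  throw new TypeError('headers must be a plain object or a flat array');
}

// Returns { ok, errors, headers }. `headers` carries lower-cased names, so a
// client can never see "Content-Length" and "content-length" as two fields;
// repeatable headers are combined with ", " (RFC 9110 section 5.3).
// Only an unsupported container type throws; bad content is reported.
function validateHeaders(input) {
  const errors = [];
  const firstSpelling = new Map(); // lower-cased name -> spelling first seen
  const headers = {};

  for (const [rawName, rawValue] of toPairs(input)) {
    const name = String(rawName);
    const value = String(rawValue);

    if (!TOKEN.test(name)) {
      errors.push(`invalid header name ${JSON.stringify(name)}`);
      continue;
    }
    if (CRLF.test(value)) {
      // A CR/LF lets the caller start a new header line or end the header
      // block, so reject instead of stripping (stripping hides the attempt).
      errors.push(`CR/LF in value of ${name}`);
      continue;
    }

    const key = name.toLowerCase();
    if (firstSpelling.has(key)) {
      if (SINGLETON.has(key)) {
        errors.push(`duplicate ${key} (${firstSpelling.get(key)} and ${name})`);
        continue;
      }
      headers[key] = `${headers[key]}, ${value}`;
      continue;
    }
    firstSpelling.set(key, name);
    headers[key] = value;
  }

  if (headers['content-length'] !== undefined && !/^\d+$/.test(headers['content-length'])) {
    errors.push('content-length must be a non-negative integer');
  }

  return { ok: errors.length === 0, errors, headers };
}

// Constructed inputs for a stand-alone run.
console.log(validateHeaders(['Content-Length', '5', 'content-length', '10']));
console.log(validateHeaders({ upgrade: 'websocket\r\nX-Injected: 1' }));
console.log(validateHeaders({ Host: 'example.test', Accept: 'text/html', accept: 'application/json' }));
```

Run the check on anything a user can influence and refuse the request when `ok` is false; passing the lower-cased `headers` object onward means the client only ever sees one spelling per name, which is the property the two advisories above depend on.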