Vulnerability-Lookup

Vulnerability from cleanstart

Published

2026-05-18 13:18

Modified

2026-05-13 14:10

Summary

Security fixes for CVE-2025-15599, CVE-2025-62718, CVE-2025-69873, CVE-2026-0540, CVE-2026-25639, CVE-2026-2739, CVE-2026-27903, CVE-2026-27904, CVE-2026-2950, CVE-2026-33750, CVE-2026-33916, CVE-2026-33937, CVE-2026-35213, CVE-2026-40175, CVE-2026-41238, CVE-2026-41239, CVE-2026-41240, CVE-2026-42033, CVE-2026-42034, CVE-2026-42035, CVE-2026-42036, CVE-2026-42037, CVE-2026-42038, CVE-2026-42039, CVE-2026-42040, CVE-2026-42041, CVE-2026-42042, CVE-2026-42043, CVE-2026-42044, CVE-2026-42264, CVE-2026-4800, CVE-2026-6321, CVE-2026-6322, ghsa-2328-f5f3-gj25, ghsa-23c5-xmqv-rm74, ghsa-2g4f-4pwh-qvx6, ghsa-2qvq-rjwj-gvw9, ghsa-2w6w-674q-4c4q, ghsa-378v-28hj-76wf, ghsa-37qj-frw5-hhjh, ghsa-39q2-94rc-95cp, ghsa-3mfm-83xf-c92r, ghsa-3p68-rc4w-qgx5, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-3w6x-2g7m-8v23, ghsa-43fc-jf86-j433, ghsa-442j-39wm-28r2, ghsa-445q-vr5w-6q77, ghsa-5c6j-r48x-rmvq, ghsa-5c9x-8gcm-mpgx, ghsa-5m6q-g25r-mvwx, ghsa-62hf-57xw-28j9, ghsa-6475-r3vj-m8vf, ghsa-6chq-wfr3-2hj9, ghsa-7r86-cg39-jmmj, ghsa-7rx3-28cr-v5wh, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-9cx6-37pm-9jff, ghsa-9ppj-qmqm-q256, ghsa-c2c7-rcm5-vvqj, ghsa-cj63-jhhr-wcxv, ghsa-cjmm-f4jc-qw8r, ghsa-crv5-9vww-q3g8, ghsa-f23m-r3pf-42rh, ghsa-f886-m6hf-6m8v, ghsa-fj3w-jwp8-x2g3, ghsa-fvcv-3m26-pcqx, ghsa-gh4j-gqv2-49f6, ghsa-h7mw-gpvr-xq4m, ghsa-h8r8-wccr-v5f2, ghsa-jg4p-7fhp-p32p, ghsa-jmr7-xgp7-cmfj, ghsa-jp2q-39xq-3w4g, ghsa-m7jm-9gc2-mpf2, ghsa-m7pr-hjqh-92cm, ghsa-pf86-5x62-jrwf, ghsa-pmwg-cvhr-8vh7, ghsa-ppp5-5v6c-4jwp, ghsa-q3j6-qgpj-74h6, ghsa-q67f-28xg-22rw, ghsa-q8qp-cvcw-x6jj, ghsa-qffp-2rhf-9h96, ghsa-qj8w-gfj5-8c6v, ghsa-r4q5-vmmm-2653, ghsa-r5fr-rjxr-66jc, ghsa-v2v4-37r5-5v8g, ghsa-v2wj-7wpq-c8vv, ghsa-v39h-62p7-jpjc, ghsa-v8jm-5vwx-cfxm, ghsa-v9jr-rg53-9pgp, ghsa-vf2m-468p-8v99, ghsa-w5hq-g745-h8pq, ghsa-w7fw-mjwx-w883, ghsa-w9j2-pvgh-6h63, ghsa-xhjh-pmcv-23jw, ghsa-xhpv-hc6g-r9c6, ghsa-xjpj-3mr7-gcpf, ghsa-xx6v-rp6x-q39c applied in versions: 3.5.0-r0, 3.5.0-r1, 3.5.0-r2

Details

Multiple security vulnerabilities affect the opensearch-dashboards-fips package. These issues are resolved in later releases. See references for individual vulnerability details.

References

URL

Type

	https://github.com/cleanstart-dev/cleanstart-secu…	ADVISORY
	https://osv.dev/vulnerability/CVE-2025-15599	WEB
	https://osv.dev/vulnerability/CVE-2025-62718	WEB
	https://osv.dev/vulnerability/CVE-2025-69873	WEB
	https://osv.dev/vulnerability/CVE-2026-0540	WEB
	https://osv.dev/vulnerability/CVE-2026-25639	WEB
	https://osv.dev/vulnerability/CVE-2026-2739	WEB
	https://osv.dev/vulnerability/CVE-2026-27903	WEB
	https://osv.dev/vulnerability/CVE-2026-27904	WEB
	https://osv.dev/vulnerability/CVE-2026-2950	WEB
	https://osv.dev/vulnerability/CVE-2026-33750	WEB
	https://osv.dev/vulnerability/CVE-2026-33916	WEB
	https://osv.dev/vulnerability/CVE-2026-33937	WEB
	https://osv.dev/vulnerability/CVE-2026-35213	WEB
	https://osv.dev/vulnerability/CVE-2026-40175	WEB
	https://osv.dev/vulnerability/CVE-2026-41238	WEB
	https://osv.dev/vulnerability/CVE-2026-41239	WEB
	https://osv.dev/vulnerability/CVE-2026-41240	WEB
	https://osv.dev/vulnerability/CVE-2026-42033	WEB
	https://osv.dev/vulnerability/CVE-2026-42034	WEB
	https://osv.dev/vulnerability/CVE-2026-42035	WEB
	https://osv.dev/vulnerability/CVE-2026-42036	WEB
	https://osv.dev/vulnerability/CVE-2026-42037	WEB
	https://osv.dev/vulnerability/CVE-2026-42038	WEB
	https://osv.dev/vulnerability/CVE-2026-42039	WEB
	https://osv.dev/vulnerability/CVE-2026-42040	WEB
	https://osv.dev/vulnerability/CVE-2026-42041	WEB
	https://osv.dev/vulnerability/CVE-2026-42042	WEB
	https://osv.dev/vulnerability/CVE-2026-42043	WEB
	https://osv.dev/vulnerability/CVE-2026-42044	WEB
	https://osv.dev/vulnerability/CVE-2026-42264	WEB
	https://osv.dev/vulnerability/CVE-2026-4800	WEB
	https://osv.dev/vulnerability/CVE-2026-6321	WEB
	https://osv.dev/vulnerability/CVE-2026-6322	WEB
	https://osv.dev/vulnerability/ghsa-2328-f5f3-gj25	WEB
	https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74	WEB
	https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6	WEB
	https://osv.dev/vulnerability/ghsa-2qvq-rjwj-gvw9	WEB
	https://osv.dev/vulnerability/ghsa-2w6w-674q-4c4q	WEB
	https://osv.dev/vulnerability/ghsa-378v-28hj-76wf	WEB
	https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh	WEB
	https://osv.dev/vulnerability/ghsa-39q2-94rc-95cp	WEB
	https://osv.dev/vulnerability/ghsa-3mfm-83xf-c92r	WEB
	https://osv.dev/vulnerability/ghsa-3p68-rc4w-qgx5	WEB
	https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26	WEB
	https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p	WEB
	https://osv.dev/vulnerability/ghsa-3w6x-2g7m-8v23	WEB
	https://osv.dev/vulnerability/ghsa-43fc-jf86-j433	WEB
	https://osv.dev/vulnerability/ghsa-442j-39wm-28r2	WEB
	https://osv.dev/vulnerability/ghsa-445q-vr5w-6q77	WEB
	https://osv.dev/vulnerability/ghsa-5c6j-r48x-rmvq	WEB
	https://osv.dev/vulnerability/ghsa-5c9x-8gcm-mpgx	WEB
	https://osv.dev/vulnerability/ghsa-5m6q-g25r-mvwx	WEB
	https://osv.dev/vulnerability/ghsa-62hf-57xw-28j9	WEB
	https://osv.dev/vulnerability/ghsa-6475-r3vj-m8vf	WEB
	https://osv.dev/vulnerability/ghsa-6chq-wfr3-2hj9	WEB
	https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj	WEB
	https://osv.dev/vulnerability/ghsa-7rx3-28cr-v5wh	WEB
	https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx	WEB
	https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r	WEB
	https://osv.dev/vulnerability/ghsa-9cx6-37pm-9jff	WEB
	https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256	WEB
	https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj	WEB
	https://osv.dev/vulnerability/ghsa-cj63-jhhr-wcxv	WEB
	https://osv.dev/vulnerability/ghsa-cjmm-f4jc-qw8r	WEB
	https://osv.dev/vulnerability/ghsa-crv5-9vww-q3g8	WEB
	https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh	WEB
	https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v	WEB
	https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3	WEB
	https://osv.dev/vulnerability/ghsa-fvcv-3m26-pcqx	WEB
	https://osv.dev/vulnerability/ghsa-gh4j-gqv2-49f6	WEB
	https://osv.dev/vulnerability/ghsa-h7mw-gpvr-xq4m	WEB
	https://osv.dev/vulnerability/ghsa-h8r8-wccr-v5f2	WEB
	https://osv.dev/vulnerability/ghsa-jg4p-7fhp-p32p	WEB
	https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj	WEB
	https://osv.dev/vulnerability/ghsa-jp2q-39xq-3w4g	WEB
	https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2	WEB
	https://osv.dev/vulnerability/ghsa-m7pr-hjqh-92cm	WEB
	https://osv.dev/vulnerability/ghsa-pf86-5x62-jrwf	WEB
	https://osv.dev/vulnerability/ghsa-pmwg-cvhr-8vh7	WEB
	https://osv.dev/vulnerability/ghsa-ppp5-5v6c-4jwp	WEB
	https://osv.dev/vulnerability/ghsa-q3j6-qgpj-74h6	WEB
	https://osv.dev/vulnerability/ghsa-q67f-28xg-22rw	WEB
	https://osv.dev/vulnerability/ghsa-q8qp-cvcw-x6jj	WEB
	https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96	WEB
	https://osv.dev/vulnerability/ghsa-qj8w-gfj5-8c6v	WEB
	https://osv.dev/vulnerability/ghsa-r4q5-vmmm-2653	WEB
	https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc	WEB
	https://osv.dev/vulnerability/ghsa-v2v4-37r5-5v8g	WEB
	https://osv.dev/vulnerability/ghsa-v2wj-7wpq-c8vv	WEB
	https://osv.dev/vulnerability/ghsa-v39h-62p7-jpjc	WEB
	https://osv.dev/vulnerability/ghsa-v8jm-5vwx-cfxm	WEB
	https://osv.dev/vulnerability/ghsa-v9jr-rg53-9pgp	WEB
	https://osv.dev/vulnerability/ghsa-vf2m-468p-8v99	WEB
	https://osv.dev/vulnerability/ghsa-w5hq-g745-h8pq	WEB
	https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883	WEB
	https://osv.dev/vulnerability/ghsa-w9j2-pvgh-6h63	WEB
	https://osv.dev/vulnerability/ghsa-xhjh-pmcv-23jw	WEB
	https://osv.dev/vulnerability/ghsa-xhpv-hc6g-r9c6	WEB
	https://osv.dev/vulnerability/ghsa-xjpj-3mr7-gcpf	WEB
	https://osv.dev/vulnerability/ghsa-xx6v-rp6x-q39c	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-15599	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-62718	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2025-69873	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-0540	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-25639	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2739	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27903	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-27904	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-2950	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33750	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33916	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-33937	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-35213	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-40175	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-41238	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-41239	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-41240	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42033	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42034	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42035	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42036	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42037	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42038	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42039	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42040	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42041	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42042	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42043	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42044	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-42264	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-4800	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-6321	WEB
	https://nvd.nist.gov/vuln/detail/CVE-2026-6322	WEB

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "CleanStart",
        "name": "opensearch-dashboards-fips"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.5.0-r2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "credits": [],
  "database_specific": {},
  "details": "Multiple security vulnerabilities affect the opensearch-dashboards-fips package. These issues are resolved in later releases. See references for individual vulnerability details.",
  "id": "CLEANSTART-2026-LC05413",
  "modified": "2026-05-13T14:10:22Z",
  "published": "2026-05-18T13:18:14.800358Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-LC05413.json"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-15599"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-62718"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2025-69873"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-0540"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-25639"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2739"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27903"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-27904"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-2950"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33750"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33916"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-33937"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-35213"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-40175"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-41238"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-41239"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-41240"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42033"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42034"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42035"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42036"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42037"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42038"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42039"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42040"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42041"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42042"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42043"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42044"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-42264"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-4800"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-6321"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/CVE-2026-6322"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2328-f5f3-gj25"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2qvq-rjwj-gvw9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-2w6w-674q-4c4q"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-378v-28hj-76wf"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-39q2-94rc-95cp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3mfm-83xf-c92r"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3p68-rc4w-qgx5"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-3w6x-2g7m-8v23"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-43fc-jf86-j433"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-442j-39wm-28r2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-445q-vr5w-6q77"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-5c6j-r48x-rmvq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-5c9x-8gcm-mpgx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-5m6q-g25r-mvwx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-62hf-57xw-28j9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-6475-r3vj-m8vf"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-6chq-wfr3-2hj9"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-7rx3-28cr-v5wh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-9cx6-37pm-9jff"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-cj63-jhhr-wcxv"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-cjmm-f4jc-qw8r"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-crv5-9vww-q3g8"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-fvcv-3m26-pcqx"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-gh4j-gqv2-49f6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-h7mw-gpvr-xq4m"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-h8r8-wccr-v5f2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-jg4p-7fhp-p32p"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-jp2q-39xq-3w4g"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-m7pr-hjqh-92cm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-pf86-5x62-jrwf"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-pmwg-cvhr-8vh7"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-ppp5-5v6c-4jwp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-q3j6-qgpj-74h6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-q67f-28xg-22rw"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-q8qp-cvcw-x6jj"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-qj8w-gfj5-8c6v"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r4q5-vmmm-2653"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v2v4-37r5-5v8g"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v2wj-7wpq-c8vv"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v39h-62p7-jpjc"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v8jm-5vwx-cfxm"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-v9jr-rg53-9pgp"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-vf2m-468p-8v99"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-w5hq-g745-h8pq"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-w9j2-pvgh-6h63"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xhjh-pmcv-23jw"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xhpv-hc6g-r9c6"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xjpj-3mr7-gcpf"
    },
    {
      "type": "WEB",
      "url": "https://osv.dev/vulnerability/ghsa-xx6v-rp6x-q39c"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15599"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62718"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0540"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25639"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2739"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33916"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33937"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35213"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40175"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41238"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41239"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41240"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42033"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42034"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42035"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42036"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42037"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42038"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42039"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42040"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42041"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42042"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42043"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42044"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42264"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6321"
    },
    {
      "type": "WEB",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6322"
    }
  ],
  "related": [],
  "schema_version": "1.7.3",
  "summary": "Security fixes for CVE-2025-15599, CVE-2025-62718, CVE-2025-69873, CVE-2026-0540, CVE-2026-25639, CVE-2026-2739, CVE-2026-27903, CVE-2026-27904, CVE-2026-2950, CVE-2026-33750, CVE-2026-33916, CVE-2026-33937, CVE-2026-35213, CVE-2026-40175, CVE-2026-41238, CVE-2026-41239, CVE-2026-41240, CVE-2026-42033, CVE-2026-42034, CVE-2026-42035, CVE-2026-42036, CVE-2026-42037, CVE-2026-42038, CVE-2026-42039, CVE-2026-42040, CVE-2026-42041, CVE-2026-42042, CVE-2026-42043, CVE-2026-42044, CVE-2026-42264, CVE-2026-4800, CVE-2026-6321, CVE-2026-6322, ghsa-2328-f5f3-gj25, ghsa-23c5-xmqv-rm74, ghsa-2g4f-4pwh-qvx6, ghsa-2qvq-rjwj-gvw9, ghsa-2w6w-674q-4c4q, ghsa-378v-28hj-76wf, ghsa-37qj-frw5-hhjh, ghsa-39q2-94rc-95cp, ghsa-3mfm-83xf-c92r, ghsa-3p68-rc4w-qgx5, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-3w6x-2g7m-8v23, ghsa-43fc-jf86-j433, ghsa-442j-39wm-28r2, ghsa-445q-vr5w-6q77, ghsa-5c6j-r48x-rmvq, ghsa-5c9x-8gcm-mpgx, ghsa-5m6q-g25r-mvwx, ghsa-62hf-57xw-28j9, ghsa-6475-r3vj-m8vf, ghsa-6chq-wfr3-2hj9, ghsa-7r86-cg39-jmmj, ghsa-7rx3-28cr-v5wh, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-9cx6-37pm-9jff, ghsa-9ppj-qmqm-q256, ghsa-c2c7-rcm5-vvqj, ghsa-cj63-jhhr-wcxv, ghsa-cjmm-f4jc-qw8r, ghsa-crv5-9vww-q3g8, ghsa-f23m-r3pf-42rh, ghsa-f886-m6hf-6m8v, ghsa-fj3w-jwp8-x2g3, ghsa-fvcv-3m26-pcqx, ghsa-gh4j-gqv2-49f6, ghsa-h7mw-gpvr-xq4m, ghsa-h8r8-wccr-v5f2, ghsa-jg4p-7fhp-p32p, ghsa-jmr7-xgp7-cmfj, ghsa-jp2q-39xq-3w4g, ghsa-m7jm-9gc2-mpf2, ghsa-m7pr-hjqh-92cm, ghsa-pf86-5x62-jrwf, ghsa-pmwg-cvhr-8vh7, ghsa-ppp5-5v6c-4jwp, ghsa-q3j6-qgpj-74h6, ghsa-q67f-28xg-22rw, ghsa-q8qp-cvcw-x6jj, ghsa-qffp-2rhf-9h96, ghsa-qj8w-gfj5-8c6v, ghsa-r4q5-vmmm-2653, ghsa-r5fr-rjxr-66jc, ghsa-v2v4-37r5-5v8g, ghsa-v2wj-7wpq-c8vv, ghsa-v39h-62p7-jpjc, ghsa-v8jm-5vwx-cfxm, ghsa-v9jr-rg53-9pgp, ghsa-vf2m-468p-8v99, ghsa-w5hq-g745-h8pq, ghsa-w7fw-mjwx-w883, ghsa-w9j2-pvgh-6h63, ghsa-xhjh-pmcv-23jw, ghsa-xhpv-hc6g-r9c6, ghsa-xjpj-3mr7-gcpf, ghsa-xx6v-rp6x-q39c applied in versions: 3.5.0-r0, 3.5.0-r1, 3.5.0-r2",
  "upstream": [
    "CVE-2025-15599",
    "CVE-2025-62718",
    "CVE-2025-69873",
    "CVE-2026-0540",
    "CVE-2026-25639",
    "CVE-2026-2739",
    "CVE-2026-27903",
    "CVE-2026-27904",
    "CVE-2026-2950",
    "CVE-2026-33750",
    "CVE-2026-33916",
    "CVE-2026-33937",
    "CVE-2026-35213",
    "CVE-2026-40175",
    "CVE-2026-41238",
    "CVE-2026-41239",
    "CVE-2026-41240",
    "CVE-2026-42033",
    "CVE-2026-42034",
    "CVE-2026-42035",
    "CVE-2026-42036",
    "CVE-2026-42037",
    "CVE-2026-42038",
    "CVE-2026-42039",
    "CVE-2026-42040",
    "CVE-2026-42041",
    "CVE-2026-42042",
    "CVE-2026-42043",
    "CVE-2026-42044",
    "CVE-2026-42264",
    "CVE-2026-4800",
    "CVE-2026-6321",
    "CVE-2026-6322",
    "ghsa-2328-f5f3-gj25",
    "ghsa-23c5-xmqv-rm74",
    "ghsa-2g4f-4pwh-qvx6",
    "ghsa-2qvq-rjwj-gvw9",
    "ghsa-2w6w-674q-4c4q",
    "ghsa-378v-28hj-76wf",
    "ghsa-37qj-frw5-hhjh",
    "ghsa-39q2-94rc-95cp",
    "ghsa-3mfm-83xf-c92r",
    "ghsa-3p68-rc4w-qgx5",
    "ghsa-3ppc-4f35-3m26",
    "ghsa-3v7f-55p6-f55p",
    "ghsa-3w6x-2g7m-8v23",
    "ghsa-43fc-jf86-j433",
    "ghsa-442j-39wm-28r2",
    "ghsa-445q-vr5w-6q77",
    "ghsa-5c6j-r48x-rmvq",
    "ghsa-5c9x-8gcm-mpgx",
    "ghsa-5m6q-g25r-mvwx",
    "ghsa-62hf-57xw-28j9",
    "ghsa-6475-r3vj-m8vf",
    "ghsa-6chq-wfr3-2hj9",
    "ghsa-7r86-cg39-jmmj",
    "ghsa-7rx3-28cr-v5wh",
    "ghsa-83g3-92jg-28cx",
    "ghsa-8gc5-j5rx-235r",
    "ghsa-9cx6-37pm-9jff",
    "ghsa-9ppj-qmqm-q256",
    "ghsa-c2c7-rcm5-vvqj",
    "ghsa-cj63-jhhr-wcxv",
    "ghsa-cjmm-f4jc-qw8r",
    "ghsa-crv5-9vww-q3g8",
    "ghsa-f23m-r3pf-42rh",
    "ghsa-f886-m6hf-6m8v",
    "ghsa-fj3w-jwp8-x2g3",
    "ghsa-fvcv-3m26-pcqx",
    "ghsa-gh4j-gqv2-49f6",
    "ghsa-h7mw-gpvr-xq4m",
    "ghsa-h8r8-wccr-v5f2",
    "ghsa-jg4p-7fhp-p32p",
    "ghsa-jmr7-xgp7-cmfj",
    "ghsa-jp2q-39xq-3w4g",
    "ghsa-m7jm-9gc2-mpf2",
    "ghsa-m7pr-hjqh-92cm",
    "ghsa-pf86-5x62-jrwf",
    "ghsa-pmwg-cvhr-8vh7",
    "ghsa-ppp5-5v6c-4jwp",
    "ghsa-q3j6-qgpj-74h6",
    "ghsa-q67f-28xg-22rw",
    "ghsa-q8qp-cvcw-x6jj",
    "ghsa-qffp-2rhf-9h96",
    "ghsa-qj8w-gfj5-8c6v",
    "ghsa-r4q5-vmmm-2653",
    "ghsa-r5fr-rjxr-66jc",
    "ghsa-v2v4-37r5-5v8g",
    "ghsa-v2wj-7wpq-c8vv",
    "ghsa-v39h-62p7-jpjc",
    "ghsa-v8jm-5vwx-cfxm",
    "ghsa-v9jr-rg53-9pgp",
    "ghsa-vf2m-468p-8v99",
    "ghsa-w5hq-g745-h8pq",
    "ghsa-w7fw-mjwx-w883",
    "ghsa-w9j2-pvgh-6h63",
    "ghsa-xhjh-pmcv-23jw",
    "ghsa-xhpv-hc6g-r9c6",
    "ghsa-xjpj-3mr7-gcpf",
    "ghsa-xx6v-rp6x-q39c"
  ]
}

CVE-2025-15599 (GCVE-0-2025-15599)

Vulnerability from cvelistv5 – Published: 2026-03-03 17:26 – Updated: 2026-03-03 19:05

Title

DOMPurify XSS via Textarea Rawtext Bypass in SAFE_FOR_XML

Summary

DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like </textarea> in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched.

Severity

5.1 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Assigner

VulnCheck

References

3 references

URL	Tags
https://github.com/cure53/DOMPurify	product
https://github.com/cure53/DOMPurify/commit/c861f5…	patch
https://www.vulncheck.com/advisories/dompurify-xs…	third-party-advisory

Impacted products

1 product

Vendor	Product	Version
cure53	DOMPurify	Affected: 3.1.3 , ≤ 3.2.6 (semver) Unaffected: 3.2.7 (semver) Affected: 2.5.3 , ≤ 2.5.8 (semver)

Credits

Scott Moore - VulnCheck

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-15599",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-03T19:05:27.449675Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-03T19:05:42.548Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "DOMPurify",
          "vendor": "cure53",
          "versions": [
            {
              "lessThanOrEqual": "3.2.6",
              "status": "affected",
              "version": "3.1.3",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "3.2.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.5.8",
              "status": "affected",
              "version": "2.5.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "3.2.6",
                  "versionStartIncluding": "3.1.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "2.5.8",
                  "versionStartIncluding": "2.5.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Scott Moore - VulnCheck"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "DOMPurify 3.1.3 through 3.2.6 and 2.5.3 through 2.5.8 contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting missing textarea rawtext element validation in the SAFE_FOR_XML regex. Attackers can include closing rawtext tags like \u003c/textarea\u003e in attribute values to break out of rawtext contexts and execute JavaScript when sanitized output is placed inside rawtext elements. The 3.x branch was fixed in 3.2.7; the 2.x branch was never patched."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.1,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "ACTIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-03T18:06:06.815Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "DOMPurify GitHub Repository",
          "tags": [
            "product"
          ],
          "url": "https://github.com/cure53/DOMPurify"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/cure53/DOMPurify/commit/c861f5a83fb8d90800f1680f855fee551161ac2b"
        },
        {
          "name": "VulnCheck Advisory: DOMPurify XSS via Textarea Rawtext Bypass in SAFE_FOR_XML",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/dompurify-xss-via-textarea-rawtext-bypass-in-safe-for-xml"
        }
      ],
      "title": "DOMPurify XSS via Textarea Rawtext Bypass in SAFE_FOR_XML",
      "x_generator": {
        "engine": "scooter"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2025-15599",
    "datePublished": "2026-03-03T17:26:05.711Z",
    "dateReserved": "2026-03-03T16:11:56.845Z",
    "dateUpdated": "2026-03-03T19:05:42.548Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-62718 (GCVE-0-2025-62718)

Vulnerability from cvelistv5 – Published: 2026-04-09 14:31 – Updated: 2026-04-16 18:44

Title

Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0.

Severity

6.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

CWE

CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
CWE-918 - Server-Side Request Forgery (SSRF)

Assigner

GitHub_M

References

9 references

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM
https://github.com/axios/axios/pull/10661	x_refsource_MISC
https://github.com/axios/axios/pull/10688	x_refsource_MISC
https://github.com/axios/axios/commit/03cdfc99e8d…	x_refsource_MISC
https://github.com/axios/axios/commit/fb3befb6daa…	x_refsource_MISC
https://datatracker.ietf.org/doc/html/rfc1034#sec…	x_refsource_MISC
https://datatracker.ietf.org/doc/html/rfc3986#sec…	x_refsource_MISC
https://github.com/axios/axios/releases/tag/v0.31.0	x_refsource_MISC
https://github.com/axios/axios/releases/tag/v1.15.0	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.15.0 Affected: < 0.31.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-62718",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T15:02:50.313939Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-09T16:15:31.322Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.15.0"
            },
            {
              "status": "affected",
              "version": "\u003c 0.31.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.0 and 0.31.0, Axios does not correctly handle hostname normalization when checking NO_PROXY rules. Requests to loopback addresses like localhost. (with a trailing dot) or [::1] (IPv6 literal) skip NO_PROXY matching and go through the configured proxy. This goes against what developers expect and lets attackers force requests through a proxy, even if NO_PROXY is set up to protect loopback or internal services. This issue leads to the possibility of proxy bypass and SSRF vulnerabilities allowing attackers to reach sensitive loopback or internal services despite the configured protections. This vulnerability is fixed in 1.15.0 and 0.31.0."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "LOW",
            "vulnIntegrityImpact": "LOW"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-441",
              "description": "CWE-441: Unintended Proxy or Intermediary (\u0027Confused Deputy\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918: Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-16T18:44:20.705Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-3p68-rc4w-qgx5"
        },
        {
          "name": "https://github.com/axios/axios/pull/10661",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/10661"
        },
        {
          "name": "https://github.com/axios/axios/pull/10688",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/10688"
        },
        {
          "name": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/03cdfc99e8db32a390e12128208b6778492cee9c"
        },
        {
          "name": "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/fb3befb6daac6cad26b2e54094d0f2d9e47f24df"
        },
        {
          "name": "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc1034#section-3.1"
        },
        {
          "name": "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://datatracker.ietf.org/doc/html/rfc3986#section-3.2.2"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v0.31.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v0.31.0"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v1.15.0",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v1.15.0"
        }
      ],
      "source": {
        "advisory": "GHSA-3p68-rc4w-qgx5",
        "discovery": "UNKNOWN"
      },
      "title": "Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-62718",
    "datePublished": "2026-04-09T14:31:46.067Z",
    "dateReserved": "2025-10-20T19:41:22.741Z",
    "dateUpdated": "2026-04-16T18:44:20.705Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-69873 (GCVE-0-2025-69873)

Vulnerability from cvelistv5 – Published: 2026-02-11 00:00 – Updated: 2026-03-03 17:25

Summary

ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0.

Severity

2.9 (Low)


                        
                          CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

CWE

CWE-1333 - Inefficient Regular Expression Complexity

Assigner

mitre

References

6 references

URL	Tags
https://github.com/advisories/GHSA-2g4f-4pwh-qvx6
https://github.com/EthanKim88/ethan-cve-disclosur…
https://github.com/github/advisory-database/pull/6991
https://github.com/ajv-validator/ajv/pull/2588
https://github.com/ajv-validator/ajv/releases/tag…
https://github.com/ajv-validator/ajv/pull/2590

Impacted products

1 product

Vendor	Product	Version
ajv.js	ajv	Affected: 0 , < 6.14.0 (semver) Affected: 7.0.0 , < 8.17.2 (semver)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-69873",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-12T15:13:03.482882Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-400",
                "description": "CWE-400 Uncontrolled Resource Consumption",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-03T17:25:31.651Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ajv",
          "vendor": "ajv.js",
          "versions": [
            {
              "lessThan": "6.14.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThan": "8.17.2",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:ajv.js:ajv:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:ajv.js:ajv:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "8.17.2",
                  "versionStartIncluding": "7.0.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., \"^(a|a)*$\") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation. This issue is also fixed in version 6.14.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 2.9,
            "baseSeverity": "LOW",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333 Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-02T20:22:25.698Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6"
        },
        {
          "url": "https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md"
        },
        {
          "url": "https://github.com/github/advisory-database/pull/6991"
        },
        {
          "url": "https://github.com/ajv-validator/ajv/pull/2588"
        },
        {
          "url": "https://github.com/ajv-validator/ajv/releases/tag/v6.14.0"
        },
        {
          "url": "https://github.com/ajv-validator/ajv/pull/2590"
        }
      ],
      "x_generator": {
        "engine": "enrichogram 0.0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2025-69873",
    "datePublished": "2026-02-11T00:00:00.000Z",
    "dateReserved": "2026-01-09T00:00:00.000Z",
    "dateUpdated": "2026-03-03T17:25:31.651Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-0540 (GCVE-0-2026-0540)

Vulnerability from cvelistv5 – Published: 2026-03-03 17:26 – Updated: 2026-03-25 15:52 X_Open Source

Title

DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML

Summary

DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like </noscript><img src=x onerror=alert(1)> in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.

Severity

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

6.1 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWE

CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Assigner

VulnCheck

References

5 references

URL	Tags
https://github.com/cure53/DOMPurify	product
https://github.com/cure53/DOMPurify/commit/302b51…	patch
https://github.com/cure53/DOMPurify/releases/tag/3.3.2	release-notes
https://fluidattacks.com/advisories/daft	third-party-advisory
https://www.vulncheck.com/advisories/dompurify-xs…	third-party-advisory

Impacted products

1 product

Vendor	Product	Version
cure53	DOMPurify	Affected: 3.1.3 , ≤ 3.3.1 (semver) Affected: 2.5.3 , ≤ 2.5.8 (semver)

Date Public

2026-03-24 14:30

Credits

Camilo Vera - Fluid Attacks Cristian Vargas - Fluid Attacks Scott Moore - VulnCheck

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-0540",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-03T19:01:28.294008Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-03T19:02:09.216Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "DOMPurify",
          "vendor": "cure53",
          "versions": [
            {
              "lessThanOrEqual": "3.3.1",
              "status": "affected",
              "version": "3.1.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "2.5.8",
              "status": "affected",
              "version": "2.5.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "3.3.1",
                  "versionStartIncluding": "3.1.3",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:cure53:dompurify:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "2.5.8",
                  "versionStartIncluding": "2.5.3",
                  "vulnerable": true
                }
              ],
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Camilo Vera - Fluid Attacks"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Cristian Vargas - Fluid Attacks"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "Scott Moore - VulnCheck"
        }
      ],
      "datePublic": "2026-03-24T14:30:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like \u0026lt;/noscript\u0026gt;\u0026lt;img src=x onerror=alert(1)\u0026gt; in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts.\u003c/p\u003e"
            }
          ],
          "value": "DOMPurify 3.1.3 through 3.3.1 and 2.5.3 through 2.5.8, fixed in commit 2726c74, contain a cross-site scripting vulnerability that allows attackers to bypass attribute sanitization by exploiting five missing rawtext elements (noscript, xmp, noembed, noframes, iframe) in the SAFE_FOR_XML regex. Attackers can include payloads like \u003c/noscript\u003e\u003cimg src=x onerror=alert(1)\u003e in attribute values to execute JavaScript when sanitized output is placed inside these unprotected rawtext contexts."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "LOW",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-79",
              "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-25T15:52:12.404Z",
        "orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869",
        "shortName": "Fluid Attacks"
      },
      "references": [
        {
          "name": "DOMPurify GitHub Repository",
          "tags": [
            "product"
          ],
          "url": "https://github.com/cure53/DOMPurify"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80"
        },
        {
          "name": "VulnCheck Advisory: DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML",
          "tags": [
            "release-notes"
          ],
          "url": "https://github.com/cure53/DOMPurify/releases/tag/3.3.2"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://fluidattacks.com/advisories/daft"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "tags": [
        "x_open-source"
      ],
      "title": "DOMPurify XSS via Missing Rawtext Elements in SAFE_FOR_XML",
      "x_generator": {
        "engine": "scooter"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-0540",
    "datePublished": "2026-03-03T17:26:06.621Z",
    "dateReserved": "2025-12-27T01:44:44.145Z",
    "dateUpdated": "2026-03-25T15:52:12.404Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-25639 (GCVE-0-2026-25639)

Vulnerability from cvelistv5 – Published: 2026-02-09 20:11 – Updated: 2026-02-18 17:16

Title

Axios affected by Denial of Service via __proto__ Key in mergeConfig

Summary

Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-754 - Improper Check for Unusual or Exceptional Conditions

Assigner

GitHub_M

References

7 references

URL	Tags
https://github.com/axios/axios/security/advisorie…	x_refsource_CONFIRM
https://github.com/axios/axios/pull/7369	x_refsource_MISC
https://github.com/axios/axios/pull/7388	x_refsource_MISC
https://github.com/axios/axios/commit/28c721588c7…	x_refsource_MISC
https://github.com/axios/axios/commit/d7ff1409c68…	x_refsource_MISC
https://github.com/axios/axios/releases/tag/v0.30.3	x_refsource_MISC
https://github.com/axios/axios/releases/tag/v1.13.5	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
axios	axios	Affected: >= 1.0.0, < 1.13.5 Affected: < 0.30.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25639",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-10T15:39:46.394625Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-10T15:59:44.468Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "axios",
          "vendor": "axios",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 1.0.0, \u003c 1.13.5"
            },
            {
              "status": "affected",
              "version": "\u003c 0.30.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Axios is a promise based HTTP client for the browser and Node.js. Prior to versions 0.30.3 and 1.13.5, the mergeConfig function in axios crashes with a TypeError when processing configuration objects containing __proto__ as an own property. An attacker can trigger this by providing a malicious configuration object created via JSON.parse(), causing complete denial of service. This vulnerability is fixed in versions 0.30.3 and 1.13.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-754",
              "description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-18T17:16:16.391Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/axios/axios/security/advisories/GHSA-43fc-jf86-j433"
        },
        {
          "name": "https://github.com/axios/axios/pull/7369",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/7369"
        },
        {
          "name": "https://github.com/axios/axios/pull/7388",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/pull/7388"
        },
        {
          "name": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/28c721588c7a77e7503d0a434e016f852c597b57"
        },
        {
          "name": "https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/commit/d7ff1409c68168d3057fc3891f911b2b92616f9e"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v0.30.3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v0.30.3"
        },
        {
          "name": "https://github.com/axios/axios/releases/tag/v1.13.5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/axios/axios/releases/tag/v1.13.5"
        }
      ],
      "source": {
        "advisory": "GHSA-43fc-jf86-j433",
        "discovery": "UNKNOWN"
      },
      "title": "Axios affected by Denial of Service via __proto__ Key in mergeConfig"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25639",
    "datePublished": "2026-02-09T20:11:22.374Z",
    "dateReserved": "2026-02-04T05:15:41.791Z",
    "dateUpdated": "2026-02-18T17:16:16.391Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2739 (GCVE-0-2026-2739)

Vulnerability from cvelistv5 – Published: 2026-02-20 05:00 – Updated: 2026-02-20 15:03

Summary

This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

Severity

5.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P

CWE

CWE-835 - Infinite loop

Assigner

snyk

References

6 references

URL	Tags
https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301
https://github.com/indutny/bn.js/issues/316
https://github.com/indutny/bn.js/issues/186
https://gist.github.com/Kr0emer/02370d18328c28b5d…
https://github.com/indutny/bn.js/pull/317
https://github.com/indutny/bn.js/commit/33df26b57…

Impacted products

1 product

Vendor	Product	Version
n/a	bn.js	Affected: 0 , < 5.2.3 (semver)

Credits

Kr0emer

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2739",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-20T15:00:34.443345Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-20T15:03:53.743Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "bn.js",
          "vendor": "n/a",
          "versions": [
            {
              "lessThan": "5.2.3",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Kr0emer"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "exploitCodeMaturity": "PROOF_OF_CONCEPT",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P",
            "version": "3.1"
          },
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0",
            "vulnAvailabilityImpact": "LOW",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-835",
              "description": "Infinite loop",
              "lang": "en"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T13:27:09.218Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "url": "https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301"
        },
        {
          "url": "https://github.com/indutny/bn.js/issues/316"
        },
        {
          "url": "https://github.com/indutny/bn.js/issues/186"
        },
        {
          "url": "https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91"
        },
        {
          "url": "https://github.com/indutny/bn.js/pull/317"
        },
        {
          "url": "https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2026-2739",
    "datePublished": "2026-02-20T05:00:08.253Z",
    "dateReserved": "2026-02-19T10:59:37.687Z",
    "dateUpdated": "2026-02-20T15:03:53.743Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27903 (GCVE-0-2026-27903)

Vulnerability from cvelistv5 – Published: 2026-02-26 01:06 – Updated: 2026-02-26 19:20

Title

minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments

Summary

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-407 - Inefficient Algorithmic Complexity

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/isaacs/minimatch/security/advi…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
isaacs	minimatch	Affected: >= 10.0.0, < 10.2.3 Affected: >= 9.0.0, < 9.0.7 Affected: >= 8.0.0, < 8.0.6 Affected: >= 7.0.0, < 7.4.8 Affected: >= 6.0.0, < 6.2.2 Affected: >= 5.0.0, < 5.1.8 Affected: >= 4.0.0, < 4.2.5 Affected: < 3.1.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27903",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T19:20:40.009551Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T19:20:51.517Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "minimatch",
          "vendor": "isaacs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 10.0.0, \u003c 10.2.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 9.0.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.0.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.0.0, \u003c 7.4.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0, \u003c 6.2.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.1.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.2.5"
            },
            {
              "status": "affected",
              "version": "\u003c 3.1.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-407",
              "description": "CWE-407: Inefficient Algorithmic Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T01:06:32.856Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/isaacs/minimatch/security/advisories/GHSA-7r86-cg39-jmmj"
        }
      ],
      "source": {
        "advisory": "GHSA-7r86-cg39-jmmj",
        "discovery": "UNKNOWN"
      },
      "title": "minimatch has a ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27903",
    "datePublished": "2026-02-26T01:06:32.856Z",
    "dateReserved": "2026-02-24T15:19:29.718Z",
    "dateUpdated": "2026-02-26T19:20:51.517Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-27904 (GCVE-0-2026-27904)

Vulnerability from cvelistv5 – Published: 2026-02-26 01:07 – Updated: 2026-02-26 19:21

Title

minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

Summary

minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-1333 - Inefficient Regular Expression Complexity

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/isaacs/minimatch/security/advi…	x_refsource_CONFIRM

Impacted products

1 product

Vendor	Product	Version
isaacs	minimatch	Affected: >= 10.0.0, < 10.2.3 Affected: >= 9.0.0, < 9.0.7 Affected: >= 8.0.0, < 8.0.6 Affected: >= 7.0.0, < 7.4.8 Affected: >= 6.0.0, < 6.2.2 Affected: >= 5.0.0, < 5.1.8 Affected: >= 4.0.0, < 4.2.5 Affected: < 3.1.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27904",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-26T19:21:18.964387Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-26T19:21:39.006Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "minimatch",
          "vendor": "isaacs",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 10.0.0, \u003c 10.2.3"
            },
            {
              "status": "affected",
              "version": "\u003e= 9.0.0, \u003c 9.0.7"
            },
            {
              "status": "affected",
              "version": "\u003e= 8.0.0, \u003c 8.0.6"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.0.0, \u003c 7.4.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 6.0.0, \u003c 6.2.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0, \u003c 5.1.8"
            },
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 4.2.5"
            },
            {
              "status": "affected",
              "version": "\u003c 3.1.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-26T01:07:42.693Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/isaacs/minimatch/security/advisories/GHSA-23c5-xmqv-rm74"
        }
      ],
      "source": {
        "advisory": "GHSA-23c5-xmqv-rm74",
        "discovery": "UNKNOWN"
      },
      "title": "minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27904",
    "datePublished": "2026-02-26T01:07:42.693Z",
    "dateReserved": "2026-02-24T15:19:29.718Z",
    "dateUpdated": "2026-02-26T19:21:39.006Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-2950 (GCVE-0-2026-2950)

Vulnerability from cvelistv5 – Published: 2026-03-31 19:18 – Updated: 2026-04-01 13:43

Title

lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`

Summary

Impact: Lodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype. The issue permits deletion of prototype properties but does not allow overwriting their original behavior. Patches: This issue is patched in 4.18.0. Workarounds: None. Upgrade to the patched version.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

openjs

References

1 reference

URL	Tags
https://github.com/lodash/lodash/security/advisor…

Impacted products

4 products

Vendor	Product	Version
lodash	lodash	Affected: 4.17.23 , < 4.18.0 (semver) Unaffected: 4.18.0 (semver)
lodash	lodash-es	Affected: 4.17.23 , < 4.18.0 (semver) Unaffected: 4.18.0 (semver)
lodash	lodash-amd	Affected: 4.17.23 , < 4.18.0 (semver) Unaffected: 4.18.0 (semver)
lodash	lodash.unset	Affected: 4.0.0 , < 4.18.0 (semver) Unaffected: 4.18.0 (semver)

Credits

Haruna38 shpik-kr maru1009 ott3r07 zolbooo backuardo falsyvalues jonchurch jdalton UlisesGascon

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-2950",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-01T13:43:14.280375Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-01T13:43:21.491Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/lodash",
          "product": "lodash",
          "vendor": "lodash",
          "versions": [
            {
              "lessThan": "4.18.0",
              "status": "affected",
              "version": "4.17.23",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.18.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/lodash-es",
          "product": "lodash-es",
          "vendor": "lodash",
          "versions": [
            {
              "lessThan": "4.18.0",
              "status": "affected",
              "version": "4.17.23",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.18.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/lodash-amd",
          "product": "lodash-amd",
          "vendor": "lodash",
          "versions": [
            {
              "lessThan": "4.18.0",
              "status": "affected",
              "version": "4.17.23",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.18.0",
              "versionType": "semver"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/lodash.unset",
          "product": "lodash.unset",
          "vendor": "lodash",
          "versions": [
            {
              "lessThan": "4.18.0",
              "status": "affected",
              "version": "4.0.0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "4.18.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Haruna38"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "shpik-kr"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "maru1009"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "ott3r07"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "zolbooo"
        },
        {
          "lang": "en",
          "type": "finder",
          "value": "backuardo"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "falsyvalues"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "jonchurch"
        },
        {
          "lang": "en",
          "type": "analyst",
          "value": "jdalton"
        },
        {
          "lang": "en",
          "type": "remediation reviewer",
          "value": "UlisesGascon"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."
            }
          ],
          "value": "Impact:\n\nLodash versions 4.17.23 and earlier are vulnerable to prototype pollution in the _.unset and _.omit functions. The fix for (CVE-2025-13465: https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg) only guards against string key members, so an attacker can bypass the check by passing array-wrapped path segments. This allows deletion of properties from built-in prototypes such as Object.prototype, Number.prototype, and String.prototype.\n\nThe issue permits deletion of prototype properties but does not allow overwriting their original behavior.\n\nPatches:\n\nThis issue is patched in 4.18.0.\n\nWorkarounds:\n\nNone. Upgrade to the patched version."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-31T19:18:35.796Z",
        "orgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
        "shortName": "openjs"
      },
      "references": [
        {
          "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
        }
      ],
      "title": "lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`",
      "x_generator": {
        "engine": "cve-kit 1.0.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ce714d77-add3-4f53-aff5-83d477b104bb",
    "assignerShortName": "openjs",
    "cveId": "CVE-2026-2950",
    "datePublished": "2026-03-31T19:18:35.796Z",
    "dateReserved": "2026-02-21T20:04:35.087Z",
    "dateUpdated": "2026-04-01T13:43:21.491Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2026-33750 (GCVE-0-2026-33750)

Vulnerability from cvelistv5 – Published: 2026-03-27 14:04 – Updated: 2026-03-27 14:48

Title

brace-expansion: Zero-step sequence causes process hang and memory exhaustion

Summary

The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.

Severity

6.5 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

10 references

URL	Tags
https://github.com/juliangruber/brace-expansion/s…	x_refsource_CONFIRM
https://github.com/juliangruber/brace-expansion/i…	x_refsource_MISC
https://github.com/juliangruber/brace-expansion/pull/95	x_refsource_MISC
https://github.com/juliangruber/brace-expansion/pull/96	x_refsource_MISC
https://github.com/juliangruber/brace-expansion/pull/97	x_refsource_MISC
https://github.com/juliangruber/brace-expansion/c…	x_refsource_MISC
https://github.com/juliangruber/brace-expansion/c…	x_refsource_MISC
https://github.com/juliangruber/brace-expansion/c…	x_refsource_MISC
https://github.com/juliangruber/brace-expansion/b…	x_refsource_MISC
https://github.com/juliangruber/brace-expansion/b…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
juliangruber	brace-expansion	Affected: >= 4.0.0, < 5.0.5 Affected: >= 3.0.0, < 3.0.2 Affected: >= 2.0.0, < 2.0.3 Affected: < 1.1.13

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33750",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-27T14:47:58.490818Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-27T14:48:06.779Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "brace-expansion",
          "vendor": "juliangruber",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 4.0.0, \u003c 5.0.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 3.0.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.0.3"
            },
            {
              "status": "affected",
              "version": "\u003c 1.1.13"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-27T14:04:52.297Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v"
        },
        {
          "name": "https://github.com/juliangruber/brace-expansion/issues/98",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/juliangruber/brace-expansion/issues/98"
        },
        {
          "name": "https://github.com/juliangruber/brace-expansion/pull/95",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/juliangruber/brace-expansion/pull/95"
        },
        {
          "name": "https://github.com/juliangruber/brace-expansion/pull/96",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/juliangruber/brace-expansion/pull/96"
        },
        {
          "name": "https://github.com/juliangruber/brace-expansion/pull/97",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/juliangruber/brace-expansion/pull/97"
        },
        {
          "name": "https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5"
        },
        {
          "name": "https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2"
        },
        {
          "name": "https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a"
        },
        {
          "name": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113"
        },
        {
          "name": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184"
        }
      ],
      "source": {
        "advisory": "GHSA-f886-m6hf-6m8v",
        "discovery": "UNKNOWN"
      },
      "title": "brace-expansion: Zero-step sequence causes process hang and memory exhaustion"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33750",
    "datePublished": "2026-03-27T14:04:52.297Z",
    "dateReserved": "2026-03-23T18:30:14.124Z",
    "dateUpdated": "2026-03-27T14:48:06.779Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

Vulnerability from cleanstart

CVE-2025-15599 (GCVE-0-2025-15599)

CVE-2025-62718 (GCVE-0-2025-62718)

CVE-2025-69873 (GCVE-0-2025-69873)

CVE-2026-0540 (GCVE-0-2026-0540)

CVE-2026-25639 (GCVE-0-2026-25639)

CVE-2026-2739 (GCVE-0-2026-2739)

CVE-2026-27903 (GCVE-0-2026-27903)

CVE-2026-27904 (GCVE-0-2026-27904)

CVE-2026-2950 (GCVE-0-2026-2950)

CVE-2026-33750 (GCVE-0-2026-33750)

Tags

Sightings

Nomenclature