js 2026

js · eslint · 10.5.0 · Good to know

ESLint 10.5.0 Released

ESLint version 10.5.0 is now available. This is an AST-based pattern checker for JavaScript.

13 Jun 2026 · good to know
js · tailwindcss · 4.3.1 · Good to know

tailwindcss 4.3.1 released

Release of tailwindcss version 4.

13 Jun 2026 · good to know
js · @langchain/langgraph-checkpoint-mongodb · Heads-up

@langchain/langgraph-checkpoint-mongodb NoSQL injection vulnerability fixed in 1.3.1

A NoSQL injection vulnerability in MongoDBSaver where checkpoint identifier fields from config.

13 Jun 2026 · schedule it
js · budibase · Heads-up

Budibase executeQuery SSRF via automation step queryId

The executeQuery automation step accepts a queryId from inputs and passes it to the query execution controller without validation,

13 Jun 2026 · schedule it
js · @budibase/backend-core · Critical

@budibase/backend-core CSRF bypass via unanchored route regex

The buildMatcherRegex() and matches() functions in packages/backend-core/src/middleware/matchers.

13 Jun 2026 · act now
js · esbuild · Heads-up

esbuild dev server path traversal on Windows

The esbuild development server on Windows has a path traversal vulnerability.

13 Jun 2026 · schedule it
js · fabric · Heads-up

Fabric.js XSS via Gradient ColorStops in toSVG()

A Cross-Site Scripting (XSS) vulnerability was discovered in Fabric.

13 Jun 2026 · schedule it
js · @budibase/server · Critical

@budibase/server: OAuth2 token fetch and REST integration lack SSRF protection

OAuth2 token fetch in packages/server/src/sdk/workspace/oauth2/utils.

13 Jun 2026 · act now
js · @budibase/server · Critical

@budibase/server: Unauthenticated webhook schema update vulnerability

The webhook schema-building endpoint at POST /api/webhooks/schema/:instance/:id is incorrectly bypassed by authorization middlewar

13 Jun 2026 · act now
js · esbuild · Critical

esbuild Deno module lacks binary integrity verification

The esbuild Deno module (lib/deno/mod.

13 Jun 2026 · act now
js · @hapi/wreck · Heads-up

@hapi/wreck: credential stripping now uses full-origin comparison

Wreck now compares scheme, host, and port (full origin) instead of hostname only when deciding to strip credential headers before

12 Jun 2026 · schedule it
js · joi · Heads-up

joi: Denial of service via untrapped exception in recursive link schemas

Denial of service via untrapped exception in services validating user-supplied JSON/object input with recursive link schemas.

12 Jun 2026 · schedule it
js · @hapi/inert · Heads-up

@hapi/inert Path Traversal via Confinement Check

A path traversal vulnerability in @hapi/inert's confinement check allows reading files from sibling directories whose names share

12 Jun 2026 · schedule it
js · @element-hq/element-call-embedded · Critical

@element-hq/element-call-embedded: analytics leak of URL fragments (CVE-like)

Element Call versions 0.5.17 through 0.19.3 report analytics data to a PostHog server, including full URLs with fragments (e.g., e

12 Jun 2026 · act now
js · @openzeppelin/wizard · Critical

@openzeppelin/wizard: Code injection in generated test files via unescaped strings

The OpenZeppelin Contracts Wizard generated example test files that interpolated user-supplied strings without escaping, allowing

12 Jun 2026 · act now
js · @grpc/grpc-js · Critical

@grpc/grpc-js crash on invalid compressed message

An invalid incoming compressed message can cause a crash in @grpc/grpc-js clients and servers.

12 Jun 2026 · act now
js · @grpc/grpc-js · Critical

@grpc/grpc-js: Invalid HTTP/2 stream initiation causes server crash

An invalid incoming HTTP/2 stream initiation can crash the server process.

12 Jun 2026 · act now
js · vue · 3.5.36 · Good to know

Vue 3.5.36 released

Vue 3.5.36 is a new version of the progressive JavaScript framework for building modern web UI.

11 Jun 2026 · good to know
js · vue · 3.5.37 · Good to know

Vue 3.5.37 Patch Release

Vue 3.5.37 is a patch release of the progressive JavaScript framework for building modern web UI.

11 Jun 2026 · good to know
js · vue · 3.5.38 · Good to know

Vue 3.5.38 Released

Vue 3.5.38 is now available. This is a release of the progressive JavaScript framework for building modern web UI.

11 Jun 2026 · good to know
js · @hulumi/baseline · Heads-up

@hulumi/baseline < 1.4.0: GuardDuty and Security Hub reuse bugs fixed

In @hulumi/baseline < 1.4.0, AccountFoundation's reuse mode for GuardDuty and Security Hub had two bugs: (1) GuardDuty reuse did n

11 Jun 2026 · schedule it
js · @papra/webhooks · Heads-up

@papra/webhooks SSRF Protection Bypass via Redirect Following

The webhook delivery HTTP client follows redirects without validating the redirect target against the blocklist, enabling authenti

11 Jun 2026 · schedule it
js · @hulumi/policies · Critical

@hulumi/policies: AWS IAM trust policy multi-provider detection fix

AWS IAM trust policies listing multiple federated identity providers (e.

11 Jun 2026 · act now
js · @hulumi/policies · Critical

@hulumi/policies <1.4.0 URN Spoofing Vulnerability

A security vulnerability in @hulumi/policies <1.

11 Jun 2026 · act now
js · @hulumi/policies · Critical

@hulumi/policies <1.4.0: HULUMI-H5 exemption validation bypass

HULUMI-H5 policy in @hulumi/policies <1.

11 Jun 2026 · act now
js · @hulumi/baseline · Critical

@hulumi/baseline: Audit log S3 bucket immutability bypass in AccountFoundation

AccountFoundation's S3 bucket for CloudTrail and AWS Config audit logs had three vulnerabilities: (1) Object Lock disabled on star

11 Jun 2026 · act now
js · @hulumi/drift · Critical

@hulumi/drift: classifier bugs mask attacks and fire false positives

Two bugs in @hulumi/drift classifier: (1) adapter failures were cached as 'all clear' (None/none) for 6 hours, masking real attack

11 Jun 2026 · act now
js · baileys · Critical

baileys: Message spoofing via placeholderResendMessage

A security vulnerability in baileys allows malicious payloads via placeholderResendMessage to spoof messages, corrupt app state sy

11 Jun 2026 · act now
js · vue · 3.5.35 · Good to know

Vue 3.5.35 Patch Release

Patch version 3.5.35 of the progressive JavaScript framework Vue.js has been released.

09 Jun 2026 · good to know
js · vite · 8.0.15 · Good to know

Vite 8.0.15 released

Version 8.0.15 of Vite, a native-ESM powered web dev build tool, was released.

09 Jun 2026 · good to know
js · vite · 8.0.16 · Good to know

Vite 8.0.16 released

Version 8.0.16 of Vite, a native-ESM powered web dev build tool, was released.

09 Jun 2026 · good to know
js · Node.js Blog · Good to know

Node.js Blog: Node.js v26.3.0 Released

Node.js v26.3.0 is out with notable changes, commits, and contributor updates.

09 Jun 2026 · good to know
js · react · 19.0.7 · Good to know

React 19.0.7 Patch Release

React 19.0.7 is a patch release of the React library for building user interfaces.

09 Jun 2026 · good to know
js · react · 19.1.8 · Good to know

React 19.1.8 Patch Release

React 19.1.8 is a patch release of the React library for building user interfaces.

09 Jun 2026 · good to know
js · nocodb · Heads-up

nocodb: Shared-view relation endpoints now enforce column visibility check

Public shared-view relation endpoints (`publicMmList`, `publicHmList`, `relDataList`) now verify that the requested column's `show

09 Jun 2026 · schedule it
js · nocodb · Heads-up

NocoDB: Reflected XSS in password-reset page via unescaped URL token

The password-reset page in NocoDB had a reflected XSS vulnerability where the URL token was embedded directly into a JavaScript st

09 Jun 2026 · schedule it
js · nocodb · Heads-up

NocoDB hashRedirect plugin rejects protocol-relative URLs to fix open redirect

The client-side hashRedirect plugin now rejects protocol-relative URLs (starting with //) to prevent open redirect attacks.

09 Jun 2026 · schedule it
js · nocodb · Heads-up

NocoDB: Public shared-view endpoints no longer expose hidden column values

Public shared-view endpoints no longer expose hidden column values.

09 Jun 2026 · schedule it
js · nocodb · Heads-up

NocoDB: Timing-safe password verification for shared views

The shared-view password check in View.

09 Jun 2026 · schedule it
js · nocodb · Heads-up

NocoDB: Fixed timing-based email enumeration in sign-in endpoint

The unknown-user branch in auth.

09 Jun 2026 · schedule it
js · nocodb · Heads-up

nocodb: testConnection endpoint now scopes integration access to workspace

The `testConnection` endpoint previously fetched integrations in a bypass scope and only checked that the integration was non-priv

09 Jun 2026 · schedule it
js · nocodb · Heads-up

nocodb: SSRF protection via validateDbConnectionHost helper

Added a `validateDbConnectionHost` helper that resolves hostnames, parses addresses with ipaddr.

09 Jun 2026 · schedule it
js · nocodb · Heads-up

NocoDB SQL Injection via Column Title in Bulk GroupBy Endpoint

An authenticated user with column-create permission can inject SQL into the bulk groupBy endpoint by setting a column's title to a

09 Jun 2026 · schedule it
js · nocodb · Heads-up

NocoDB OAuth PKCE race condition fix

Fixed a race condition in OAuth token exchange where two concurrent requests using the same authorization code could each mint a d

09 Jun 2026 · schedule it
js · nocodb · Heads-up

nocodb MCP readAttachment tool now enforces file ownership check

The MCP `readAttachment` tool now verifies file ownership by looking up the path in `nc_file_references` and checking that the `ba

09 Jun 2026 · schedule it
js · nocodb · Heads-up

NocoDB OAuth tokens no longer persist after password change

OAuth access and refresh tokens are now revoked when a user changes, resets, or recovers their password.

09 Jun 2026 · schedule it
js · actual · Heads-up

Actual macOS 25.x (Electron 39.2.7) ELECTRON_RUN_AS_NODE enabled allows arbitrary code execution

A vulnerability in Actual macOS application version 25.

09 Jun 2026 · schedule it
js · fuxa-server · Heads-up

fuxa-server: SQL injection in TDengine DAQ storage connector

The TDengine DAQ storage connector's escapeTdString function doubles single quotes but does not escape backslashes, allowing SQL i

09 Jun 2026 · schedule it
js · fuxa-server · Heads-up

fuxa-server: Scheduler API missing admin permission checks fixed in 1.3.2

The Scheduler API did not enforce administrator permissions, allowing non-admin users to create or modify scheduled actions that e

09 Jun 2026 · schedule it
js · nocodb · Critical

NocoDB Stored XSS in Row Comments via Unsanitized HTML and Tippy allowHTML

Stored XSS vulnerability in row comments: HTML stored without server-side sanitization, and Tippy tooltip with allowHTML: true exe

09 Jun 2026 · act now
js · nocodb · Critical

NocoDB Shared Form XSS via redirect_url

The shared form-view submit handler writes the form's `redirect_url` to `window.

09 Jun 2026 · act now
js · dbgate-serve · Critical

DbGate JSON script runner endpoint vulnerable to remote code execution

The POST /runners/start endpoint in DbGate's JSON script runner allows remote code execution via code injection in the functionNam

09 Jun 2026 · act now
js · @sync-in/server · Critical

@sync-in/server: SSRF bypass via IPv4-mapped IPv6 addresses in URL download

The private IP blocklist regex in the URL download feature does not match IPv4-mapped IPv6 addresses (e.

09 Jun 2026 · act now
js · dbgate-api · Critical

DbGate API: Arbitrary Code Execution via Unsanitized functionName in POST /runners/load-reader

The POST /runners/load-reader endpoint directly interpolates the functionName parameter into a JavaScript code template without sa

09 Jun 2026 · act now
js · tinymce · Critical

TinyMCE XSS vulnerability via SVG namespace bypass in 6.8.x-7.0.x

TinyMCE 6.8.x-7.0.x contains an XSS vulnerability due to improper SVG namespace scope handling in the sanitizer, allowing crafted

09 Jun 2026 · act now
js · tinymce · Critical

TinyMCE Stored XSS via Unsanitized data-mce-* Attributes

Stored XSS vulnerability via unsanitized data-mce-* attributes (data-mce-href, data-mce-src, data-mce-style).

09 Jun 2026 · act now
js · tinymce · Critical

TinyMCE Stored XSS via forged mce:protected comments

Stored XSS vulnerability via forged mce:protected comments bypasses sanitization and injects scripts on content restore.

09 Jun 2026 · act now
js · tinymce · Critical

TinyMCE media plugin stored XSS via data-mce-* attributes

Stored XSS vulnerability in the media plugin allows attackers to inject malicious scripts via crafted data-mce-* attributes.

09 Jun 2026 · act now
js · fuxa-server · Critical

FUXA Server Missing Authorization in Socket.IO Handlers Leading to SSRF

Two Socket.IO event handlers (DEVICE_PROPERTY and DEVICE_WEBAPI_REQUEST) in server/runtime/index.js lack authorization checks, all

09 Jun 2026 · act now