express vulnerable to XSS via response.redirect()
Published Sep 10, 2024
No Charset in Content-Type Header in express
Published Oct 23, 2018
Withdrawn Advisory: express improperly controls modification of query properties
Published Dec 1, 2025
Express.js Open Redirect in malformed URLs
Published Mar 25, 2024
Malicious code in expressos (npm)
Published Nov 24, 2025
angular vulnerable to regular expression denial of service via the <input type="url"> element
Published Mar 30, 2023
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
Published Mar 27, 2026
steal vulnerable to Regular Expression Denial of Service via source and sourceWithComments
Published Sep 16, 2022
Regular Expression Denial of Service (ReDoS) in lodash
Published Jan 6, 2022
es5-ext vulnerable to Regular Expression Denial of Service in `function#copy` and `function#toStringTokens`
Published Feb 26, 2024
XSS Attack with Express API
Published Jan 31, 2023
Regular expression denial of service in semver-regex
Published Jun 3, 2022
Regular Expression Denial of Service in dat.gui
Published May 10, 2021
Broken Authentication in Atlassian Connect Express
Published May 24, 2022
Malicious code in express-core-validator (npm)
Published Feb 27, 2026
Flowise: Weak Default Express Session Secret
Published Apr 16, 2026
express-param vulnerable to Improper Handling of Extra Parameters
Published Dec 31, 2022
printf vulnerable to Regular Expression Denial of Service (ReDoS)
Published Mar 19, 2021
Regular Expression Denial of Service in ssri
Published Mar 7, 2018
jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions
Published Feb 9, 2026
Regular Expression Denial of Service in moment
Published Oct 24, 2017
Regular Expression Denial of Service in jadedown
Published Feb 18, 2019
Regular Expression Denial of Service in charset
Published Aug 9, 2018
Regular Expression Denial of Service (REDoS) in Marked
Published Feb 8, 2021
Malicious code in express-session-js (npm)
Published Apr 2, 2026
Uptime Kuma's Regular Expression in pushdeeer and whapi file Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Published Mar 31, 2025
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
Published Mar 27, 2026
Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
Published Mar 27, 2026
Regular Expression Denial of Service in forwarded
Published Jul 24, 2018
Regular Expression Denial of Service in djvalidator
Published Feb 9, 2022
n8n has SQL Injection in Data Table Node via orderByColumn Expression
Published Mar 26, 2026
Malicious code in express-v4 (npm)
Published Jan 5, 2025
nope-validator Regular Expression Denial of Service vulnerability
Published Oct 26, 2024
Prototype Pollution in express-fileupload
Published Aug 5, 2020
Inefficient Regular Expression Complexity in chalk/ansi-regex
Published Sep 20, 2021
Regular Expression Denial of Service (ReDoS) in cross-spawn
Published Nov 8, 2024
Regular Expression Denial of Service in uglify-js
Published Oct 24, 2017
Regular expression deinal of service (ReDoS) in is-my-json-valid
Published Jan 6, 2022
Regular Expression Denial of Service in moment
Published Mar 5, 2018
rgb2hex vulnerable to inefficient regular expression complexity
Published Dec 31, 2022
Switcher Client contains Regular Expression Denial of Service (ReDoS)
Published Feb 2, 2023
Regular expression denial of service in npm-user-validate
Published May 10, 2021
Inefficient Regular Expression Complexity in code-server
Published Sep 20, 2021
Regular Expression Denial of Service in no-case
Published Jul 24, 2018
Inefficient Regular Expression Complexity in node-email-check
Published Oct 25, 2023
tarteaucitron.js has Regular Expression Denial of Service (ReDoS) vulnerability
Published Jan 13, 2026
@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Published Feb 14, 2025
debug Inefficient Regular Expression Complexity vulnerability
Published Jan 9, 2023
Regular Expression Denial of Service in jshamcrest
Published Feb 18, 2019
Express-FileUpload Arbitrary File Overwrite
Published Apr 13, 2022
@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Published Feb 14, 2025
Remote Code Execution Vulnerability in NPM mongo-express
Published Dec 30, 2019
v8n vulnerable to Inefficient Regular Expression Complexity
Published Oct 7, 2022
Regular Expression Denial of Service in trim
Published May 10, 2021
Parse Server LiveQuery subscription with invalid regular expression crashes server
Published Mar 17, 2026
html-parse-stringify and html-parse-stringify2 vulnerable to Regular expression denial of service (ReDoS)
Published Mar 18, 2021
markdown-it vulnerable to Inefficient Regular Expression Complexity
Published Dec 27, 2022
Regular Expression Denial of Service (ReDoS) in jsx-slack
Published Dec 17, 2021
Regular Expression Denial of Service in postcss
Published Jan 7, 2022
Regular Expression Denial of Service (ReDoS) in es6-crawler-detect
Published Apr 13, 2021
Regular Expression Denial of Service in csv-parse
Published Oct 15, 2019
Regular Expression Denial of Service (ReDoS) in lodash
Published Jul 19, 2019
Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
Published Mar 10, 2026
@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
Published Apr 16, 2026
AWS Lambda parser is vulnerable to Regular Expression Denial of Service
Published Mar 5, 2018
Malicious code in icims-express-dot-engine (npm)
Published Apr 16, 2026
angular vulnerable to regular expression denial of service (ReDoS)
Published May 3, 2022
Regular Expression Denial of Service in bleach
Published Sep 1, 2020
steal vulnerable to Regular Expression Denial of Service via input variable
Published Sep 16, 2022
Malicious code in azure-web-pubsub-express (npm)
Published Jun 20, 2022
express-cart allows any user to create an admin user
Published May 13, 2022
string-kit Inefficient Regular Expression Complexity vulnerability
Published Jan 2, 2023
is-url Inefficient Regular Expression Complexity vulnerability
Published Feb 4, 2023
SheetJS Regular Expression Denial of Service (ReDoS)
Published Apr 5, 2024
Remote code execution in mongo-express
Published Apr 13, 2021
skeemas Inefficient Regular Expression Complexity vulnerability
Published Jan 11, 2023
regular expression denial of service (ReDoS)
Published Dec 24, 2020
n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution
Published Jan 27, 2026
Validation bypass in frourio-express
Published Feb 7, 2022
Regular Expression Denial of Service in ua-parser-js
Published May 7, 2021
Regular Expression Denial of Service in ansi2html
Published Sep 1, 2020
Regular expression denial of service in forms
Published Jun 7, 2021
Improperly Controlled Modification of Dynamically-Determined Object Attributes in express-mock-middleware
Published Dec 9, 2021
mel-spintax has Inefficient Regular Expression Complexity
Published Jan 18, 2023
robots-txt-guard Inefficient Regular Expression Complexity vulnerability
Published Jan 5, 2023
Authorization bypass in express-jwt
Published Jun 30, 2020
Regular Expression Denial of Service in Headers
Published Feb 16, 2023
MooTools Regular Expression Denial of Service
Published Jan 3, 2023
brace-expansion Regular Expression Denial of Service vulnerability
Published Jun 9, 2025
Malicious code in create-ot-express-app (npm)
Published Jul 26, 2022
Moment.js vulnerable to Inefficient Regular Expression Complexity
Published Jul 6, 2022
n8n has Unauthenticated Expression Evaluation via Form Node
Published Feb 25, 2026
Regular Expression Denial of Service (ReDoS) in ua-parser-js
Published May 6, 2021
terminal-kit Inefficient Regular Expression Complexity vulnerability
Published Jan 7, 2023
jsPDF Bypass Regular Expression Denial of Service (ReDoS)
Published Mar 18, 2025
inflect vulnerable to Inefficient Regular Expression Complexity
Published Sep 29, 2021
Regular expression denial of service in react-native
Published Jul 20, 2021
Regular Expression Denial of Service in semver
Published Oct 24, 2017
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
Published Apr 3, 2026
Regular Expression Denial of Service in negotiator
Published Oct 9, 2018
URL Redirection to Untrusted Site ('Open Redirect') in express-openid-connect
Published Mar 31, 2022
Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit
Published Nov 15, 2024
Regular Expression Denial of Service (ReDoS)
Published Mar 19, 2021
Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope
Published Jan 5, 2026
@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Published Feb 14, 2025
loader-utils is vulnerable to Regular Expression Denial of Service (ReDoS) via url variable
Published Oct 14, 2022
Regular Expression Denial of Service (ReDoS) in micromatch
Published May 14, 2024
Regular Expression Denial of Service in hosted-git-info
Published May 6, 2021
semver-regex Regular Expression Denial of Service (ReDOS)
Published Sep 20, 2021
Regular expression denial of service in codemirror
Published May 10, 2021
Regular expression Denial of Service in @progfay/scrapbox-parser
Published Mar 1, 2021
Malicious code in sync-express (npm)
Published Jun 8, 2022
Vega Expression Language `scale` expression function Cross Site Scripting
Published Mar 2, 2023
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network
Published Mar 6, 2026
Session fixation in express-openid-connect
Published Dec 9, 2021
node-fetch Inefficient Regular Expression Complexity
Published Aug 2, 2022
Regular Expression Denial of Service in postcss
Published May 10, 2021
Malicious code in express-starter-template (npm)
Published Nov 24, 2025
semver vulnerable to Regular Expression Denial of Service
Published Jun 21, 2023
Inefficient Regular Expression Complexity in marked
Published Jan 14, 2022
tmpl vulnerable to Inefficient Regular Expression Complexity which may lead to resource exhaustion
Published Sep 20, 2021
Regular Expression Denial of Service in marked
Published Jul 24, 2018
Malicious code in bool-expressions (npm)
Published Nov 24, 2025
Regular Expression Denial of Service in fresh
Published Jul 24, 2018
Duplicate Advisory: Regular Expression Denial of Service in braces
Published Jun 6, 2019
Malicious code in vscode-smoketest-express (npm)
Published Jan 30, 2023
Cross-Site Request Forgery in express-cart
Published Aug 30, 2021
Regular Expression Denial-of-Service in npm schema-inspector
Published Mar 19, 2021
@sideway/formula contains Regular Expression Denial of Service (ReDoS) Vulnerability
Published Feb 8, 2023
Malicious code in iifl_express_middleware (npm)
Published Jan 29, 2024
Regular expression deinal of service in express-validators
Published May 10, 2021
@adobe/css-tools Improper Input Validation and Inefficient Regular Expression Complexity
Published Nov 30, 2023
Denial of Service (DoS) in mongo-express
Published Oct 6, 2021
axios Inefficient Regular Expression Complexity vulnerability
Published Sep 1, 2021
Inefficient Regular Expression Complexity in shescape
Published Oct 25, 2022
Regular Expression Denial of Service in timespan
Published Aug 29, 2018
jquery-validation Regular Expression Denial of Service due to arbitrary input to url2 method
Published Jul 5, 2022
Malicious code in express-request-ip (npm)
Published Sep 23, 2024
Regular expression denial of service in devcert
Published Jun 3, 2022
JSONata expression can pollute the "Object" prototype
Published Mar 4, 2024
Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
Published Apr 21, 2026
Regular expression denial of service in scss-tokenizer
Published Jul 2, 2022
Regular Expression Denial of Service in hawk
Published Jul 31, 2018
Insecure template handling in Express-handlebars
Published Feb 10, 2022
glob-parent vulnerable to Regular Expression Denial of Service in enclosure regex
Published Jun 7, 2021
Regular Expression Denial of Service in path-parse
Published Aug 10, 2021
validate.js Regular Expression Denial of Service vulnerability
Published Oct 26, 2024
Remote Code Execution in Angular Expressions
Published Jan 24, 2020
@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)
Published Jan 20, 2026
Regular Expression Denial of Service in simple-markdown
Published Feb 12, 2023
Regular Expression Denial of Service in websocket-extensions (NPM package)
Published Jun 5, 2020
Polynomial regular expression used on uncontrolled data in nitrado.js
Published Aug 31, 2022
Regular Expression Denial of Service in minimatch
Published Oct 9, 2018
mime Regular Expression Denial of Service when MIME lookup performed on untrusted user input
Published Jul 20, 2018
Regular Expression Denial of Service (ReDoS) in Prism
Published Jun 28, 2021
Malicious code in ultimates-express (npm)
Published Feb 24, 2026
Regular Expression Denial of Service in simple-markdown
Published Feb 12, 2023
express-cart unrestricted file upload vulnerability
Published May 13, 2022
@adobe/css-tools Regular Expression Denial of Service (ReDOS) while Parsing CSS
Published Aug 29, 2023
Malicious code in transform-member-expression-literals (npm)
Published Mar 16, 2026
Meteor Affected By Inefficient Regular Expression Complexity
Published May 16, 2025
Regular Expression Denial of Service in validator
Published Aug 31, 2020
Regular Expression Denial of Service in jquery-validation
Published Jan 13, 2021
Malicious code in swagger-express-evaluator (npm)
Published Nov 11, 2025
uap-core Regular Expression Denial of Service issue
Published Mar 6, 2019
Regular Expression Denial of Service in string package
Published Jul 24, 2018
Regular Expression Denial of Service in riot-compiler
Published Feb 18, 2019
is_js vulnerable to Regular Expression Denial of Service
Published Jul 6, 2023
CKEditor 5 Markdown plugin Regular expression Denial of Service
Published Jan 29, 2021
Regular expression denial of service in @absolunet/kafe
Published May 10, 2021
Regular Expression Denial of Service in jsoneditor
Published Sep 29, 2021
express-xss-sanitizer vulnerable to Prototype Pollution via allowedTags attribute
Published Sep 27, 2022
Regular Expression Denial of Service (ReDoS)
Published Jun 13, 2019
Inefficient Regular Expression Complexity in handsontable
Published Sep 30, 2021
Malicious code in helper-member-expression-to-functions (npm)
Published Apr 17, 2025
Regular Expression Denial of Service in parsejson
Published Jul 24, 2018
Regular Expression Denial of Service in markdown
Published Sep 4, 2020
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
Published Apr 16, 2026
Malicious code in internal_crypto_express_package (npm)
Published Jun 20, 2022
Malicious code in express-cronjs (npm)
Published May 7, 2025
http-cache-semantics vulnerable to Regular Expression Denial of Service
Published Jan 31, 2023
Regular Expression Denial of Service in content
Published Jul 24, 2018
Malicious code in pro-express (npm)
Published Apr 2, 2026
Malicious code in overstock-health-express (npm)
Published Jan 23, 2026
Regular Expression Denial of Service in papaparse
Published Sep 4, 2020
Regular Expression Denial of Service in slug
Published Jul 24, 2018
Servify-express rate limit issue
Published Dec 11, 2025
express-xss-sanitizer has an unbounded recursion depth
Published Sep 26, 2025
Malicious code in env-cli-express (npm)
Published Mar 24, 2026
MathJax Regular expression Denial of Service (ReDoS)
Published Aug 29, 2023
Inefficient Regular Expression Complexity in vuelidate
Published Sep 20, 2021
Duplicate Advisory: Regular Expression Denial of Service in simple-markdown
Published Sep 3, 2020
@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
Published Jul 18, 2025
Malicious code in @antstackio/express-graphql-proxy (npm)
Published Nov 25, 2025
Malicious code in express-my-error-handler (npm)
Published Dec 6, 2025
Regular Expression Denial of Service (ReDoS)
Published Mar 19, 2021
angular vulnerable to regular expression denial of service via the angular.copy() utility
Published Mar 30, 2023
steal Inefficient Regular Expression Complexity vulnerability via string variable
Published Sep 21, 2022
@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
Published Feb 14, 2025
Malicious code in expressyession (npm)
Published Aug 19, 2022
Regular Expression Denial of Service in highcharts
Published Mar 18, 2019
Inefficient Regular Expression Complexity in koa
Published Feb 12, 2025
Luxon Inefficient Regular Expression Complexity vulnerability
Published Jan 9, 2023
Inefficient Regular Expression Complexity in taro
Published Sep 20, 2021
Malicious code in expressjs-lint (npm)
Published Mar 2, 2026
Terser insecure use of regular expressions leads to ReDoS
Published Jul 16, 2022
jspdf vulnerable to Regular Expression Denial of Service (ReDoS)
Published Mar 12, 2021
Malicious code in express-4.x-passport-snapchat-example (npm)
Published Jun 20, 2022
prismjs Regular Expression Denial of Service vulnerability
Published Sep 20, 2021
Regular Expression Denial of Service in tough-cookie
Published Jul 24, 2018
Angular Expressions - Remote Code Execution
Published Feb 1, 2021
taro-css-to-react-native Regular Expression Denial of Service vulnerability
Published Jun 9, 2025
Regular expression denial of service in markdown-link-extractor
Published Jun 3, 2022
Malicious code in swagger-express-cli (npm)
Published Oct 17, 2025
Malicious code in express-configer (npm)
Published Feb 10, 2026
@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing
Published Apr 4, 2026
Malicious code in brightspot-express (npm)
Published Jun 20, 2022
Malicious code in express-api-sync (npm)
Published Jun 4, 2025
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
Published Feb 26, 2026
markdown-it is has a Regular Expression Denial of Service (ReDoS)
Published Feb 12, 2026
pm2 Regular Expression Denial of Service vulnerability
Published Jun 9, 2025
ua-parser-js Regular Expression Denial of Service vulnerability
Published Feb 9, 2022
Marked allows Regular Expression Denial of Service (ReDoS) attacks
Published May 23, 2025
Malicious code in web-pubsub-express (npm)
Published Jun 20, 2022
Inefficient Regular Expression Complexity in marked
Published Jan 14, 2022
Malicious code in walmart-express (npm)
Published Jul 21, 2022
Malicious code in express-validator-plugin (npm)
Published Apr 30, 2025
@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability
Published Jun 9, 2025
XSS via Angular Expression in ag-grid
Published Sep 1, 2020
Regular Expression Denial of Service (ReDoS) in braces
Published Jan 6, 2022
cookiejar Regular Expression Denial of Service via Cookie.parse function
Published Jan 18, 2023
Malicious code in bfx-report-express (npm)
Published Jun 20, 2022
email-existence Inefficient Regular Expression Complexity vulnerability
Published Dec 27, 2022
Regular Expression Denial of Service in browserslist
Published May 24, 2021
Inefficient Regular Expression Complexity in validator.js
Published Nov 3, 2021
Malicious code in falcor-express-demo (npm)
Published Feb 28, 2025
Regular Expression Denial of Service in npm-user-validate
Published Oct 16, 2020
Malicious code in swagger-cli-express (npm)
Published Oct 7, 2025
Inefficient Regular Expression Complexity in nth-check
Published Sep 20, 2021
Malicious code in node-express-demo (npm)
Published May 21, 2025
Insecure template handling in express-hbs
Published May 17, 2021
Malicious code in express-dompurify (npm)
Published Oct 1, 2024
Malicious code in express-security-policy (npm)
Published Apr 17, 2026
Malicious code in colors_express (npm)
Published May 31, 2022
Malicious code in express-session-vailidator (npm)
Published Mar 24, 2026
Malicious code in express_update (npm)
Published Feb 5, 2026
Malicious code in express-groups-routes (npm)
Published Feb 4, 2026
Malicious code in express-http-geobase (npm)
Published Jan 30, 2023
Malicious code in express-http-langdetect (npm)
Published Jan 30, 2023
Malicious code in express-blackbox (npm)
Published Jun 20, 2022
Malicious code in express-checkout-sdk (npm)
Published Jun 20, 2022
Malicious code in express-lastest (npm)
Published May 31, 2022
Malicious code in express-metrics-zmarta (npm)
Published Jun 20, 2022
Malicious code in express-uatraits (npm)
Published Jun 20, 2022
Malicious code in express-yandexuid (npm)
Published Jun 20, 2022
Malicious code in express-js-web (npm)
Published Dec 30, 2025
Malicious code in express-soaps (npm)
Published Feb 24, 2026
Malicious code in example-nodejs-express (npm)
Published Mar 11, 2025
Malicious code in express-session-validator (npm)
Published Mar 24, 2026
Malicious code in express-auth-basic (npm)
Published Apr 16, 2026
Malicious code in syntax-do-expressions (npm)
Published Mar 16, 2026
Malicious code in env_express (npm)
Published Apr 15, 2026
Malicious code in express-jscookie (npm)
Published Jun 10, 2025
Regular Expression Denial of Service in Handlebars
Published Feb 10, 2022
Malicious code in cta-onboard-express (npm)
Published Jun 25, 2024
Malicious code in express-configers (npm)
Published Mar 18, 2026
Malicious code in paypal-express (npm)
Published Jun 20, 2022
Malicious code in @trigo/bool-expressions (npm)
Published Nov 24, 2025
Malicious code in expressautomations (npm)
Published Jul 24, 2023
Malicious code in fc-expressions (npm)
Published Jun 6, 2023
Malicious code in express-ranges (npm)
Published Mar 18, 2026
Malicious code in express-security-suite-2024 (npm)
Published Mar 18, 2026
Malicious code in express-sessions-id (npm)
Published Jan 12, 2026
Malicious code in braintree_express_example (npm)
Published Oct 9, 2024
Malicious code in geocaching-express-account-middleware (npm)
Published Nov 17, 2022
Regular expression denial of service in url-regex
Published Jun 22, 2020
Malicious code in express-exp (npm)
Published Apr 17, 2025
Malicious code in express-core-cache (npm)
Published Oct 2, 2024
Regular Expression Denial of Service (ReDOS)
Published Jun 22, 2021
Regular Expression Denial of Service in sshpk
Published Aug 15, 2018
angular vulnerable to regular expression denial of service via the $resource service
Published Mar 30, 2023
Duplicate Advisory: Privilege Escalation in express-cart
Published Jun 3, 2019
Knwl.js Regular Expression Denial of Service vulnerability
Published Oct 26, 2024
path-to-regexp outputs backtracking regular expressions
Published Sep 9, 2024
Private Data Disclosure in express-restify-mongoose
Published Oct 23, 2018
uri-template-lite Regular Expression Denial of Service
Published Aug 25, 2022
Regular Expression Denial of Service in debug
Published Aug 9, 2018
Regular Expression Denial of Service in decamelize
Published Jul 24, 2018
Regular expression Denial of Service in multiple packages
Published Apr 6, 2021
n8n Vulnerable to Remote Code Execution via Expression Injection
Published Dec 22, 2025
n8n: Expression Sandbox Escape Leads to RCE
Published Feb 25, 2026
Authentication Bypass by Spoofing in express-cart
Published Feb 7, 2019
Malicious code in express-authgen (npm)
Published May 30, 2025
Malicious code in express-gueues (npm)
Published Feb 11, 2026
Malicious code in express-http-validator (npm)
Published Mar 18, 2026
Malicious code in express-lists-routes (npm)
Published Jan 28, 2026
Malicious code in dotenv-express (npm)
Published Mar 24, 2026
Malicious code in env-express (npm)
Published Mar 24, 2026
Malicious code in env-express-cli (npm)
Published Mar 24, 2026
Malicious code in express-xmlrequest (npm)
Published Sep 26, 2025