nes
203 known vulnerabilities · 4 critical · 10 high
vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
React Router has stored XSS via unescaped Location header in prerendered redirect HTML
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm
Malicious code in @voiceflow/nestjs-rate-limit (npm)
@grackle-ai/server: Unescaped Error String in renderPairingPage() HTML Template
AutoUpdater module fails to validate certain nested components of the bundle
OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
Potential Authorization Header Exposure in NPM Packages @finastra/nestjs-proxy, @ffdc/nestjs-proxy
Duplicate Advisory: OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Malicious code in yamoney-guidelines (npm)
@stablelib/cbor: Stack exhaustion Denial of Service via deeply nested CBOR arrays, maps, or tags
OpenClaw's complex interpreter pipelines could skip exec script preflight validation
Malicious code in kinesis-app-panel (npm)
Malicious code in business-data (npm)
Malicious code in azure-pipelines-dependency-track (npm)
Parse Server vulnerable to SQL injection via `Increment` operation on nested object field in PostgreSQL
JHipster Kotlin using insecure source of randomness `RandomStringUtils` before v1.2.0
Malicious code in rxnt-healthchecks-nestjs (npm)
Malicious code in com.unity.render-pipelines.high-definition-config (npm)
Malicious code in commandlinesage (npm)
Potential Sensitive Cookie Exposure in NPM Packages @finastra/nestjs-proxy, @ffdc/nestjs-proxy
oRPC has Stored XSS in OpenAPI Reference Plugin via unescaped JSON.stringify
Malicious code in @cloudplatform-single-spa/virtual-machines (npm)
Malicious code in dinesh-dev-nagajikkktest11223qa (npm)
Malicious code in @zitterorg/deserunt-nesciunt (npm)
Malicious code in pug-web-readiness (npm)
Malicious code in facebook-nodejs-business-sdk-tests (npm)
Malicious code in @bmw-chris/onlinesession-default-frontend (npm)
OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction
Malicious code in @epc-libraries/kinesis-service (npm)
Malicious code in @linesearch/swiper (npm)
Malicious code in nespresso-design-system (npm)
Malicious code in react-liveness (npm)
h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs
Duplicate Advisory: Nest has a Fastify URL Encoding Middleware Bypass
Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
@nestjs/core vulnerable to Information Exposure via StreamableFile pipe
Malicious code in @diotoborg/accusamus-nesciunt (npm)
Solana Pay Vulnerable to Weakness in Transfer Validation Logic
Malicious code in cmp-ocr-liveness-acquisition (npm)
Malicious code in @zitterorg/mollitia-laborum-nesciunt (npm)
smol-toml: Denial of Service via TOML documents containing thousands of consecutive commented lines
False-positive validity for NFT1 genesis transactions in SLPJS
Malicious code in genesys-richmedia (npm)
Malicious code in @voiceflow/nestjs-timeout (npm)
Malicious code in @diotoborg/dolore-nesciunt (npm)
Malicious code in cms-businesslogic-extensions (npm)
Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables
Malicious code in link-outside-nest (npm)
Malicious code in tailwind-lines-clamp (npm)
Parse Server has denylist `requestKeywordDenylist` keyword scan bypass through nested object placement
Malicious code in @cloudplatform-single-spa/vcenter-virtual-machines (npm)
Malicious code in obyte-witness (npm)
Malicious code in react-nesting-example-legacy (npm)
Malicious code in @voiceflow/nestjs-redis (npm)
Malicious code in set-nested-prop (npm)
Malicious code in com.unity.editorcoroutines (npm)
Malicious code in bulldog-e-business (npm)
Malicious code in com.unity.render-pipelines.universal-config (npm)
OpenClaw: Isolated cron awareness events were recorded as trusted system events
Malicious code in harness-helm-plugin (npm)
Nest Affected by DoS via Recursive handleData in JsonSocket (TCP Transport)
Malicious code in @sbbol/business (npm)
Malicious code in forge-app-bones (npm)
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
Malicious code in possnested (npm)
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
GitHub Copilot CLI: Nested Bare Repository Can Execute Arbitrary Commands via core.fsmonitor
Malicious code in generate_genesis_values (npm)
Malicious code in @exness/select-component-ab (npm)
Malicious code in kubeflow-pipelines (npm)
defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag
Malicious code in @exnessimo/style (npm)
Malicious code in import-newlines (npm)
Malicious code in broccolifuknnes (npm)
Malicious code in commandinesrgs (npm)
Malicious code in snyk-azure-pipelines-task (npm)
Malicious code in @diotoborg/nesciunt-ullam (npm)
Malicious code in vite-postcss-nested (npm)
Malicious code in @business_promocode/apply_promocode (npm)
Malicious code in @business_promocode/cancel_promocode (npm)
Malicious code in node-business (npm)
Malicious code in vet-bones (npm)
@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')
Malicious code in @lbnqduy11805/reimagined-happiness (npm)
Malicious code in nestjs-translator (npm)
shell-quote quote() does not escape newlines in object .op values
Malicious code in @infinid-indonesia/ui-kit (npm)
Malicious code in romanes-eunt-domus-jd-1337 (npm)
Malicious code in helm-harness (npm)
Malicious code in @nestor_hexom/garfield (npm)
Malicious code in @beproduct/nestjs-auth (npm)
Malicious code in @mcpassure/mcp-cnes (npm)
Malicious code in icnes (npm)
Malicious code in @self-evolving-harness/kivo (npm)
Malicious code in nestjs-ldap-auth (npm)
Malicious code in @diotoborg/harum-nesciunt-dolores (npm)
Malicious code in adc-harness-state (npm)
Malicious code in @zitterorg/nesciunt-quas (npm)
Malicious code in amazon-kinesis-video-streams-webrtc-sdk-js (npm)
Malicious code in @diotoborg/nesciunt-veniam (npm)
Malicious code in clientcore-base-businesslogic (npm)
Malicious code in safeness-sb-new (npm)
Malicious code in @diotoborg/quae-nesciunt (npm)
Malicious code in @diotoborg/quis-soluta-nesciunt (npm)
Malicious code in barebones-css (npm)
Duplicate Advisory: Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
Malicious code in exnessimo (npm)
Malicious code in safeness-backup (npm)
Malicious code in @edwardjones/fetlife-assets (npm)
Malicious code in freekws-devportal-api-client-nestjs (npm)
Malicious code in runkit-engines (npm)
Malicious code in httpness (npm)
Malicious code in @diotoborg/error-nesciunt-qui (npm)
Malicious code in genshin-impact-free-primogems-and-genesis-crystals-2022 (npm)
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
TinyMCE vulnerable to mutation Cross-site Scripting via special characters in unescaped text nodes
Malicious code in genesis-volatility-adapter (npm)
Malicious code in genesys-frontend-facade (npm)
Malicious code in @zitterorg/itaque-nesciunt-voluptatibus (npm)
Malicious code in ui-platform-business-elements (npm)
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
Malicious code in @juiggitea/nesciunt-ut-culpa-ad (npm)
Malicious code in comcast.business.web.ui.trident (npm)
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
Malicious code in n8n-nodes-whatsapp-business-api-by-automations-builder (npm)
Malicious code in nesiahanzz (npm)
Malicious code in jquery-ui-smoothness (npm)
Malicious code in @zitterorg/similique-nesciunt (npm)
Malicious code in do-wnload-available-2014-20032-happiness-is-happening-2iby6-rsrcqq (npm)
Malicious code in @voiceflow/nestjs-common (npm)
Malicious code in @stepstone-genesis/components (npm)
Malicious code in @voiceflow/nestjs-mongodb (npm)
Malicious code in valentinesgiftt (npm)
Malicious code in @posthog/kinesis-plugin (npm)
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
Malicious code in unescaped (npm)
Malicious code in nestjs-proxy (npm)
Malicious code in vzyfxaumldnesjor (npm)
Malicious code in business_api_client (npm)
Malicious code in cms-businesslogic (npm)
vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
Nest: Middleware Bypass on Fastify via Trailing Slash
Astro: Reflected XSS via unescaped slot name
Nuxt: URL-handling weaknesses in `navigateTo` and `reloadNuxtApp`: SSR open redirect, client-side script execution via the `open` option, and protocol-relative bypass in `reloadNuxtApp`
Malicious code in nest-moralis (npm)
form-data: CRLF injection in form-data via unescaped multipart field names and filenames
Malicious code in @exnessimus/hooks (npm)
Astro: XSS via Unescaped Attribute Names in Spread Props
Malicious code in pipelines-javascript (npm)
Malicious code in buildkite-pipelines (npm)
Malicious code in harness-skil (npm)
Malicious code in svharness (npm)
Duplicate Advisory: OpenClaw: Isolated cron awareness events were recorded as trusted system events
Malicious code in @nestor_hexom/garfield1 (npm)
parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names
Malicious code in @mastra/nestjs (npm)
Malicious code in canvas-nest.js (npm)
Malicious code in @nestor_hexom/qyxb (npm)
Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
Malicious code in react-nesting-example-modern (npm)
Electron context isolation bypass via nested unserializable return value
Malicious code in @cloudplatform-single-spa/business-solutions (npm)
Malicious code in skype4business (npm)
Malicious code in clientcore-catalyst-businesslogic (npm)
Malicious code in clientcore-onesrv-businesslogic (npm)
Malicious code in clientcore-onesrv-serviceclients (npm)
Malicious code in @cloudplatform-single-spa/dataplatform-nessie (npm)
joi has an uncaught RangeError on deeply nested input through recursive `link()` schemas
Multer vulnerable to Denial of Service via deeply nested field names
http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`
Malicious code in wellness-expert-ng-gallery (npm)
Malicious code in onesignal-hooks (npm)
minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
MCPVault: PathFilter restricted directories (.git/.obsidian/node_modules) only denied at vault root, not nested
OpenZeppelin Contracts Wizard: Line terminators in info.securityContact / info.license can inject lines into generated source
parse-server: Denial of service via exponential-time processing of deeply nested query operators
flat-to-nested: Prototype pollution in flat-to-nested convert() via __proto__ parent/id key
appium-mcp: Unescaped Locator Data XSS in MCP-UI Resource (createLocatorGeneratorUI)