|
cve="CVE-2026-26996"
instance="gaeko-ui"
job="npm_audit"
package="minimatch"
patched_versions=">=3.1.3"
recommendation="Upgrade to version 3.1.3 or later"
severity="high"
title="minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern"
url="https://github.com/advisories/GHSA-3ppc-4f35-3m26"
|
0
|
|
cve="CVE-2026-27606"
instance="gaeko-ui"
job="npm_audit"
package="rollup"
patched_versions=">=4.59.0"
recommendation="Upgrade to version 4.59.0 or later"
severity="high"
title="Rollup 4 has Arbitrary File Write via Path Traversal"
url="https://github.com/advisories/GHSA-mw96-cpmx-2vgc"
|
0
|
|
cve="CVE-2026-27903"
instance="gaeko-ui"
job="npm_audit"
package="minimatch"
patched_versions=">=3.1.3"
recommendation="Upgrade to version 3.1.3 or later"
severity="high"
title="minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments"
url="https://github.com/advisories/GHSA-7r86-cg39-jmmj"
|
7.5
|
|
cve="CVE-2026-27904"
instance="gaeko-ui"
job="npm_audit"
package="minimatch"
patched_versions=">=3.1.4"
recommendation="Upgrade to version 3.1.4 or later"
severity="high"
title="minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions"
url="https://github.com/advisories/GHSA-23c5-xmqv-rm74"
|
7.5
|
|
cve="CVE-2026-32141"
instance="gaeko-ui"
job="npm_audit"
package="flatted"
patched_versions=">=3.4.0"
recommendation="Upgrade to version 3.4.0 or later"
severity="high"
title="flatted vulnerable to unbounded recursion DoS in parse() revive phase"
url="https://github.com/advisories/GHSA-25h7-pfq9-p65f"
|
7.5
|
|
cve="CVE-2026-33228"
instance="gaeko-ui"
job="npm_audit"
package="flatted"
patched_versions=">=3.4.2"
recommendation="Upgrade to version 3.4.2 or later"
severity="high"
title="Prototype Pollution via parse() in NodeJS flatted"
url="https://github.com/advisories/GHSA-rf6f-7fwh-wjgh"
|
0
|
|
cve="CVE-2026-33750"
instance="gaeko-ui"
job="npm_audit"
package="brace-expansion"
patched_versions=">=1.1.13"
recommendation="Upgrade to version 1.1.13 or later"
severity="moderate"
title="brace-expansion: Zero-step sequence causes process hang and memory exhaustion"
url="https://github.com/advisories/GHSA-f886-m6hf-6m8v"
|
6.5
|
|
cve="CVE-2026-33672"
instance="gaeko-ui"
job="npm_audit"
package="picomatch"
patched_versions=">=2.3.2"
recommendation="Upgrade to version 2.3.2 or later"
severity="moderate"
title="Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"
url="https://github.com/advisories/GHSA-3v7f-55p6-f55p"
|
5.3
|
|
cve="CVE-2026-33672"
instance="gaeko-ui"
job="npm_audit"
package="picomatch"
patched_versions=">=4.0.4"
recommendation="Upgrade to version 4.0.4 or later"
severity="moderate"
title="Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching"
url="https://github.com/advisories/GHSA-3v7f-55p6-f55p"
|
5.3
|
|
cve="CVE-2026-33671"
instance="gaeko-ui"
job="npm_audit"
package="picomatch"
patched_versions=">=2.3.2"
recommendation="Upgrade to version 2.3.2 or later"
severity="high"
title="Picomatch has a ReDoS vulnerability via extglob quantifiers"
url="https://github.com/advisories/GHSA-c2c7-rcm5-vvqj"
|
7.5
|
|
cve="CVE-2026-33671"
instance="gaeko-ui"
job="npm_audit"
package="picomatch"
patched_versions=">=4.0.4"
recommendation="Upgrade to version 4.0.4 or later"
severity="high"
title="Picomatch has a ReDoS vulnerability via extglob quantifiers"
url="https://github.com/advisories/GHSA-c2c7-rcm5-vvqj"
|
7.5
|
|
cve="CVE-2026-4800"
instance="gaeko-ui"
job="npm_audit"
package="lodash-es"
patched_versions=">=4.18.0"
recommendation="Upgrade to version 4.18.0 or later"
severity="high"
title="lodash vulnerable to Code Injection via `_.template` imports key names"
url="https://github.com/advisories/GHSA-r5fr-rjxr-66jc"
|
8.1
|
|
cve="CVE-2026-4800"
instance="gaeko-ui"
job="npm_audit"
package="lodash"
patched_versions=">=4.18.0"
recommendation="Upgrade to version 4.18.0 or later"
severity="high"
title="lodash vulnerable to Code Injection via `_.template` imports key names"
url="https://github.com/advisories/GHSA-r5fr-rjxr-66jc"
|
8.1
|
|
cve="CVE-2026-2950"
instance="gaeko-ui"
job="npm_audit"
package="lodash-es"
patched_versions=">=4.18.0"
recommendation="Upgrade to version 4.18.0 or later"
severity="moderate"
title="lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"
url="https://github.com/advisories/GHSA-f23m-r3pf-42rh"
|
6.5
|
|
cve="CVE-2026-2950"
instance="gaeko-ui"
job="npm_audit"
package="lodash"
patched_versions=">=4.18.0"
recommendation="Upgrade to version 4.18.0 or later"
severity="moderate"
title="lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`"
url="https://github.com/advisories/GHSA-f23m-r3pf-42rh"
|
6.5
|
|
cve="GHSA-r4q5-vmmm-2653"
instance="gaeko-ui"
job="npm_audit"
package="follow-redirects"
patched_versions=">=1.16.0"
recommendation="Upgrade to version 1.16.0 or later"
severity="moderate"
title="follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets"
url="https://github.com/advisories/GHSA-r4q5-vmmm-2653"
|
0
|
|
cve="CVE-2026-41305"
instance="gaeko-ui"
job="npm_audit"
package="postcss"
patched_versions=">=8.5.10"
recommendation="Upgrade to version 8.5.10 or later"
severity="moderate"
title="PostCSS has XSS via Unescaped </style> in its CSS Stringify Output"
url="https://github.com/advisories/GHSA-qx2v-qp2m-jg93"
|
6.1
|
|
cve="CVE-2026-42041"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.1"
recommendation="Upgrade to version 1.15.1 or later"
severity="moderate"
title="Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy"
url="https://github.com/advisories/GHSA-w9j2-pvgh-6h63"
|
4.8
|
|
cve="CVE-2026-42043"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.1"
recommendation="Upgrade to version 1.15.1 or later"
severity="high"
title="Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0"
url="https://github.com/advisories/GHSA-pmwg-cvhr-8vh7"
|
7.2
|
|
cve="CVE-2026-42044"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.2"
recommendation="Upgrade to version 1.15.2 or later"
severity="moderate"
title="Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`"
url="https://github.com/advisories/GHSA-3w6x-2g7m-8v23"
|
6.5
|
|
cve="CVE-2026-42040"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.1"
recommendation="Upgrade to version 1.15.1 or later"
severity="low"
title="Axios: Null Byte Injection via Reverse-Encoding in AxiosURLSearchParams"
url="https://github.com/advisories/GHSA-xhjh-pmcv-23jw"
|
3.7
|
|
cve="CVE-2026-42037"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.1"
recommendation="Upgrade to version 1.15.1 or later"
severity="moderate"
title="Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream"
url="https://github.com/advisories/GHSA-445q-vr5w-6q77"
|
5.3
|
|
cve="CVE-2026-42038"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.1"
recommendation="Upgrade to version 1.15.1 or later"
severity="moderate"
title="Axios: no_proxy bypass via IP alias allows SSRF"
url="https://github.com/advisories/GHSA-m7pr-hjqh-92cm"
|
6.8
|
|
cve="CVE-2026-42034"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.1"
recommendation="Upgrade to version 1.15.1 or later"
severity="moderate"
title="Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0"
url="https://github.com/advisories/GHSA-5c9x-8gcm-mpgx"
|
5.3
|
|
cve="CVE-2026-42036"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.1"
recommendation="Upgrade to version 1.15.1 or later"
severity="moderate"
title="Axios: HTTP adapter streamed responses bypass maxContentLength"
url="https://github.com/advisories/GHSA-vf2m-468p-8v99"
|
5.3
|
|
cve="CVE-2026-42033"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.1"
recommendation="Upgrade to version 1.15.1 or later"
severity="high"
title="Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking"
url="https://github.com/advisories/GHSA-pf86-5x62-jrwf"
|
7.4
|
|
cve="CVE-2026-42035"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.1"
recommendation="Upgrade to version 1.15.1 or later"
severity="high"
title="Axios: Header Injection via Prototype Pollution"
url="https://github.com/advisories/GHSA-6chq-wfr3-2hj9"
|
7.4
|
|
cve="CVE-2026-42042"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.1"
recommendation="Upgrade to version 1.15.1 or later"
severity="moderate"
title="Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion"
url="https://github.com/advisories/GHSA-xx6v-rp6x-q39c"
|
5.4
|
|
cve="CVE-2026-6321"
instance="gaeko-ui"
job="npm_audit"
package="fast-uri"
patched_versions=">=3.1.1"
recommendation="Upgrade to version 3.1.1 or later"
severity="high"
title="fast-uri vulnerable to path traversal via percent-encoded dot segments"
url="https://github.com/advisories/GHSA-q3j6-qgpj-74h6"
|
7.5
|
|
cve="CVE-2026-6322"
instance="gaeko-ui"
job="npm_audit"
package="fast-uri"
patched_versions=">=3.1.2"
recommendation="Upgrade to version 3.1.2 or later"
severity="high"
title="fast-uri vulnerable to host confusion via percent-encoded authority delimiters"
url="https://github.com/advisories/GHSA-v39h-62p7-jpjc"
|
7.5
|
|
cve="CVE-2026-42264"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.2"
recommendation="Upgrade to version 1.15.2 or later"
severity="high"
title="Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking"
url="https://github.com/advisories/GHSA-q8qp-cvcw-x6jj"
|
7.4
|
|
cve="CVE-2026-42338"
instance="gaeko-ui"
job="npm_audit"
package="ip-address"
patched_versions=">=10.1.1"
recommendation="Upgrade to version 10.1.1 or later"
severity="moderate"
title="ip-address has XSS in Address6 HTML-emitting methods"
url="https://github.com/advisories/GHSA-v2v4-37r5-5v8g"
|
0
|
|
cve="CVE-2026-45736"
instance="gaeko-ui"
job="npm_audit"
package="ws"
patched_versions=">=8.20.1"
recommendation="Upgrade to version 8.20.1 or later"
severity="moderate"
title="ws: Uninitialized memory disclosure"
url="https://github.com/advisories/GHSA-58qx-3vcg-4xpx"
|
4.4
|
|
cve="CVE-2026-41907"
instance="gaeko-ui"
job="npm_audit"
package="uuid"
patched_versions=">=11.1.1"
recommendation="Upgrade to version 11.1.1 or later"
severity="moderate"
title="uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided"
url="https://github.com/advisories/GHSA-w5hq-g745-h8pq"
|
7.5
|
|
cve="CVE-2026-44492"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.16.0"
recommendation="Upgrade to version 1.16.0 or later"
severity="high"
title="axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)"
url="https://github.com/advisories/GHSA-pjwm-pj3p-43mv"
|
8.6
|
|
cve="CVE-2026-47428"
instance="gaeko-ui"
job="npm_audit"
package="@vitest/browser"
patched_versions=">=4.1.6"
recommendation="Upgrade to version 4.1.6 or later"
severity="critical"
title="Vitest browser mode serves unsanitized otelCarrier query parameter as inline script"
url="https://github.com/advisories/GHSA-2h32-95rg-cppp"
|
9.6
|
|
cve="CVE-2026-42211"
instance="gaeko-ui"
job="npm_audit"
package="react-router"
patched_versions=">=7.14.2"
recommendation="Upgrade to version 7.14.2 or later"
severity="high"
title="React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE"
url="https://github.com/advisories/GHSA-49rj-9fvp-4h2h"
|
8.1
|
|
cve="CVE-2026-42342"
instance="gaeko-ui"
job="npm_audit"
package="react-router"
patched_versions=">=7.15.0"
recommendation="Upgrade to version 7.15.0 or later"
severity="high"
title="React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint"
url="https://github.com/advisories/GHSA-8x6r-g9mw-2r78"
|
7.5
|
|
cve="CVE-2026-42039"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.1"
recommendation="Upgrade to version 1.15.1 or later"
severity="moderate"
title="Axios: unbounded recursion in toFormData causes DoS via deeply nested request data"
url="https://github.com/advisories/GHSA-62hf-57xw-28j9"
|
7.5
|
|
cve="CVE-2026-45149"
instance="gaeko-ui"
job="npm_audit"
package="brace-expansion"
patched_versions=">=5.0.6"
recommendation="Upgrade to version 5.0.6 or later"
severity="moderate"
title="brace-expansion: Large numeric range defeats documented `max` DoS protection"
url="https://github.com/advisories/GHSA-jxxr-4gwj-5jf2"
|
6.5
|
|
cve="CVE-2025-13465"
instance="gaeko-ui"
job="npm_audit"
package="lodash-es"
patched_versions=">=4.17.23"
recommendation="Upgrade to version 4.17.23 or later"
severity="moderate"
title="Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions"
url="https://github.com/advisories/GHSA-xxjr-mmjv-4gpg"
|
6.5
|
|
cve="CVE-2026-9277"
instance="gaeko-ui"
job="npm_audit"
package="shell-quote"
patched_versions=">=1.8.4"
recommendation="Upgrade to version 1.8.4 or later"
severity="critical"
title="shell-quote quote() does not escape newlines in object .op values"
url="https://github.com/advisories/GHSA-w7jw-789q-3m8p"
|
8.1
|
|
cve="CVE-2026-44496"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.16.0"
recommendation="Upgrade to version 1.16.0 or later"
severity="high"
title="Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection"
url="https://github.com/advisories/GHSA-hfxv-24rg-xrqf"
|
7.5
|
|
cve="CVE-2026-44488"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.16.0"
recommendation="Upgrade to version 1.16.0 or later"
severity="high"
title="Allocation of Resources Without Limits or Throttling in Axios"
url="https://github.com/advisories/GHSA-777c-7fjr-54vf"
|
7.5
|
|
cve="CVE-2026-44487"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.16.0"
recommendation="Upgrade to version 1.16.0 or later"
severity="high"
title="Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter"
url="https://github.com/advisories/GHSA-p92q-9vqr-4j8v"
|
0
|
|
cve="CVE-2026-44486"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.16.0"
recommendation="Upgrade to version 1.16.0 or later"
severity="high"
title="Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection"
url="https://github.com/advisories/GHSA-j5f8-grm9-p9fc"
|
7.5
|
|
cve="CVE-2026-44495"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.15.2"
recommendation="Upgrade to version 1.15.2 or later"
severity="high"
title="axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge"
url="https://github.com/advisories/GHSA-3g43-6gmg-66jw"
|
7
|
|
cve="CVE-2026-44494"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.16.0"
recommendation="Upgrade to version 1.16.0 or later"
severity="high"
title="axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`"
url="https://github.com/advisories/GHSA-35jp-ww65-95wh"
|
8.7
|
|
cve="CVE-2026-44490"
instance="gaeko-ui"
job="npm_audit"
package="axios"
patched_versions=">=1.16.0"
recommendation="Upgrade to version 1.16.0 or later"
severity="moderate"
title="axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions"
url="https://github.com/advisories/GHSA-898c-q2cr-xwhg"
|
4.8
|
|
cve="GHSA-g7r4-m6w7-qqqr"
instance="gaeko-ui"
job="npm_audit"
package="esbuild"
patched_versions=">=0.28.1"
recommendation="Upgrade to version 0.28.1 or later"
severity="low"
title="esbuild allows arbitrary file read when running the development server on Windows"
url="https://github.com/advisories/GHSA-g7r4-m6w7-qqqr"
|
2.5
|
|
cve="CVE-2026-48779"
instance="gaeko-ui"
job="npm_audit"
package="ws"
patched_versions=">=8.21.0"
recommendation="Upgrade to version 8.21.0 or later"
severity="high"
title="ws: Memory exhaustion DoS from tiny fragments and data chunks"
url="https://github.com/advisories/GHSA-96hv-2xvq-fx4p"
|
7.5
|
|
cve="CVE-2026-12143"
instance="gaeko-ui"
job="npm_audit"
package="form-data"
patched_versions=">=4.0.6"
recommendation="Upgrade to version 4.0.6 or later"
severity="high"
title="form-data: CRLF injection in form-data via unescaped multipart field names and filenames"
url="https://github.com/advisories/GHSA-hmw2-7cc7-3qxx"
|
7.5
|
|
cve="CVE-2026-53655"
instance="gaeko-ui"
job="npm_audit"
package="tar"
patched_versions=">=7.5.16"
recommendation="Upgrade to version 7.5.16 or later"
severity="moderate"
title="node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)"
url="https://github.com/advisories/GHSA-vmf3-w455-68vh"
|
0
|
|
cve="CVE-2026-53632"
instance="gaeko-ui"
job="npm_audit"
package="vite"
patched_versions=">=8.0.16"
recommendation="Upgrade to version 8.0.16 or later"
severity="moderate"
title="launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows"
url="https://github.com/advisories/GHSA-v6wh-96g9-6wx3"
|
0
|
|
cve="CVE-2026-53571"
instance="gaeko-ui"
job="npm_audit"
package="vite"
patched_versions=">=8.0.16"
recommendation="Upgrade to version 8.0.16 or later"
severity="high"
title="vite: `server.fs.deny` bypass on Windows alternate paths"
url="https://github.com/advisories/GHSA-fx2h-pf6j-xcff"
|
0
|
|
cve="CVE-2026-53550"
instance="gaeko-ui"
job="npm_audit"
package="js-yaml"
patched_versions=">=4.2.0"
recommendation="Upgrade to version 4.2.0 or later"
severity="moderate"
title="JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases"
url="https://github.com/advisories/GHSA-h67p-54hq-rp68"
|
5.3
|
|
cve="CVE-2026-49356"
instance="gaeko-ui"
job="npm_audit"
package="@babel/core"
patched_versions=">=7.29.6"
recommendation="Upgrade to version 7.29.6 or later"
severity="low"
title="@babel/core: Arbitrary File Read via sourceMappingURL Comment"
url="https://github.com/advisories/GHSA-4x5r-pxfx-6jf8"
|
3.2
|
|
cve="CVE-2026-53663"
instance="gaeko-ui"
job="npm_audit"
package="react-router"
patched_versions=">=7.15.1"
recommendation="Upgrade to version 7.15.1 or later"
severity="low"
title="React Router: Potential CSRF via PUT/PATCH/DELETE document requests"
url="https://github.com/advisories/GHSA-84g9-w2xq-vcv6"
|
3.1
|
|
cve="CVE-2026-53633"
instance="gaeko-ui"
job="npm_audit"
package="@vitest/browser"
patched_versions=">=4.1.8"
recommendation="Upgrade to version 4.1.8 or later"
severity="critical"
title="Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE"
url="https://github.com/advisories/GHSA-g8mr-85jm-7xhm"
|
9.8
|
|
cve="CVE-2026-9697"
instance="gaeko-ui"
job="npm_audit"
package="undici"
patched_versions=">=7.28.0"
recommendation="Upgrade to version 7.28.0 or later"
severity="high"
title="undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent"
url="https://github.com/advisories/GHSA-vmh5-mc38-953g"
|
7.4
|
|
cve="CVE-2026-9679"
instance="gaeko-ui"
job="npm_audit"
package="undici"
patched_versions=">=7.28.0"
recommendation="Upgrade to version 7.28.0 or later"
severity="moderate"
title="undici vulnerable to HTTP header injection via Set-Cookie percent-decoding"
url="https://github.com/advisories/GHSA-p88m-4jfj-68fv"
|
5.9
|
|
cve="CVE-2026-12151"
instance="gaeko-ui"
job="npm_audit"
package="undici"
patched_versions=">=7.28.0"
recommendation="Upgrade to version 7.28.0 or later"
severity="high"
title="undici WebSocket client vulnerable to denial of service via fragment count bypass"
url="https://github.com/advisories/GHSA-vxpw-j846-p89q"
|
7.5
|
|
cve="CVE-2026-6734"
instance="gaeko-ui"
job="npm_audit"
package="undici"
patched_versions=">=7.28.0"
recommendation="Upgrade to version 7.28.0 or later"
severity="high"
title="undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse"
url="https://github.com/advisories/GHSA-hm92-r4w5-c3mj"
|
7.5
|
|
cve="CVE-2026-6733"
instance="gaeko-ui"
job="npm_audit"
package="undici"
patched_versions=">=7.28.0"
recommendation="Upgrade to version 7.28.0 or later"
severity="low"
title="undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse"
url="https://github.com/advisories/GHSA-35p6-xmwp-9g52"
|
3.7
|
|
cve="CVE-2026-11525"
instance="gaeko-ui"
job="npm_audit"
package="undici"
patched_versions=">=7.28.0"
recommendation="Upgrade to version 7.28.0 or later"
severity="low"
title="undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching"
url="https://github.com/advisories/GHSA-g8m3-5g58-fq7m"
|
3.7
|
|
cve="CVE-2026-55849"
instance="gaeko-ui"
job="npm_audit"
package="@cyclonedx/cyclonedx-npm"
patched_versions=">=5.0.0"
recommendation="Upgrade to version 5.0.0 or later"
severity="high"
title="@cyclonedx/cyclonedx-npm: Shell Injection via Unsanitized --workspace Argument"
url="https://github.com/advisories/GHSA-v75r-vx73-82pj"
|
0
|
|
cve="CVE-2026-9678"
instance="gaeko-ui"
job="npm_audit"
package="undici"
patched_versions=">=7.28.0"
recommendation="Upgrade to version 7.28.0 or later"
severity="moderate"
title="undici vulnerable to cross-user information disclosure via shared cache whitespace bypass"
url="https://github.com/advisories/GHSA-pr7r-676h-xcf6"
|
5.9
|