#js

Users of the "@adonisjs/bodyparser" npm package are being advised to update to the latest version following the disclosure of a critical security vulnerability that, if successfully exploited, could allow a remote attacker to write arbitrary files on the server. Tracked as CVE-2026-21440 (CVSS score: 9.2), the flaw has been described as a path traversal issue affecting the AdonisJS multipart

### Impact For sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the [public API](https://vega.github.io/vega/docs/expressions/)) could be used to run unintentional javascript (XSS). ### Patches Fixed in vega-functions `6.1.1` ### Workarounds There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in [CSP safe mode](https://vega.github.io/vega/usage/interpreter/) does not prevent this issue. ### Exploit Proof of Concept Vega's expression `modify()` [function](https://github.com/vega/vega/blob/d8add5819346e5af597d82ef8253742acc0283ba/packages/vega-functions/src/functions/modify.js#L40), used by setdata, allows attacker to control both the method called and the values supplied, which results to XSS . This was a previous POC: ```json { "$schema": "https://vega.github.io/schema/vega/v6.json", "data": [ { "name": "table", "values": [ {"category": "A", "amount": 2...

## Impact Applications meeting these two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" [expressionInterpreter](https://vega.github.io/vega/usage/interpreter/) is used. 1. Use `vega` in an application that attaches both `vega` library and a `vega.View` instance similar to the Vega [Editor](https://github.com/vega/editor) to the global `window`, or has any other satisfactory function gadgets in the global scope 2. Allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code) ## Patches - With Vega v6, use `vega-selections@6.1.2` (requires ESM) - With Vega v5, use `vega-selections@5.6.3` (No ESM needed) ## Workarounds - Do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do [here](https://github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/components/renderer/renderer.tsx#L239) . This is a development-only debugging practice that should n...

### Impact The primary impact is allowing users to fetch data from a remote URL. This data can be then injected into Spinnaker pipelines via helm or other methods to extract things LIKE idmsv1 authentication data. This ALSO includes calling INTERNAL Spinnaker API's via a get and similar endpoints. Further, depending upon the artifact configuration, auth data may be exposed to arbitrary endpoints (e.g. GitHub auth headers) leading to credentials exposure. To trigger this, a Spinnaker installation MUST have: * An artifact enabled that allows user input. This includes GitHub file artifacts, BitBucket, GitLab, HTTP artifacts and similar artifact providers. JUST enabling the http artifact provider will add a "no-auth" http provider that could be used to extract link local data (e.g. AWS Metadata information). * A system that can consume the output of these artifacts. E.g. Rosco helm can use this to fetch values data. K8s account manifests if the API returns JSON can be used to in...

Anthropic's MCP TypeScript SDK versions up to and including 1.25.1 contain a regular expression denial of service (ReDoS) vulnerability in the UriTemplate class when processing RFC 6570 exploded array patterns. The dynamically generated regular expression used during URI matching contains nested quantifiers that can trigger catastrophic backtracking on specially crafted inputs, resulting in excessive CPU consumption. An attacker can exploit this by supplying a malicious URI that causes the Node.js process to become unresponsive, leading to a denial of service.

Note that attackers must have administrator access to the Craft Control Panel for this to work. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Resources: https://github.com/craftcms/cms/commit/6e608a1a5bfb36943f94f584b7548ca542a86fef https://github.com/craftcms/cms/commit/27f55886098b56c00ddc53b69239c9c9192252c7 https://github.com/craftcms/cms/commit/ec43c497edde0b2bf2e39a119cded2e55f9fe593 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 ### Summary This was reported as a vulnerability in Yii framework on August 7th (https://github.com/yiisoft/yii2/security/advisories/GHSA-gcmh-9pjj-7fp4). The Yii framework team denies responsibility for this (placing the onus on application developers) and hence has not (and seemingly will not) provide a fix at the framework level. Hence, I am reporting this to Craft as I found it to affect the latest (`5.6.0`) version of Craft CMS. Leveraging a legitimate but maliciously crafte...

Unauthenticated users can trigger database backup operations via specific admin actions, potentially leading to resource exhaustion or information disclosure. Users should update to the patched versions (5.8.21 and 4.16.17) to mitigate the issue. Craft 3 users should update to the latest Craft 4 and 5 releases, which include the fixes. Resources: https://github.com/craftcms/cms/commit/f83d4e0c6b906743206b4747db4abf8164b8da39 https://github.com/craftcms/cms/blob/5.x/CHANGELOG.md#5821---2025-12-04 ## Affected Endpoints - `POST /admin/actions/app/migrate` (unauthenticated) - `POST /admin/actions/updater/backup` ## Vulnerability Details ### Root Cause Certain admin actions are explicitly configured with anonymous access: ```php // AppController.php protected array|bool|int $allowAnonymous = [ 'migrate' => self::ALLOW_ANONYMOUS_LIVE | self::ALLOW_ANONYMOUS_OFFLINE, // ... ]; // BaseUpdaterController.php protected array|bool|int $allowAnonymous = self::ALLOW_ANONYMOUS_L...

### Impact User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node process is running in. The file contents are included verbatim in the generated PDFs. Other affected methods are: `addImage`, `html`, `addFont`. Only the node.js builds of the library are affected, namely the `dist/jspdf.node.js` and `dist/jspdf.node.min.js` files. Example attack vector: ```js import { jsPDF } from "./dist/jspdf.node.js"; const doc = new jsPDF(); doc.addImage("./secret.txt", "JPEG", 0, 0, 10, 10); doc.save("test.pdf"); // the generated PDF will contain the "secret.txt" file ``` ### Patches The vulnerability has been fixed in jsPDF@4.0.0. This version restricts file system access per default. This semver-major update does not introduce other breaking changes. ### Workaro...

Recent attacks are targeting Next.js servers and pose a significant threat of cryptomining, botnet payloads, and other malicious activity to IoT networks and enterprises.

The year opened without a reset. The same pressure carried over, and in some places it tightened. Systems people assume are boring or stable are showing up in the wrong places. Attacks moved quietly, reused familiar paths, and kept working longer than anyone wants to admit. This week’s stories share one pattern. Nothing flashy. No single moment. Just steady abuse of trust — updates, extensions,