CVE - zero redgem

Recent Advisories

Severity	ID	Title	Vendor	Product	Date	Type
MEDIUM 6.9	CVE-2026-47739	Frappe: Stored XSS in Note_CVE-2026-47739 Frappe is a full-stack web application framework. Prior to versions 15.106.0 and 16.16.0, stored XSS in Note was possible due to lack of sanitizati...	frappe	frappe < 15.106.0	Jun 12, 2026	CVE
MEDIUM 5.3	CVE-2026-47244	Netty HTTP/2: Advertised MAX_CONCURRENT_STREAMS are not enforced_CVE-2026-47244 Netty is a network application framework for development of protocol servers and clients. Prior to versions 4.1.135.Final and 4.2.15.Final, Default...	netty	netty >= 4.2.0.Final, < 4.2.15.Final	Jun 12, 2026	CVE
CRITICAL 9.8	CVE-2026-47210	vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass_CVE-2026-47210 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, a sandbox escape vulnerability in vm2 allows arbitrary code execution in the...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE
HIGH 8.6	CVE-2026-47209	vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain_CVE-2026-47209 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the BaseHandler.set trap in bridge.js (line 1231) ignores the receiver param...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE
CRITICAL 10	CVE-2026-47208	vm2: Sandbox Breakout Using Promise Species_CVE-2026-47208 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, VM2 suffers from a sandbox breakout vulnerability. This allows attackers to ...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE
MEDIUM 6.9	CVE-2026-47141	vm2: NodeVM observability builtins leak host process and HTTP request data_CVE-2026-47141 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM exposes some process-wide observability builtins when they are allowe...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE
CRITICAL 10	CVE-2026-47140	vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution_CVE-2026-47140 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM blocks several dangerous Node.js builtins such as module, worker_thre...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE
HIGH 8.6	CVE-2026-47139	vm2: NodeVM network builtin exclusions bypass via internal _http_client and _http_server_CVE-2026-47139 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, NodeVM supports excluding public network builtins from the wildcard builtin ...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE
CRITICAL 10	CVE-2026-47137	vm2: GHSA-8hg8-63c5-gwmx patch bypass: nesting:true without explicit require still allows full RCE_CVE-2026-47137 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, the fix for GHSA-8hg8-63c5-gwmx (CVE-2023-37903) introduced a check in nodev...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE
HIGH 8.7	CVE-2026-47135	vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks_CVE-2026-47135 vm2 is an open source vm/sandbox for Node.js. Prior to version 3.11.4, Symbol.for override in setup-sandbox.js only intercepts 2 of 9 dangerous Nod...	patriksimek	vm2 < 3.11.4	Jun 12, 2026	CVE