CVE-2024-10491
- EPSS 0.1%
- Published 29.10.2024 17:15:03
- Last modified 06.11.2024 23:08:49
A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can al...
CVE-2024-43796
- EPSS 0.06%
- Published 10.09.2024 15:15:17
- Last modified 20.09.2024 16:07:47
Express.js is a minimalist web framework for Node. In Express < 4.20.0, passing untrusted user input - even after sanitizing it - to response.redirect() may execute untrusted code. This issue is patched in Express 4.20.0.
CVE-2022-24999
- EPSS 3.12%
- Published 26.11.2022 22:15:10
- Last modified 29.04.2025 14:15:20
qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an `__proto__` key can be used. In many typical Express use cases, an unauthenticated remote attack...
CVE-2014-6393
- EPSS 0.29%
- Published 09.08.2017 18:29:00
- Last modified 20.04.2025 01:37:25
The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters...