Trivy Scan Report
Report Information
| Generated At | 2026-05-27T03:34:40.447672-07:00 |
|---|---|
| --input | ./input/trivy-report-cadenzaflow-v1.2.0.json |
| --output | output/trivy-report-cadenzaflow-v1.2.0.html |
Vulnerability Summary
| Severity | Count |
|---|---|
| CRITICAL | 6 |
| HIGH | 16 |
| MEDIUM | 21 |
| LOW | 7 |
Vulnerabilities
| Severity | CVE | Package | Installed | Fixed | Target | Title |
|---|---|---|---|---|---|---|
| CRITICAL | CVE-2026-41293 | org.apache.tomcat:tomcat | 10.1.54 | 9.0.118, 10.1.55, 11.0.22 | distro/tomcat/assembly/pom.xml | Improper Input Validation vulnerability in Apache Tomcat. This issue ... |
| CRITICAL | CVE-2026-43512 | org.apache.tomcat:tomcat | 10.1.54 | 9.0.118, 10.1.55, 11.0.22 | distro/tomcat/assembly/pom.xml | DEPRECATED: Authentication Bypass Issues vulnerability in digest authe ... |
| CRITICAL | CVE-2026-43515 | org.apache.tomcat:tomcat | 10.1.54 | 9.0.118, 10.1.55, 11.0.22 | distro/tomcat/assembly/pom.xml | Improper Authorization vulnerability when multiple method constraints ... |
| CRITICAL | CVE-2026-25896 | fast-xml-parser | 4.5.3 | 5.3.5, 4.5.4 | engine-rest/docs/package-lock.json | fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling |
| CRITICAL | CVE-2016-1000027 | org.springframework:spring-web | 5.3.39 | 6.0.0 | qa/integration-tests-engine/pom.xml | spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization |
| CRITICAL | CVE-2019-10202 | org.codehaus.jackson:jackson-mapper-asl | 1.9.13 | | qa/performance-tests-engine/pom.xml | codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities |
| HIGH | CVE-2026-41284 | org.apache.tomcat:tomcat | 10.1.54 | 9.0.118, 10.1.55, 11.0.22 | distro/tomcat/assembly/pom.xml | Allocation of Resources Without Limits or Throttling vulnerability in ... |
| HIGH | CVE-2026-42498 | org.apache.tomcat:tomcat | 10.1.54 | 9.0.118, 10.1.55, 11.0.22 | distro/tomcat/assembly/pom.xml | Exposure of HTTP Authentication Header to unexpected hosts during WebS ... |
| HIGH | CVE-2026-43513 | org.apache.tomcat:tomcat | 10.1.54 | 9.0.118, 10.1.55, 11.0.22 | distro/tomcat/assembly/pom.xml | Improper Handling of Case Sensitivity vulnerability in LockOutRealm in ... |
| HIGH | CVE-2026-26278 | fast-xml-parser | 4.5.3 | 4.5.4, 5.3.6 | engine-rest/docs/package-lock.json | fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion |
| HIGH | CVE-2026-33036 | fast-xml-parser | 4.5.3 | 5.5.6, 4.5.5 | engine-rest/docs/package-lock.json | fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass |
| HIGH | CVE-2026-26996 | minimatch | 5.1.6 | 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 | engine-rest/docs/package-lock.json | minimatch: minimatch: Denial of Service via specially crafted glob patterns |
| HIGH | CVE-2026-27903 | minimatch | 5.1.6 | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 | engine-rest/docs/package-lock.json | minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns |
| HIGH | CVE-2026-27904 | minimatch | 5.1.6 | 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 | engine-rest/docs/package-lock.json | minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions |
| HIGH | CVE-2019-10172 | org.codehaus.jackson:jackson-mapper-asl | 1.9.13 | | qa/performance-tests-engine/pom.xml | jackson-mapper-asl: XML external entity similar to CVE-2016-3720 |
| HIGH | CVE-2026-42198 | org.postgresql:postgresql | 42.5.5 | 42.7.11 | qa/tomcat-runtime/pom.xml | jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication |
| HIGH | CVE-2026-42198 | org.postgresql:postgresql | 42.5.5 | 42.7.11 | qa/tomcat9-runtime/pom.xml | jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication |
| HIGH | CVE-2026-42198 | org.postgresql:postgresql | 42.5.5 | 42.7.11 | qa/wildfly-runtime/pom.xml | jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication |
| HIGH | CVE-2026-42198 | org.postgresql:postgresql | 42.5.5 | 42.7.11 | qa/wildfly26-runtime/pom.xml | jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication |
| HIGH | CVE-2024-21490 | angular | 1.8.2 | | webapps/frontend/package-lock.json | This affects versions of the package angular from 1.3.0. A regular exp ... |
| HIGH | CVE-2026-44665 | fast-xml-builder | 1.0.0 | 1.1.7 | webapps/frontend/package-lock.json | fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content manipulation |
| HIGH | CVE-2026-33036 | fast-xml-parser | 5.4.2 | 5.5.6, 4.5.5 | webapps/frontend/package-lock.json | fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass |
| MEDIUM | CVE-2026-33750 | brace-expansion | 2.0.1 | 5.0.5, 3.0.2, 2.0.3, 1.1.13 | engine-rest/docs/package-lock.json | brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern |
| MEDIUM | CVE-2026-33349 | fast-xml-parser | 4.5.3 | 4.5.5, 5.5.7 | engine-rest/docs/package-lock.json | fast-xml-parser: fast-xml-parser: Denial of Service via unbounded entity expansion due to incorrect configuration limit handling |
| MEDIUM | CVE-2026-41650 | fast-xml-parser | 4.5.3 | 5.7.0 | engine-rest/docs/package-lock.json | fast-xml-parser: fast-xml-parser: XML injection via improper escaping of comment and CDATA sequences |
| MEDIUM | CVE-2025-64718 | js-yaml | 4.1.0 | 4.1.1, 3.14.2 | engine-rest/docs/package-lock.json | js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1. ... |
| MEDIUM | CVE-2026-41305 | postcss | 8.4.49 | 8.5.10 | engine-rest/docs/package-lock.json | postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags |
| MEDIUM | CVE-2026-33532 | yaml | 1.10.2 | 2.8.3, 1.10.3 | engine-rest/docs/package-lock.json | yaml: yaml: Denial of Service via deeply nested YAML document parsing |
| MEDIUM | CVE-2025-48924 | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | engine-rest/engine-rest-openapi-generator/pom.xml | Uncontrolled Recursion vulnerability in Apache Commons Lang. This iss ... |
| MEDIUM | CVE-2025-48924 | org.apache.commons:commons-lang3 | 3.12.0 | 3.18.0 | engine-rest/pom.xml | Uncontrolled Recursion vulnerability in Apache Commons Lang. This iss ... |
| MEDIUM | CVE-2024-38820 | org.springframework:spring-context | 5.3.39 | 6.1.14 | qa/integration-tests-engine/pom.xml | The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder ... |
| MEDIUM | CVE-2024-38820 | org.springframework:spring-web | 5.3.39 | 6.1.14 | qa/integration-tests-engine/pom.xml | The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder ... |
| MEDIUM | CVE-2022-25844 | angular | 1.8.2 | | webapps/frontend/package-lock.json | angular: Regular Expression Denial of Service (ReDoS) in angular |
| MEDIUM | CVE-2022-25869 | angular | 1.8.2 | | webapps/frontend/package-lock.json | angularjs: Angular Cross-site Scripting (XSS) |
| MEDIUM | CVE-2023-26116 | angular | 1.8.2 | | webapps/frontend/package-lock.json | angularjs: Regular Expression Denial of Service via angular.copy() |
| MEDIUM | CVE-2023-26117 | angular | 1.8.2 | | webapps/frontend/package-lock.json | angularjs: Regular expression denial of service via the $resource service |
| MEDIUM | CVE-2023-26118 | angular | 1.8.2 | | webapps/frontend/package-lock.json | angularjs: Regular Expression Denial of Service via the <input type="url"> element |
| MEDIUM | CVE-2025-2336 | angular-sanitize | 1.8.2 | | webapps/frontend/package-lock.json | Improper sanitization of the value of the 'href' and 'xlink:href' attr ... |
| MEDIUM | CVE-2024-6485 | bootstrap | 3.4.1 | | webapps/frontend/package-lock.json | A security vulnerability has been discovered in bootstrap that could e ... |
| MEDIUM | CVE-2025-1647 | bootstrap | 3.4.1 | | webapps/frontend/package-lock.json | Improper Neutralization of Input During Web Page Generation (XSS or 'C ... |
| MEDIUM | CVE-2026-33349 | fast-xml-parser | 5.4.2 | 4.5.5, 5.5.7 | webapps/frontend/package-lock.json | fast-xml-parser: fast-xml-parser: Denial of Service via unbounded entity expansion due to incorrect configuration limit handling |
| MEDIUM | CVE-2026-41650 | fast-xml-parser | 5.4.2 | 5.7.0 | webapps/frontend/package-lock.json | fast-xml-parser: fast-xml-parser: XML injection via improper escaping of comment and CDATA sequences |
| MEDIUM | CVE-2026-8723 | qs | 6.15.0 | 6.15.2 | webapps/frontend/package-lock.json | Summary: `qs.stringify` throws `TypeError` when called with `arr ... |
| LOW | CVE-2026-43514 | org.apache.tomcat:tomcat | 10.1.54 | 9.0.118, 10.1.55, 11.0.22 | distro/tomcat/assembly/pom.xml | Observable Timing Discrepancy vulnerability when comparing AJP secret i ... |
| LOW | CVE-2025-5889 | brace-expansion | 2.0.1 | 2.0.2, 1.1.12, 3.0.1, 4.0.1 | engine-rest/docs/package-lock.json | A vulnerability was found in juliangruber brace-expansion up to 1.1.11 ... |
| LOW | CVE-2026-27942 | fast-xml-parser | 4.5.3 | 5.3.8, 4.5.4 | engine-rest/docs/package-lock.json | fast-xml-parser: fast-xml-parser: Stack overflow leads to Denial of Service |
| LOW | CVE-2025-22233 | org.springframework:spring-context | 5.3.39 | 6.2.7, 6.1.20 | qa/integration-tests-engine/pom.xml | CVE-2024-38820 ensured Locale-independent, lowercase conversion for bo ... |
| LOW | CVE-2024-8372 | angular | 1.8.2 | | webapps/frontend/package-lock.json | Improper sanitization of the value of the 'srcset' attribute in Angula ... |
| LOW | CVE-2024-8373 | angular | 1.8.2 | | webapps/frontend/package-lock.json | Improper sanitization of the value of the [srcset] attribute in <sourc ... |
| LOW | CVE-2025-0716 | angular | 1.8.2 | | webapps/frontend/package-lock.json | Improper sanitization of the value of the 'href' and 'xlink:href' attr ... |
Detailed Descriptions
CVE-2026-41293 - org.apache.tomcat:tomcat
Severity: CRITICAL
Installed Version: 10.1.54
Fixed Version: 9.0.118, 10.1.55, 11.0.22
Target: distro/tomcat/assembly/pom.xml
Title: Improper Input Validation vulnerability in Apache Tomcat. This issue ...
Description:
Improper Input Validation vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27.
Older, end of support versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Reference: https://avd.aquasec.com/nvd/cve-2026-41293
CVE-2026-43512 - org.apache.tomcat:tomcat
Severity: CRITICAL
Installed Version: 10.1.54
Fixed Version: 9.0.118, 10.1.55, 11.0.22
Target: distro/tomcat/assembly/pom.xml
Title: DEPRECATED: Authentication Bypass Issues vulnerability in digest authe ...
Description:
DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0.
Older unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Reference: https://avd.aquasec.com/nvd/cve-2026-43512
CVE-2026-43515 - org.apache.tomcat:tomcat
Severity: CRITICAL
Installed Version: 10.1.54
Fixed Version: 9.0.118, 10.1.55, 11.0.22
Target: distro/tomcat/assembly/pom.xml
Title: Improper Authorization vulnerability when multiple method constraints ...
Description:
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Reference: https://avd.aquasec.com/nvd/cve-2026-43515
CVE-2026-25896 - fast-xml-parser
Severity: CRITICAL
Installed Version: 4.5.3
Fixed Version: 5.3.5, 4.5.4
Target: engine-rest/docs/package-lock.json
Title: fast-xml-parser: fast-xml-parser: Cross-Site Scripting (XSS) due to improper DOCTYPE entity handling
Description:
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. From 4.1.3 to before 5.3.5, a dot (.) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (<, >, &, ", ') with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered. This vulnerability is fixed in 5.3.5.
Reference: https://avd.aquasec.com/nvd/cve-2026-25896
CVE-2016-1000027 - org.springframework:spring-web
Severity: CRITICAL
Installed Version: 5.3.39
Fixed Version: 6.0.0
Target: qa/integration-tests-engine/pom.xml
Title: spring: HttpInvokerServiceExporter readRemoteInvocation method untrusted java deserialization
Description:
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Reference: https://avd.aquasec.com/nvd/cve-2016-1000027
CVE-2019-10202 - org.codehaus.jackson:jackson-mapper-asl
Severity: CRITICAL
Installed Version: 1.9.13
Fixed Version:
Target: qa/performance-tests-engine/pom.xml
Title: codehaus: incomplete fix for unsafe deserialization in jackson-databind vulnerabilities
Description:
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Reference: https://avd.aquasec.com/nvd/cve-2019-10202
CVE-2026-41284 - org.apache.tomcat:tomcat
Severity: HIGH
Installed Version: 10.1.54
Fixed Version: 9.0.118, 10.1.55, 11.0.22
Target: distro/tomcat/assembly/pom.xml
Title: Allocation of Resources Without Limits or Throttling vulnerability in ...
Description:
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117.
Older, unsupported versions may also be affected.
Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
Reference: https://avd.aquasec.com/nvd/cve-2026-41284
CVE-2026-42498 - org.apache.tomcat:tomcat
Severity: HIGH
Installed Version: 10.1.54
Fixed Version: 9.0.118, 10.1.55, 11.0.22
Target: distro/tomcat/assembly/pom.xml
Title: Exposure of HTTP Authentication Header to unexpected hosts during WebS ...
Description:
Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
Reference: https://avd.aquasec.com/nvd/cve-2026-42498
CVE-2026-43513 - org.apache.tomcat:tomcat
Severity: HIGH
Installed Version: 10.1.54
Fixed Version: 9.0.118, 10.1.55, 11.0.22
Target: distro/tomcat/assembly/pom.xml
Title: Improper Handling of Case Sensitivity vulnerability in LockOutRealm in ...
Description:
Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Older unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Reference: https://avd.aquasec.com/nvd/cve-2026-43513
CVE-2026-26278 - fast-xml-parser
Severity: HIGH
Installed Version: 4.5.3
Fixed Version: 4.5.4, 5.3.6
Target: engine-rest/docs/package-lock.json
Title: fast-xml-parser: fast-xml-parser: Denial of Service via unlimited XML entity expansion
Description:
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.1.3 through 5.3.5, the XML parser can be forced to do an unlimited amount of entity expansion. With a very small XML input, it’s possible to make the parser spend seconds or even minutes processing a single request, effectively freezing the application. Version 5.3.6 fixes the issue. As a workaround, avoid using DOCTYPE parsing by `processEntities: false` option.
Reference: https://avd.aquasec.com/nvd/cve-2026-26278
CVE-2026-33036 - fast-xml-parser
Severity: HIGH
Installed Version: 4.5.3
Fixed Version: 5.5.6, 4.5.5
Target: engine-rest/docs/package-lock.json
Title: fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass
Description:
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
Reference: https://avd.aquasec.com/nvd/cve-2026-33036
CVE-2026-26996 - minimatch
Severity: HIGH
Installed Version: 5.1.6
Fixed Version: 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3
Target: engine-rest/docs/package-lock.json
Title: minimatch: minimatch: Denial of Service via specially crafted glob patterns
Description:
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions 10.2.0 and below are vulnerable to Regular Expression Denial of Service (ReDoS) when a glob pattern contains many consecutive * wildcards followed by a literal character that doesn't appear in the test string. Each * compiles to a separate [^/]*? regex group, and when the match fails, V8's regex engine backtracks exponentially across all possible splits. The time complexity is O(4^N) where N is the number of * characters. With N=15, a single minimatch() call takes ~2 seconds. With N=34, it hangs effectively forever. Any application that passes user-controlled strings to minimatch() as the pattern argument is vulnerable to DoS. This issue has been fixed in version 10.2.1.
Reference: https://avd.aquasec.com/nvd/cve-2026-26996
CVE-2026-27903 - minimatch
Severity: HIGH
Installed Version: 5.1.6
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3
Target: engine-rest/docs/package-lock.json
Title: minimatch: minimatch: Denial of Service due to unbounded recursive backtracking via crafted glob patterns
Description:
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3, `matchOne()` performs unbounded recursive backtracking when a glob pattern contains multiple non-adjacent `**` (GLOBSTAR) segments and the input path does not match. The time complexity is O(C(n, k)) -- binomial -- where `n` is the number of path segments and `k` is the number of globstars. With k=11 and n=30, a call to the default `minimatch()` API stalls for roughly 5 seconds. With k=13, it exceeds 15 seconds. No memoization or call budget exists to bound this behavior. Any application where an attacker can influence the glob pattern passed to `minimatch()` is vulnerable. The realistic attack surface includes build tools and task runners that accept user-supplied glob arguments (ESLint, Webpack, Rollup config), multi-tenant systems where one tenant configures glob-based rules that run in a shared process, admin or developer interfaces that accept ignore-rule or filter configuration as globs, and CI/CD pipelines that evaluate user-submitted config files containing glob patterns. An attacker who can place a crafted pattern into any of these paths can stall the Node.js event loop for tens of seconds per invocation. The pattern is 56 bytes for a 5-second stall and does not require authentication in contexts where pattern input is part of the feature. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.3 fix the issue.
Reference: https://avd.aquasec.com/nvd/cve-2026-27903
CVE-2026-27904 - minimatch
Severity: HIGH
Installed Version: 5.1.6
Fixed Version: 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4
Target: engine-rest/docs/package-lock.json
Title: minimatch: Minimatch: Denial of Service via catastrophic backtracking in glob expressions
Description:
minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Prior to version 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4, nested `*()` extglobs produce regexps with nested unbounded quantifiers (e.g. `(?:(?:a|b)*)*`), which exhibit catastrophic backtracking in V8. With a 12-byte pattern `*(*(*(a|b)))` and an 18-byte non-matching input, `minimatch()` stalls for over 7 seconds. Adding a single nesting level or a few input characters pushes this to minutes. This is the most severe finding: it is triggered by the default `minimatch()` API with no special options, and the minimum viable pattern is only 12 bytes. The same issue affects `+()` extglobs equally. Versions 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, and 3.1.4 fix the issue.
Reference: https://avd.aquasec.com/nvd/cve-2026-27904
CVE-2019-10172 - org.codehaus.jackson:jackson-mapper-asl
Severity: HIGH
Installed Version: 1.9.13
Fixed Version:
Target: qa/performance-tests-engine/pom.xml
Title: jackson-mapper-asl: XML external entity similar to CVE-2016-3720
Description:
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect codehaus jackson-mapper-asl libraries, but in different classes.
Reference: https://avd.aquasec.com/nvd/cve-2019-10172
CVE-2026-42198 - org.postgresql:postgresql
Severity: HIGH
Installed Version: 42.5.5
Fixed Version: 42.7.11
Target: qa/tomcat-runtime/pom.xml
Title: jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication
Description:
pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
Reference: https://avd.aquasec.com/nvd/cve-2026-42198
CVE-2026-42198 - org.postgresql:postgresql
Severity: HIGH
Installed Version: 42.5.5
Fixed Version: 42.7.11
Target: qa/tomcat9-runtime/pom.xml
Title: jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication
Description:
pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
Reference: https://avd.aquasec.com/nvd/cve-2026-42198
CVE-2026-42198 - org.postgresql:postgresql
Severity: HIGH
Installed Version: 42.5.5
Fixed Version: 42.7.11
Target: qa/wildfly-runtime/pom.xml
Title: jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication
Description:
pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
Reference: https://avd.aquasec.com/nvd/cve-2026-42198
CVE-2026-42198 - org.postgresql:postgresql
Severity: HIGH
Installed Version: 42.5.5
Fixed Version: 42.7.11
Target: qa/wildfly26-runtime/pom.xml
Title: jdbc.postgresql.org: pgjdbc: Client-side Denial of Service via malicious SCRAM-SHA-256 authentication
Description:
pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very large iteration count. With a large enough value, the client spends an unbounded amount of CPU time inside PBKDF2 before authentication can fail. A single attempt ties up a CPU core. Repeated or concurrent attempts exhaust client CPU and can wedge connection pools. In affected versions, loginTimeout did not fully mitigate this problem. When loginTimeout expired, the caller could stop waiting, but the worker thread performing the connection attempt could continue running and burning CPU inside the SCRAM PBKDF2 computation. This issue has been patched in version 42.7.11.
Reference: https://avd.aquasec.com/nvd/cve-2026-42198
CVE-2024-21490 - angular
Severity: HIGH
Installed Version: 1.8.2
Fixed Version:
Target: webapps/frontend/package-lock.json
Title: This affects versions of the package angular from 1.3.0. A regular exp ...
Description:
This affects versions of the package angular from 1.3.0. A regular expression used to split the value of the ng-srcset directive is vulnerable to super-linear runtime due to backtracking. With large carefully-crafted input, this can result in catastrophic backtracking and cause a denial of service.
**Note:**
This package is EOL and will not receive any updates to address this issue. Users should migrate to [@angular/core](https://www.npmjs.com/package/@angular/core).
Reference: https://avd.aquasec.com/nvd/cve-2024-21490
CVE-2026-44665 - fast-xml-builder
Severity: HIGH
Installed Version: 1.0.0
Fixed Version: 1.1.7
Target: webapps/frontend/package-lock.json
Title: fast-xml-builder: fast-xml-builder: Attribute injection leading to information disclosure or content manipulation
Description:
fast-xml-builder builds XML from JSON. Prior to 1.1.7, when an input data has quotes in attribute values but process entities is not enabled, it breaks the attribute value into multiple attributes. This gives the room for an attacker to insert unwanted attributes to the XML/HTML. This vulnerability is fixed in 1.1.7.
Reference: https://avd.aquasec.com/nvd/cve-2026-44665
CVE-2026-33036 - fast-xml-parser
Severity: HIGH
Installed Version: 5.4.2
Fixed Version: 5.5.6, 4.5.5
Target: webapps/frontend/package-lock.json
Title: fast-xml-parser: fast-xml-parser: Denial of Service via XML entity expansion bypass
Description:
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
Reference: https://avd.aquasec.com/nvd/cve-2026-33036
CVE-2026-33750 - brace-expansion
Severity: MEDIUM
Installed Version: 2.0.1
Fixed Version: 5.0.5, 3.0.2, 2.0.3, 1.1.13
Target: engine-rest/docs/package-lock.json
Title: brace-expansion: brace-expansion: Denial of Service via zero step value in brace pattern
Description:
The brace-expansion library generates arbitrary strings containing a common prefix and suffix. Prior to versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13, a brace pattern with a zero step value (e.g., `{1..2..0}`) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. Versions 5.0.5, 3.0.2, 2.0.3, and 1.1.13 fix the issue. As a workaround, sanitize strings passed to `expand()` to ensure a step value of `0` is not used.
Reference: https://avd.aquasec.com/nvd/cve-2026-33750
CVE-2026-33349 - fast-xml-parser
Severity: MEDIUM
Installed Version: 4.5.3
Fixed Version: 4.5.5, 5.5.7
Target: engine-rest/docs/package-lock.json
Title: fast-xml-parser: fast-xml-parser: Denial of Service via unbounded entity expansion due to incorrect configuration limit handling
Description:
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
Reference: https://avd.aquasec.com/nvd/cve-2026-33349
CVE-2026-41650 - fast-xml-parser
Severity: MEDIUM
Installed Version: 4.5.3
Fixed Version: 5.7.0
Target: engine-rest/docs/package-lock.json
Title: fast-xml-parser: fast-xml-parser: XML injection via improper escaping of comment and CDATA sequences
Description:
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.
Reference: https://avd.aquasec.com/nvd/cve-2026-41650
CVE-2025-64718 - js-yaml
Severity: MEDIUM
Installed Version: 4.1.0
Fixed Version: 4.1.1, 3.14.2
Target: engine-rest/docs/package-lock.json
Title: js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1. ...
Description:
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
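The mechanism above comes down to how a parser assigns mapping keys. The following is an added example, not js-yaml's code: a toy mapping builder fed a constructed list of key/value pairs that stands in for parsed YAML entries, shown in the vulnerable shape and in two hardened shapes. All names are this example's own.

```javascript
// Added example, not js-yaml's code. Constructed stand-in for the mapping entries of a
// parsed document such as:   name: svc\n__proto__: { isAdmin: true }
const PAIRS = [['name', 'svc'], ['__proto__', { isAdmin: true }]];

// Vulnerable shape: `obj['__proto__'] = value` invokes the inherited __proto__ setter,
// replacing the object's prototype instead of creating an own property.
function buildNaive(pairs) {
  const obj = {};
  for (const [key, value] of pairs) obj[key] = value;
  return obj;
}

// Hardened 1: Object.defineProperty always creates an own property and never runs
// the setter, so "__proto__" becomes ordinary data.
function buildDefine(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    Object.defineProperty(obj, key, { value, enumerable: true, writable: true, configurable: true });
  }
  return obj;
}

// Hardened 2: refuse the keys that reach prototypes. "constructor" and "prototype"
// are included because deep-merge code commonly walks obj.constructor.prototype.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
function buildStrict(pairs) {
  const obj = {};
  for (const [key, value] of pairs) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to set key "${key}"`);
    obj[key] = value;
  }
  return obj;
}

// Reports whether a built object inherits `isAdmin` without owning it.
function inheritsIsAdmin(obj) {
  return obj.isAdmin === true && !Object.prototype.hasOwnProperty.call(obj, 'isAdmin');
}
```

`node --disable-proto=delete`, which the advisory recommends, removes the `Object.prototype.__proto__` accessor entirely; under that flag the naive loop creates an own property just as `buildDefine` does, while `Object.getPrototypeOf` and `Object.setPrototypeOf` keep working for code that needs them.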
Reference: https://avd.aquasec.com/nvd/cve-2025-64718
CVE-2026-41305 - postcss
Severity: MEDIUM
Installed Version: 8.4.49
Fixed Version: 8.5.10
Target: engine-rest/docs/package-lock.json
Title: postcss: PostCSS: Cross-Site Scripting (XSS) via improper escaping of style closing tags
Description:
PostCSS takes a CSS file and provides an API to analyze and modify its rules by transforming the rules into an Abstract Syntax Tree. Versions prior to 8.5.10 do not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS. Version 8.5.10 fixes the issue.
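The fast-xml-parser XMLBuilder issue above (CVE-2026-41650, `-->` in comments and `]]>` in CDATA) and this PostCSS issue (`</style>` in stringified CSS) are the same bug in three contexts: output is assembled by concatenation without escaping the sequence that ends the current context. The following is an added example, not XMLBuilder's or PostCSS's code; the three escapers and their approaches are this example's own.

```javascript
// Added example, not XMLBuilder's or PostCSS's code. Three context-aware escapers for
// the break-out sequences the two advisories name.

// CDATA: "]]>" cannot be escaped inside a section, so the section is closed just
// before it and a new one opened, splitting the terminator across two sections.
function cdata(text) {
  return '<![CDATA[' + String(text).split(']]>').join(']]]]><![CDATA[>') + ']]>';
}

// Comments: the XML grammar forbids "--" anywhere inside a comment (and "-->" ends
// it), so every hyphen that is followed by another gets a space, and a trailing
// hyphen gets one too so the comment cannot end in "--->".
function comment(text) {
  let body = String(text).replace(/-(?=-)/g, '- ');
  if (body.endsWith('-')) body += ' ';
  return '<!--' + body + '-->';
}

// <style>: the HTML tokenizer ends the style element at the first "</style" it sees,
// whatever the CSS around it says. Escaping the slash ("<\/") is a valid CSS string
// escape for "/", and the result no longer matches the end tag.
function styleElement(css) {
  return '<style>' + String(css).replace(/<\//g, '<\\/') + '</style>';
}

// Constructed attacker-controlled values, one per context.
const CDATA_PAYLOAD = 'x]]><evil/>y';
const COMMENT_PAYLOAD = 'a--><script>1</script>';
const CSS_PAYLOAD = ".t { content: '</style><script>alert(1)</script>' }";
```

A parser reading `cdata(CDATA_PAYLOAD)` sees two adjacent CDATA sections whose character data concatenates back to the original `x]]><evil/>y` as text, not markup; that round-trip is the property to assert in a builder's test suite.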
Reference: https://avd.aquasec.com/nvd/cve-2026-41305
CVE-2026-33532 - yaml
Severity: MEDIUM
Installed Version: 1.10.2
Fixed Version: 2.8.3, 1.10.3
Target: engine-rest/docs/package-lock.json
Title: yaml: yaml: Denial of Service via deeply nested YAML document parsing
Description:
`yaml` is a YAML parser and serialiser for JavaScript. Parsing a YAML document with a version of `yaml` on the 1.x branch prior to 1.10.3 or on the 2.x branch prior to 2.8.3 may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a `RangeError: Maximum call stack size exceeded` with a small payload (~2–10 KB). The `RangeError` is not a `YAMLParseError`, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending on the host application's exception handling, this can fail requests or terminate the Node.js process. Flow sequences allow deep nesting with minimal bytes (2 bytes per level: one `[` and one `]`). On the default Node.js stack, approximately 1,000–5,000 levels of nesting (2–10 KB input) exhaust the call stack. The exact threshold is environment-dependent (Node.js version, stack size, call stack depth at invocation). Note: the library's `Parser` (CST phase) uses a stack-based iterative approach and is not affected. Only the compose/resolve phase uses actual call-stack recursion. All three public parsing APIs are affected: `YAML.parse()`, `YAML.parseDocument()`, and `YAML.parseAllDocuments()`. Versions 1.10.3 and 2.8.3 contain a patch.
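The description makes two practical points: the payload is tiny, and the failure surfaces as a plain `RangeError` rather than a parser error. The following is an added example, not the yaml package's code: a pre-parse scan of flow-collection depth and a wrapper that converts a `RangeError` from the parser into an ordinary error. The parse function is injected so the block runs without the library; the usage below passes `JSON.parse`, since a flow-only document of brackets is also valid JSON. The 200-level default is this example's choice.

```javascript
// Added example, not the yaml package's code.
// Deepest nesting of flow collections ([...] / {...}) in a YAML text, ignoring
// brackets inside quoted scalars and comments.
function maxFlowDepth(text) {
  let depth = 0, max = 0, quote = null;
  for (let i = 0; i < text.length; i++) {
    const c = text[i];
    if (quote) {
      if (quote === '"' && c === '\\') { i++; continue; }   // skip the escaped char
      if (c === quote) quote = null;
      continue;
    }
    if (c === '"' || c === "'") { quote = c; continue; }
    if (c === '#' && (i === 0 || /\s/.test(text[i - 1]))) {  // comment runs to end of line
      while (i < text.length && text[i] !== '\n') i++;
      continue;
    }
    if (c === '[' || c === '{') { depth++; if (depth > max) max = depth; }
    else if (c === ']' || c === '}') { if (depth > 0) depth--; }
  }
  return max;
}

// Refuse over-deep documents before parsing, and report a stack overflow from the
// parser as a regular Error so callers that only expect parser errors do not meet
// an unexpected exception type.
function parseWithDepthLimit(text, parse, maxDepth = 200) {
  const depth = maxFlowDepth(text);
  if (depth > maxDepth) {
    throw new Error(`flow nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  try {
    return parse(text);
  } catch (e) {
    if (e instanceof RangeError) {
      throw new Error(`parser exhausted the call stack: ${e.message}`);
    }
    throw e;
  }
}

// Constructed 10 KB payload of the kind the advisory describes: 5,000 nested "[".
const DEEP_PAYLOAD = '['.repeat(5000) + ']'.repeat(5000);
```

With the real library the call is `parseWithDepthLimit(text, YAML.parse)`; the scan is linear in the input and runs before any allocation the parser would do, so it is cheap to put in front of every untrusted document.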
Reference: https://avd.aquasec.com/nvd/cve-2026-33532
CVE-2025-48924 - org.apache.commons:commons-lang3
Severity: MEDIUM
Installed Version: 3.12.0
Fixed Version: 3.18.0
Target: engine-rest/engine-rest-openapi-generator/pom.xml
Title: Uncontrolled Recursion vulnerability in Apache Commons Lang. This iss ...
Description:
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Reference: https://avd.aquasec.com/nvd/cve-2025-48924
CVE-2025-48924 - org.apache.commons:commons-lang3
Severity: MEDIUM
Installed Version: 3.12.0
Fixed Version: 3.18.0
Target: engine-rest/pom.xml
Title: Uncontrolled Recursion vulnerability in Apache Commons Lang. This iss ...
Description:
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Reference: https://avd.aquasec.com/nvd/cve-2025-48924
CVE-2024-38820 - org.springframework:spring-context
Severity: MEDIUM
Installed Version: 5.3.39
Fixed Version: 6.1.14
Target: qa/integration-tests-engine/pom.xml
Title: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder ...
Description:
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Reference: https://avd.aquasec.com/nvd/cve-2024-38820
CVE-2024-38820 - org.springframework:spring-web
Severity: MEDIUM
Installed Version: 5.3.39
Fixed Version: 6.1.14
Target: qa/integration-tests-engine/pom.xml
Title: The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder ...
Description:
The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive. However, String.toLowerCase() has some Locale dependent exceptions that could potentially result in fields not protected as expected.
Reference: https://avd.aquasec.com/nvd/cve-2024-38820
CVE-2022-25844 - angular
Severity: MEDIUM
Installed Version: 1.8.2
Fixed Version:
Target: webapps/frontend/package-lock.json
Title: angular: Regular Expression Denial of Service (ReDoS) in angular
Description:
The package angular after 1.7.0 is vulnerable to Regular Expression Denial of Service (ReDoS) by providing a custom locale rule that makes it possible to assign the parameter in posPre: ' '.repeat() of NUMBER_FORMATS.PATTERNS[1].posPre with a very high value. **Note:** 1) This package has been deprecated and is no longer maintained. 2) The vulnerable versions are 1.7.0 and higher.
Reference: https://avd.aquasec.com/nvd/cve-2022-25844
CVE-2022-25869 - angular
Severity: MEDIUM
Installed Version: 1.8.2
Fixed Version:
Target: webapps/frontend/package-lock.json
Title: angularjs: Angular Cross-site Scripting (XSS)
Description:
All versions of the package angular; all versions of the package angularjs.core; all versions of the package angularjs are vulnerable to Cross-site Scripting (XSS) due to insecure page caching in the Internet Explorer browser, which allows interpolation of <textarea> elements.
Reference: https://avd.aquasec.com/nvd/cve-2022-25869
CVE-2023-26116 - angular
Severity: MEDIUM
Installed Version: 1.8.2
Fixed Version:
Target: webapps/frontend/package-lock.json
Title: angularjs: Regular Expression Denial of Service via angular.copy()
Description:
Versions of the package angular from 1.2.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the angular.copy() utility function due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Reference: https://avd.aquasec.com/nvd/cve-2023-26116
CVE-2023-26117 - angular
Severity: MEDIUM
Installed Version: 1.8.2
Fixed Version:
Target: webapps/frontend/package-lock.json
Title: angularjs: Regular expression denial of service via the $resource service
Description:
Versions of the package angular from 1.0.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the $resource service due to the usage of an insecure regular expression. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Reference: https://avd.aquasec.com/nvd/cve-2023-26117
CVE-2023-26118 - angular
Severity: MEDIUM
Installed Version: 1.8.2
Fixed Version:
Target: webapps/frontend/package-lock.json
Title: angularjs: Regular Expression Denial of Service via the <input type="url"> element
Description:
Versions of the package angular from 1.4.9 are vulnerable to Regular Expression Denial of Service (ReDoS) via the <input type="url"> element due to the usage of an insecure regular expression in the input[url] functionality. Exploiting this vulnerability is possible by a large carefully-crafted input, which can result in catastrophic backtracking.
Reference: https://avd.aquasec.com/nvd/cve-2023-26118
CVE-2025-2336 - angular-sanitize
Severity: MEDIUM
Installed Version: 1.8.2
Fixed Version:
Target: webapps/frontend/package-lock.json
Title: Improper sanitization of the value of the 'href' and 'xlink:href' attr ...
Description:
Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS's 'ngSanitize' module allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing and also negatively affect the application's performance and behavior by using too large or slow-to-load images.
This issue affects AngularJS versions greater than or equal to 1.3.1.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
Reference: https://avd.aquasec.com/nvd/cve-2025-2336
CVE-2024-6485 - bootstrap
Severity: MEDIUM
Installed Version: 3.4.1
Fixed Version:
Target: webapps/frontend/package-lock.json
Title: A security vulnerability has been discovered in bootstrap that could e ...
Description:
A security vulnerability has been discovered in bootstrap that could enable Cross-Site Scripting (XSS) attacks. The vulnerability is associated with the data-loading-text attribute within the button plugin. This vulnerability can be exploited by injecting malicious JavaScript code into the attribute, which would then be executed when the button's loading state is triggered.
Reference: https://avd.aquasec.com/nvd/cve-2024-6485
CVE-2025-1647 - bootstrap
Severity: MEDIUM
Installed Version: 3.4.1
Fixed Version:
Target: webapps/frontend/package-lock.json
Title: Improper Neutralization of Input During Web Page Generation (XSS or 'C ...
Description:
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Bootstrap allows Cross-Site Scripting (XSS). This issue affects Bootstrap: from 3.4.1 before 4.0.0.
Reference: https://avd.aquasec.com/nvd/cve-2025-1647
CVE-2026-33349 - fast-xml-parser
Severity: MEDIUM
Installed Version: 5.4.2
Fixed Version: 4.5.5, 5.5.7
Target: webapps/frontend/package-lock.json
Title: fast-xml-parser: fast-xml-parser: Denial of Service via unbounded entity expansion due to incorrect configuration limit handling
Description:
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. From version 4.0.0-beta.3 to before version 5.5.7, the DocTypeReader in fast-xml-parser uses JavaScript truthy checks to evaluate maxEntityCount and maxEntitySize configuration limits. When a developer explicitly sets either limit to 0 — intending to disallow all entities or restrict entity size to zero bytes — the falsy nature of 0 in JavaScript causes the guard conditions to short-circuit, completely bypassing the limits. An attacker who can supply XML input to such an application can trigger unbounded entity expansion, leading to memory exhaustion and denial of service. This issue has been patched in version 5.5.7.
Reference: https://avd.aquasec.com/nvd/cve-2026-33349
CVE-2026-41650 - fast-xml-parser
Severity: MEDIUM
Installed Version: 5.4.2
Fixed Version: 5.7.0
Target: webapps/frontend/package-lock.json
Title: fast-xml-parser: fast-xml-parser: XML injection via improper escaping of comment and CDATA sequences
Description:
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Prior to version 5.7.0, XMLBuilder does not escape the "-->" sequence in comment content or the "]]>" sequence in CDATA sections when building XML from JavaScript objects. This allows XML injection when user-controlled data flows into comments or CDATA elements, leading to XSS, SOAP injection, or data manipulation. This issue has been patched in version 5.7.0.
Reference: https://avd.aquasec.com/nvd/cve-2026-41650
CVE-2026-8723 - qs
Severity: MEDIUM
Installed Version: 6.15.0
Fixed Version: 6.15.2
Target: webapps/frontend/package-lock.json
Title: ### Summary `qs.stringify` throws `TypeError` when called with `arr ...
Description:
### Summary
`qs.stringify` throws `TypeError` when called with `arrayFormat: 'comma'` and `encodeValuesOnly: true` on an array containing `null` or `undefined`. The throw is synchronous and not handled by any of qs's null-related options (`skipNulls`, `strictNullHandling`).
### Details
In the comma + `encodeValuesOnly` branch, `lib/stringify.js:145` mapped the array through the raw encoder before joining:
```js
obj = utils.maybeMap(obj, encoder);
```
`utils.encode` (`lib/utils.js:195`) reads `str.length` with no null guard, so a `null` or `undefined` element throws `TypeError`. `skipNulls` and `strictNullHandling` are both checked in the per-element loop below this line and never get a chance to run.
Same class of bug as the filter-array path fixed in 0c180a4. The vulnerable shape of the comma + `encodeValuesOnly` branch was introduced in 4c4b23d ("encode comma values more consistently", PR #463, 2023-01-19), first released in v6.11.1.
#### PoC
```js
const qs = require('qs');
qs.stringify({ a: [null, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
qs.stringify({ a: [undefined, 'b'] }, { arrayFormat: 'comma', encodeValuesOnly: true });
qs.stringify({ a: [null] }, { arrayFormat: 'comma', encodeValuesOnly: true });
// TypeError: Cannot read properties of null (reading 'length')
// at encode (lib/utils.js:195:13)
// at Object.maybeMap (lib/utils.js:322:37)
// at stringify (lib/stringify.js:145:25)
```
#### Fix
`lib/stringify.js:145`, applied in 21f80b3 on `main` and released as v6.15.2:
```diff
- obj = utils.maybeMap(obj, encoder);
+ obj = utils.maybeMap(obj, function (v) {
+ return v == null ? v : encoder(v);
+ });
```
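Review bot: with this callback, `null` and `undefined` elements now survive into the `join(',')` step, so a multi-element array such as `{ a: [null, 'b'] }` serialises as `a=,b` regardless of `skipNulls`, because (as the Details section states) `skipNulls` and `strictNullHandling` are only consulted in the per-element loop that runs after this line. If dropping such elements under `skipNulls` is the intended contract, filter before mapping, e.g. `obj = utils.maybeMap(skipNulls ? obj.filter(function (v) { return v != null; }) : obj, ...)`; otherwise the new `a=,b` output for this previously-throwing input deserves a changelog line and a test.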
`null` and `undefined` now pass through `maybeMap` unchanged and reach the `join(',')` step as-is. For `{ a: [null, 'b'] }` this produces `a=,b`, matching the non-`encodeValuesOnly` comma path (which already joins before encoding and produces `a=%2Cb` for the same input). Single-element `[null]` arrays still collapse via the existing `obj.join(',') || null` and remain subject to `skipNulls` / `strictNullHandling` in the main loop.
### Affected versions
`>=6.11.1 <6.15.2` — fixed in v6.15.2.
The vulnerable code shape was introduced in 4c4b23d and first shipped in v6.11.1. Earlier versions — including all of 6.7.x, 6.8.x, 6.9.x, 6.10.x, and 6.11.0 — implemented the comma + `encodeValuesOnly` path differently (joining before encoding) and are not affected. Empirically verified across released versions.
### Impact
Application code that calls `qs.stringify` with both `arrayFormat: 'comma'` and `encodeValuesOnly: true` (both non-default) on input that may contain a `null` or `undefined` array element will throw synchronously instead of producing a query string. In a typical Node.js HTTP framework (Express, Fastify, Koa, hapi) the sync throw is caught by the framework's error boundary and the affected request returns a 500; the worker process does not exit and subsequent requests are unaffected. The "kills the worker process" framing applies only to call sites outside a request-handler error boundary (background jobs, startup paths, stream pipelines) or to deployments with framework error handling explicitly disabled.
The vulnerable input is a `null` or `undefined` entry inside an array; this is reachable from JSON request bodies or from application code constructing arrays from user input, but not from standard HTML form submissions (which produce strings or omitted fields, not literal `null`).
Reference: https://avd.aquasec.com/nvd/cve-2026-8723
CVE-2026-43514 - org.apache.tomcat:tomcat
Severity: LOW
Installed Version: 10.1.54
Fixed Version: 9.0.118, 10.1.55, 11.0.22
Target: distro/tomcat/assembly/pom.xml
Title: Observable Timing Discrepancy vulnerability when comparing AJP secret i ...
Description:
Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
Older unsupported versions may also be affected.
Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
Reference: https://avd.aquasec.com/nvd/cve-2026-43514
CVE-2025-5889 - brace-expansion
Severity: LOW
Installed Version: 2.0.1
Fixed Version: 2.0.2, 1.1.12, 3.0.1, 4.0.1
Target: engine-rest/docs/package-lock.json
Title: A vulnerability was found in juliangruber brace-expansion up to 1.1.11 ...
Description:
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.
Reference: https://avd.aquasec.com/nvd/cve-2025-5889
CVE-2026-27942 - fast-xml-parser
Severity: LOW
Installed Version: 4.5.3
Fixed Version: 5.3.8, 4.5.4
Target: engine-rest/docs/package-lock.json
Title: fast-xml-parser: fast-xml-parser: Stack overflow leads to Denial of Service
Description:
fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. Prior to version 5.3.8, the application crashes with a stack overflow when a user uses the XML builder with `preserveOrder:true`. Version 5.3.8 fixes the issue. As a workaround, use the XML builder with `preserveOrder:false` or check the input data before passing it to the builder.
Reference: https://avd.aquasec.com/nvd/cve-2026-27942
CVE-2025-22233 - org.springframework:spring-context
Severity: LOW
Installed Version: 5.3.39
Fixed Version: 6.2.7, 6.1.20
Target: qa/integration-tests-engine/pom.xml
Title: CVE-2024-38820 ensured Locale-independent, lowercase conversion for bo ...
Description:
CVE-2024-38820 ensured Locale-independent, lowercase conversion for both the configured disallowedFields patterns and for request parameter names. However, there are still cases where it is possible to bypass the disallowedFields checks.
Affected Spring Products and Versions
Spring Framework:
* 6.2.0 - 6.2.6
* 6.1.0 - 6.1.19
* 6.0.0 - 6.0.27
* 5.3.0 - 5.3.42
* Older, unsupported versions are also affected
Mitigation
Users of affected versions should upgrade to the corresponding fixed version.
| Affected version(s) | Fix Version | Availability |
|---|---|---|
| 6.2.x | 6.2.7 | OSS |
| 6.1.x | 6.1.20 | OSS |
| 6.0.x | 6.0.28 | Commercial https://enterprise.spring.io/ |
| 5.3.x | 5.3.43 | Commercial https://enterprise.spring.io/ |
No further mitigation steps are necessary.
Generally, we recommend using a dedicated model object with properties only for data binding, or using constructor binding since constructor arguments explicitly declare what to bind together with turning off setter binding through the declarativeBinding flag. See the Model Design section in the reference documentation.
For setter binding, prefer the use of allowedFields (an explicit list) over disallowedFields.
Credit
This issue was responsibly reported by the TERASOLUNA Framework Development Team from NTT DATA Group Corporation.
Reference: https://avd.aquasec.com/nvd/cve-2025-22233
CVE-2024-8372 - angular
Severity: LOW
Installed Version: 1.8.2
Fixed Version:
Target: webapps/frontend/package-lock.json
Title: Improper sanitization of the value of the 'srcset' attribute in Angula ...
Description:
Improper sanitization of the value of the 'srcset' attribute in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .
This issue affects AngularJS versions 1.3.0-rc.4 and greater.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
Reference: https://avd.aquasec.com/nvd/cve-2024-8372
CVE-2024-8373 - angular
Severity: LOW
Installed Version: 1.8.2
Fixed Version:
Target: webapps/frontend/package-lock.json
Title: Improper sanitization of the value of the [srcset] attribute in <sourc ...
Description:
Improper sanitization of the value of the [srcset] attribute in <source> HTML elements in AngularJS allows attackers to bypass common image source restrictions, which can also lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing .
This issue affects all versions of AngularJS.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
Reference: https://avd.aquasec.com/nvd/cve-2024-8373
CVE-2025-0716 - angular
Severity: LOW
Installed Version: 1.8.2
Fixed Version:
Target: webapps/frontend/package-lock.json
Title: Improper sanitization of the value of the 'href' and 'xlink:href' attr ...
Description:
Improper sanitization of the value of the 'href' and 'xlink:href' attributes in '<image>' SVG elements in AngularJS allows attackers to bypass common image source restrictions. This can lead to a form of Content Spoofing https://owasp.org/www-community/attacks/Content_Spoofing and also negatively affect the application's performance and behavior by using too large or slow-to-load images.
This issue affects all versions of AngularJS.
Note:
The AngularJS project is End-of-Life and will not receive any updates to address this issue. For more information see here https://docs.angularjs.org/misc/version-support-status .
Reference: https://avd.aquasec.com/nvd/cve-2025-0716