Vulnerabilities > Openjsf > Express
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2024-10-29 | CVE-2024-10491 | Unspecified vulnerability in Openjsf Express A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used. The issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources. This vulnerability is especially relevant for dynamic parameters. | 5.3 |
| 2024-09-10 | CVE-2024-43796 | Cross-site Scripting vulnerability in Openjsf Express Express.js minimalist web framework for node. | 4.7 |
| 2022-11-26 | CVE-2022-24999 | qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. | 7.5 |
| 2017-08-09 | CVE-2014-6393 | Cross-site Scripting vulnerability in Openjsf Express The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to conduct cross-site scripting (XSS) attacks via characters in a non-standard encoding. | 6.1 |