This page collects WhisperX intelligence signals tagged #JavaScript security. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A newly disclosed high-severity vulnerability, CVE-2026-4800, exposes a critical code injection path in the widely used lodash-es JavaScript library. The flaw resides in the `_.template` utility, where insufficient validation of the `options.imports` key names allows an attacker to inject and execute arbitrary code dur...
A critical security vulnerability in Webpack, the ubiquitous JavaScript module bundler, has been patched in version 5.94.0. The flaw, tracked as CVE-2024-43788, is a DOM Clobbering weakness within Webpack's `AutoPublicPathRuntimeModule`. This vulnerability creates a pathway for cross-site scripting (XSS) attacks, poten...
A critical path traversal vulnerability in the popular JavaScript CDN and ESM transpiler, esm.sh, has been publicly documented, allowing attackers to write arbitrary files to the server. The flaw, tracked as CVE-2025-59342, affects versions v136 and earlier. This is not a theoretical risk; the vulnerability template ha...
A critical security vulnerability has been disclosed in Axios, one of the most widely used HTTP clients in the JavaScript ecosystem. Tracked as CVE-2026-42035 and associated with GitHub Security Advisory GHSA-6chq-wfr3-2hj9, the flaw allows attackers to inject arbitrary HTTP headers into outgoing requests through a pro...
A prototype pollution vulnerability in axios, a widely used JavaScript HTTP client library, has been identified and addressed through version 1.15.2. The flaw, tracked as CVE-2026-42035 and documented as GHSA-6chq-wfr3-2hj9, exists in the library's HTTP adapter implementation (lib/adapters/http.js). The vulnerability e...
A code generation vulnerability in protobufjs-cli, the command line add-on for protobuf.js, exposes applications to risks through the emission of unsafe JavaScript identifiers. The flaw, tracked as CVE-2026-44295 and rated 8.7 on the CVSS scale (High severity), resides in pbjs static code generation functionality that ...