Vendor
high
advisory
@asymmetric-effort/specifyjs: URL Parse Failure Silently Allows Request (CVE-2026-50288)
1 TTPA high-severity vulnerability, CVE-2026-50288, in the `@asymmetric-effort/specifyjs` npm package (versions prior to 0.2.136) allows for the silent bypass of HTTPS validation by mishandling URL parse errors in the `assertSecureUrl` function, which can lead to Server-Side Request Forgery (SSRF).
@asymmetric-effort/specifyjs
npm
supply-chain
vulnerability
ssrf
javascript
1t
high
advisory
Path Traversal Vulnerability in @asymmetric-effort/nogginlessdom Allows Arbitrary File Write
4 TTPsA path traversal vulnerability (GHSA-322x-v876-g883) in the `matchFileSnapshot` function of the `@asymmetric-effort/nogginlessdom` library allows an attacker to write arbitrary content to any filesystem path with write access when snapshot update mode is active, potentially leading to supply chain compromise in CI/CD environments.
nogginlessdom
path-traversal
supply-chain
ci/cd
npm
vulnerability
4t