Search for packages
| purl | pkg:npm/express@2.4.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1xx6-zucb-4ffq
Aliases: CVE-2014-6393 GHSA-gpvr-g6gh-9mc2 |
No Charset in Content-Type Header in express Vulnerable versions of express do not specify a charset field in the content-type header while displaying 400 level response messages. The lack of enforcing user's browser to set correct charset, could be leveraged by an attacker to perform a cross-site scripting attack, using non-standard encodings, like UTF-7. ## Recommendation For express 3.x, update express to version 3.11 or later. For express 4.x, update express to version 4.5 or later. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-w1zf-uvrh-7uc7
Aliases: CVE-2022-24999 GHSA-hrpp-h998-j3pp |
express: "qs" prototype poisoning causes the hang of the node process |
Affected by 0 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-05-30T05:51:57.231776+00:00 | GitLab Importer | Affected by | VCID-w1zf-uvrh-7uc7 | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/express/CVE-2022-24999.yml | 38.6.0 |
| 2026-05-30T03:43:47.878425+00:00 | GitLab Importer | Affected by | VCID-1xx6-zucb-4ffq | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/express/CVE-2014-6393.yml | 38.6.0 |