HIGH
npm
CVE published 2026-05-26
CVE-2026-9496
CVE-2026-9496 documents a denial-of-service (DoS) vulnerability in the pacote npm package, affecting versions from 11.2.7 onward. The flaw resides in the addGitSha function, where a maliciously crafted spec.rawSpec value can trigger inefficient regex replacement and string-manipulation logic, leading to excessive CPU consumption and potentially causing the process to stall or crash. The vulnerability was published to t [truncated]