These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
A vulnerability in Vercel AI SDK versions up to 3.0.97 allows remote attackers to cause resource consumption through the createJsonResponseHandler and createJsonErrorResponseHandler functions in packages/provider-utils/src/response-handler.ts. The issue was publicly disclosed on 2026-05-17 with an exploit available, and the vendor was reportedly contacted but did not respond. The vulnerability is rated LO [truncated]
CVE-2026-8768 is a server-side request forgery (SSRF) vulnerability in the Vercel AI package’s provider-utils component, specifically the validateDownloadUrl function in packages/provider-utils/src/download-blob.ts. The issue is described as remotely exploitable and affecting versions up to 3.0.97. The vulnerability was published on 2026-05-17 and is rated medium severity (CVSS 5.5). The disclosure also s [truncated]
A command injection vulnerability exists in Vercel AI SDK versions up to 3.0.97, specifically within a GitHub Actions workflow file. The vulnerability resides in the `run` function of `.github/workflows/prettier-on-automerge.yml`, where PR branch name interpolation allows for OS command injection. The attack vector is remote but requires high complexity and difficult exploitability conditions. The CVSS 4. [truncated]
CVE-2026-46508 is a high-severity (CVSS 8.4) command injection vulnerability in the Turborepo Language Server Protocol (LSP) VS Code extension, published 2026-05-15 and last modified 2026-05-19. The extension, prior to version 2.9.14000, used string-based command execution for daemon commands and task runs, allowing malicious workspace-controlled values—such as crafted task names or workspace settings—to [truncated]
CVE-2026-45773 is a medium-severity authentication flow flaw in Turborepo’s self-hosted login and SSO browser flows. Before 2.9.14, the localhost callback did not validate a CSRF state value. If a user was waiting for authentication in the CLI, a malicious web page could send a request to the local callback server with an attacker-controlled token. If that request arrived before the legitimate callback, t [truncated]
A medium-severity vulnerability, CVE-2026-44479, was discovered in Vercel's AI Cloud platform. The issue affects versions 50.16.0 to 52.0.0 of the Vercel CLI. When running in non-interactive mode, commands that cannot complete autonomously emit JSON payloads with suggested follow-up commands. If the user authenticated via --token or -t on the command line, the token value is included verbatim in those sug [truncated]
CVE-2015-8315 describes a regular expression denial of service (ReDoS) in the Node.js ms package before version 0.7.1. An attacker who can supply a long version string may trigger excessive CPU consumption, resulting in denial of service. NVD rates the issue High with a CVSS 3.1 vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H.