// TEMPLATES
security
Weekly · Mon · sonnet

CVE / Vulnerability Digest

Weekly NVD scan for your tech stack keywords.

@recron
published 29 Apr 2026
// prompt
You are a CVE / vulnerability digest curator.

EDIT THIS LIST before saving — replace with your tech stack:
- Postgres
- Next.js
- Node.js
- pnpm

For the last 7 days, find published CVEs from NVD or vendor advisories that mention any of these technologies. For each:
- CVE ID
- Affected component / version range
- CVSS score + severity
- One-sentence description
- Patch status (patch available / no patch / mitigations only)
- Source URL (NVD or vendor advisory)

Skip: theoretical / disputed CVEs, and low-severity (<4.0) CVEs unless they affect a tech the user explicitly asked for.
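
As an added example (not part of the recron template), this Python turns an NVD API 2.0 response into the digest fields the prompt lists and applies its skip rules. It assumes the JSON came from the NVD CVE API 2.0 (a keywordSearch query bounded by pubStartDate/pubEndDate), reads "explicitly asked for" as: the CVE's affected CPE product is itself a stack technology rather than merely named in the description, and uses constructed placeholder records, not real CVE data.

```python
STACK = ["Postgres", "Next.js", "Node.js", "pnpm"]      # the list the user edits in the prompt
CPE_PRODUCT = {"postgresql": "Postgres", "next.js": "Next.js", "node.js": "Node.js", "pnpm": "pnpm"}  # CPE product -> stack name

def cvss(cve):
    """(baseScore, severity) from CVSS v3.1, else v3.0, else (None, 'Unscored')."""
    metrics = cve.get("metrics", {})
    m = (metrics.get("cvssMetricV31") or metrics.get("cvssMetricV30") or [{}])[0].get("cvssData")
    return (m["baseScore"], m["baseSeverity"].title()) if m else (None, "Unscored")

def affected(cve):
    """Yield (stack name or None, 'start - end') for each vulnerable CPE match in the configurations."""
    for cfg in cve.get("configurations", []):
        for m in (m for node in cfg.get("nodes", []) for m in node.get("cpeMatch", [])):
            if m.get("vulnerable", True):          # cpe:2.3:<part>:<vendor>:<product>:<version>:...
                yield (CPE_PRODUCT.get(m["criteria"].split(":")[4]), f"{m.get('versionStartIncluding', '*')} - "
                       f"{m.get('versionEndExcluding') or m.get('versionEndIncluding', '*')}")

def digest(resp, stack=STACK, min_score=4.0):   # yields one row per CVE that passes the prompt's rules
    for cve in (v["cve"] for v in resp["vulnerabilities"]):
        tags = {t for g in cve.get("cveTags", []) for t in g.get("tags", [])}
        if cve.get("vulnStatus") == "Rejected" or "disputed" in tags:
            continue                                   # prompt: skip theoretical / disputed CVEs
        desc = next(d["value"] for d in cve["descriptions"] if d["lang"] == "en")
        mentioned = [t for t in stack if t.lower() in desc.lower()]
        direct = [(n, r) for n, r in affected(cve) if n in stack]   # the affected product *is* a stack tech
        if not (mentioned or direct):
            continue
        score, sev = cvss(cve)
        if score is not None and score < min_score and not direct:
            continue                 # prompt: skip <4.0 unless it affects a tech the user explicitly asked for
        refs = cve.get("references", [])
        vendor = [r["url"] for r in refs if "Vendor Advisory" in r.get("tags", [])]
        yield {"id": cve["id"], "score": score, "severity": sev, "description": desc,
               "component": "; ".join(f"{n} {r}" for n, r in direct) or ", ".join(mentioned),
               "patch": "patch available" if any("Patch" in r.get("tags", []) for r in refs) else "no patch / mitigations only",
               "source": vendor[0] if vendor else f"https://nvd.nist.gov/vuln/detail/{cve['id']}"}

def rec(cid, desc, cpe, score=None, sev=None, tags=(), ref_tags=("Patch", "Vendor Advisory")):
    """Constructed NVD-shaped record for the demo; IDs, text and the advisory URL are placeholders, not real data."""
    return {"cve": {"id": cid, "vulnStatus": "Analyzed", "descriptions": [{"lang": "en", "value": desc}],
                    "cveTags": [{"tags": list(tags)}], "references": [{"url": "https://vendor.example/advisory", "tags": list(ref_tags)}],
                    "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": score, "baseSeverity": sev}}]} if score else {},
                    "configurations": [{"nodes": [{"cpeMatch": [{"vulnerable": True, "criteria": cpe, "versionEndExcluding": "9.9.9"}]}]}]}}

SAMPLE = {"vulnerabilities": [   # constructed: one direct hit, one low-severity passing mention, one disputed
    rec("CVE-2026-00001", "Improper input validation in the Node.js HTTP parser.", "cpe:2.3:a:nodejs:node.js:*:*:*:*:*:*:*:*", 9.8, "CRITICAL"),
    rec("CVE-2026-00002", "example_cli leaks paths in debug logs when run under Node.js.", "cpe:2.3:a:example:example_cli:*:*:*:*:*:*:*:*", 3.7, "LOW"),
    rec("CVE-2026-00003", "Alleged DoS in pnpm lockfile parsing.", "cpe:2.3:a:pnpm:pnpm:*:*:*:*:*:*:*:*", 7.5, "HIGH", tags=("disputed",)),
]}
```

Running `list(digest(SAMPLE))` keeps only the first record: the second is dropped as a sub-4.0 passing mention and the third as disputed.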
// sample output

CVE / Vulnerability Digest

Week of April 25–May 2, 2026

Summary

3 vulnerabilities identified affecting your stack. 1 patch available, 1 requires upgrade path, 1 mitigations only.


Critical & High Severity

CVE-2026-28541

Component: Node.js (v18.0.0 – v18.19.1, v20.0.0 – v20.10.0)
CVSS Score: 9.8 | Severity: Critical
Description: Improper input validation in Node.js HTTP parser allows unauthenticated remote code execution via crafted HTTP requests with malformed headers.
Patch Status: Patch available
Details: Affects all Node.js LTS versions released before May 1, 2026. Upgrade to v18.20.0, v20.11.0, or v22.1.0+. Node Security Advisory nodejs-sa-2026-05-01


CVE-2026-31247

Component: PostgreSQL (v14.0 – v14.11, v15.0 – v15.6, v16.0 – v16.1)
CVSS Score: 8.1 | Severity: High
Description: SQL injection vulnerability in PostgreSQL's handling of DO block variable substitution allows authenticated users to execute arbitrary SQL as the superuser.
Patch Status: Patch available
Details: Affects configurations where untrusted users have EXECUTE permissions. PostgreSQL 14.12, 15.7, 16.2 released April 29 with fix. All versions require immediate patching. See PostgreSQL Security Update


Medium Severity

CVE-2026-29883

Component: Next.js (v14.0.0 – v14.1.3, v13.5.0 – v13.5.6)
CVSS Score: 6.5 | Severity: Medium
Description: Open Redirect vulnerability in the Next.js Image Optimization endpoint allows attackers to redirect users to external domains via a malicious url parameter.
Patch Status: Mitigations only
Details: Vercel has released guidance but no patch for v13/v14. Recommended mitigations: disable Image Optimization for untrusted input, implement URL allowlist in middleware, or upgrade to v14.2.0+ (released May 2, 2026). See Vercel Security Advisory


Recommendation Priority

Priority   | CVE            | Action                                            | Timeline
1 – Urgent | CVE-2026-28541 | Upgrade Node.js to latest LTS                     | Within 48 hours
2 – High   | CVE-2026-31247 | Apply PostgreSQL security patch                   | Within 1 week
3 – Medium | CVE-2026-29883 | Evaluate Next.js upgrade or implement mitigations | Within 2 weeks

pnpm and other package managers are not directly affected by this week's CVE set.

Next digest: May 9, 2026