Express

This hub aggregates every CVE we track for Express, a product in the security products space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Express.

• CVE-2026-47370A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to execute a Command Injection wit...9.9Jun 12, 2026
• CVE-2026-47369A malicious actor with access to the network and low privileges could exploit an Improper Input Validation vulnerability found in certain devices running UniFi OS to escalate privileges within such...9.9Jun 12, 2026
• CVE-2026-47368A malicious actor with access to the network could exploit a Path Traversal vulnerability found in certain devices running UniFi OS to obtain data from such UniFi OS devices or instances.8.6Jun 12, 2026
• CVE-2026-34909A malicious actor with access to the network could exploit a Path Traversal vulnerability found in UniFi OS devices to access files on the underlying system that could be manipulated to access an u...10.0May 22, 2026
• CVE-2026-42349Clerk: Authorization bypass when combining organization, billing, or reverification checks8.1May 11, 2026
• CVE-2026-27508Smoothwall Express < 3.1 Update 13 Reflected XSS in redirect.cgi via url Parameter5.4Mar 30, 2026
• CVE-2026-26352Smoothwall Express < 3.1 Update 13 Stored XSS in vpnmain.cgi via VPN_IP Parameter5.4Mar 30, 2026
• BDU:2025-00076Уязвимость библиотеки просмотрщика документов в веб-версии клиента системы коммуникаций eXpress, вызванная недостаточной защитой структуры веб-страницы, позволяющая нарушителю выполнить произвольный Java Script-код8.0Jan 6, 2025
• CVE-2024-10491Preload arbitrary resources by injecting additional `Link` headers4.0Oct 29, 2024
• CVE-2024-9266Open Redirect4.7Oct 3, 2024
• CVE-2024-43796express vulnerable to XSS via response.redirect()5.0Sep 10, 2024
• CVE-2024-29041Express.js Open Redirect in malformed URLs6.1Mar 25, 2024
• CVE-2022-24999qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __ proto__ key can be used. In many typica...7.5Nov 26, 2022
• CVE-2014-6393The Express web framework before 3.11 and 4.x before 4.5 for Node.js does not provide a charset field in HTTP Content-Type headers in 400 level responses, which might allow remote attackers to cond...6.1Aug 9, 2017
• CVE-2014-6887The EXPRESS (aka com.gpshopper.express.android) application 2.5.3 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obta...5.4Oct 11, 2014