AikidoSec · olivmir · Mar 5, 2026 · Mar 4, 2026 · Mar 5, 2026 · Mar 5, 2026
diff --git a/vulnerabilities/AIKIDO-2026-10296.json b/vulnerabilities/AIKIDO-2026-10296.json
@@ -0,0 +1,26 @@
+{
+  "package_name": "node-catbox",
+  "patch_versions": [
+    "4.2.0"
+  ],
+  "vulnerable_ranges": [
+    [
+      "0.1.0",
+      "4.1.0"
+    ]
+  ],
+  "cwe": [
+    "CWE-20"
+  ],
+  "tldr": "Affected versions of this package are vulnerable to improper input validation. The `uploadURL` function does not sufficiently validate the user-supplied URL parameter and forwards it directly to the Catbox API. This allows malformed URLs or URLs with unsupported schemes to be processed, which can lead to unintended behavior in applications relying on the library. The issue is fixed by adding validation to ensure that only valid `http` or `https` URLs are accepted.",
+  "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+  "how_to_fix": "Upgrade the `node-catbox` library to the patch version.",
+  "vulnerable_to": "Improper Input Validation",
+  "related_cve_id": "",
+  "language": "JS",
+  "severity_class": "LOW",
+  "aikido_score": 30,
+  "changelog": "https://github.com/depthbomb/node-catbox/releases/tag/4.2.0",
+  "last_modified": "2026-03-05",
+  "published": "2026-03-05"
+}