{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-23T22:39:46.065","vulnerabilities":[{"cve":{"id":"CVE-2024-10491","sourceIdentifier":"36c7be3b-2937-45df-85ea-ca7133ea542c","published":"2024-10-29T17:15:03.853","lastModified":"2026-06-17T06:55:47.223","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"A vulnerability has been identified in the Express response.links function, allowing for arbitrary resource injection in the Link header when unsanitized data is used.\n\nThe issue arises from improper sanitization in `Link` header values, which can allow a combination of characters like `,`, `;`, and `<>` to preload malicious resources.\n\nThis vulnerability is especially relevant for dynamic parameters."},{"lang":"es","value":"Se ha identificado una vulnerabilidad en la función response.links de Express, que permite la inyección arbitraria de recursos en el encabezado Link cuando se utilizan datos no desinfectados. El problema surge de una desinfección incorrecta en los valores del encabezado `Link`, que puede permitir una combinación de caracteres como `,`, `;` y `<>` para precargar recursos maliciosos. 
Esta vulnerabilidad es especialmente relevante para los parámetros dinámicos."}],"affected":[{"source":"36c7be3b-2937-45df-85ea-ca7133ea542c","affectedData":[{"vendor":"express","product":"express","defaultStatus":"unaffected","collectionURL":"https://www.npmjs.com/package/express","packageName":"express","repo":"https://github.com/expressjs/express","versions":[{"version":"3.0.0-alpha1","lessThanOrEqual":"3.21.2","versionType":"semver","status":"affected"}]}]},{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","affectedData":[{"vendor":"expressjs","product":"express","defaultStatus":"unknown","cpes":["cpe:2.3:a:expressjs:express:*:*:*:*:*:*:*:*"],"versions":[{"version":"3.0.0-alpha1","lessThanOrEqual":"3.21.2","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"36c7be3b-2937-45df-85ea-ca7133ea542c","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N","baseScore":4.0,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.2,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","baseScore":5.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":1.4}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2024-10-29T19:42:55.922371Z","id":"CVE-2024-10491","options":[{"exploitation":"poc"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA 
Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"36c7be3b-2937-45df-85ea-ca7133ea542c","type":"Secondary","description":[{"lang":"en","value":"CWE-74"}]},{"source":"nvd@nist.gov","type":"Primary","description":[{"lang":"en","value":"NVD-CWE-noinfo"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openjsf:express:*:*:*:*:*:node.js:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.21.5","matchCriteriaId":"AE801416-30D2-4616-9933-65D020F892D8"}]}]}],"references":[{"url":"https://www.herodevs.com/vulnerability-directory/cve-2024-10491","source":"36c7be3b-2937-45df-85ea-ca7133ea542c","tags":["Exploit","Third Party Advisory"]}]}}]}