[CLSA-2026:1778166918] Fix CVE(s): CVE-2026-21710

Type:

security

Severity:

Important

Release date:

2026-05-07 15:15:24 UTC

Description:

   * SECURITY UPDATE: HTTP server crash on __proto__ header
     - debian/patches/CVE-2026-21710.patch: initialise headersDistinct and
       trailersDistinct destination maps with { __proto__: null } so a
       __proto__ request header no longer resolves to Object.prototype and
       cause an uncaught TypeError when req.headersDistinct or
       req.trailersDistinct is accessed
     - CVE-2026-21710

Updated packages:

alt-nodejs18-docs_18.20.8-9_amd64.deb
sha:1a5f66184133935bd2663b01ddb95f64edcd299b
alt-nodejs18-nodejs_18.20.8-9_amd64.deb
sha:01c131946e2de9b8ef7d73962e7bcfd8add7df2c
alt-nodejs18-nodejs-devel_18.20.8-9_amd64.deb
sha:60bbd4e3ccd499fe0cadec728cd68040dcaefb6c
alt-nodejs18-npm_10.8.2-18.20.8.6_amd64.deb
sha:faf8feea9da500920f78b3df6091b9069380f3b1

Notes:

This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.