resolved
HTTP/2 sessions never clean up after GOAWAY on invalid protocol errors
Bug reported by Tim Perry was disclosed on June 18, 2026, at 5:34 pm | Uncontrolled Resource Consumption
A flaw in the Node.js HTTP/2 server API was discovered that could cause servers to keep accepting data even after sending a GOAWAY frame. This vulnerability affected Node.js 22 and Node.js 24.
resolved
Permission Model Bypass via `process.report.writeReport()` Path Misvalidation
Bug reported by Joseph Semaan was disclosed on June 18, 2026, at 2:48 pm | Improper Access Control - Generic
A flaw was discovered in the Node.js permission model that allowed security controls to be bypassed through path misvalidation in `process.report.writeReport()`.
resolved
Reflected XSS in AI Chat Bot Greetings at help.shopify.com via Markdown Image Rendering
Bug reported by was disclosed on June 18, 2026, at 12:48 pm | Cross-site Scripting (XSS) - Reflected
A reflected XSS vulnerability was reported in the AI chat bot greetings at help.shopify.com. The issue was caused by the rendering of a markdown image in the greeting, which allowed the attacker to inject a payload through the image URL. The vulnerability was addressed by removing the attacker-controlled greeting input path.