Weekly CVE Digest — March 22, 2026

March 22, 2026 · PackageFix · 7 CVEs this week across npm, PyPI, Ruby, Go, Rust, Java

Every week PackageFix monitors the OSV database and CISA KEV catalog for new entries. This week had 7 worth paying attention to — two of them are CRITICAL and one is actively being exploited in production systems right now. Here's what to patch first.

🔴 CISA KEV Update This Week

CVE-2022-1471 (SnakeYAML) confirmed actively exploited. Any Java application that loads YAML from untrusted sources with SnakeYAML < 2.0 should be treated as critical priority.

This Week's CVEs

CVE-2024-29041 — express

npm MEDIUM

Affected: < 4.19.2 · Fix: 4.19.2

Open redirect through res.location() / res.redirect(): the target URL is passed through encodeurl before the Location header is written, so a crafted target can pass an application's own host check and still send the browser off-site; the advisory notes this applies even to input that was sanitized first. If you pass user-controlled redirect targets to res.redirect(), upgrade immediately.

Full fix guide →

CVE-2023-44487 — grpc-go / golang.org/x/net / Netty / hyper

Go + Java + Rust HIGH

Affected: multiple · Fix: see fix guides (for Go, golang.org/x/net 0.17.0 and Go 1.20.10 / 1.21.3 carry the mitigation)

HTTP/2 Rapid Reset: a client opens streams and immediately cancels each with RST_STREAM, so the server spends work on requests that never count toward its concurrent-stream limit and can be driven to exhaustion at very low cost. Any HTTP/2 server is potentially exposed; the fixes cap the rate of resets or the number of in-flight streams. Because the weakness is in the protocol handling rather than one library, check every HTTP/2 dependency across your Go, Java, and Rust services at once.

Full fix guide →

CVE-2024-27351 — Django

PyPI HIGH

Affected: < 3.2.25 / < 4.2.11 / < 5.0.3 · Fix: 3.2.25 / 4.2.11 / 5.0.3

ReDoS in django.utils.text.Truncator.words() when called with html=True, which also backs the truncatewords_html template filter. If either runs on untrusted input, a crafted string can keep a worker busy for a long time, and under load that exhausts the worker pool.

Full fix guide →

CVE-2022-1471 — SnakeYAML

Java/Maven CRITICAL CISA KEV

Affected: < 2.0 · Fix: 2.0+

Remote code execution via unsafe deserialization: with the default Constructor, new Yaml().load() resolves global tags (!!fully.qualified.ClassName) and instantiates whatever class the document names, so any application that loads untrusted YAML this way is exposed to RCE. Upgrade to 2.0, where the default no longer resolves global tags, or load with a SafeConstructor in the meantime. Listed on CISA KEV (actively exploited).

Full fix guide →

CVE-2024-21508 — mysql2

npm CRITICAL

Affected: < 3.9.4 · Fix: 3.9.4 (later 3.9.x releases fix further issues in the same code path, so move to the latest 3.x)

Remote code execution via code injection in readCodeFor(): the supportBigNumbers and bigNumberStrings option values are interpolated into a generated parser function without validation. If any connection or query options can be influenced by user input (for example, options assembled from a request), upgrade immediately.

Full fix guide →

CVE-2024-35176 — rexml

Ruby HIGH

Affected: < 3.2.7 · Fix: 3.2.7

Denial of service: parsing a document with many < characters in an attribute value takes disproportionately long, so a small crafted document can tie up a worker. Affects any Ruby application parsing untrusted XML with rexml. rexml ships with Ruby as a bundled gem, so check both Gemfile.lock and the version that came with your Ruby.

Full fix guide →

CVE-2024-1135 — gunicorn

PyPI HIGH

Affected: < 22.0.0 · Fix: 22.0.0

HTTP request smuggling: gunicorn did not properly validate the Transfer-Encoding header, so a front-end proxy and gunicorn could disagree about where a request body ends, letting a second request hidden in the body bypass proxy-level access controls. Any gunicorn deployment behind a reverse proxy (nginx, a load balancer, a CDN) that forwards requests as-is is potentially affected.

Full fix guide →
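To make the disagreement concrete, here is an added example in Python (not gunicorn's code). legacy_framing approximates the pre-22.0.0 behaviour the advisory describes, where only the exact value chunked selected chunked framing and anything else fell back to Content-Length; hardened_framing applies the RFC 9112 framing rules a current server should enforce, rejecting conflicting or unsupported codings instead of guessing. The sample requests are constructed, and SUPPORTED_CODINGS is an assumption about what the body reader can decode.

```python
import re

# Assumption: transfer codings this (hypothetical) server's body reader can
# decode. Anything else is rejected rather than silently ignored.
SUPPORTED_CODINGS = {"chunked", "gzip"}


def parse_head(raw: bytes):
    """Split a raw HTTP/1.1 request head into (request line, [(name, value)]).
    Names are lower-cased; duplicate headers are kept so conflicts stay visible."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def legacy_framing(raw: bytes):
    """Approximation of the pre-22.0.0 behaviour (not gunicorn's code): only
    the exact value 'chunked' selects chunked framing; any other
    Transfer-Encoding value is ignored and Content-Length is used instead."""
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and te[0].lower() == "chunked":
        return ("chunked", None)
    if cl:
        return ("content-length", int(cl[0]))
    return ("content-length", 0)


def hardened_framing(raw: bytes):
    """RFC 9112 section 6 rules: Transfer-Encoding and Content-Length may not
    both appear, every coding must be supported, chunked must be the final one,
    and Content-Length must be a single non-conflicting integer."""
    _, headers = parse_head(raw)
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te:
        if cl:
            return ("reject", "Transfer-Encoding and Content-Length both present")
        codings = [c.strip().lower() for v in te for c in v.split(",") if c.strip()]
        unknown = [c for c in codings if c not in SUPPORTED_CODINGS]
        if unknown:
            return ("reject", f"unsupported transfer coding {unknown[0]!r}")
        if codings.count("chunked") != 1 or codings[-1] != "chunked":
            return ("reject", "chunked must appear once and be the final coding")
        return ("chunked", None)
    if cl:
        if len(set(cl)) != 1 or not re.fullmatch(r"[0-9]+", cl[0]):
            return ("reject", "invalid or conflicting Content-Length")
        return ("content-length", int(cl[0]))
    return ("content-length", 0)


# Constructed sample requests (not captured traffic).
REQ_CHUNKED = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
               b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")
REQ_CL = b"POST /upload HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello"
SMUGGLED = b"1\r\nA\r\n0\r\n\r\nGET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
# Both framings present: a chunked reader sees two requests, a CL reader one.
REQ_TE_CL = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
             b"Transfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n" + SMUGGLED)
# Obfuscated coding list: a proxy that honours 'chunked' and a back end that
# only recognises the bare word disagree about where the body ends.
REQ_TE_OBFUSCATED = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                     b"Transfer-Encoding: chunked, identity\r\nContent-Length: 4\r\n\r\n"
                     + SMUGGLED)
REQ_TE_GZIP_LAST = (b"POST /upload HTTP/1.1\r\nHost: app.example\r\n"
                    b"Transfer-Encoding: chunked, gzip\r\n\r\n")

if __name__ == "__main__":
    for name, req in [("chunked", REQ_CHUNKED), ("content-length", REQ_CL),
                      ("te+cl", REQ_TE_CL), ("obfuscated", REQ_TE_OBFUSCATED),
                      ("gzip-last", REQ_TE_GZIP_LAST)]:
        print(f"{name:15} legacy={legacy_framing(req)}  hardened={hardened_framing(req)}")
```

The obfuscated request is the smuggling primitive: the legacy reader frames it by Content-Length (4 bytes) and will treat the leftover GET /admin as the next request on the connection, while the hardened reader refuses the message outright, which is the only safe answer when two parties could frame it differently.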

Paste your manifest — get back a fixed version with all CVEs patched in seconds.

Open PackageFix →

No signup · No CLI · No GitHub · Runs 100% in your browser
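The same check can be run offline against pinned versions. The following is an added example, not PackageFix's code: it reads installed versions out of a requirements.txt, a package-lock.json, a Gemfile.lock and the output of mvn dependency:list, and compares them with the fix versions published upstream for this digest's package entries (express 4.19.2, Django 3.2.25 / 4.2.11 / 5.0.3, SnakeYAML 2.0, mysql2 3.9.4, rexml 3.2.7, gunicorn 22.0.0). The sample manifests are constructed, the DIGEST table and the per-series rule in is_affected are this example's own, and it deliberately omits the HTTP/2 entry, whose affected ranges span several libraries and are left to the fix guides.

```python
import json
import re

# Fix versions for this digest's package entries, as published upstream.
# Key: (ecosystem, package) -> (CVE, first fixed version per release series).
DIGEST = {
    ("npm", "express"):              ("CVE-2024-29041", ["4.19.2"]),
    ("PyPI", "django"):              ("CVE-2024-27351", ["3.2.25", "4.2.11", "5.0.3"]),
    ("Maven", "org.yaml:snakeyaml"): ("CVE-2022-1471", ["2.0"]),
    ("npm", "mysql2"):               ("CVE-2024-21508", ["3.9.4"]),
    ("RubyGems", "rexml"):           ("CVE-2024-35176", ["3.2.7"]),
    ("PyPI", "gunicorn"):            ("CVE-2024-1135", ["22.0.0"]),
}


def parse_version(text):
    """Turn '4.19.2', 'v2.0' or '5.0.0-beta.3' into a comparable 4-tuple.
    Missing components are zero; a pre-release sorts below its final release."""
    core, _, pre = text.strip().lstrip("v=").partition("-")
    nums = [int(re.sub(r"\D", "", part) or 0) for part in core.split(".")][:3]
    nums += [0] * (3 - len(nums))
    return tuple(nums) + ((0,) if pre else (1,))


def is_affected(installed, fixed_versions):
    """True if `installed` predates the fix. A version at or after the fix of
    its own major.minor series is clean; a series with no listed fix that is
    older than the newest fix (an unsupported branch) counts as affected."""
    v = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_versions]
    if v >= max(fixes):
        return False
    return not any(v[:2] == f[:2] and v >= f for f in fixes)


def parse_requirements(text):
    # Only exact pins (==) are installed versions; ranges are ignored.
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([^\s;#]+)", line)
        if m:
            yield "PyPI", m.group(1).lower(), m.group(2)


def parse_package_lock(text):
    # Lockfile v2/v3 "packages" map; nested paths resolve to the last segment.
    for path, info in json.loads(text).get("packages", {}).items():
        if path.startswith("node_modules/") and "version" in info:
            yield "npm", path.rsplit("node_modules/", 1)[1], info["version"]


def parse_gemfile_lock(text):
    # Resolved specs sit at four-space indent as "name (x.y.z)".
    for m in re.finditer(r"^ {4}([\w.-]+) \(([\w.-]+)\)$", text, re.M):
        yield "RubyGems", m.group(1), m.group(2)


def parse_mvn_list(text):
    # Lines like "[INFO]    org.yaml:snakeyaml:jar:1.33:compile".
    for m in re.finditer(r"([\w.-]+):([\w.-]+):jar:([\w.-]+):", text):
        yield "Maven", f"{m.group(1)}:{m.group(2)}", m.group(3)


PARSERS = {
    "requirements.txt": parse_requirements,
    "package-lock.json": parse_package_lock,
    "Gemfile.lock": parse_gemfile_lock,
    "mvn-dependency-list.txt": parse_mvn_list,
}


def scan(files):
    """files: {filename: content}. Returns (ecosystem, package, installed, CVE, fixes)."""
    findings = []
    for name, content in files.items():
        for eco, pkg, ver in PARSERS[name](content):
            entry = DIGEST.get((eco, pkg))
            if entry and is_affected(ver, entry[1]):
                findings.append((eco, pkg, ver, entry[0], " / ".join(entry[1])))
    return findings


# Constructed sample manifests (not from a real project).
SAMPLE_FILES = {
    "requirements.txt": "Django==4.2.10\ngunicorn==22.0.0\nrequests==2.31.0\n",
    "package-lock.json": json.dumps({"packages": {
        "": {"name": "app"},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/mysql2": {"version": "3.9.7"},
    }}),
    "Gemfile.lock": "GEM\n  remote: https://rubygems.org/\n  specs:\n"
                    "    rexml (3.2.6)\n    rake (13.2.1)\n",
    "mvn-dependency-list.txt": "[INFO]    org.yaml:snakeyaml:jar:1.33:compile\n",
}

if __name__ == "__main__":
    for eco, pkg, ver, cve, fixes in scan(SAMPLE_FILES):
        print(f"{eco:9} {pkg:22} {ver:8} {cve:15} fix: {fixes}")
```

Lockfiles are deliberately preferred over package.json or Gemfile: a caret range says what is allowed, not what is installed, and it is the installed version that is or is not vulnerable.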

Frequently Asked Questions

How do I scan for all CVEs listed in this digest?
Paste your manifest file into PackageFix. It queries the live OSV database and will flag any of these CVEs if your installed versions are affected.
How often is the weekly CVE digest published?
Every week. PackageFix monitors the OSV database and CISA KEV catalog for new entries across all 7 supported ecosystems.
Which CVE in this digest is most urgent?
CVE-2022-1471 (SnakeYAML) — it is on the CISA KEV catalog (actively exploited) and allows remote code execution. CVE-2024-21508 (mysql2) is also CRITICAL and should be patched immediately.

Related Guides