npm
4,193 tracked vulnerabilities.
CVE-2026-59800
CRITICAL
9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint
Jul 07, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-55700
HIGH
pnpm: stage download writes outside destination via manifest version traversal
Jun 25, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-55699
MEDIUM
pnpm: reserved bin name deletes PNPM_HOME during global remove
Jun 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-55698
HIGH
pnpm < 10.34.2 and 11.0.0-11.5.2 - Lockfile-Selected Code Execution
Jun 25, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-55697
HIGH
pnpm: Repository-controlled configDependencies can select a pacquet native install engine
Jun 25, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-55487
HIGH
pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle
Jun 25, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-55180
MEDIUM
pnpm: Repository config can expand victim environment secrets into registry requests before scripts run
Jun 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-50573
MEDIUM
pnpm: Unsafe default behavior breaks integrity check
Jun 25, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-50021
MEDIUM
pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field
Jun 25, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-50017
MEDIUM
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
Jun 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-50016
HIGH
pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
Jun 25, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-50015
HIGH
pnpm: Arbitrary File Write/Delete via Malicious Patch File (Path Traversal)
Jun 25, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-50014
MEDIUM
pnpm: Git Fetch Argument Injection via Lockfile resolution.commit
Jun 25, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-48995
HIGH
pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile
Jun 25, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-53943
CRITICAL
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header
Jun 24, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-56761
MEDIUM
hono - HTML Injection via Improper JSX Attribute Name Handling in SSR
Jun 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-56358
MEDIUM
n8n - Stored Cross-Site Scripting in Form Trigger Node
Jun 24, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-56351
HIGH
n8n - SQL Injection in MySQL, PostgreSQL, and Microsoft SQL Nodes
Jun 24, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-56272
MEDIUM
Flowise - Insufficient Password Salt Rounds in Bcrypt Hashing
Jun 24, 2026
CVSS 4.1
EPSS 0.00
CVE-2026-56270
HIGH
Flowise - Unauthenticated OAuth Secrets Disclosure via /api/v1/loginmethod Endpoint
Jun 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-56269
MEDIUM
Flowise - Weak Default Token Hash Secret in JWT Token Encryption
Jun 24, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-54307
CRITICAL
n8n: Credential Exfiltration via Permission Bypass
Jun 23, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-56357
MEDIUM
n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger
Jun 22, 2026
CVSS 4.0
EPSS 0.00
CVE-2026-56348
CRITICAL
n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Parameters Endpoint
Jun 22, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-56326
MEDIUM
Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo
Jun 22, 2026
CVSS 6.1
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters