npm

4,193 tracked vulnerabilities.

CVE-2026-59800 CRITICAL
9Router < 0.4.44 - OS Command Injection via sudoPassword Parameter in Tailscale Install Endpoint
Jul 07, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-55700 HIGH
pnpm: stage download writes outside destination via manifest version traversal
Jun 25, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-55699 MEDIUM
pnpm: reserved bin name deletes PNPM_HOME during global remove
Jun 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-55698 HIGH
pnpm < 10.34.2 and 11.0.0-11.5.2 - Lockfile-Selected Code Execution
Jun 25, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-55697 HIGH
pnpm: Repository-controlled configDependencies can select a pacquet native install engine
Jun 25, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-55487 HIGH
pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle
Jun 25, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-55180 MEDIUM
pnpm: Repository config can expand victim environment secrets into registry requests before scripts run
Jun 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-50573 MEDIUM
pnpm: Unsafe default behavior breaks integrity check
Jun 25, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-50021 MEDIUM
pnpm: Integrity Check Bypass via Missing Lockfile Integrity Field
Jun 25, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-50017 MEDIUM
pnpm binds unscoped user-level npm auth credentials to a repository-selected registry
Jun 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-50016 HIGH
pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
Jun 25, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-50015 HIGH
pnpm: Arbitrary File Write/Delete via Malicious Patch File (Path Traversal)
Jun 25, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-50014 MEDIUM
pnpm: Git Fetch Argument Injection via Lockfile resolution.commit
Jun 25, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-48995 HIGH
pnpm: Tarball hash of GitHub git dependencies is not stored in lockfile
Jun 25, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-53943 CRITICAL
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header
Jun 24, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-56761 MEDIUM
hono - HTML Injection via Improper JSX Attribute Name Handling in SSR
Jun 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-56358 MEDIUM
n8n - Stored Cross-Site Scripting in Form Trigger Node
Jun 24, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-56351 HIGH
n8n - SQL Injection in MySQL, PostgreSQL, and Microsoft SQL Nodes
Jun 24, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-56272 MEDIUM
Flowise - Insufficient Password Salt Rounds in Bcrypt Hashing
Jun 24, 2026
CVSS 4.1
EPSS 0.00
CVE-2026-56270 HIGH
Flowise - Unauthenticated OAuth Secrets Disclosure via /api/v1/loginmethod Endpoint
Jun 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-56269 MEDIUM
Flowise - Weak Default Token Hash Secret in JWT Token Encryption
Jun 24, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-54307 CRITICAL
n8n: Credential Exfiltration via Permission Bypass
Jun 23, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-56357 MEDIUM
n8n - Webhook Forgery via Missing HMAC-SHA256 Signature Verification in GitHub Webhook Trigger
Jun 22, 2026
CVSS 4.0
EPSS 0.00
CVE-2026-56348 CRITICAL
n8n - Credential Exfiltration via Allowed HTTP Request Domains Bypass in Dynamic Node Parameters Endpoint
Jun 22, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-56326 MEDIUM
Nuxt - Server-Side Open Redirect via Path-Normalization Bypass in navigateTo
Jun 22, 2026
CVSS 6.1
EPSS 0.00