npm
3,968 tracked vulnerabilities.
CVE-2026-47099
MEDIUM
TeleJSON < 6.0.0 DOM-based XSS via parse() Function
May 20, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-8723
MEDIUM
qs.stringify crashes on null/undefined entries in comma-format arrays under encodeValuesOnly
May 17, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-45665
HIGH
Open WebUI: Stored XSS in Banner Component via Improper Sanitization Order
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45346
MEDIUM
Open WebUI: Stored Cross-Site Scripting in SVG Renderer
May 15, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-45395
HIGH
Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
May 15, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-44721
HIGH
Open WebUI: Stored XSS via Model Description
May 15, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-45773
MEDIUM
Turborepo: Login callback CSRF/session fixation
May 15, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-45772
CRITICAL
Turborepo: Unexpected local code execution during Yarn Berry detection
May 15, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-45736
MEDIUM
Node.js ws - Uninitialized Memory Disclosure
May 15, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-44589
LOW
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
May 14, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-42334
HIGH
Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
May 14, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44503
HIGH
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
May 14, 2026
EPSS 0.00
CVE-2026-42281
HIGH
NUCLEI
MagicMirror²: Unauthenticated SSRF via /cors endpoint
May 14, 2026
CVSS 8.6
EPSS 0.03
CVE-2026-44373
MEDIUM
Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44372
MEDIUM
Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
May 13, 2026
EPSS 0.00
CVE-2026-44351
CRITICAL
fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass
May 13, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-45411
CRITICAL
vm2: Sandbox Breakout Using Async Generator
May 13, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-45109
HIGH
Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44582
LOW
Next.js: Cache poisoning via collisions in React Server Component cache-busting
May 13, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-44581
MEDIUM
Next.js: Cross-site scripting in App Router applications using CSP nonces
May 13, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-44580
MEDIUM
Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44579
HIGH
Next.js: Denial of Service via connection exhaustion in applications using Cache Components
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44578
HIGH
NUCLEI
Next.js: Server-side request forgery in applications using WebSocket upgrades
May 13, 2026
CVSS 8.6
EPSS 0.05
CVE-2026-44009
CRITICAL
vm2: Sandbox Breakout Through Null Proto Exception
May 13, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-44008
CRITICAL
vm2: Sandbox breakout via `neutralizeArraySpeciesBatch`
May 13, 2026
CVSS 9.8
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12