npm

4,193 tracked vulnerabilities.

CVE-2026-45736 MEDIUM
Node.js ws - Uninitialized Memory Disclosure
May 15, 2026
CVSS 4.4
EPSS 0.01
CVE-2026-38728 HIGH
Nodemailer smtp_server <3.18.3 - DoS
May 15, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44589 LOW
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
May 14, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-42334 HIGH
Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
May 14, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44503 HIGH
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
May 14, 2026
EPSS 0.01
CVE-2026-42281 HIGH NUCLEI
MagicMirror²: Unauthenticated SSRF via /cors endpoint
May 14, 2026
CVSS 8.6
EPSS 0.02
CVE-2026-44373 MEDIUM
Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44372 MEDIUM
Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44351 CRITICAL
fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass
May 13, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-45411 CRITICAL
vm2: Sandbox Breakout Using Async Generator
May 13, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-45109 HIGH
Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
May 13, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44582 LOW
Next.js: Cache poisoning via collisions in React Server Component cache-busting
May 13, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-44581 MEDIUM
Next.js: Cross-site scripting in App Router applications using CSP nonces
May 13, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-44580 MEDIUM
Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44579 HIGH
Next.js: Denial of Service via connection exhaustion in applications using Cache Components
May 13, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44578 HIGH NUCLEI
Next.js: Server-side request forgery in applications using WebSocket upgrades
May 13, 2026
CVSS 8.6
EPSS 0.39
CVE-2026-44009 CRITICAL
vm2: Sandbox Breakout Through Null Proto Exception
May 13, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-44008 CRITICAL
vm2: Snabox breakout via `neutralizeArraySpeciesBatch`
May 13, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-44007 CRITICAL
vm2: nesting: true bypasses require: false, allowing sandbox escape to arbitrary OS command execution
May 13, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-44006 CRITICAL
vm2: Sandbox Escape
May 13, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-44005 CRITICAL
vm2: Sandbox escape
May 13, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-44004 HIGH
vm2: Host Process OOM DoS via Buffer.alloc (Timeout Bypass)
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44003 MEDIUM
vm2: Transformer Fast-Path Bypass Exposes Internal State Variable
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44002 MEDIUM
vm2: Host File Path Disclosure via Stack Trace Information Leak
May 13, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-44001 HIGH
vm2: Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
May 13, 2026
CVSS 8.6
EPSS 0.00