npm
4,193 tracked vulnerabilities.
CVE-2026-45736
MEDIUM
Node.js ws - Uninitialized Memory Disclosure
May 15, 2026
CVSS 4.4
EPSS 0.01
CVE-2026-38728
HIGH
Nodemailer smtp_server <3.18.3 - DoS
May 15, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44589
LOW
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
May 14, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-42334
HIGH
Mongoose: Improper Sanitization of $nor in sanitizeFilter May Allow NoSQL Injection
May 14, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44503
HIGH
Kiota abstractions RedirectHandler leaks Cookie/Proxy-Authorization headers on cross-host redirect
May 14, 2026
EPSS 0.01
CVE-2026-42281
HIGH
NUCLEI
MagicMirror²: Unauthenticated SSRF via /cors endpoint
May 14, 2026
CVSS 8.6
EPSS 0.02
CVE-2026-44373
MEDIUM
Nitro: Proxy scope bypass via percent-encoded path traversal in `routeRules`
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44372
MEDIUM
Nitro: Open Redirect via Protocol-Relative URL Bypass in Wildcard Route Rules
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44351
CRITICAL
fast-jwt: Empty HMAC secret accepted via async key resolver - JWT auth bypass
May 13, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-45411
CRITICAL
vm2: Sandbox Breakout Using Async Generator
May 13, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-45109
HIGH
Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
May 13, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44582
LOW
Next.js: Cache poisoning via collisions in React Server Component cache-busting
May 13, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-44581
MEDIUM
Next.js: Cross-site scripting in App Router applications using CSP nonces
May 13, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-44580
MEDIUM
Next.js: Cross-site scripting in beforeInteractive scripts with untrusted input
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44579
HIGH
Next.js: Denial of Service via connection exhaustion in applications using Cache Components
May 13, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44578
HIGH
NUCLEI
Next.js: Server-side request forgery in applications using WebSocket upgrades
May 13, 2026
CVSS 8.6
EPSS 0.39
CVE-2026-44009
CRITICAL
vm2: Sandbox Breakout Through Null Proto Exception
May 13, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-44008
CRITICAL
vm2: Snabox breakout via `neutralizeArraySpeciesBatch`
May 13, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-44007
CRITICAL
vm2: nesting: true bypasses require: false, allowing sandbox escape to arbitrary OS command execution
May 13, 2026
CVSS 9.1
EPSS 0.01
CVE-2026-44006
CRITICAL
vm2: Sandbox Escape
May 13, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-44005
CRITICAL
vm2: Sandbox escape
May 13, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-44004
HIGH
vm2: Host Process OOM DoS via Buffer.alloc (Timeout Bypass)
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44003
MEDIUM
vm2: Transformer Fast-Path Bypass Exposes Internal State Variable
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44002
MEDIUM
vm2: Host File Path Disclosure via Stack Trace Information Leak
May 13, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-44001
HIGH
vm2: Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
May 13, 2026
CVSS 8.6
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters