npm
4,193 tracked vulnerabilities.
CVE-2026-44000
MEDIUM
vm2: sandbox boundary bypass via host Promise resolution preserving host object identity
May 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43999
CRITICAL
vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape
May 13, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-43998
HIGH
vm2: NodeVM require.root bypass via symlink traversal allows sandbox escape
May 13, 2026
CVSS 8.5
EPSS 0.01
CVE-2026-43997
CRITICAL
vm2: Sandbox Escape
May 13, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-44577
MEDIUM
Next.js: Denial of Service in the Image Optimization API
May 13, 2026
CVSS 5.9
EPSS 0.01
CVE-2026-44576
MEDIUM
Next.js: Cache poisoning in React Server Component responses
May 13, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-44575
HIGH
Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
May 13, 2026
CVSS 7.5
EPSS 0.02
CVE-2026-44574
HIGH
Next.js: Middleware / Proxy bypass through dynamic route parameter injection
May 13, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44573
HIGH
Next.js: Middleware / Proxy bypass in Pages Router applications using i18n
May 13, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-45740
MEDIUM
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-45028
MEDIUM
Astro: Server island encrypted parameters vulnerable to cross-component replay
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44665
MEDIUM
fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44664
MEDIUM
fast-xml-builder: Comment Value bypass regex
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44572
LOW
Next.js: Middleware / Proxy redirects can be cache-poisoned
May 13, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-44479
MEDIUM
Vercel: Non-interactive mode includes CLI arguments in suggested command output
May 13, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-44459
LOW
Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
May 13, 2026
CVSS 3.8
EPSS 0.00
CVE-2026-44457
MEDIUM
Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44456
MEDIUM
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
May 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-44455
MEDIUM
Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection
May 13, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-44295
HIGH
protobufjs-cli: Code injection in pbjs static output from crafted schema names
May 13, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-44294
MEDIUM
protobufjs: Denial of service from crafted field names in generated code
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44292
MEDIUM
protobufjs: Prototype injection in generated message constructors
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44291
HIGH
protobufjs: Code generation gadget after prototype pollution
May 13, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44290
HIGH
protobufjs: Process-wide denial of service through unsafe option paths
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44289
HIGH
protobufjs: Denial of service through unbounded protobuf recursion
May 13, 2026
CVSS 7.5
EPSS 0.01
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters