npm

4,193 tracked vulnerabilities.

CVE-2026-44000 MEDIUM
vm2: sandbox boundary bypass via host Promise resolution preserving host object identity
May 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43999 CRITICAL
vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape
May 13, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-43998 HIGH
vm2: NodeVM require.root bypass via symlink traversal allows sandbox escape
May 13, 2026
CVSS 8.5
EPSS 0.01
CVE-2026-43997 CRITICAL
vm2: Sandbox Escape
May 13, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-44577 MEDIUM
Next.js: Denial of Service in the Image Optimization API
May 13, 2026
CVSS 5.9
EPSS 0.01
CVE-2026-44576 MEDIUM
Next.js: Cache poisoning in React Server Component responses
May 13, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-44575 HIGH
Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
May 13, 2026
CVSS 7.5
EPSS 0.02
CVE-2026-44574 HIGH
Next.js: Middleware / Proxy bypass through dynamic route parameter injection
May 13, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44573 HIGH
Next.js: Middleware / Proxy bypass in Pages Router applications using i18n
May 13, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-45740 MEDIUM
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-45028 MEDIUM
Astro: Server island encrypted parameters vulnerable to cross-component replay
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44665 MEDIUM
fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44664 MEDIUM
fast-xml-builder: Comment Value bypass regex
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44572 LOW
Next.js: Middleware / Proxy redirects can be cache-poisoned
May 13, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-44479 MEDIUM
Vercel: Non-interactive mode includes CLI arguments in suggested command output
May 13, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-44459 LOW
Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
May 13, 2026
CVSS 3.8
EPSS 0.00
CVE-2026-44457 MEDIUM
Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44456 MEDIUM
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
May 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-44455 MEDIUM
Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection
May 13, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-44295 HIGH
protobufjs-cli: Code injection in pbjs static output from crafted schema names
May 13, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-44294 MEDIUM
protobufjs: Denial of service from crafted field names in generated code
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44292 MEDIUM
protobufjs: Prototype injection in generated message constructors
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44291 HIGH
protobufjs: Code generation gadget after prototype pollution
May 13, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44290 HIGH
protobufjs: Process-wide denial of service through unsafe option paths
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44289 HIGH
protobufjs: Denial of service through unbounded protobuf recursion
May 13, 2026
CVSS 7.5
EPSS 0.01