npm

4,193 tracked vulnerabilities.

CVE-2026-43995 CRITICAL
Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
May 11, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-42856 HIGH
Network-AI: Missing authentication on MCP HTTP endpoint allows unauthenticated privileged tool calls
May 11, 2026
EPSS 0.00
CVE-2026-30635 HIGH
automagik-genie 2.5.27 - Command Injection
May 11, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-44643 CRITICAL
Angular Expressions - Remote Code Execution using filters
May 11, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-41893 HIGH
Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)
May 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41311 HIGH
LiquidJS is vulnerable to Denial of Service via circular block reference in layout
May 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44694 CRITICAL
n8n-MCP: Authenticated SSRF in n8n-mcp webhook and API client paths
May 08, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-42282 MEDIUM
n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode
May 08, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-42190 MEDIUM
RedwoodSDK: Same-site CSRF in in server actions
May 08, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41495 MEDIUM
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests
May 08, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-42353 HIGH
Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters
May 08, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-41886 HIGH
locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor
May 08, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41885 MEDIUM
Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend
May 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41693 HIGH
i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite
May 08, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-41690 HIGH
Prototype pollution and path traversal in i18next-http-middleware via user-controlled language and namespace parameters
May 08, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-41683 HIGH
HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header
May 08, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-41591 MEDIUM
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
May 08, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-41507 CRITICAL
Remote Code Execution (RCE) via String Literal Injection into math-codegen
May 08, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-43944 CRITICAL
electerm: dangerous code can be run through links or command line
May 08, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-43943 HIGH
electerm: RCE via malicious SSH server filename in openFileWithEditor
May 08, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-43942 MEDIUM
electerm: Full process.env exposed to renderer via window.pre.env in electerm
May 08, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-43941 CRITICAL
Unvalidated shell.openExternal in electerm allows arbitrary protocol execution via terminal link click
May 08, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-43940 HIGH
electerm: Path traversal in electerm runWidget leads to arbitrary code execution
May 08, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-42264 HIGH
Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking
May 08, 2026
CVSS 7.4
EPSS 0.01
CVE-2026-41900 HIGH
OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment
May 08, 2026
CVSS 8.8
EPSS 0.01