npm
4,193 tracked vulnerabilities.
CVE-2026-43995
CRITICAL
Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
May 11, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-42856
HIGH
Network-AI: Missing authentication on MCP HTTP endpoint allows unauthenticated privileged tool calls
May 11, 2026
EPSS 0.00
CVE-2026-30635
HIGH
automagik-genie 2.5.27 - Command Injection
May 11, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-44643
CRITICAL
Angular Expressions - Remote Code Execution using filters
May 11, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-41893
HIGH
Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force)
May 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41311
HIGH
LiquidJS is vulnerable to Denial of Service via circular block reference in layout
May 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44694
CRITICAL
n8n-MCP: Authenticated SSRF in n8n-mcp webhook and API client paths
May 08, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-42282
MEDIUM
n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode
May 08, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-42190
MEDIUM
RedwoodSDK: Same-site CSRF in in server actions
May 08, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41495
MEDIUM
n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests
May 08, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-42353
HIGH
Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters
May 08, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-41886
HIGH
locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor
May 08, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41885
MEDIUM
Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend
May 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41693
HIGH
i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite
May 08, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-41690
HIGH
Prototype pollution and path traversal in i18next-http-middleware via user-controlled language and namespace parameters
May 08, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-41683
HIGH
HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header
May 08, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-41591
MEDIUM
Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping
May 08, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-41507
CRITICAL
Remote Code Execution (RCE) via String Literal Injection into math-codegen
May 08, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-43944
CRITICAL
electerm: dangerous code can be run through links or command line
May 08, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-43943
HIGH
electerm: RCE via malicious SSH server filename in openFileWithEditor
May 08, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-43942
MEDIUM
electerm: Full process.env exposed to renderer via window.pre.env in electerm
May 08, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-43941
CRITICAL
Unvalidated shell.openExternal in electerm allows arbitrary protocol execution via terminal link click
May 08, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-43940
HIGH
electerm: Path traversal in electerm runWidget leads to arbitrary code execution
May 08, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-42264
HIGH
Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking
May 08, 2026
CVSS 7.4
EPSS 0.01
CVE-2026-41900
HIGH
OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment
May 08, 2026
CVSS 8.8
EPSS 0.01
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters