npm
3,968 tracked vulnerabilities.
CVE-2026-5833
MEDIUM
awwaiid mcp-server-taskwarrior: command injection in server.setRequestHandler (index.ts)
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-5832
HIGH
atototo api-lab-mcp: server-side request forgery in HTTP component, test_http_endpoint (http-server.ts)
Apr 09, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-5831
MEDIUM
Agions taskflow-ai: OS command injection in terminal_execute (handlers.ts)
Apr 09, 2026
CVSS 6.3
EPSS 0.02
CVE-2026-40037
MEDIUM
OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects
Apr 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-39885
HIGH
FrontMCP Affected by SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications
Apr 08, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-39859
HIGH
LiquidJS renderFile() / parseFile() bypass the configured root and allow arbitrary file read
Apr 08, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-39412
MEDIUM
LiquidJS has an ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel
Apr 08, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35525
HIGH
LiquidJS has a root restriction bypass for partial and layout loading through symlinked templates
Apr 08, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-23869
HIGH
React Server Components 19.0.0-19.0.4, 19.1.0-19.1.5, 19.2.0-19.2.4 - Denial of Service via Crafted HTTP Requests
Apr 08, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-34166
LOW
LiquidJS has a Memory Limit Bypass via Quadratic Amplification in `replace` Filter
Apr 08, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-39865
MEDIUM
Axios HTTP/2 Session Cleanup State Corruption Vulnerability
Apr 08, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-39410
MEDIUM
Hono has a non-breaking space prefix bypass in cookie name handling in getCookie()
Apr 08, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-39409
MEDIUM
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
Apr 08, 2026
CVSS 5.3
EPSS 0.00
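The ipRestriction() entry above names a bug class worth seeing concretely: behind a dual-stack listener the same client can arrive as the IPv4 literal 203.0.113.5 or as the IPv4-mapped IPv6 literal ::ffff:203.0.113.5 (or its hex spelling ::ffff:cb00:7105), and a list that compares address strings without canonicalizing them will not match the mapped form against an IPv4 rule. The following is an added example written for this page in JavaScript; it is not Hono's code and makes no claim about how Hono's ipRestriction() is implemented. Function names are this example's own, and all addresses are constructed from the RFC 5737 and RFC 3849 documentation ranges.

```javascript
// Added example: canonicalize IPv4-mapped IPv6 before matching an IP deny list.
// Illustrates the bug class only; not Hono's implementation. No dependencies.

// Strict dotted-quad: no leading zeros, each octet 0-255.
const IPV4_RE = /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;

function parseIPv4(s) {
  return IPV4_RE.test(s) ? s.split('.').map(Number) : null;
}

// Expand an IPv6 literal into eight 16-bit groups. Handles "::" compression and
// a dotted-quad tail (::ffff:203.0.113.5). Returns null if the literal is malformed.
function expandIPv6(ip) {
  const lastColon = ip.lastIndexOf(':');
  if (lastColon === -1) return null;
  const tail = ip.slice(lastColon + 1);
  if (tail.includes('.')) {
    // Rewrite the embedded IPv4 tail as two hex groups so the rest of the
    // parser only ever sees colon-separated groups.
    const o = parseIPv4(tail);
    if (o === null) return null;
    const hi = ((o[0] << 8) | o[1]).toString(16);
    const lo = ((o[2] << 8) | o[3]).toString(16);
    ip = `${ip.slice(0, lastColon + 1)}${hi}:${lo}`;
  }
  const parts = ip.split('::');
  if (parts.length > 2) return null; // at most one "::"
  const toGroups = (s) => {
    if (s === '') return [];
    const gs = s.split(':');
    if (!gs.every((g) => /^[0-9a-f]{1,4}$/i.test(g))) return null;
    return gs.map((g) => parseInt(g, 16));
  };
  const head = toGroups(parts[0]);
  const rest = parts.length === 2 ? toGroups(parts[1]) : [];
  if (head === null || rest === null) return null;
  const missing = 8 - head.length - rest.length;
  if (parts.length === 1 ? missing !== 0 : missing < 1) return null;
  return [...head, ...new Array(missing).fill(0), ...rest];
}

// Canonical form: dotted-quad for IPv4 and for IPv4-mapped IPv6 (::ffff:a.b.c.d),
// otherwise eight lower-case hex groups with no "::" compression.
function normalizeIp(raw) {
  let ip = String(raw).trim();
  if (ip.startsWith('[') && ip.endsWith(']')) ip = ip.slice(1, -1); // URL/Host form [::1]
  const zone = ip.indexOf('%'); // fe80::1%eth0
  if (zone !== -1) ip = ip.slice(0, zone);
  if (parseIPv4(ip) !== null) return ip;
  const g = expandIPv6(ip);
  if (g === null) return null;
  const mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
  if (mapped) return [g[6] >> 8, g[6] & 0xff, g[7] >> 8, g[7] & 0xff].join('.');
  return g.map((x) => x.toString(16)).join(':');
}

// Naive check: compares raw strings, so the mapped form of a denied host slips through.
function isDeniedNaive(clientIp, denyList) {
  return denyList.includes(clientIp);
}

// Fixed check: canonicalize both the client address and every rule; unparseable input fails closed.
function isDeniedCanonical(clientIp, denyList) {
  const ip = normalizeIp(clientIp);
  if (ip === null) return true;
  const deny = new Set(denyList.map(normalizeIp).filter((x) => x !== null));
  return deny.has(ip);
}

// Demo with constructed addresses from the documentation ranges.
const denyList = ['203.0.113.5', '2001:db8::bad'];
for (const ip of ['203.0.113.5', '::ffff:203.0.113.5', '::FFFF:cb00:7105', '2001:DB8:0::BAD', '198.51.100.7']) {
  console.log(ip.padEnd(20), 'naive:', isDeniedNaive(ip, denyList), ' canonical:', isDeniedCanonical(ip, denyList));
}
```

The same canonicalization step matters for allow lists and for CIDR rules: compare the expanded groups (or the dotted-quad a mapped address reduces to) against the rule, never the string the socket or proxy header handed you.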
CVE-2026-39408
HIGH
Hono has a path traversal in toSSG() that allows writing files outside the output directory
Apr 08, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-39407
MEDIUM
Hono has a middleware bypass via repeated slashes in serveStatic
Apr 08, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34781
LOW
Electron crashes in clipboard.readImage() on malformed clipboard image data
Apr 07, 2026
CVSS 2.8
EPSS 0.00
CVE-2026-34765
MEDIUM
Electron named window.open targets not scoped to the opener's browsing context
Apr 07, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-39381
MEDIUM
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Apr 07, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-39371
HIGH
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
Apr 07, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-39365
MEDIUM
NUCLEI
Vite has a Path Traversal in Optimized Deps `.map` Handling
Apr 07, 2026
CVSS 5.3
EPSS 0.02
CVE-2026-39364
HIGH
NUCLEI
Vite has a `server.fs.deny` bypass with queries
Apr 07, 2026
CVSS 7.5
EPSS 0.07
CVE-2026-39363
HIGH
NUCLEI
Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket
Apr 07, 2026
CVSS 7.5
EPSS 0.09
CVE-2026-39356
HIGH
SQL Injection via escapeName() in all Drizzle ORM SQL dialects
Apr 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-39321
LOW
Parse Server has a login timing side-channel that reveals user existence
Apr 07, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-35613
MEDIUM
Path traversal in coursevault-preview due to improper base-directory boundary validation
Apr 07, 2026
CVSS 5.1
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12