npm
3,968 tracked vulnerabilities.
CVE-2026-35442
HIGH
Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries
Apr 06, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-35441
MEDIUM
Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits
Apr 06, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35413
MEDIUM
Directus GraphQL Schema SDL Disclosure Setting
Apr 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35412
HIGH
Directus has a TUS Upload Authorization Bypass Allows Arbitrary File Overwrite
Apr 06, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-35411
MEDIUM
Directus is an Open Redirect in Admin 2FA Setup Page
Apr 06, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-35410
MEDIUM
Directus has an Open Redirect via Parser Bypass in OAuth2/SAML Authentication Flow
Apr 06, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-35409
HIGH
Directus has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
Apr 06, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-35408
HIGH
Directus is Missing Cross-Origin Opener Policy
Apr 06, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-35200
MEDIUM
Parse Server has a file upload Content-Type override via extension mismatch
Apr 06, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-35209
HIGH
defu: Prototype pollution via `__proto__` key in defaults argument
Apr 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-35042
HIGH
fast-jwt accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
Apr 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-35039
CRITICAL
fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
Apr 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-34950
CRITICAL
fast-jwt <=6.1.0 - JWT Algorithm Confusion
Apr 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-34764
LOW
Electron has a use-after-free in offscreen shared texture release() callback
Apr 06, 2026
CVSS 2.3
EPSS 0.00
CVE-2026-34780
HIGH
Electron: Context Isolation bypass via contextBridge VideoFrame transfer
Apr 04, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-34779
MEDIUM
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
Apr 04, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34778
MEDIUM
Electron: Service worker can spoof executeJavaScript IPC replies
Apr 04, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-34777
MEDIUM
Electron: Incorrect origin passed to permission request handler for iframe requests
Apr 04, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34776
MEDIUM
Electron: Out-of-bounds read in second-instance IPC on macOS and Linux
Apr 04, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34775
MEDIUM
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
Apr 04, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-34774
HIGH
Electron: Use-after-free in offscreen child window paint callback
Apr 04, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-34773
MEDIUM
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
Apr 04, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-34772
MEDIUM
Electron: Use-after-free in download save dialog callback
Apr 04, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-34771
HIGH
Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks
Apr 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34770
HIGH
Electron: Use-after-free in PowerMonitor on Windows and macOS
Apr 04, 2026
CVSS 7.0
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12