npm
3,968 tracked vulnerabilities.
CVE | Severity | Title | Date | CVSS | EPSS
--- | --- | --- | --- | --- | ---
CVE-2026-34769 | HIGH | Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference | Apr 04, 2026 | 7.7 | 0.00
CVE-2026-34768 | LOW | Electron: Unquoted executable path in app.setLoginItemSettings on Windows | Apr 04, 2026 | 3.9 | 0.00
CVE-2026-34767 | MEDIUM | Electron: HTTP Response Header Injection in custom protocol handlers and webRequest | Apr 04, 2026 | 5.9 | 0.00
CVE-2026-34766 | LOW | Electron: USB device selection not validated against filtered device list | Apr 04, 2026 | 3.3 | 0.00
CVE-2026-34511 | MEDIUM | OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter | Apr 03, 2026 | 5.3 | 0.00
CVE-2026-34752 | HIGH | Haraka affected by DoS via `__proto__` email header | Apr 02, 2026 | 7.5 | 0.00
CVE-2026-34426 | HIGH | OpenClaw - Approval Bypass via Environment Variable Normalization | Apr 02, 2026 | 7.6 | 0.00
CVE-2026-34425 | MEDIUM | OpenClaw - Shell-Bleed Protection Preflight Validation Bypass | Apr 02, 2026 | 5.4 | 0.00
CVE-2026-34725 | HIGH | dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration | Apr 02, 2026 | 8.2 | 0.00
CVE-2026-34601 | HIGH | xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion | Apr 02, 2026 | 7.5 | 0.00
CVE-2026-34526 | MEDIUM | SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6 | Apr 02, 2026 | 5.0 | 0.00
CVE-2026-34524 | HIGH | SillyTavern: Path traversal in `/api/chats/export` and `/api/chats/delete` allows arbitrary file read/delete within user data root | Apr 02, 2026 | 8.3 | 0.00
CVE-2026-34523 | MEDIUM | SillyTavern: Path traversal allows file existence oracle | Apr 02, 2026 | 5.3 | 0.00
CVE-2026-34522 | HIGH | SillyTavern: Path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory | Apr 02, 2026 | 8.1 | 0.00
CVE-2026-35038 | MEDIUM | signalk-server: Arbitrary Prototype Read via `from` Field Bypass | Apr 02, 2026 | 6.5 | 0.00
CVE-2026-34083 | MEDIUM | signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow | Apr 02, 2026 | 6.1 | 0.00
CVE-2026-33951 | HIGH | signalk-server: Unauthenticated Source Priorities Manipulation | Apr 02, 2026 | 7.5 | 0.00
CVE-2026-33950 | CRITICAL | signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity | Apr 02, 2026 | 9.4 | 0.00
CVE-2026-5327 | MEDIUM | efforthye fast-filesystem-mcp index.ts handleGetDiskUsage command injection | Apr 02, 2026 | 6.3 | 0.02
CVE-2026-5323 | MEDIUM | priyankark a11y-mcp index.js A11yServer server-side request forgery | Apr 02, 2026 | 5.3 | 0.00
CVE-2026-34749 | MEDIUM | Payload has a CSRF Protection Bypass in Authentication Flow | Apr 01, 2026 | 5.4 | 0.00
CVE-2026-34747 | HIGH | Payload has an SQL Injection via Query Handling | Apr 01, 2026 | 8.5 | 0.00
CVE-2026-34746 | HIGH | Payload has Authenticated SSRF via Upload Functionality | Apr 01, 2026 | 7.7 | 0.00
CVE-2026-34751 | CRITICAL | Payload has Unvalidated Input in Password Recovery Endpoints | Apr 01, 2026 | 9.1 | 0.00
CVE-2026-2265 | MEDIUM | Replicator 1.0.5 is vulnerable to Remote Code Execution through Insecure Deserialization | Apr 01, 2026 | 6.5 | 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12