npm

4,193 tracked vulnerabilities.

CVE-2026-56268 HIGH
Flowise - Cross-Workspace Information Disclosure via chatflows/apikey Endpoint
Jun 22, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-55602 HIGH
http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
Jun 22, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-53550 MEDIUM
js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases
Jun 22, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-49293 HIGH
CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals
Jun 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-49357 HIGH
Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication
Jun 19, 2026
EPSS 0.00
CVE-2026-12644 MEDIUM
Ts-deepmerge < 8.0.0 - Uncaught Exception
Jun 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-45617 HIGH
LiquidJS: ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
Jun 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-45357 HIGH
LiquidJS: Memory and render limit bypass via unbounded width padding in `date` filter (strftime)
Jun 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44646 MEDIUM
LiquidJS: `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`
Jun 17, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44645 MEDIUM
LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
Jun 17, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-44644 MEDIUM
LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
Jun 17, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-48814 CRITICAL
Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701)
Jun 17, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-9697 HIGH
undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
Jun 17, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-9679 MEDIUM
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Jun 17, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-9678 MEDIUM
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Jun 17, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-6734 HIGH
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
Jun 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-6733 LOW
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
Jun 17, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-11525 LOW
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
Jun 17, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-9675 HIGH
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
Jun 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-12151 HIGH
undici WebSocket client vulnerable to denial of service via fragment count bypass
Jun 17, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-48779 HIGH
ws: Memory exhaustion DoS from tiny fragments and data chunks
Jun 17, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-53866 HIGH
OpenClaw < 2026.5.12 - Allowlist Bypass in Shell Inline-Command Parsing
Jun 16, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-53865 HIGH
OpenClaw < 2026.5.2 - Arbitrary Command Execution via Workspace-Derived Service PATH
Jun 16, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-53864 HIGH
OpenClaw < 2026.5.26 - Insufficient Environment Variable Sanitization in Node.js Control Variables
Jun 16, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-53863 HIGH
OpenClaw < 2026.4.25 - Unvalidated Group ID Acceptance in Tool Group Policy
Jun 16, 2026
CVSS 7.1
EPSS 0.00