npm
3,968 tracked vulnerabilities.
CVE-2026-44007
CRITICAL
vm2: `nesting: true` bypasses `require: false`, allowing sandbox escape to arbitrary OS command execution
May 13, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-44006
CRITICAL
vm2: Sandbox Escape
May 13, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-44005
CRITICAL
vm2: Sandbox escape
May 13, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-44004
HIGH
vm2: Host Process OOM DoS via Buffer.alloc (Timeout Bypass)
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44003
MEDIUM
vm2: Transformer Fast-Path Bypass Exposes Internal State Variable
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44002
MEDIUM
vm2: Host File Path Disclosure via Stack Trace Information Leak
May 13, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-44001
HIGH
vm2: Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
May 13, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-44000
MEDIUM
vm2: sandbox boundary bypass via host Promise resolution preserving host object identity
May 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43999
CRITICAL
vm2: NodeVM builtin allowlist bypass via `module` builtin's `Module._load` allows sandbox escape
May 13, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-43998
HIGH
vm2: NodeVM require.root bypass via symlink traversal allows sandbox escape
May 13, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-43997
CRITICAL
vm2: Sandbox Escape
May 13, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-44577
MEDIUM
Next.js: Denial of Service in the Image Optimization API
May 13, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-44576
MEDIUM
Next.js: Cache poisoning in React Server Component responses
May 13, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-44575
HIGH
Next.js: Middleware / Proxy bypass in App Router applications via segment-prefetch routes
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44574
HIGH
Next.js: Middleware / Proxy bypass through dynamic route parameter injection
May 13, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44573
HIGH
Next.js: Middleware / Proxy bypass in Pages Router applications using i18n
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-45740
MEDIUM
protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-45028
MEDIUM
Astro: Server island encrypted parameters vulnerable to cross-component replay
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44665
MEDIUM
fast-xml-builder: Attribute values with unwanted quotes can bypass malicious or unwanted attributes
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44664
MEDIUM
fast-xml-builder: Comment Value bypass regex
May 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-44572
LOW
Next.js: Middleware / Proxy redirects can be cache-poisoned
May 13, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-44479
MEDIUM
Vercel: Non-interactive mode includes CLI arguments in suggested command output
May 13, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-44459
LOW
Hono: Improper validation of NumericDate claims (exp, nbf, iat) in JWT verify()
May 13, 2026
CVSS 3.8
EPSS 0.00
CVE-2026-44457
MEDIUM
Hono: Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44456
MEDIUM
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
May 13, 2026
CVSS 6.5
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12