npm
4,193 tracked vulnerabilities.
CVE-2026-56268
HIGH
Flowise - Cross-Workspace Information Disclosure via chatflows/apikey Endpoint
Jun 22, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-55602
HIGH
http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
Jun 22, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-53550
MEDIUM
js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases
Jun 22, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-49293
HIGH
CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals
Jun 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-49357
HIGH
Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication
Jun 19, 2026
EPSS 0.00
CVE-2026-12644
MEDIUM
Ts-deepmerge < 8.0.0 - Uncaught Exception
Jun 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-45617
HIGH
LiquidJS: ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
Jun 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-45357
HIGH
LiquidJS: Memory and render limit bypass via unbounded width padding in `date` filter (strftime)
Jun 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44646
MEDIUM
LiquidJS: `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`
Jun 17, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44645
MEDIUM
LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
Jun 17, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-44644
MEDIUM
LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
Jun 17, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-48814
CRITICAL
Network-AI: Empty default secret still authorizes all requests (Incomplete fix for CVE-2026-46701)
Jun 17, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-9697
HIGH
undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
Jun 17, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-9679
MEDIUM
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding
Jun 17, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-9678
MEDIUM
undici vulnerable to cross-user information disclosure via shared cache whitespace bypass
Jun 17, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-6734
HIGH
undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse
Jun 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-6733
LOW
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse
Jun 17, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-11525
LOW
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
Jun 17, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-9675
HIGH
undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
Jun 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-12151
HIGH
undici WebSocket client vulnerable to denial of service via fragment count bypass
Jun 17, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-48779
HIGH
ws: Memory exhaustion DoS from tiny fragments and data chunks
Jun 17, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-53866
HIGH
OpenClaw < 2026.5.12 - Allowlist Bypass in Shell Inline-Command Parsing
Jun 16, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-53865
HIGH
OpenClaw < 2026.5.2 - Arbitrary Command Execution via Workspace-Derived Service PATH
Jun 16, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-53864
HIGH
OpenClaw < 2026.5.26 - Insufficient Environment Variable Sanitization in Node.js Control Variables
Jun 16, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-53863
HIGH
OpenClaw < 2026.4.25 - Unvalidated Group ID Acceptance in Tool Group Policy
Jun 16, 2026
CVSS 7.1
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters