npm
3,968 tracked vulnerabilities.
CVE-2026-33896
HIGH
Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
Mar 27, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-33895
HIGH
Forge has signature forgery in Ed25519 due to missing S > L check
Mar 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33894
HIGH
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
Mar 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33891
HIGH
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
Mar 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33750
MEDIUM
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
Mar 27, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33672
MEDIUM
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
Mar 26, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33671
HIGH
Picomatch has a ReDoS vulnerability via extglob quantifiers
Mar 26, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33532
MEDIUM
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
Mar 26, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-4926
HIGH
path-to-regexp vulnerable to Denial of Service via sequential optional groups
Mar 26, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-4923
MEDIUM
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
Mar 26, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-33732
MEDIUM
srvx is vulnerable to middleware bypass via absolute URI in request line
Mar 26, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-33490
LOW
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
Mar 26, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-4867
HIGH
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
Mar 26, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33468
HIGH
Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
Mar 26, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-33442
HIGH
Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.
Mar 26, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-32846
HIGH
OpenClaw Media Parsing Path Traversal to Arbitrary File Read
Mar 26, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33287
HIGH
LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern
Mar 26, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33285
HIGH
LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
Mar 26, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33751
MEDIUM
n8n Vulnerable to LDAP Filter Injection in LDAP Node
Mar 25, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-33749
CRITICAL
n8n Vulnerable to XSS via Binary Data Inline HTML Rendering
Mar 25, 2026
CVSS 9.0
EPSS 0.00
CVE-2026-33724
HIGH
n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no
Mar 25, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-33722
MEDIUM
n8n Has External Secrets Authorization Bypass in Credential Saving
Mar 25, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33720
MEDIUM
n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK
Mar 25, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-33713
HIGH
n8n Vulnerable to SQL Injection in Data Table Node via orderByColumn Expression
Mar 25, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-33696
HIGH
n8n Vulnerable to Prototype Pollution in XML & GSuiteAdmin node parameters lead to RCE
Mar 25, 2026
CVSS 8.8
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12