npm
3,968 tracked vulnerabilities.
CVE-2026-33665
HIGH
n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover
Mar 25, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33663
MEDIUM
n8n Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition
Mar 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33660
HIGH
n8n Has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode
Mar 25, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-27496
MEDIUM
n8n has In-Process Memory Disclosure in its Task Runner
Mar 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-26833
CRITICAL
thumbler <=1.1.2 - Command Injection
Mar 25, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-26832
CRITICAL
node-tesseract-ocr through 2.2.1 - Command Injection
Mar 25, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-26831
CRITICAL
textract through 2.5.0 - Command Injection
Mar 25, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-26830
CRITICAL
pdf-image through 2.0.0 - Command Injection
Mar 25, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-33349
MEDIUM
fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation
Mar 24, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-33769
MEDIUM
Astro: Remote allowlist bypass via unanchored matchPathname wildcard
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33627
MEDIUM
Parse Server: Auth data exposed via /users/me endpoint
Mar 24, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33624
LOW
Parse Server: MFA recovery code single-use bypass via concurrent requests
Mar 24, 2026
CVSS 2.7
EPSS 0.00
CVE-2026-33539
HIGH
Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter
Mar 24, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-33538
HIGH
Parse Server: Denial of service via unindexed database query for unconfigured auth providers
Mar 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33527
MEDIUM
Parse Server: Session update endpoint allows overwriting server-generated session fields
Mar 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-33508
HIGH
Parse Server: LiveQuery subscription query depth bypass
Mar 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33498
HIGH
Parse Server: Query condition depth bypass via pre-validation transform pipeline
Mar 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33429
MEDIUM
Parse Server: Protected field change detection oracle via LiveQuery watch parameter
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33421
MEDIUM
Parse Server: LiveQuery bypasses CLP pointer permission enforcement
Mar 24, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33409
CRITICAL
Parse Server: Auth provider validation bypass on login via partial authData
Mar 24, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-33323
MEDIUM
Parse Server: Email verification resend page leaks user existence
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32913
CRITICAL
OpenClaw < 2026.3.7 - Custom Authorization Header Leakage via Cross-Origin Redirects
Mar 23, 2026
CVSS 9.3
EPSS 0.00
CVE-2026-27646
MEDIUM
OpenClaw <2026.3.7 - Sandbox Escape
Mar 23, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-27183
MEDIUM
OpenClaw < 2026.3.7 - Shell Approval Gating Bypass via Dispatch Wrapper Depth Mismatch
Mar 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-3635
MEDIUM
Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function
Mar 23, 2026
CVSS 6.1
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12