npm

4,193 tracked vulnerabilities.

CVE-2026-39412 MEDIUM
LiquidJS <10.25.4 sort_natural - Prototype Property Disclosure
Apr 08, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35525 HIGH
LiquidJS <10.25.3 Symlinked Templates - Root Restriction Bypass
Apr 08, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-23869 HIGH
React Server Components 19.0.0-19.0.4 19.1.0-19.1.5 19.2.0-19.2.4 - Denial of Service via Crafted HTTP Requests
Apr 08, 2026
CVSS 7.5
EPSS 0.02
CVE-2026-34166 LOW
LiquidJS <10.25.3 replace Filter - Memory Limit Bypass
Apr 08, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-39865 MEDIUM
Axios HTTP/2 Session Cleanup State Corruption Vulnerability
Apr 08, 2026
CVSS 5.9
EPSS 0.01
CVE-2026-39410 MEDIUM
Hono <4.12.12 getCookie() - Cookie Prefix Bypass
Apr 08, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-39409 MEDIUM
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
Apr 08, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-39408 HIGH
Hono <4.12.12 toSSG() - Path Traversal
Apr 08, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-39407 MEDIUM
Hono <4.12.12 serveStatic - Middleware Bypass
Apr 08, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34781 LOW
Electron crashes in clipboard.readImage() on malformed clipboard image data
Apr 07, 2026
CVSS 2.8
EPSS 0.00
CVE-2026-34765 MEDIUM
Electron named window.open targets not scoped to the opener's browsing context
Apr 07, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-39381 MEDIUM
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
Apr 07, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-39371 HIGH
RedwoodSDK <1.0.6 Server Function Dispatch - Cross-Site Request Forgery
Apr 07, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-39365 MEDIUM NUCLEI
Vite Optimized Dependency Source Maps - Path Traversal
Apr 07, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-39364 HIGH NUCLEI
Vite Dev Server server.fs.deny - File Access Bypass
Apr 07, 2026
CVSS 7.5
EPSS 0.02
CVE-2026-39363 HIGH NUCLEI
Vite Affected by Arbitrary File Read via Vite Dev Server WebSocket
Apr 07, 2026
CVSS 7.5
EPSS 0.03
CVE-2026-39356 HIGH
SQL Injection via escapeName() in all Drizzle ORM SQL dialects
Apr 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-39321 LOW
Parse Server Login Endpoint - User Enumeration Timing Side-Channel
Apr 07, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-35613 MEDIUM
Path traversal in coursevault-preview due to improper base-directory boundary validation
Apr 07, 2026
CVSS 5.1
EPSS 0.00
CVE-2026-35442 HIGH
Directus: Authenticated Users Can Extract Concealed Fields via Aggregate Queries
Apr 06, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-35441 MEDIUM
Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits
Apr 06, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35413 MEDIUM
Directus GraphQL Schema SDL Disclosure Setting
Apr 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35412 HIGH
Directus <11.16.1 TUS Uploads - Arbitrary File Overwrite
Apr 06, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-35411 MEDIUM
Directus is an Open Redirect in Admin 2FA Setup Page
Apr 06, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-35410 MEDIUM
Directus <11.16.1 OAuth2/SAML Login - Open Redirect
Apr 06, 2026
CVSS 6.1
EPSS 0.00