npm
4,193 tracked vulnerabilities.
CVE-2026-35409
HIGH
Directus <11.16.0 File Import - Server-Side Request Forgery Bypass
Apr 06, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-35408
HIGH
Directus is Missing Cross-Origin Opener Policy
Apr 06, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-35200
MEDIUM
Parse Server File Uploads - Content-Type Override
Apr 06, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-35209
HIGH
defu: Prototype pollution via `__proto__` key in defaults argument
Apr 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-35042
HIGH
fast-jwt accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
Apr 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-35039
CRITICAL
fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
Apr 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-34950
CRITICAL
fast-jwt <=6.1.0 - JWT Algorithm Confusion
Apr 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-34764
LOW
Electron Offscreen Shared Texture release() - Use-After-Free
Apr 06, 2026
CVSS 2.3
EPSS 0.00
CVE-2026-34780
HIGH
Electron: Context Isolation bypass via contextBridge VideoFrame transfer
Apr 04, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-34779
MEDIUM
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
Apr 04, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34778
MEDIUM
Electron: Service worker can spoof executeJavaScript IPC replies
Apr 04, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-34777
MEDIUM
Electron: Incorrect origin passed to permission request handler for iframe requests
Apr 04, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34776
MEDIUM
Electron: Out-of-bounds read in second-instance IPC on macOS and Linux
Apr 04, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34775
MEDIUM
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
Apr 04, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-34774
HIGH
Electron: Use-after-free in offscreen child window paint callback
Apr 04, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-34773
MEDIUM
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
Apr 04, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-34772
MEDIUM
Electron: Use-after-free in download save dialog callback
Apr 04, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-34771
HIGH
Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks
Apr 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34770
HIGH
Electron: Use-after-free in PowerMonitor on Windows and macOS
Apr 04, 2026
CVSS 7.0
EPSS 0.00
CVE-2026-34769
HIGH
Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
Apr 04, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-34768
LOW
Electron: Unquoted executable path in app.setLoginItemSettings on Windows
Apr 04, 2026
CVSS 3.9
EPSS 0.00
CVE-2026-34767
MEDIUM
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
Apr 04, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-34766
LOW
Electron: USB device selection not validated against filtered device list
Apr 04, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-34511
MEDIUM
OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter
Apr 03, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34752
HIGH
Haraka affected by DoS via `__proto__` email header
Apr 02, 2026
CVSS 7.5
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters