npm

4,193 tracked vulnerabilities.

CVE-2026-35409 HIGH
Directus <11.16.0 File Import - Server-Side Request Forgery Bypass
Apr 06, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-35408 HIGH
Directus is Missing Cross-Origin Opener Policy
Apr 06, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-35200 MEDIUM
Parse Server File Uploads - Content-Type Override
Apr 06, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-35209 HIGH
defu: Prototype pollution via `__proto__` key in defaults argument
Apr 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-35042 HIGH
fast-jwt accepts unknown `crit` header extensions (RFC 7515 §4.1.11 MUST violation)
Apr 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-35039 CRITICAL
fast-jwt Affected by Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
Apr 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-34950 CRITICAL
fast-jwt <=6.1.0 - JWT Algorithm Confusion
Apr 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-34764 LOW
Electron Offscreen Shared Texture release() - Use-After-Free
Apr 06, 2026
CVSS 2.3
EPSS 0.00
CVE-2026-34780 HIGH
Electron: Context Isolation bypass via contextBridge VideoFrame transfer
Apr 04, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-34779 MEDIUM
Electron: AppleScript injection in app.moveToApplicationsFolder on macOS
Apr 04, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34778 MEDIUM
Electron: Service worker can spoof executeJavaScript IPC replies
Apr 04, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-34777 MEDIUM
Electron: Incorrect origin passed to permission request handler for iframe requests
Apr 04, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34776 MEDIUM
Electron: Out-of-bounds read in second-instance IPC on macOS and Linux
Apr 04, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34775 MEDIUM
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
Apr 04, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-34774 HIGH
Electron: Use-after-free in offscreen child window paint callback
Apr 04, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-34773 MEDIUM
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
Apr 04, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-34772 MEDIUM
Electron: Use-after-free in download save dialog callback
Apr 04, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-34771 HIGH
Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks
Apr 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34770 HIGH
Electron: Use-after-free in PowerMonitor on Windows and macOS
Apr 04, 2026
CVSS 7.0
EPSS 0.00
CVE-2026-34769 HIGH
Electron: Renderer command-line switch injection via undocumented commandLineSwitches webPreference
Apr 04, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-34768 LOW
Electron: Unquoted executable path in app.setLoginItemSettings on Windows
Apr 04, 2026
CVSS 3.9
EPSS 0.00
CVE-2026-34767 MEDIUM
Electron: HTTP Response Header Injection in custom protocol handlers and webRequest
Apr 04, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-34766 LOW
Electron: USB device selection not validated against filtered device list
Apr 04, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-34511 MEDIUM
OpenClaw < 2026.4.2 - PKCE Verifier Exposure via OAuth State Parameter
Apr 03, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34752 HIGH
Haraka affected by DoS via `__proto__` email header
Apr 02, 2026
CVSS 7.5
EPSS 0.00