npm

4,193 tracked vulnerabilities.

CVE-2026-34426 HIGH
OpenClaw - Approval Bypass via Environment Variable Normalization
Apr 02, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-34425 MEDIUM
OpenClaw - Shell-Bleed Protection Preflight Validation Bypass
Apr 02, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34725 HIGH
dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration
Apr 02, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-34601 HIGH
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34526 MEDIUM
SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6
Apr 02, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-34524 HIGH
SillyTavern: Path traversal in `/api/chats/export` and `/api/chats/delete` allows arbitrary file read/delete within user data root
Apr 02, 2026
CVSS 8.3
EPSS 0.01
CVE-2026-34523 MEDIUM
SillyTavern: Path traversal allows file existence oracle
Apr 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34522 HIGH
SillyTavern: Path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory
Apr 02, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-35038 MEDIUM
signalk-server: Arbitrary Prototype Read via `from` Field Bypass
Apr 02, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34083 MEDIUM
signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
Apr 02, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-33951 HIGH
signalk-server: Unauthenticated Source Priorities Manipulation
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33950 CRITICAL
signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity
Apr 02, 2026
CVSS 9.4
EPSS 0.00
CVE-2026-5327 MEDIUM
efforthye fast-filesystem-mcp index.ts handleGetDiskUsage command injection
Apr 02, 2026
CVSS 6.3
EPSS 0.01
CVE-2026-5323 MEDIUM
priyankark a11y-mcp index.js A11yServer server-side request forgery
Apr 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34749 MEDIUM
Payload <3.79.1 Authentication Flow - CSRF Protection Bypass
Apr 01, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34747 HIGH
Payload <3.79.1 Query Handling - SQL Injection
Apr 01, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-34746 HIGH
Payload has Authenticated SSRF via Upload Functionality
Apr 01, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-34751 CRITICAL
Payload has Unvalidated Input in Password Recovery Endpoints
Apr 01, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-2265 MEDIUM
Replicator 1.0.5 is vulnerable to Remote Code Execution through Insecure Deserialization
Apr 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34405 MEDIUM
Nuxt OG Image vulnerable to reflected XSS via query parameter injection into HTML attributes
Mar 31, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-34404 HIGH
Nuxt OG Image vulnerable to DoS via image generation
Mar 31, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-4800 HIGH
lodash vulnerable to Code Injection via `_.template` imports key names
Mar 31, 2026
CVSS 8.1
EPSS 0.02
CVE-2026-34784 HIGH
Parse Server: Streaming file download bypasses afterFind file trigger authorization
Mar 31, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34215 MEDIUM
Parse Server: Auth data exposed via verify password endpoint
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-2950 MEDIUM
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
Mar 31, 2026
CVSS 6.5
EPSS 0.00