npm
3,968 tracked vulnerabilities.
CVE-2026-44455
MEDIUM
Hono: Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection
May 13, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-44295
HIGH
protobufjs-cli: Code injection in pbjs static output from crafted schema names
May 13, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-44294
MEDIUM
protobufjs: Denial of service from crafted field names in generated code
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44292
MEDIUM
protobufjs: Prototype injection in generated message constructors
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44291
HIGH
protobufjs: Code generation gadget after prototype pollution
May 13, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-44290
HIGH
protobufjs: Process-wide denial of service through unsafe option paths
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44289
HIGH
protobufjs: Denial of service through unbounded protobuf recursion
May 13, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44288
MEDIUM
protobufjs: Overlong UTF-8 decoding
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-42290
HIGH
protobufjs-cli: OS Command Injection
May 13, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-44240
HIGH
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44217
MEDIUM
sse-channel: SSE Injection via unsanitized event fields
May 12, 2026
EPSS 0.00
CVE-2026-42338
MEDIUM
ip-address: XSS in Address6 HTML-emitting methods
May 12, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-43929
HIGH
ssrfcheck: Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
May 12, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-42260
HIGH
Open-WebSearch: SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`
May 12, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-45091
CRITICAL
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
May 12, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-43930
LOW
Parse Server: MFA SMS one-time password accepted twice under concurrent login
May 12, 2026
EPSS 0.00
CVE-2026-8162
HIGH
multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-8161
HIGH
multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-8159
HIGH
multiparty vulnerable to ReDoS via filename parsing
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-6402
MEDIUM
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
May 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-43897
HIGH
Link Preview JS: vulnerable to IPv6 and internal loopback attacks
May 11, 2026
EPSS 0.00
CVE-2026-43893
HIGH
exiftool-vendored: Argument injection via newline characters in tag names
May 11, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-45005
MEDIUM
OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation
May 11, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-45004
HIGH
OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory
May 11, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-45003
MEDIUM
OpenClaw < 2026.4.22 - Connector Endpoint Host Override via Workspace dotenv Files
May 11, 2026
CVSS 5.0
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12