npm

4,193 tracked vulnerabilities.

CVE-2026-33671 HIGH
Picomatch Extglob Quantifiers - Regular Expression Denial of Service
Mar 26, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33532 MEDIUM
yaml is vulnerable to Stack Overflow via deeply nested YAML collections
Mar 26, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-4926 HIGH
path-to-regexp vulnerable to Denial of Service via sequential optional groups
Mar 26, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-4923 MEDIUM
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple wildcards
Mar 26, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-33732 MEDIUM
srvx is vulnerable to middleware bypass via absolute URI in request line
Mar 26, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-33490 LOW
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
Mar 26, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-4867 HIGH
path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
Mar 26, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33468 HIGH
Kysely <0.28.14 MySQL String Literals - SQL Injection
Mar 26, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-33442 HIGH
Kysely 0.28.12-0.28.13 MySQL JSON Path Keys - SQL Injection
Mar 26, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-32846 HIGH
OpenClaw Media Parsing Path Traversal to Arbitrary File Read
Mar 26, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33287 HIGH
LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern
Mar 26, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33285 HIGH
LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
Mar 26, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33751 MEDIUM
n8n Vulnerable to LDAP Filter Injection in LDAP Node
Mar 25, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-33749 CRITICAL
n8n Vulnerable to XSS via Binary Data Inline HTML Rendering
Mar 25, 2026
CVSS 9.0
EPSS 0.00
CVE-2026-33724 HIGH
n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no
Mar 25, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-33722 MEDIUM
n8n Has External Secrets Authorization Bypass in Credential Saving
Mar 25, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33720 MEDIUM
n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK
Mar 25, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-33713 HIGH
n8n Vulnerable to SQL Injection in Data Table Node via orderByColumn Expression
Mar 25, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-33696 HIGH
n8n Vulnerable to Prototype Pollution in XML & GSuiteAdmin node parameters lead to RCE
Mar 25, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-33665 HIGH
n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover
Mar 25, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33663 MEDIUM
n8n Vulnerable to Credential Theft via Name-Based Resolution and Permission Checker Bypass in Community Edition
Mar 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33660 HIGH
n8n Has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode
Mar 25, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-27496 MEDIUM
n8n has In-Process Memory Disclosure in its Task Runner
Mar 25, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-26833 CRITICAL
thumbler <=1.1.2 - Command Injection
Mar 25, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-26832 CRITICAL
node-tesseract-ocr through 2.2.1 - Command Injection
Mar 25, 2026
CVSS 9.8
EPSS 0.02