npm
4,193 tracked vulnerabilities.
CVE-2026-26831
CRITICAL
textract through 2.5.0 - Command Injection
Mar 25, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-26830
CRITICAL
pdf-image through 2.0.0 - Command Injection
Mar 25, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-33349
MEDIUM
fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation
Mar 24, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-33769
MEDIUM
Astro: Remote allowlist bypass via unanchored matchPathname wildcard
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33627
MEDIUM
Parse Server: Auth data exposed via /users/me endpoint
Mar 24, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33624
LOW
Parse Server: MFA recovery code single-use bypass via concurrent requests
Mar 24, 2026
CVSS 2.7
EPSS 0.00
CVE-2026-33539
HIGH
Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter
Mar 24, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-33538
HIGH
Parse Server: Denial of service via unindexed database query for unconfigured auth providers
Mar 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33527
MEDIUM
Parse Server: Session update endpoint allows overwriting server-generated session fields
Mar 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-33508
HIGH
Parse Server: LiveQuery subscription query depth bypass
Mar 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33498
HIGH
Parse Server: Query condition depth bypass via pre-validation transform pipeline
Mar 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33429
MEDIUM
Parse Server: Protected field change detection oracle via LiveQuery watch parameter
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33421
MEDIUM
Parse Server: LiveQuery bypasses CLP pointer permission enforcement
Mar 24, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33409
CRITICAL
Parse Server: Auth provider validation bypass on login via partial authData
Mar 24, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-33323
MEDIUM
Parse Server: Email verification resend page leaks user existence
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32913
CRITICAL
OpenClaw < 2026.3.7 - Custom Authorization Header Leakage via Cross-Origin Redirects
Mar 23, 2026
CVSS 9.3
EPSS 0.00
CVE-2026-27646
MEDIUM
OpenClaw <2026.3.7 - Sandbox Escape
Mar 23, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-27183
MEDIUM
OpenClaw < 2026.3.7 - Shell Approval Gating Bypass via Dispatch Wrapper Depth Mismatch
Mar 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-3635
MEDIUM
Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function
Mar 23, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-4603
MEDIUM
jsrsasign <11.1.1 - Division by Zero
Mar 23, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-4602
HIGH
jsrsasign <11.1.1 - Incorrect Conversion
Mar 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-4601
HIGH
jsrsasign <11.1.1 - Missing Cryptographic Step
Mar 23, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-4600
HIGH
jsrsasign <11.1.1 - Improper Verification of Cryptographic Signature
Mar 23, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-4599
CRITICAL
jsrsasign <11.1.1 - Incomplete Comparison
Mar 23, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-4598
HIGH
jsrsasign < 11.1.1 - Denial of Service via Infinite Loop in bnModInverse
Mar 23, 2026
CVSS 7.5
EPSS 0.01
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters