npm

4,193 tracked vulnerabilities.

CVE-2026-26831 CRITICAL
textract through 2.5.0 - Command Injection
Mar 25, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-26830 CRITICAL
pdf-image through 2.0.0 - Command Injection
Mar 25, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-33349 MEDIUM
fast-xml-parser: Entity Expansion Limits Bypassed When Set to Zero Due to JavaScript Falsy Evaluation
Mar 24, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-33769 MEDIUM
Astro: Remote allowlist bypass via unanchored matchPathname wildcard
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33627 MEDIUM
Parse Server: Auth data exposed via /users/me endpoint
Mar 24, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33624 LOW
Parse Server: MFA recovery code single-use bypass via concurrent requests
Mar 24, 2026
CVSS 2.7
EPSS 0.00
CVE-2026-33539 HIGH
Parse Server: SQL injection via aggregate and distinct field names in PostgreSQL adapter
Mar 24, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-33538 HIGH
Parse Server: Denial of service via unindexed database query for unconfigured auth providers
Mar 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33527 MEDIUM
Parse Server: Session update endpoint allows overwriting server-generated session fields
Mar 24, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-33508 HIGH
Parse Server: LiveQuery subscription query depth bypass
Mar 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33498 HIGH
Parse Server: Query condition depth bypass via pre-validation transform pipeline
Mar 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33429 MEDIUM
Parse Server: Protected field change detection oracle via LiveQuery watch parameter
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-33421 MEDIUM
Parse Server: LiveQuery bypasses CLP pointer permission enforcement
Mar 24, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33409 CRITICAL
Parse Server: Auth provider validation bypass on login via partial authData
Mar 24, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-33323 MEDIUM
Parse Server: Email verification resend page leaks user existence
Mar 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32913 CRITICAL
OpenClaw < 2026.3.7 - Custom Authorization Header Leakage via Cross-Origin Redirects
Mar 23, 2026
CVSS 9.3
EPSS 0.00
CVE-2026-27646 MEDIUM
OpenClaw <2026.3.7 - Sandbox Escape
Mar 23, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-27183 MEDIUM
OpenClaw < 2026.3.7 - Shell Approval Gating Bypass via Dispatch Wrapper Depth Mismatch
Mar 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-3635 MEDIUM
Fastify request.protocol and request.host spoofable via X-Forwarded-Proto/Host from untrusted connections when trustProxy uses restrictive trust function
Mar 23, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-4603 MEDIUM
jsrsasign <11.1.1 - Division by Zero
Mar 23, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-4602 HIGH
jsrsasign <11.1.1 - Incorrect Conversion
Mar 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-4601 HIGH
jsrsasign <11.1.1 - Missing Cryptographic Step
Mar 23, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-4600 HIGH
jsrsasign <11.1.1 - Improper Verification of Cryptographic Signature
Mar 23, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-4599 CRITICAL
jsrsasign <11.1.1 - Incomplete Comparison
Mar 23, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-4598 HIGH
jsrsasign < 11.1.1 - Denial of Service via Infinite Loop in bnModInverse
Mar 23, 2026
CVSS 7.5
EPSS 0.01