npm
4,193 tracked vulnerabilities.
CVE-2026-27978
MEDIUM
Next.js: null origin can bypass Server Actions CSRF checks
Mar 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-27977
MEDIUM
Next.js: null origin can bypass dev HMR websocket CSRF checks
Mar 18, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-4258
HIGH
sjcl - Improper Verification of Cryptographic Signature
Mar 17, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32774
MEDIUM
Vulnogram - Stored Cross-Site Scripting via Comment Hypertext
Mar 16, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-32630
MEDIUM
file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry
Mar 16, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32594
HIGH
Parse Server GraphQL WebSocket endpoint bypasses security middleware
Mar 16, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-32598
MEDIUM
OneUptime <10.0.24 - Info Disclosure
Mar 13, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32308
HIGH
OneUptime < 10.0.23 - Stored Cross-Site Scripting via Mermaid Diagram Click Directive
Mar 13, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-32306
CRITICAL
OneUptime < 10.0.23 - Authenticated SQL Injection via Telemetry API Parameters
Mar 13, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-32304
CRITICAL
locutus < 3.0.14 - Remote Code Execution via create_function
Mar 13, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-32302
HIGH
OpenClaw < 2026.3.11 - Unauthenticated Privilege Escalation via WebSocket Origin Validation Bypass
Mar 13, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-31882
HIGH
dagu < 2.2.4 - Unauthenticated Information Disclosure via Server-Sent Events Endpoints
Mar 13, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-2581
MEDIUM
Undici 6.24.0-7.23.9 - Denial of Service via Deduplication Interceptor Memory Accumulation
Mar 12, 2026
CVSS 5.9
EPSS 0.01
CVE-2026-2229
HIGH
undici < 6.24.0 and 7.0.0-7.24.0 - Denial of Service via Invalid server_max_window_bits Parameter
Mar 12, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-1528
HIGH
undici 6.0.0-6.23.9 7.0.0-7.23.9 - Denial of Service via WebSocket Frame Length Overflow
Mar 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-1527
MEDIUM
undici < 6.24.0 and 7.0.0-7.23.9 - HTTP Request Smuggling via CRLF Injection in Upgrade Header
Mar 12, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-1526
HIGH
undici < 6.24.0 and 7.0.0-7.24.0 - Denial of Service via PerMessageDeflate Decompression Bomb
Mar 12, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-32269
MEDIUM
Parse Server <9.6.0-alpha.13/8.6.39 - Auth Bypass
Mar 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32248
CRITICAL
Parse Server <9.6.0-alpha.12/8.6.38 - Auth Bypass
Mar 12, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-1525
MEDIUM
Undici < 6.24.0 - HTTP Request Smuggling via Duplicate Content-Length Headers
Mar 12, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32242
HIGH
Parse Server <9.6.0-alpha.11/8.6.37 - Auth Bypass
Mar 12, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-32230
MEDIUM
NUCLEI
Uptime Kuma 2.0.0-2.1.3 - Info Disclosure
Mar 12, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-32141
HIGH
flatted < 3.4.0 - Denial of Service via Uncontrolled Recursion in parse() Function
Mar 12, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-31988
MEDIUM
yauzl 3.2.0 - Denial of Service via Off-by-One Error in NTFS Timestamp Parser
Mar 11, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32106
MEDIUM
StudioCMS <0.4.3 - Privilege Escalation
Mar 11, 2026
CVSS 4.7
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters