npm
3,968 tracked vulnerabilities.
CVE-2026-25639
HIGH
axios < 0.30.3 and 1.0.0-1.13.5 - Denial of Service via __proto__ Property in Configuration Object
Feb 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25528
MEDIUM
LangSmith SDK - Server-Side Request Forgery via Baggage Header Injection
Feb 09, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-1615
CRITICAL
jsonpath < 1.3.0 - Arbitrary Code Injection via JSON Path Expression Evaluation
Feb 09, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-2178
MEDIUM
r-huijts xcode-mcp-server <f3419f00117aa9949e326f78cc940166c88f18cb...
Feb 08, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-2130
MEDIUM
mcp-maigret < 1.0.13 - Command Injection via Username Argument
Feb 08, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-25574
MEDIUM
Payload < 3.74.0 - Authenticated Insecure Direct Object Reference in Preferences Collection
Feb 06, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-25533
HIGH
enclave-vm < 2.10.1 - Denial of Service via Infinite Loop
Feb 06, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-25631
MEDIUM
NPM N8n < 1.121.0 - Improper Input Validation
Feb 06, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-25593
HIGH
OpenClaw < 2026.1.20 - Unauthenticated OS Command Injection via Gateway WebSocket API
Feb 06, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-25581
MEDIUM
SCEditor < 3.2.1 - Cross-Site Scripting via Configuration Options
Feb 06, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-25752
CRITICAL
FUXA < 1.2.10 - Unauthenticated Authorization Bypass via WebSocket Device Tag Modification
Feb 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-25751
HIGH
FUXA < 1.2.10 - Unauthenticated Information Disclosure of Database Credentials
Feb 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25651
MEDIUM
client-certificate-auth 0.2.1-0.3.0 - Open Redirect via Host Header
Feb 06, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-25521
HIGH
locutus 2.0.12-2.0.38 - Prototype Pollution via String.prototype
Feb 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-25475
MEDIUM
OpenClaw < 2026.1.30 - Unauthenticated Arbitrary File Read via MEDIA Path Traversal
Feb 04, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-25157
HIGH
OpenClaw < 2026.1.29 - OS Command Injection via Project Root Path in sshNodeCommand
Feb 04, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-24884
HIGH
compressing < 2.0.1 and < 1.10.4 - Arbitrary File Write via Symbolic Link Extraction
Feb 04, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-23897
HIGH
Apollo Server 2.0.0-3.13.0, 4.2.0-4.12.9, 5.0.0-5.3.9 - Denial of Service via Exotic Character Set Encoding
Feb 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-21893
HIGH
NPM N8n < 1.120.3 - OS Command Injection
Feb 04, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-25115
CRITICAL
n8n < 2.4.8 - Authenticated Remote Code Execution via Python Code Node Sandbox Escape
Feb 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-25056
HIGH
n8n < 1.118.0 - Authenticated Arbitrary File Write and Remote Code Execution via Merge Node SQL Query Mode
Feb 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-25055
HIGH
n8n < 1.123.12 and 2.0.0-2.4.0 - Unauthenticated Path Traversal and Remote Code Execution via SSH Node File Transfer
Feb 04, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-25054
MEDIUM
n8n < 1.123.9 and 2.0.0-2.2.1 - Authenticated Stored Cross-Site Scripting in Markdown Renderer
Feb 04, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-25053
CRITICAL
n8n < 1.123.10 and 2.0.0-2.5.0 - Authenticated OS Command Injection and Arbitrary File Read via Git Node
Feb 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-25052
CRITICAL
n8n < 1.123.18 and 2.0.0-2.5.0 - Authenticated Sensitive File Read via Workflow File Access
Feb 04, 2026
CVSS 9.9
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12