npm
3,968 tracked vulnerabilities.
CVE-2026-25051
MEDIUM
n8n < 1.123.2 - Authenticated Stored Cross-Site Scripting via Webhook Response Handling
Feb 04, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-25049
CRITICAL
n8n <1.123.17, <2.5.2 - Command Injection
Feb 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-25224
LOW
fastify < 5.7.3 - Denial of Service via Web Streams Response Handling
Feb 03, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-25223
HIGH
fastify < 5.7.2 - Request Body Validation Bypass via Content-Type Header Tab Injection
Feb 03, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-1664
MEDIUM
npm agents < 0.3.7 - Insecure Direct Object Reference via Email Header Spoofing
Feb 03, 2026
EPSS 0.00
CVE-2026-25228
MEDIUM
Signal K Server < 2.20.3 - Authenticated Path Traversal via Backslash Bypass
Feb 02, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-24763
HIGH
OpenClaw < 2026.1.29 - Authenticated OS Command Injection via PATH Environment Variable
Feb 02, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-24737
HIGH
jsPDF < 4.1.0 - Arbitrary PDF Object Injection via Acroform Module
Feb 02, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-24133
MEDIUM
jsPDF < 4.1.0 - Denial of Service via BMP Image Header Processing
Feb 02, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-24043
MEDIUM
jsPDF < 4.1.0 - XML Injection via addMetadata Function
Feb 02, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-24040
MEDIUM
jsPDF < 4.1.0 - Cross-User Data Leakage via Shared Module Variable
Feb 02, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-25253
HIGH
OpenClaw <2026.1.29 - Info Disclosure
Feb 01, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-25128
HIGH
fast-xml-parser 5.0.9-5.3.3 - Denial of Service via Out-of-Range XML Entity Code Points
Jan 30, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25047
HIGH
deephas < 1.0.8 - Prototype Pollution
Jan 29, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-24888
MEDIUM
maker.js <= 0.19.1 - Prototype Pollution via makerjs.extendObject
Jan 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-24769
CRITICAL
NocoDB < 0.301.0 - Authenticated Stored Cross-Site Scripting via SVG Attachment Upload
Jan 28, 2026
CVSS 9.0
EPSS 0.00
CVE-2026-24768
MEDIUM
NocoDB < 0.301.0 - Open Redirect via continueAfterSignIn Parameter
Jan 28, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-24767
MEDIUM
NocoDB < 0.301.0 - Server-Side Request Forgery via UploadViaURL HEAD Request
Jan 28, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-24766
MEDIUM
NocoDB < 0.301.0 - Authenticated Prototype Pollution via /api/v2/meta/connection/test Endpoint
Jan 28, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-1513
MEDIUM
billboard.js < 3.18.0 - Cross-Site Scripting via Chart Option Binding
Jan 28, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-24842
HIGH
isaacs/tar < 7.5.7 - Path Traversal via Hardlink Entry Mismatch
Jan 28, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-24134
MEDIUM
StudioCMS <0.2.0 - Privilege Escalation
Jan 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-24778
HIGH
Ghost 5.43.0-5.120.4 6.0.0-6.14.0 - Stored Cross-Site Scripting via Crafted Link
Jan 27, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-24771
MEDIUM
Hono < 4.11.7 - Cross-Site Scripting in ErrorBoundary Component
Jan 27, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-24473
MEDIUM
Hono < 4.11.7 - Information Disclosure via Serve Static Middleware Path Validation
Jan 27, 2026
CVSS 5.3
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12