npm

4,193 tracked vulnerabilities.

CVE-2026-48713 CRITICAL
i18next-fs-backend: Prototype pollution via crafted missing-key string
Jun 15, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-48017 HIGH
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
Jun 15, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-30121 CRITICAL
remotion-dev remotion v4.0.409 - Arbitrary File Write
Jun 15, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-30120 CRITICAL
remotion-dev remotion v4.0.409 - Remote Code Execution
Jun 15, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-9595 MEDIUM
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Jun 15, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-5038 MEDIUM
multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
Jun 15, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-5079 HIGH
multer vulnerable to Denial of Service via deeply nested field names
Jun 15, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-45013 HIGH
Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
Jun 12, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45012 HIGH
Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget
Jun 12, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-45011 HIGH
Apostrophe has stored XSS via javascript: URL in Image Widget Link
Jun 12, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-44990 CRITICAL
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
Jun 12, 2026
CVSS 9.3
EPSS 0.00
CVE-2026-42890 MEDIUM
actual Allows Electron to Run As Node
Jun 12, 2026
EPSS 0.00
CVE-2026-53726 MEDIUM
Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
Jun 12, 2026
EPSS 0.00
CVE-2026-53725 MEDIUM
Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
Jun 12, 2026
EPSS 0.00
CVE-2026-53724 LOW
Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Jun 12, 2026
EPSS 0.00
CVE-2026-50008 MEDIUM
Parse Server: Server option routeAllowList is bypassable through batch sub-requests
Jun 12, 2026
EPSS 0.00
CVE-2026-47248 MEDIUM
Parse Server: GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers
Jun 12, 2026
EPSS 0.00
CVE-2026-47138 HIGH
Parse Server: Pre-authentication denial of service via client version header regex backtracking
Jun 12, 2026
EPSS 0.01
CVE-2026-12143 HIGH
form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)
Jun 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-53722 MEDIUM
Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
Jun 12, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-53721 HIGH
Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
Jun 12, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-47210 CRITICAL
vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
Jun 12, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-47209 HIGH
vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain
Jun 12, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-47208 CRITICAL
vm2: Sandbox Breakout Using Promise Species
Jun 12, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-47141 MEDIUM
vm2: NodeVM observability builtins leak host process and HTTP request data
Jun 12, 2026
EPSS 0.00