npm
4,193 tracked vulnerabilities.
CVE-2026-48713
CRITICAL
i18next-fs-backend: Prototype pollution via crafted missing-key string
Jun 15, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-48017
HIGH
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
Jun 15, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-30121
CRITICAL
remotion-dev remotion v4.0.409 - Arbitrary File Write
Jun 15, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-30120
CRITICAL
remotion-dev remotion v4.0.409 - Remote Code Execution
Jun 15, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-9595
MEDIUM
webpack-dev-server vulnerable to HMR WebSocket interception via permissive user proxies
Jun 15, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-5038
MEDIUM
multer vulnerable to Denial of Service via incomplete cleanup of aborted uploads
Jun 15, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-5079
HIGH
multer vulnerable to Denial of Service via deeply nested field names
Jun 15, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-45013
HIGH
Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
Jun 12, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45012
HIGH
Apostrophe has authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget
Jun 12, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-45011
HIGH
Apostrophe has stored XSS via javascript: URL in Image Widget Link
Jun 12, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-44990
CRITICAL
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
Jun 12, 2026
CVSS 9.3
EPSS 0.00
CVE-2026-42890
MEDIUM
actual Allows Electron to Run As Node
Jun 12, 2026
EPSS 0.00
CVE-2026-53726
MEDIUM
Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL
Jun 12, 2026
EPSS 0.00
CVE-2026-53725
MEDIUM
Parse Server: Endpoints `/login` and `/verifyPassword` disclose MFA secrets and protected fields when `_User` get is denied
Jun 12, 2026
EPSS 0.00
CVE-2026-53724
LOW
Parse Server: Stored XSS via trailing-dot filename bypassing file upload extension blocklist
Jun 12, 2026
EPSS 0.00
CVE-2026-50008
MEDIUM
Parse Server: Server option routeAllowList is bypassable through batch sub-requests
Jun 12, 2026
EPSS 0.00
CVE-2026-47248
MEDIUM
Parse Server: GraphQL "Did you mean" validation suggestions disclose schema to unauthenticated callers
Jun 12, 2026
EPSS 0.00
CVE-2026-47138
HIGH
Parse Server: Pre-authentication denial of service via client version header regex backtracking
Jun 12, 2026
EPSS 0.01
CVE-2026-12143
HIGH
form-data does not escape CR/LF/quote in multipart field names and filenames (CRLF injection)
Jun 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-53722
MEDIUM
Nuxt: Reflected XSS in `<NuxtLink>` via unsanitised `javascript:` or `data:` URL
Jun 12, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-53721
HIGH
Nuxt: Route-rule middleware bypass via case-sensitivity mismatch between vue-router and the routeRules matcher
Jun 12, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-47210
CRITICAL
vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
Jun 12, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-47209
HIGH
vm2: Bridge Proxy set trap ignores receiver parameter, enabling host object property injection via prototype chain
Jun 12, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-47208
CRITICAL
vm2: Sandbox Breakout Using Promise Species
Jun 12, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-47141
MEDIUM
vm2: NodeVM observability builtins leak host process and HTTP request data
Jun 12, 2026
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters