npm
3,968 tracked vulnerabilities.
| CVE | Severity | Title | Date | CVSS | EPSS |
| --- | --- | --- | --- | --- | --- |
| CVE-2026-24472 | MEDIUM | Hono < 4.11.7 - Information Disclosure via Cache Middleware | Jan 27, 2026 | 5.3 | 0.00 |
| CVE-2026-24398 | MEDIUM | Hono < 4.11.7 - IP Address Validation Bypass via Malformed IPv4 Octet Handling | Jan 27, 2026 | 4.8 | 0.00 |
| CVE-2026-1470 | CRITICAL | NPM N8n < 1.123.17 - Remote Code Execution | Jan 27, 2026 | 9.9 | 0.02 |
| CVE-2026-24131 | MEDIUM | pnpm < 10.28.2 - Arbitrary File Permission Modification via directories.bin Path Traversal | Jan 26, 2026 | 5.5 | 0.00 |
| CVE-2026-24056 | MEDIUM | pnpm < 10.28.2 - Unauthenticated Arbitrary File Read via Symlink in Local/Git Dependencies | Jan 26, 2026 | 6.5 | 0.00 |
| CVE-2026-23890 | MEDIUM | pnpm < 10.28.1 - Path Traversal via Bin Linking with Scope Normalization Bypass | Jan 26, 2026 | 6.5 | 0.00 |
| CVE-2026-23889 | MEDIUM | pnpm < 10.28.1 - Path Traversal via Backslash Directory Separator on Windows | Jan 26, 2026 | 6.5 | 0.00 |
| CVE-2026-23888 | MEDIUM | pnpm < 10.28.1 - Path Traversal and Arbitrary File Write via Binary Fetcher | Jan 26, 2026 | 6.5 | 0.00 |
| CVE-2026-22709 | CRITICAL | NPM Vm2 < 3.10.2 - Code Injection | Jan 26, 2026 | 9.8 | 0.00 |
| CVE-2026-23864 | HIGH | React Server Components 19.0.0-19.0.3, 19.1.0-19.1.4, 19.2.0-19.2.3 - DoS via Crafted HTTP Requests | Jan 26, 2026 | 7.5 | 0.02 |
| CVE-2026-0775 | HIGH | npm - Incorrect Permission Assignment for Critical Resource | Jan 23, 2026 | 7.0 | 0.00 |
| CVE-2026-24006 | HIGH | seroval < 1.4.1 - Denial of Service via Deep Object Serialization | Jan 22, 2026 | 7.5 | 0.00 |
| CVE-2026-24001 | HIGH | jsdiff <8.0.3, 5.2.2, 4.0.4, 3.5.1 - DoS | Jan 22, 2026 | 7.5 | 0.00 |
| CVE-2026-23967 | HIGH | sm-crypto <0.3.14 - Signature Malleability | Jan 22, 2026 | 7.5 | 0.00 |
| CVE-2026-23966 | CRITICAL | sm-crypto <0.3.14 - Private Key Recovery | Jan 22, 2026 | 9.1 | 0.00 |
| CVE-2026-23965 | HIGH | sm-crypto <0.4.0 - Signature Forgery | Jan 22, 2026 | 7.5 | 0.00 |
| CVE-2026-23957 | HIGH | seroval < 1.4.1 - Denial of Service via Array Length Manipulation | Jan 22, 2026 | 7.5 | 0.00 |
| CVE-2026-23956 | HIGH | seroval 0.2.0-1.4.0 - Regular Expression Denial of Service via RegExp Serialization Override | Jan 22, 2026 | 7.5 | 0.00 |
| CVE-2026-23737 | HIGH | seroval < 1.4.1 - Remote Code Execution via JSON Deserialization | Jan 21, 2026 | 7.5 | 0.00 |
| CVE-2026-23736 | HIGH | seroval <1.4.1 - Prototype Pollution | Jan 21, 2026 | 7.3 | 0.00 |
| CVE-2026-0933 | CRITICAL | Cloudflare Wrangler 2.0.15-3.114.17 - OS Command Injection via --commit-hash Parameter | Jan 20, 2026 | 9.9 | 0.00 |
| CVE-2026-1245 | MEDIUM | binary-parser < 2.3.0 - Remote Code Execution via Parser Field Name or Encoding Parameter | Jan 20, 2026 | 6.5 | 0.00 |
| CVE-2026-23950 | HIGH | node-tar <= 7.5.3 - Arbitrary File Overwrite via Unicode Path Collision Race Condition | Jan 20, 2026 | 8.8 | 0.00 |
| CVE-2026-23745 | MEDIUM | tar < 7.5.3 - Arbitrary File Overwrite and Symlink Poisoning via Hardlink and SymbolicLink Entries | Jan 16, 2026 | 6.1 | 0.00 |
| CVE-2026-23735 | HIGH | GraphQL Modules <3.1.1 - Info Disclosure | Jan 16, 2026 | | 0.00 |
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12