npm
3,968 tracked vulnerabilities.
CVE-2026-23634
NONE
Pepr < 1.0.5 - Excessive Privilege Assignment via Default Cluster-Admin RBAC
Jan 16, 2026
EPSS 0.00
CVE-2026-23527
HIGH
h3 < 1.15.5 - HTTP Request Smuggling via Transfer-Encoding Header Case Mismatch
Jan 15, 2026
CVSS 8.9
EPSS 0.00
CVE-2026-22775
HIGH
Svelte devalue 5.1.0-5.6.1 - Denial of Service via Malformed ArrayBuffer Input
Jan 15, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-22774
HIGH
Svelte devalue 5.3.0-5.6.1 - Denial of Service via Typed Array Hydration
Jan 15, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-22036
MEDIUM
Undici < 6.23.0 and 7.0.0-7.17.2 - Denial of Service via Decompression Chain Exhaustion
Jan 14, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-22819
MEDIUM
Outray ngrok alternative < 0.1.5 - Info Disclosure
Jan 14, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-22787
MEDIUM
html2pdf.js < 0.14.0 - Cross-Site Scripting via Text Source Input
Jan 14, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-22820
LOW
outray < 0.1.5 - Time-of-check Time-of-use Race Condition
Jan 14, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-22686
CRITICAL
enclave-vm < 2.7.0 - Sandbox Escape via Host Error Prototype Chain Traversal
Jan 14, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-22818
HIGH
Hono < 4.11.4 - JWT Algorithm Confusion via JWK/JWKS Middleware
Jan 13, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-22817
HIGH
Hono < 4.11.4 - JWT Algorithm Confusion via Untrusted Header alg Value
Jan 13, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-22809
MEDIUM
Amauri Tarteaucitronjs < 1.29.0 - Denial of Service
Jan 13, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-22813
MEDIUM
OpenCode < 1.1.10 - Stored Cross-Site Scripting via Markdown Renderer
Jan 12, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-22812
HIGH
NUCLEI
OpenCode < 1.0.216 - Command Injection
Jan 12, 2026
CVSS 8.8
EPSS 0.06
CVE-2026-22597
LOW
Ghost 5.38.0-5.130.5 and 6.0.0-6.10.3 - Authenticated Server-Side Request Forgery via Media Inliner
Jan 10, 2026
CVSS 2.7
EPSS 0.00
CVE-2026-22596
MEDIUM
Ghost 5.90.0-5.130.5 and 6.0.0-6.10.3 - Authenticated SQL Injection via Admin API Members Events Endpoint
Jan 10, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-22595
HIGH
Ghost 5.121.0-5.130.5 and 6.0.0-6.10.3 - Incorrect Authorization via Staff Token Authentication
Jan 10, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-22594
HIGH
Ghost 5.105.0-5.130.5 and 6.0.0-6.10.3 - Authenticated 2FA Bypass via Email Verification Skip
Jan 10, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-22030
MEDIUM
React Router 7.0.0-7.11.0 and Remix Server Runtime < 2.17.3 - Cross-Site Request Forgery via Document POST Requests
Jan 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22029
HIGH
React Router < 1.23.2 and 7.0.0-7.11.0 - Cross-Site Scripting via Open Navigation Redirect
Jan 10, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-21884
HIGH
React Router 7.0.0-7.11.0 & @remix-run/react < 2.17.3 - XSS via ScrollRestoration API
Jan 10, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-22032
MEDIUM
Directus < 11.14.0 - Unauthenticated Open Redirect via SAML RelayState Parameter
Jan 08, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-22028
MEDIUM
Preact 10.26.5-10.26.10 - HTML Injection via JSON Payload Type Confusion
Jan 08, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-21894
MEDIUM
n8n 0.150.0-2.2.1 - Unauthenticated Workflow Trigger via Stripe Webhook Spoofing
Jan 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-21877
CRITICAL
NUCLEI
n8n 0.123.0-1.121.2 - Authenticated Remote Code Execution via Git Node
Jan 08, 2026
CVSS 9.9
EPSS 0.11
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12