npm
3,968 tracked vulnerabilities.
CVE-2026-21858
CRITICAL
NUCLEI
n8n 1.65.0-1.120.9 - Unauthenticated Arbitrary File Read via Form-Based Workflow Execution
Jan 08, 2026
CVSS 10.0
EPSS 0.07
CVE-2025-65122
HIGH
youtube-regex < 1.0.5 - Regex Denial of Service
May 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-63704
CRITICAL
query-parser-string 1.0.0 - Prototype Pollution
May 07, 2026
CVSS 9.8
EPSS 0.00
CVE-2025-63703
CRITICAL
parse-ini 1.0.6 - Prototype Pollution
May 07, 2026
CVSS 9.8
EPSS 0.00
CVE-2025-63705
HIGH
node-ts-ocr 1.0.15 - Command Injection
May 07, 2026
CVSS 8.8
EPSS 0.00
CVE-2025-62718
CRITICAL
Axios <1.15.0 and <0.31.0 NO_PROXY - Server-Side Request Forgery
Apr 09, 2026
CVSS 9.9
EPSS 0.00
CVE-2025-56015
HIGH
GenieACS 1.2.13 - Unauthenticated Improper Access Control in NBI API Endpoint
Apr 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-64166
MEDIUM
mercurius < 16.4.0 - Cross-Site Request Forgery via Content-Type Header Misinterpretation
Mar 05, 2026
CVSS 5.4
EPSS 0.00
CVE-2025-68467
LOW
Dark Reader - Info Disclosure
Mar 04, 2026
CVSS 3.4
EPSS 0.00
CVE-2025-15599
MEDIUM
DOMPurify 3.1.3-3.2.6/2.5.3-2.5.8 - XSS
Mar 03, 2026
CVSS 6.1
EPSS 0.00
CVE-2025-70058
HIGH
YMFE yapi 1.12.0 - Improper Certificate Validation
Feb 23, 2026
CVSS 7.4
EPSS 0.00
CVE-2025-69873
LOW
ajv < 8.18.0 - Regular Expression Denial of Service via $data Reference
Feb 11, 2026
CVSS 2.9
EPSS 0.00
CVE-2025-69874
CRITICAL
nanotar <= 0.2.0 - Path Traversal and Arbitrary File Write via Crafted Tar Archive
Feb 11, 2026
CVSS 9.8
EPSS 0.00
CVE-2025-68458
LOW
webpack 5.49.0-5.104.1 - Server-Side Request Forgery via Crafted URL Userinfo Bypass
Feb 05, 2026
CVSS 3.7
EPSS 0.00
CVE-2025-68157
LOW
webpack 5.49.0-5.103.0 - Server-Side Request Forgery via HTTP Redirect Bypass
Feb 05, 2026
CVSS 3.7
EPSS 0.00
CVE-2025-61917
HIGH
NPM N8n < 1.114.3 - Information Disclosure
Feb 04, 2026
CVSS 7.7
EPSS 0.00
CVE-2025-69983
CRITICAL
FUXA v1.2.7 - Remote Code Execution via Project Import
Feb 03, 2026
CVSS 9.8
EPSS 0.00
CVE-2025-69981
CRITICAL
FUXA v1.2.7 - Unauthenticated Unrestricted File Upload via /api/upload Endpoint
Feb 03, 2026
CVSS 9.8
EPSS 0.00
CVE-2025-69971
CRITICAL
NUCLEI
FUXA < 1.3.0 - Hard-coded JWT Secret Key
Feb 03, 2026
CVSS 9.8
EPSS 0.05
CVE-2025-69970
CRITICAL
FUXA - Insecure Default Configuration with Authentication Disabled
Feb 03, 2026
CVSS 9.3
EPSS 0.00
CVE-2025-61140
CRITICAL
dchester/jsonpath 1.1.1 - Prototype Pollution via Value Function
Jan 28, 2026
CVSS 9.8
EPSS 0.00
CVE-2025-57283
HIGH
browserstack-local 1.5.8 - OS Command Injection via Logfile Variable
Jan 28, 2026
CVSS 7.8
EPSS 0.00
CVE-2025-59472
MEDIUM
Next.js 15.0.0-15.5.9 & 16.0.0-beta.0-16.1.4 - DoS via PPR Resume Endpoint Memory Exhaustion
Jan 26, 2026
CVSS 5.9
EPSS 0.00
CVE-2025-59471
MEDIUM
Next.js 10.0.0-15.5.9 - Denial of Service via Image Optimizer Remote Patterns
Jan 26, 2026
CVSS 5.9
EPSS 0.00
CVE-2025-50537
MEDIUM
eslint < 9.26.0 - Denial of Service via Circular Reference Serialization
Jan 26, 2026
CVSS 5.5
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12