npm
3,968 tracked vulnerabilities.
CVE-2025-13465
MEDIUM
lodash 4.0.0-4.17.22 - Prototype Pollution via _.unset and _.omit Functions
Jan 21, 2026
CVSS 5.3
EPSS 0.00
CVE-2025-15536
MEDIUM
OpenCC < 1.1.9 - Heap-Based Buffer Overflow in MaxMatchSegmentation
Jan 18, 2026
CVSS 5.3
EPSS 0.00
CVE-2025-15104
MEDIUM
Nu Html Checker (validator.nu) - Server-Side Request Forgery via DNS Rebinding Bypass
Jan 16, 2026
CVSS 5.3
EPSS 0.00
CVE-2025-15265
MEDIUM
Svelte 5.46.0-5.46.2 - Server-Side Rendering Cross-Site Scripting via Async Hydration Key Injection
Jan 15, 2026
CVSS 6.1
EPSS 0.00
CVE-2025-15056
MEDIUM
Quill 2.0.3 - Cross-Site Scripting in HTML Export Feature
Jan 13, 2026
CVSS 6.1
EPSS 0.00
CVE-2025-68949
MEDIUM
n8n 1.36.0-2.1.9 - IP Whitelist Bypass via Partial String Matching
Jan 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2025-68470
MEDIUM
React Router 6.0.0-6.30.1 and 7.0.0-7.9.5 - Open Redirect via navigate() or Link Component
Jan 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-59057
HIGH
React Router 7.0.0-7.8.2 & @remix-run/react 1.15.0-2.17.0 XSS via meta()/<Meta> APIs
Jan 10, 2026
CVSS 7.6
EPSS 0.00
CVE-2025-14505
MEDIUM
Elliptic <unknown> - Info Disclosure
Jan 08, 2026
CVSS 5.6
EPSS 0.00
CVE-2025-69262
HIGH
pnpm 6.25.0-10.26.2 - Remote Code Execution via .npmrc Environment Variable Substitution
Jan 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-69264
HIGH
pnpm 10.0.0-10.25 - Remote Code Execution via Git Dependency Lifecycle Scripts
Jan 07, 2026
CVSS 8.8
EPSS 0.00
CVE-2025-69263
HIGH
pnpm < 10.26.0 - Download of Code Without Integrity Check via HTTP Tarball Dependencies
Jan 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-67364
HIGH
fast-filesystem-mcp 3.4.0 - Path Traversal via Symlink Bypass in safePath and isPathAllowed
Jan 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-68428
HIGH
jsPDF < 4.0.0 - Path Traversal via loadFile Method
Jan 05, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-66648
HIGH
vega-functions < 6.1.1 - Cross-Site Scripting via Internal Function
Jan 05, 2026
CVSS 7.2
EPSS 0.00
CVE-2025-65110
HIGH
Vega < 5.6.3 - DOM Cross-Site Scripting via Malicious Vega Specification
Jan 05, 2026
CVSS 8.1
EPSS 0.00
CVE-2025-69203
MEDIUM
Signal K Server < 2.19.0 - Authentication Bypass via X-Forwarded-For Spoofing
Jan 01, 2026
CVSS 6.3
EPSS 0.00
CVE-2025-68620
CRITICAL
Signal K Server < 2.19.0 - Auth Bypass
Jan 01, 2026
CVSS 9.1
EPSS 0.00
CVE-2025-68619
HIGH
Signal K Server < 2.19.0 - Code Injection
Jan 01, 2026
CVSS 7.2
EPSS 0.00
CVE-2025-68273
MEDIUM
Signal K Server < 2.19.0 - Unauthenticated Exposure of Sensitive System Information
Jan 01, 2026
CVSS 5.3
EPSS 0.00
CVE-2025-68272
HIGH
Signal K Server < 2.19.0 - Unauthenticated Denial of Service via Access Request Endpoint Flooding
Jan 01, 2026
CVSS 7.5
EPSS 0.00
CVE-2025-66398
CRITICAL
Signal K Server < 2.19.0 - Unauthenticated Remote Code Execution via Backup Validation Endpoint
Jan 01, 2026
CVSS 9.6
EPSS 0.00
CVE-2025-69256
HIGH
Serverless Framework 4.29.0-4.29.3 - Remote Code Execution via MCP Server Input Injection
Dec 30, 2025
CVSS 7.5
EPSS 0.00
CVE-2025-15284
LOW
NPM QS < 6.14.1 - Improper Input Validation
Dec 29, 2025
CVSS 3.7
EPSS 0.00
CVE-2025-69202
MEDIUM
Axios Cache Interceptor < 1.11.1 - Auth Bypass
Dec 29, 2025
CVSS 6.5
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12