npm
4,193 tracked vulnerabilities.
CVE-2026-26278
HIGH
fast-xml-parser 4.1.3-5.3.5 - XML External Entity Injection via Unrestricted Entity Expansion
Feb 19, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-25940
HIGH
jspdf < 4.2.0 - Arbitrary PDF Object Injection via Acroform Module
Feb 19, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-25755
HIGH
jsPDF < 4.2.0 - Code Injection via addJS Method
Feb 19, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-25535
HIGH
jsPDF < 4.2.0 - Denial of Service via GIF Image Header Parsing
Feb 19, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-25474
HIGH
OpenClaw < 2026.2.1 - Insufficient Verification of Telegram Webhook Secret Token
Feb 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-24764
LOW
OpenClaw <=2026.2.2 - Command Injection
Feb 19, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-26226
MEDIUM
beautiful-mermaid < 0.1.3 - Cross-Site Scripting via SVG Attribute Injection
Feb 13, 2026
EPSS 0.01
CVE-2026-1721
MEDIUM
npm agents < 0.3.10 - Reflected Cross-Site Scripting via OAuth Callback Error Description
Feb 13, 2026
EPSS 0.00
CVE-2026-26185
MEDIUM
Directus < 11.14.1 - Timing-Based User Enumeration via Password Reset
Feb 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-2327
MEDIUM
markdown-it 13.0.0-14.1.0 - Regular Expression Denial of Service via Linkify Function
Feb 12, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-2391
LOW
qs 6.7.0-6.14.2 - Comma Array Limit Denial of Service
Feb 12, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-0969
HIGH
next-mdx-remote 4.3.0-5.9.9 - Remote Code Execution via MDX Content Deserialization
Feb 12, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-26021
CRITICAL
set-in 2.0.1-2.0.4 - Prototype Pollution via Array.prototype
Feb 11, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-25951
HIGH
FUXA < 1.2.11 - Authenticated Path Traversal and Remote Code Execution via Nested Traversal Sequences
Feb 09, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-25939
CRITICAL
FUXA 1.2.8-1.2.10 - Unauthenticated Authorization Bypass via Scheduler Modification
Feb 09, 2026
CVSS 9.1
EPSS 0.11
CVE-2026-25938
CRITICAL
FUXA 1.2.8-1.2.10 - Unauthenticated Remote Code Execution via Node-RED Plugin
Feb 09, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-25895
CRITICAL
FUXA < 1.2.10 - Unauthenticated Path Traversal and Arbitrary File Write
Feb 09, 2026
CVSS 9.8
EPSS 0.03
CVE-2026-25894
CRITICAL
FUXA <1.2.9 - Remote Code Execution
Feb 09, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-25893
CRITICAL
FUXA < 1.2.10 - Unauthenticated Authentication Bypass via Heartbeat Refresh API
Feb 09, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-25639
HIGH
axios < 0.30.3 and 1.0.0-1.13.5 - Denial of Service via __proto__ Property in Configuration Object
Feb 09, 2026
CVSS 7.5
EPSS 0.03
CVE-2026-25528
MEDIUM
LangSmith SDK - Server-Side Request Forgery via Baggage Header Injection
Feb 09, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-1615
CRITICAL
jsonpath < 1.3.0 - Arbitrary Code Injection via JSON Path Expression Evaluation
Feb 09, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-2178
MEDIUM
r-huijts xcode-mcp-server <f3419f00117aa9949e326f78cc940166c88f18cb...
Feb 08, 2026
CVSS 6.3
EPSS 0.03
CVE-2026-2130
MEDIUM
mcp-maigret < 1.0.13 - Command Injection via Username Argument
Feb 08, 2026
CVSS 6.3
EPSS 0.02
CVE-2026-25574
MEDIUM
Payload < 3.74.0 - Authenticated Insecure Direct Object Reference in Preferences Collection
Feb 06, 2026
CVSS 5.4
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters