npm

4,193 tracked vulnerabilities.

CVE-2026-26278 HIGH
fast-xml-parser 4.1.3-5.3.5 - XML External Entity Injection via Unrestricted Entity Expansion
Feb 19, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-25940 HIGH
jspdf < 4.2.0 - Arbitrary PDF Object Injection via Acroform Module
Feb 19, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-25755 HIGH
jsPDF < 4.2.0 - Code Injection via addJS Method
Feb 19, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-25535 HIGH
jsPDF < 4.2.0 - Denial of Service via GIF Image Header Parsing
Feb 19, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-25474 HIGH
OpenClaw < 2026.2.1 - Insufficient Verification of Telegram Webhook Secret Token
Feb 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-24764 LOW
OpenClaw <=2026.2.2 - Command Injection
Feb 19, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-26226 MEDIUM
beautiful-mermaid < 0.1.3 - Cross-Site Scripting via SVG Attribute Injection
Feb 13, 2026
EPSS 0.01
CVE-2026-1721 MEDIUM
npm agents < 0.3.10 - Reflected Cross-Site Scripting via OAuth Callback Error Description
Feb 13, 2026
EPSS 0.00
CVE-2026-26185 MEDIUM
Directus < 11.14.1 - Timing-Based User Enumeration via Password Reset
Feb 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-2327 MEDIUM
markdown-it 13.0.0-14.1.0 - Regular Expression Denial of Service via Linkify Function
Feb 12, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-2391 LOW
qs 6.7.0-6.14.2 - Comma Array Limit Denial of Service
Feb 12, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-0969 HIGH
next-mdx-remote 4.3.0-5.9.9 - Remote Code Execution via MDX Content Deserialization
Feb 12, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-26021 CRITICAL
set-in 2.0.1-2.0.4 - Prototype Pollution via Array.prototype
Feb 11, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-25951 HIGH
FUXA < 1.2.11 - Authenticated Path Traversal and Remote Code Execution via Nested Traversal Sequences
Feb 09, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-25939 CRITICAL
FUXA 1.2.8-1.2.10 - Unauthenticated Authorization Bypass via Scheduler Modification
Feb 09, 2026
CVSS 9.1
EPSS 0.11
CVE-2026-25938 CRITICAL
FUXA 1.2.8-1.2.10 - Unauthenticated Remote Code Execution via Node-RED Plugin
Feb 09, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-25895 CRITICAL
FUXA < 1.2.10 - Unauthenticated Path Traversal and Arbitrary File Write
Feb 09, 2026
CVSS 9.8
EPSS 0.03
CVE-2026-25894 CRITICAL
FUXA <1.2.9 - Remote Code Execution
Feb 09, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-25893 CRITICAL
FUXA < 1.2.10 - Unauthenticated Authentication Bypass via Heartbeat Refresh API
Feb 09, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-25639 HIGH
axios < 0.30.3 and 1.0.0-1.13.5 - Denial of Service via __proto__ Property in Configuration Object
Feb 09, 2026
CVSS 7.5
EPSS 0.03
CVE-2026-25528 MEDIUM
LangSmith SDK - Server-Side Request Forgery via Baggage Header Injection
Feb 09, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-1615 CRITICAL
jsonpath < 1.3.0 - Arbitrary Code Injection via JSON Path Expression Evaluation
Feb 09, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-2178 MEDIUM
r-huijts xcode-mcp-server <f3419f00117aa9949e326f78cc940166c88f18cb...
Feb 08, 2026
CVSS 6.3
EPSS 0.03
CVE-2026-2130 MEDIUM
mcp-maigret < 1.0.13 - Command Injection via Username Argument
Feb 08, 2026
CVSS 6.3
EPSS 0.02
CVE-2026-25574 MEDIUM
Payload < 3.74.0 - Authenticated Insecure Direct Object Reference in Preferences Collection
Feb 06, 2026
CVSS 5.4
EPSS 0.00