npm
4,193 tracked vulnerabilities.
CVE-2026-25533
HIGH
enclave-vm < 2.10.1 - Denial of Service via Infinite Loop
Feb 06, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-25631
MEDIUM
NPM N8n < 1.121.0 - Improper Input Validation
Feb 06, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-25593
HIGH
OpenClaw < 2026.1.20 - Unauthenticated OS Command Injection via Gateway WebSocket API
Feb 06, 2026
CVSS 8.4
EPSS 0.01
CVE-2026-25581
MEDIUM
SCEditor < 3.2.1 - Cross-Site Scripting via Configuration Options
Feb 06, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-25752
CRITICAL
FUXA < 1.2.10 - Unauthenticated Authorization Bypass via WebSocket Device Tag Modification
Feb 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-25751
HIGH
FUXA < 1.2.10 - Unauthenticated Information Disclosure of Database Credentials
Feb 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25651
MEDIUM
client-certificate-auth 0.2.1-0.3.0 - Open Redirect via Host Header
Feb 06, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-25521
HIGH
locutus 2.0.12-2.0.38 - Prototype Pollution via String.prototype
Feb 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-25475
MEDIUM
OpenClaw < 2026.1.30 - Unauthenticated Arbitrary File Read via MEDIA Path Traversal
Feb 04, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-25157
HIGH
OpenClaw < 2026.1.29 - OS Command Injection via Project Root Path in sshNodeCommand
Feb 04, 2026
CVSS 7.7
EPSS 0.01
CVE-2026-24884
HIGH
compressing < 2.0.1 and < 1.10.4 - Arbitrary File Write via Symbolic Link Extraction
Feb 04, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-23897
HIGH
Apollo Server 2.0.0-3.13.0, 4.2.0-4.12.9, 5.0.0-5.3.9 - Denial of Service via Exotic Character Set Encoding
Feb 04, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-21893
HIGH
NPM N8n < 1.120.3 - OS Command Injection
Feb 04, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-25115
CRITICAL
n8n < 2.4.8 - Authenticated Remote Code Execution via Python Code Node Sandbox Escape
Feb 04, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-25056
HIGH
n8n < 1.118.0 - Authenticated Arbitrary File Write and Remote Code Execution via Merge Node SQL Query Mode
Feb 04, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-25055
HIGH
n8n < 1.123.12 and 2.0.0-2.4.0 - Unauthenticated Path Traversal and Remote Code Execution via SSH Node File Transfer
Feb 04, 2026
CVSS 8.1
EPSS 0.02
CVE-2026-25054
MEDIUM
n8n < 1.123.9 and 2.0.0-2.2.1 - Authenticated Stored Cross-Site Scripting in Markdown Renderer
Feb 04, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-25053
CRITICAL
n8n < 1.123.10 and 2.0.0-2.5.0 - Authenticated OS Command Injection and Arbitrary File Read via Git Node
Feb 04, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-25052
CRITICAL
n8n < 1.123.18 and 2.0.0-2.5.0 - Authenticated Sensitive File Read via Workflow File Access
Feb 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-25051
MEDIUM
n8n < 1.123.2 - Authenticated Stored Cross-Site Scripting via Webhook Response Handling
Feb 04, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-25049
CRITICAL
n8n <1.123.17, <2.5.2 - Command Injection
Feb 04, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-25224
LOW
fastify < 5.7.3 - Denial of Service via Web Streams Response Handling
Feb 03, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-25223
HIGH
fastify < 5.7.2 - Request Body Validation Bypass via Content-Type Header Tab Injection
Feb 03, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-1664
MEDIUM
npm agents < 0.3.7 - Insecure Direct Object Reference via Email Header Spoofing
Feb 03, 2026
EPSS 0.00
CVE-2026-25228
MEDIUM
Signal K Server < 2.20.3 - Authenticated Path Traversal via Backslash Bypass
Feb 02, 2026
CVSS 5.0
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters