npm

4,193 tracked vulnerabilities.

CVE-2026-25533 HIGH
enclave-vm < 2.10.1 - Denial of Service via Infinite Loop
Feb 06, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-25631 MEDIUM
NPM N8n < 1.121.0 - Improper Input Validation
Feb 06, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-25593 HIGH
OpenClaw < 2026.1.20 - Unauthenticated OS Command Injection via Gateway WebSocket API
Feb 06, 2026
CVSS 8.4
EPSS 0.01
CVE-2026-25581 MEDIUM
SCEditor < 3.2.1 - Cross-Site Scripting via Configuration Options
Feb 06, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-25752 CRITICAL
FUXA < 1.2.10 - Unauthenticated Authorization Bypass via WebSocket Device Tag Modification
Feb 06, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-25751 HIGH
FUXA < 1.2.10 - Unauthenticated Information Disclosure of Database Credentials
Feb 06, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25651 MEDIUM
client-certificate-auth 0.2.1-0.3.0 - Open Redirect via Host Header
Feb 06, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-25521 HIGH
locutus 2.0.12-2.0.38 - Prototype Pollution via String.prototype
Feb 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-25475 MEDIUM
OpenClaw < 2026.1.30 - Unauthenticated Arbitrary File Read via MEDIA Path Traversal
Feb 04, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-25157 HIGH
OpenClaw < 2026.1.29 - OS Command Injection via Project Root Path in sshNodeCommand
Feb 04, 2026
CVSS 7.7
EPSS 0.01
CVE-2026-24884 HIGH
compressing < 2.0.1 and < 1.10.4 - Arbitrary File Write via Symbolic Link Extraction
Feb 04, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-23897 HIGH
Apollo Server 2.0.0-3.13.0, 4.2.0-4.12.9, 5.0.0-5.3.9 - Denial of Service via Exotic Character Set Encoding
Feb 04, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-21893 HIGH
NPM N8n < 1.120.3 - OS Command Injection
Feb 04, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-25115 CRITICAL
n8n < 2.4.8 - Authenticated Remote Code Execution via Python Code Node Sandbox Escape
Feb 04, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-25056 HIGH
n8n < 1.118.0 - Authenticated Arbitrary File Write and Remote Code Execution via Merge Node SQL Query Mode
Feb 04, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-25055 HIGH
n8n < 1.123.12 and 2.0.0-2.4.0 - Unauthenticated Path Traversal and Remote Code Execution via SSH Node File Transfer
Feb 04, 2026
CVSS 8.1
EPSS 0.02
CVE-2026-25054 MEDIUM
n8n < 1.123.9 and 2.0.0-2.2.1 - Authenticated Stored Cross-Site Scripting in Markdown Renderer
Feb 04, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-25053 CRITICAL
n8n < 1.123.10 and 2.0.0-2.5.0 - Authenticated OS Command Injection and Arbitrary File Read via Git Node
Feb 04, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-25052 CRITICAL
n8n < 1.123.18 and 2.0.0-2.5.0 - Authenticated Sensitive File Read via Workflow File Access
Feb 04, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-25051 MEDIUM
n8n < 1.123.2 - Authenticated Stored Cross-Site Scripting via Webhook Response Handling
Feb 04, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-25049 CRITICAL
n8n <1.123.17, <2.5.2 - Command Injection
Feb 04, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-25224 LOW
fastify < 5.7.3 - Denial of Service via Web Streams Response Handling
Feb 03, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-25223 HIGH
fastify < 5.7.2 - Request Body Validation Bypass via Content-Type Header Tab Injection
Feb 03, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-1664 MEDIUM
npm agents < 0.3.7 - Insecure Direct Object Reference via Email Header Spoofing
Feb 03, 2026
EPSS 0.00
CVE-2026-25228 MEDIUM
Signal K Server < 2.20.3 - Authenticated Path Traversal via Backslash Bypass
Feb 02, 2026
CVSS 5.0
EPSS 0.00