npm

4,193 tracked vulnerabilities.

CVE-2026-24763 HIGH
OpenClaw < 2026.1.29 - Authenticated OS Command Injection via PATH Environment Variable
Feb 02, 2026
CVSS 8.8
EPSS 0.05
CVE-2026-24737 HIGH
jsPDF < 4.1.0 - Arbitrary PDF Object Injection via Acroform Module
Feb 02, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-24133 MEDIUM
jsPDF < 4.1.0 - Denial of Service via BMP Image Header Processing
Feb 02, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-24043 MEDIUM
jsPDF < 4.1.0 - XML Injection via addMetadata Function
Feb 02, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-24040 MEDIUM
jsPDF < 4.1.0 - Cross-User Data Leakage via Shared Module Variable
Feb 02, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-25253 HIGH
OpenClaw <2026.1.29 - Info Disclosure
Feb 01, 2026
CVSS 8.8
EPSS 0.08
CVE-2026-25128 HIGH
fast-xml-parser 5.0.9-5.3.3 - Denial of Service via Out-of-Range XML Entity Code Points
Jan 30, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-25047 HIGH
deephas < 1.0.8 - Prototype Pollution
Jan 29, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-24888 MEDIUM
maker.js <= 0.19.1 - Prototype Pollution via makerjs.extendObject
Jan 28, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-24769 CRITICAL
NocoDB < 0.301.0 - Authenticated Stored Cross-Site Scripting via SVG Attachment Upload
Jan 28, 2026
CVSS 9.0
EPSS 0.00
CVE-2026-24768 MEDIUM
NocoDB < 0.301.0 - Open Redirect via continueAfterSignIn Parameter
Jan 28, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-24767 MEDIUM
NocoDB < 0.301.0 - Server-Side Request Forgery via UploadViaURL HEAD Request
Jan 28, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-24766 MEDIUM
NocoDB < 0.301.0 - Authenticated Prototype Pollution via /api/v2/meta/connection/test Endpoint
Jan 28, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-1513 MEDIUM
billboard.js < 3.18.0 - Cross-Site Scripting via Chart Option Binding
Jan 28, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-24842 HIGH
isaacs/tar < 7.5.7 - Path Traversal via Hardlink Entry Mismatch
Jan 28, 2026
CVSS 8.2
EPSS 0.01
CVE-2026-24134 MEDIUM
StudioCMS <0.2.0 - Privilege Escalation
Jan 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-24778 HIGH
Ghost 5.43.0-5.120.4 6.0.0-6.14.0 - Stored Cross-Site Scripting via Crafted Link
Jan 27, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-24771 MEDIUM
Hono < 4.11.7 - Cross-Site Scripting in ErrorBoundary Component
Jan 27, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-24473 MEDIUM
Hono < 4.11.7 - Information Disclosure via Serve Static Middleware Path Validation
Jan 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-24472 MEDIUM
Hono < 4.11.7 - Information Disclosure via Cache Middleware
Jan 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-24398 MEDIUM
Hono < 4.11.7 - IP Address Validation Bypass via Malformed IPv4 Octet Handling
Jan 27, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-1470 CRITICAL
NPM N8n < 1.123.17 - Remote Code Execution
Jan 27, 2026
CVSS 9.9
EPSS 0.18
CVE-2026-24131 MEDIUM
pnpm < 10.28.2 - Arbitrary File Permission Modification via directories.bin Path Traversal
Jan 26, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-24056 MEDIUM
pnpm < 10.28.2 - Unauthenticated Arbitrary File Read via Symlink in Local/Git Dependencies
Jan 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-23890 MEDIUM
pnpm < 10.28.1 - Path Traversal via Bin Linking with Scope Normalization Bypass
Jan 26, 2026
CVSS 6.5
EPSS 0.00