npm
4,193 tracked vulnerabilities.
CVE-2026-24763
HIGH
OpenClaw < 2026.1.29 - Authenticated OS Command Injection via PATH Environment Variable
Feb 02, 2026
CVSS 8.8
EPSS 0.05
CVE-2026-24737
HIGH
jsPDF < 4.1.0 - Arbitrary PDF Object Injection via Acroform Module
Feb 02, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-24133
MEDIUM
jsPDF < 4.1.0 - Denial of Service via BMP Image Header Processing
Feb 02, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-24043
MEDIUM
jsPDF < 4.1.0 - XML Injection via addMetadata Function
Feb 02, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-24040
MEDIUM
jsPDF < 4.1.0 - Cross-User Data Leakage via Shared Module Variable
Feb 02, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-25253
HIGH
OpenClaw <2026.1.29 - Info Disclosure
Feb 01, 2026
CVSS 8.8
EPSS 0.08
CVE-2026-25128
HIGH
fast-xml-parser 5.0.9-5.3.3 - Denial of Service via Out-of-Range XML Entity Code Points
Jan 30, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-25047
HIGH
deephas < 1.0.8 - Prototype Pollution
Jan 29, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-24888
MEDIUM
maker.js <= 0.19.1 - Prototype Pollution via makerjs.extendObject
Jan 28, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-24769
CRITICAL
NocoDB < 0.301.0 - Authenticated Stored Cross-Site Scripting via SVG Attachment Upload
Jan 28, 2026
CVSS 9.0
EPSS 0.00
CVE-2026-24768
MEDIUM
NocoDB < 0.301.0 - Open Redirect via continueAfterSignIn Parameter
Jan 28, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-24767
MEDIUM
NocoDB < 0.301.0 - Server-Side Request Forgery via UploadViaURL HEAD Request
Jan 28, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-24766
MEDIUM
NocoDB < 0.301.0 - Authenticated Prototype Pollution via /api/v2/meta/connection/test Endpoint
Jan 28, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-1513
MEDIUM
billboard.js < 3.18.0 - Cross-Site Scripting via Chart Option Binding
Jan 28, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-24842
HIGH
isaacs/tar < 7.5.7 - Path Traversal via Hardlink Entry Mismatch
Jan 28, 2026
CVSS 8.2
EPSS 0.01
CVE-2026-24134
MEDIUM
StudioCMS <0.2.0 - Privilege Escalation
Jan 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-24778
HIGH
Ghost 5.43.0-5.120.4 6.0.0-6.14.0 - Stored Cross-Site Scripting via Crafted Link
Jan 27, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-24771
MEDIUM
Hono < 4.11.7 - Cross-Site Scripting in ErrorBoundary Component
Jan 27, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-24473
MEDIUM
Hono < 4.11.7 - Information Disclosure via Serve Static Middleware Path Validation
Jan 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-24472
MEDIUM
Hono < 4.11.7 - Information Disclosure via Cache Middleware
Jan 27, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-24398
MEDIUM
Hono < 4.11.7 - IP Address Validation Bypass via Malformed IPv4 Octet Handling
Jan 27, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-1470
CRITICAL
NPM N8n < 1.123.17 - Remote Code Execution
Jan 27, 2026
CVSS 9.9
EPSS 0.18
CVE-2026-24131
MEDIUM
pnpm < 10.28.2 - Arbitrary File Permission Modification via directories.bin Path Traversal
Jan 26, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-24056
MEDIUM
pnpm < 10.28.2 - Unauthenticated Arbitrary File Read via Symlink in Local/Git Dependencies
Jan 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-23890
MEDIUM
pnpm < 10.28.1 - Path Traversal via Bin Linking with Scope Normalization Bypass
Jan 26, 2026
CVSS 6.5
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters