npm
4,193 tracked vulnerabilities.
CVE-2026-23889
MEDIUM
pnpm < 10.28.1 - Path Traversal via Backslash Directory Separator on Windows
Jan 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-23888
MEDIUM
pnpm < 10.28.1 - Path Traversal and Arbitrary File Write via Binary Fetcher
Jan 26, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22709
CRITICAL
NPM Vm2 < 3.10.2 - Code Injection
Jan 26, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-23864
HIGH
React Server Components 19.0.0-19.0.3, 19.1.0-19.1.4, 19.2.0-19.2.3 - DoS via Crafted HTTP Requests
Jan 26, 2026
CVSS 7.5
EPSS 0.02
CVE-2026-0775
HIGH
npm - Incorrect Permission Assignment for Critical Resource
Jan 23, 2026
CVSS 7.0
EPSS 0.00
CVE-2026-0755
CRITICAL
gemini-mcp-tool - Command Injection
Jan 23, 2026
CVSS 9.8
EPSS 0.03
CVE-2026-24006
HIGH
seroval < 1.4.1 - Denial of Service via Deep Object Serialization
Jan 22, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-24001
HIGH
jsdiff <8.0.3, 5.2.2, 4.0.4, 3.5.1 - DoS
Jan 22, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-23967
HIGH
sm-crypto <0.3.14 - Signature Malleability
Jan 22, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-23966
CRITICAL
sm-crypto <0.3.14 - Private Key Recovery
Jan 22, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-23965
HIGH
sm-crypto <0.4.0 - Signature Forgery
Jan 22, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-23957
HIGH
seroval < 1.4.1 - Denial of Service via Array Length Manipulation
Jan 22, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-23956
HIGH
seroval 0.2.0-1.4.0 - Regular Expression Denial of Service via RegExp Serialization Override
Jan 22, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-23737
HIGH
seroval < 1.4.1 - Remote Code Execution via JSON Deserialization
Jan 21, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-23736
HIGH
seroval <1.4.1 - Prototype Pollution
Jan 21, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-0933
CRITICAL
Cloudflare Wrangler 2.0.15-3.114.17 - OS Command Injection via --commit-hash Parameter
Jan 20, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-1245
MEDIUM
binary-parser < 2.3.0 - Remote Code Execution via Parser Field Name or Encoding Parameter
Jan 20, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-23950
HIGH
node-tar <= 7.5.3 - Arbitrary File Overwrite via Unicode Path Collision Race Condition
Jan 20, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-23745
MEDIUM
tar < 7.5.3 - Arbitrary File Overwrite and Symlink Poisoning via Hardlink and SymbolicLink Entries
Jan 16, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-23735
HIGH
GraphQL Modules <3.1.1 - Info Disclosure
Jan 16, 2026
EPSS 0.00
CVE-2026-23634
NONE
Pepr < 1.0.5 - Excessive Privilege Assignment via Default Cluster-Admin RBAC
Jan 16, 2026
EPSS 0.00
CVE-2026-23527
HIGH
h3 < 1.15.5 - HTTP Request Smuggling via Transfer-Encoding Header Case Mismatch
Jan 15, 2026
CVSS 8.9
EPSS 0.01
CVE-2026-22775
HIGH
Svelte devalue 5.1.0-5.6.1 - Denial of Service via Malformed ArrayBuffer Input
Jan 15, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-22774
HIGH
Svelte devalue 5.3.0-5.6.1 - Denial of Service via Typed Array Hydration
Jan 15, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-22036
MEDIUM
Undici < 6.23.0 and 7.0.0-7.17.2 - Denial of Service via Decompression Chain Exhaustion
Jan 14, 2026
CVSS 5.9
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters