npm

4,193 tracked vulnerabilities.

CVE-2026-22819 MEDIUM
Outray ngrok alternative <0.1.5 - Info Disclosure
Jan 14, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-22787 MEDIUM
html2pdf.js < 0.14.0 - Cross-Site Scripting via Text Source Input
Jan 14, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-22820 LOW
outray < 0.1.5 - Time-of-check Time-of-use Race Condition
Jan 14, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-22686 CRITICAL
enclave-vm < 2.7.0 - Sandbox Escape via Host Error Prototype Chain Traversal
Jan 14, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-22818 HIGH
Hono < 4.11.4 - JWT Algorithm Confusion via JWK/JWKS Middleware
Jan 13, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-22817 HIGH
Hono < 4.11.4 - JWT Algorithm Confusion via Untrusted Header alg Value
Jan 13, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-22809 MEDIUM
Amauri Tarteaucitronjs < 1.29.0 - Denial of Service
Jan 13, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-22813 MEDIUM
OpenCode < 1.1.10 - Stored Cross-Site Scripting via Markdown Renderer
Jan 12, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-22812 HIGH NUCLEI
OpenCode <1.0.216 - Command Injection
Jan 12, 2026
CVSS 8.8
EPSS 0.17
CVE-2026-22597 LOW
Ghost 5.38.0-5.130.5 and 6.0.0-6.10.3 - Authenticated Server-Side Request Forgery via Media Inliner
Jan 10, 2026
CVSS 2.7
EPSS 0.00
CVE-2026-22596 MEDIUM
Ghost 5.90.0-5.130.5 and 6.0.0-6.10.3 - Authenticated SQL Injection via Admin API Members Events Endpoint
Jan 10, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-22595 HIGH
Ghost 5.121.0-5.130.5 and 6.0.0-6.10.3 - Incorrect Authorization via Staff Token Authentication
Jan 10, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-22594 HIGH
Ghost 5.105.0-5.130.5 and 6.0.0-6.10.3 - Authenticated 2FA Bypass via Email Verification Skip
Jan 10, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-22030 MEDIUM
React Router 7.0.0-7.11.0 and Remix Server Runtime < 2.17.3 - Cross-Site Request Forgery via Document POST Requests
Jan 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22029 HIGH
React Router < 1.23.2 and 7.0.0-7.11.0 - Cross-Site Scripting via Open Navigation Redirect
Jan 10, 2026
CVSS 8.0
EPSS 0.01
CVE-2026-21884 HIGH
React Router 7.0.0-7.11.0 & @remix-run/react < 2.17.3 - XSS via ScrollRestoration API
Jan 10, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-22032 MEDIUM
Directus < 11.14.0 - Unauthenticated Open Redirect via SAML RelayState Parameter
Jan 08, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-22028 MEDIUM
Preact 10.26.5-10.26.10 - HTML Injection via JSON Payload Type Confusion
Jan 08, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-21894 MEDIUM
n8n 0.150.0-2.2.1 - Unauthenticated Workflow Trigger via Stripe Webhook Spoofing
Jan 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-21877 CRITICAL NUCLEI
n8n 0.123.0-1.121.2 - Authenticated Remote Code Execution via Git Node
Jan 08, 2026
CVSS 9.9
EPSS 0.05
CVE-2026-21858 CRITICAL NUCLEI
n8n 1.65.0-1.120.9 - Unauthenticated Arbitrary File Read via Form-Based Workflow Execution
Jan 08, 2026
CVSS 10.0
EPSS 0.72
CVE-2025-71332 MEDIUM
Flowise - SQL Injection in importChatflows API via chatflow.id Parameter
Jun 24, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-71319 HIGH
image-size < 1.2.1, 2.0.2 - Denial of Service via Infinite Loop in findBox Function
Jun 09, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-57282 HIGH
ngrok 4.3.3/5.0.0-beta.2 - Command Injection
May 18, 2026
CVSS 8.8
EPSS 0.01
CVE-2025-65719 CRITICAL
Kubectl MCP Server 1.1.1 - Remote Code Execution
May 12, 2026
CVSS 9.8
EPSS 0.01