npm
4,193 tracked vulnerabilities.
CVE-2026-22819
MEDIUM
Outray ngrok alternative <0.1.5 - Info Disclosure
Jan 14, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-22787
MEDIUM
html2pdf.js < 0.14.0 - Cross-Site Scripting via Text Source Input
Jan 14, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-22820
LOW
outray < 0.1.5 - Time-of-check Time-of-use Race Condition
Jan 14, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-22686
CRITICAL
enclave-vm < 2.7.0 - Sandbox Escape via Host Error Prototype Chain Traversal
Jan 14, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-22818
HIGH
Hono < 4.11.4 - JWT Algorithm Confusion via JWK/JWKS Middleware
Jan 13, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-22817
HIGH
Hono < 4.11.4 - JWT Algorithm Confusion via Untrusted Header alg Value
Jan 13, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-22809
MEDIUM
Amauri Tarteaucitronjs < 1.29.0 - Denial of Service
Jan 13, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-22813
MEDIUM
OpenCode < 1.1.10 - Stored Cross-Site Scripting via Markdown Renderer
Jan 12, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-22812
HIGH
NUCLEI
OpenCode <1.0.216 - Command Injection
Jan 12, 2026
CVSS 8.8
EPSS 0.17
CVE-2026-22597
LOW
Ghost 5.38.0-5.130.5 and 6.0.0-6.10.3 - Authenticated Server-Side Request Forgery via Media Inliner
Jan 10, 2026
CVSS 2.7
EPSS 0.00
CVE-2026-22596
MEDIUM
Ghost 5.90.0-5.130.5 and 6.0.0-6.10.3 - Authenticated SQL Injection via Admin API Members Events Endpoint
Jan 10, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-22595
HIGH
Ghost 5.121.0-5.130.5 and 6.0.0-6.10.3 - Incorrect Authorization via Staff Token Authentication
Jan 10, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-22594
HIGH
Ghost 5.105.0-5.130.5 and 6.0.0-6.10.3 - Authenticated 2FA Bypass via Email Verification Skip
Jan 10, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-22030
MEDIUM
React Router 7.0.0-7.11.0 and Remix Server Runtime < 2.17.3 - Cross-Site Request Forgery via Document POST Requests
Jan 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22029
HIGH
React Router < 1.23.2 and 7.0.0-7.11.0 - Cross-Site Scripting via Open Navigation Redirect
Jan 10, 2026
CVSS 8.0
EPSS 0.01
CVE-2026-21884
HIGH
React Router 7.0.0-7.11.0 & @remix-run/react < 2.17.3 - XSS via ScrollRestoration API
Jan 10, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-22032
MEDIUM
Directus < 11.14.0 - Unauthenticated Open Redirect via SAML RelayState Parameter
Jan 08, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-22028
MEDIUM
Preact 10.26.5-10.26.10 - HTML Injection via JSON Payload Type Confusion
Jan 08, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-21894
MEDIUM
n8n 0.150.0-2.2.1 - Unauthenticated Workflow Trigger via Stripe Webhook Spoofing
Jan 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-21877
CRITICAL
NUCLEI
n8n 0.123.0-1.121.2 - Authenticated Remote Code Execution via Git Node
Jan 08, 2026
CVSS 9.9
EPSS 0.05
CVE-2026-21858
CRITICAL
NUCLEI
n8n 1.65.0-1.120.9 - Unauthenticated Arbitrary File Read via Form-Based Workflow Execution
Jan 08, 2026
CVSS 10.0
EPSS 0.72
CVE-2025-71332
MEDIUM
Flowise - SQL Injection in importChatflows API via chatflow.id Parameter
Jun 24, 2026
CVSS 6.5
EPSS 0.00
CVE-2025-71319
HIGH
image-size < 1.2.1, 2.0.2 - Denial of Service via Infinite Loop in findBox Function
Jun 09, 2026
CVSS 7.5
EPSS 0.01
CVE-2025-57282
HIGH
ngrok 4.3.3/5.0.0-beta.2 - Command Injection
May 18, 2026
CVSS 8.8
EPSS 0.01
CVE-2025-65719
CRITICAL
Kubectl MCP Server 1.1.1 - Remote Code Execution
May 12, 2026
CVSS 9.8
EPSS 0.01
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters