npm
3,969 tracked vulnerabilities.
CVE-2025-24964
CRITICAL
Vitest API Server - Cross-Site WebSocket Hijacking Code Execution
Feb 04, 2025
CVSS 9.6
EPSS 0.02
CVE-2025-24959
LOW
zx < 8.3.2 - Command Injection
Feb 03, 2025
EPSS 0.00
CVE-2025-24791
MEDIUM
Snowflake NodeJS Driver < 2.0.1 - Privilege Escalation
Jan 29, 2025
CVSS 4.4
EPSS 0.00
CVE-2025-24353
MEDIUM
Directus < 11.2.0 - Improper Privilege Management via Share Feature
Jan 23, 2025
CVSS 5.0
EPSS 0.00
CVE-2025-22150
MEDIUM
Undici < 5.28.5, 6.x < 6.21.1, 7.x < 7.2.3 - Information Disclosure
Jan 21, 2025
CVSS 6.8
EPSS 0.01
CVE-2025-24010
MEDIUM
vitejs/vite < 4.5.5, 6.0.0-6.0.9 - Origin Validation Error via CORS and WebSocket
Jan 20, 2025
CVSS 6.5
EPSS 0.00
CVE-2025-23207
MEDIUM
KaTeX 0.12.0-0.16.20 - Cross-Site Scripting via \htmlData Command
Jan 17, 2025
CVSS 6.3
EPSS 0.00
CVE-2025-23206
HIGH
AWS Cloud Development Kit < 2.177.0 - Improper Certificate Validation in OIDC Custom Resource Provider
Jan 17, 2025
CVSS 8.1
EPSS 0.00
CVE-2025-23061
CRITICAL
NUCLEI
mongoose < 6.13.6 and 8.0.0-rc0-8.9.5 - Search Injection via Nested $where Filter with Populate Match
Jan 15, 2025
CVSS 9.0
EPSS 0.55
CVE-2025-21610
MEDIUM
Trix < 2.1.12 - Cross-Site Scripting via Malicious Link Field Paste
Jan 03, 2025
CVSS 5.3
EPSS 0.00
CVE-2024-14020
MEDIUM
carbone < 3.5.6 - Prototype Pollution in Formatter Handler
Jan 07, 2026
CVSS 5.0
EPSS 0.00
CVE-2024-49365
HIGH
tiny-secp256k1 < 1.1.7 - Improper Verification of Cryptographic Signature via Buffer.isBuffer Bypass
Jul 01, 2025
EPSS 0.00
CVE-2024-49364
HIGH
tiny-secp256k1 < 1.1.7 - Private Key Extraction via Malicious JSON-Stringifiable Object
Jul 01, 2025
EPSS 0.00
CVE-2024-46993
MEDIUM
Electron < 28.3.2, 29.0.0-alpha.1-29.3.2, 30.0.0-alpha.1-30.0.2 - Heap-based Buffer Overflow
Jul 01, 2025
EPSS 0.00
CVE-2024-46992
HIGH
Electron < 30.0.5, < 31.0.0-beta.1 - ASAR Integrity Bypass
Jul 01, 2025
CVSS 7.8
EPSS 0.00
CVE-2024-57190
CRITICAL
erxes < 1.6.1 - Unauthenticated Authentication Bypass via User HTTP Header
Jun 10, 2025
CVSS 9.8
EPSS 0.00
CVE-2024-57189
MEDIUM
erxes < 1.6.2 - Authenticated Path Traversal and Arbitrary File Write via importHistoriesCreate GraphQL Mutation
Jun 10, 2025
CVSS 5.4
EPSS 0.01
CVE-2024-57186
MEDIUM
erxes < 1.6.2 - Unauthenticated Path Traversal via /read-file Endpoint
Jun 10, 2025
CVSS 5.4
EPSS 0.01
CVE-2024-47829
MEDIUM
pnpm < 10.0.0 - Use of Weak Hash via MD5 Path Shortening
Apr 23, 2025
CVSS 6.5
EPSS 0.00
CVE-2024-57083
HIGH
redocly/redoc < 2.2.0 and npm/redoc < 2.4.0 - Denial of Service via Prototype Pollution in Module.mergeObjects
Mar 28, 2025
CVSS 7.5
EPSS 0.00
CVE-2024-38985
CRITICAL
janrywang depath and cool-path - Prototype Pollution via setIn Method
Mar 28, 2025
CVSS 9.8
EPSS 0.00
CVE-2024-12905
HIGH
tar-fs < 1.16.4, 2.0.0-2.1.2, 3.0.0-3.0.8 - Path Traversal and Arbitrary File Write via Malicious Tar Extraction
Mar 27, 2025
CVSS 7.5
EPSS 0.01
CVE-2024-12537
HIGH
open-webui 0.3.32 - Unauthenticated Denial of Service via Code Format Endpoint
Mar 20, 2025
CVSS 7.5
EPSS 0.03
CVE-2024-12534
HIGH
open-webui 0.3.32 - Unauthenticated Denial of Service via Large Payload Submission
Mar 20, 2025
CVSS 7.5
EPSS 0.01
CVE-2024-53384
MEDIUM
tsup 8.3.4 - Remote Code Execution via DOM Clobbering in cjs_shims.js
Mar 03, 2025
CVSS 5.1
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12