npm
4,193 tracked vulnerabilities.
CVE-2026-44495
HIGH
Axios: Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
Jun 11, 2026
CVSS 7.0
EPSS 0.00
CVE-2026-44494
HIGH
Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
Jun 11, 2026
CVSS 8.7
EPSS 0.01
CVE-2026-44492
HIGH
Axios < 0.32.0 and 1.0.0-1.15.x - NO_PROXY Bypass via IPv4-Mapped IPv6
Jun 11, 2026
CVSS 8.6
EPSS 0.01
CVE-2026-44490
MEDIUM
Axios: DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
Jun 11, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-44489
LOW
Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
Jun 11, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-44488
HIGH
Axios: Allocation of Resources Without Limits or Throttling in axios
Jun 11, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44487
HIGH
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
Jun 11, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44486
HIGH
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
Jun 11, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-46625
HIGH
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
Jun 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-11417
HIGH
Aws Cloud Development Kit Library < 2.245.0 - Command Injection
Jun 10, 2026
CVSS 7.3
EPSS 0.01
CVE-2026-46492
HIGH
md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
Jun 09, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-42599
MEDIUM
Cross-site scripting via spread attributes in Svelte SSR
Jun 09, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-42573
MEDIUM
Svelte: XSS via DOM Clobbering of Internal Framework State
Jun 09, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-42570
HIGH
Svelte devalue: DoS via sparse array deserialization
Jun 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42567
HIGH
Svelte: ReDoS in `<svelte:element>` Tag Validation
Jun 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-46490
HIGH
samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46480
HIGH
Flowise: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46479
HIGH
Flowise: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46478
HIGH
Flowise: DatasetRow create+update mass-assignment allows cross-workspace row takeover
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46477
HIGH
Flowise: Dataset create+update mass-assignment allows cross-workspace dataset takeover
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46476
HIGH
Flowise: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46475
HIGH
Flowise: Assistant create+update mass-assignment allows cross-workspace assistant takeover
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46444
HIGH
Flowise: Vector Store No Permission Checks
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46443
MEDIUM
Flowise: Credential Data Leak
Jun 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-46442
CRITICAL
Flowise: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
Jun 08, 2026
CVSS 9.9
EPSS 0.01
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters