npm

4,193 tracked vulnerabilities.

CVE-2026-44495 HIGH
Axios: Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
Jun 11, 2026
CVSS 7.0
EPSS 0.00
CVE-2026-44494 HIGH
Axios: Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy`
Jun 11, 2026
CVSS 8.7
EPSS 0.01
CVE-2026-44492 HIGH
Axios < 0.32.0 and 1.0.0-1.15.x - NO_PROXY Bypass via IPv4-Mapped IPv6
Jun 11, 2026
CVSS 8.6
EPSS 0.01
CVE-2026-44490 MEDIUM
Axios: DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions
Jun 11, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-44489 LOW
Axios: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
Jun 11, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-44488 HIGH
Axios: Allocation of Resources Without Limits or Throttling in axios
Jun 11, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44487 HIGH
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
Jun 11, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-44486 HIGH
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
Jun 11, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-46625 HIGH
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
Jun 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-11417 HIGH
Aws Cloud Development Kit Library < 2.245.0 - Command Injection
Jun 10, 2026
CVSS 7.3
EPSS 0.01
CVE-2026-46492 HIGH
md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed)
Jun 09, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-42599 MEDIUM
Cross-site scripting via spread attributes in Svelte SSR
Jun 09, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-42573 MEDIUM
Svelte: XSS via DOM Clobbering of Internal Framework State
Jun 09, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-42570 HIGH
Svelte devalue: DoS via sparse array deserialization
Jun 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42567 HIGH
Svelte: ReDoS in `<svelte:element>` Tag Validation
Jun 09, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-46490 HIGH
samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46480 HIGH
Flowise: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46479 HIGH
Flowise: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46478 HIGH
Flowise: DatasetRow create+update mass-assignment allows cross-workspace row takeover
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46477 HIGH
Flowise: Dataset create+update mass-assignment allows cross-workspace dataset takeover
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46476 HIGH
Flowise: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46475 HIGH
Flowise: Assistant create+update mass-assignment allows cross-workspace assistant takeover
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46444 HIGH
Flowise: Vector Store No Permission Checks
Jun 08, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-46443 MEDIUM
Flowise: Credential Data Leak
Jun 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-46442 CRITICAL
Flowise: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
Jun 08, 2026
CVSS 9.9
EPSS 0.01