npm
4,198 tracked vulnerabilities.
CVE-2025-26791
MEDIUM
DOMPurify < 3.2.4 - Cross-Site Scripting via Incorrect Template Literal Regular Expression
Feb 14, 2025
CVSS 4.5
EPSS 0.01
CVE-2025-25283
HIGH
parse-duraton <2.1.3 - Memory Corruption
Feb 12, 2025
CVSS 7.5
EPSS 0.01
CVE-2025-25200
HIGH
Koa <0.21.2, 1.7.1, 2.15.4, 3.0.0-alpha.3 - DoS
Feb 12, 2025
CVSS 7.5
EPSS 0.01
CVE-2025-24964
CRITICAL
Vitest API Server - Cross-Site WebSocket Hijacking Code Execution
Feb 04, 2025
CVSS 9.6
EPSS 0.01
CVE-2025-24959
LOW
zx <8.3.2 - Command Injection
Feb 03, 2025
EPSS 0.00
CVE-2025-24791
MEDIUM
Snowflake NodeJS Driver <2.0.1 - Privilege Escalation
Jan 29, 2025
CVSS 4.4
EPSS 0.00
CVE-2025-24353
MEDIUM
Directus < 11.2.0 - Improper Privilege Management via Share Feature
Jan 23, 2025
CVSS 5.0
EPSS 0.00
CVE-2025-22150
MEDIUM
Undici <5.28.5,6.21.1,7.2.3 - Info Disclosure
Jan 21, 2025
CVSS 6.8
EPSS 0.01
CVE-2025-24010
MEDIUM
vitejs/vite < 4.5.5, 6.0.0-6.0.9 - Origin Validation Error via CORS and WebSocket
Jan 20, 2025
CVSS 6.5
EPSS 0.00
CVE-2025-23207
MEDIUM
KaTeX 0.12.0-0.16.20 - Cross-Site Scripting via \htmlData Command
Jan 17, 2025
CVSS 6.3
EPSS 0.00
CVE-2025-23206
HIGH
AWS Cloud Development Kit < 2.177.0 - Improper Certificate Validation in OIDC Custom Resource Provider
Jan 17, 2025
CVSS 8.1
EPSS 0.00
CVE-2025-23061
CRITICAL
NUCLEI
mongoose < 6.13.6 and 8.0.0-rc0-8.9.5 - Search Injection via Nested $where Filter with Populate Match
Jan 15, 2025
CVSS 9.0
EPSS 0.07
CVE-2025-21610
MEDIUM
Trix < 2.1.12 - Cross-Site Scripting via Malicious Link Field Paste
Jan 03, 2025
CVSS 5.3
EPSS 0.00
CVE-2024-52011
HIGH
launch-editor < 2.9.0 - OS Command Injection via File Argument
Jun 01, 2026
CVSS 8.3
EPSS 0.01
CVE-2024-14020
MEDIUM
carbone < 3.5.6 - Prototype Pollution in Formatter Handler
Jan 07, 2026
CVSS 5.0
EPSS 0.00
CVE-2024-49365
HIGH
tiny-secp256k1 < 1.1.7 - Improper Verification of Cryptographic Signature via Buffer.isBuffer Bypass
Jul 01, 2025
EPSS 0.00
CVE-2024-49364
HIGH
tiny-secp256k1 < 1.1.7 - Private Key Extraction via Malicious JSON-Stringifiable Object
Jul 01, 2025
EPSS 0.00
CVE-2024-46993
MEDIUM
Electron <28.3.2, 29.0.0-alpha.1-29.3.2, 30.0.0-alpha.1-30.0.2 - Heap-based Buffer Overflow
Jul 01, 2025
EPSS 0.00
CVE-2024-46992
HIGH
Electron <30.0.5-31.0.0-beta.1 - ASAR Integrity Bypass
Jul 01, 2025
CVSS 7.8
EPSS 0.00
CVE-2024-57190
CRITICAL
erxes < 1.6.1 - Unauthenticated Authentication Bypass via User HTTP Header
Jun 10, 2025
CVSS 9.8
EPSS 0.01
CVE-2024-57189
MEDIUM
erxes < 1.6.2 - Authenticated Path Traversal and Arbitrary File Write via importHistoriesCreate GraphQL Mutation
Jun 10, 2025
CVSS 5.4
EPSS 0.00
CVE-2024-57186
MEDIUM
erxes < 1.6.2 - Unauthenticated Path Traversal via /read-file Endpoint
Jun 10, 2025
CVSS 5.4
EPSS 0.00
CVE-2024-47829
MEDIUM
pnpm < 10.0.0 - Use of Weak Hash via MD5 Path Shortening
Apr 23, 2025
CVSS 6.5
EPSS 0.00
CVE-2024-57083
HIGH
redocly/redoc < 2.2.0 and npm/redoc < 2.4.0 - Denial of Service via Prototype Pollution in Module.mergeObjects
Mar 28, 2025
CVSS 7.5
EPSS 0.01
CVE-2024-38985
CRITICAL
janrywang depath and cool-path - Prototype Pollution via setIn Method
Mar 28, 2025
CVSS 9.8
EPSS 0.01
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 21
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
protobufjs 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
Quick Filters