npm

4,198 tracked vulnerabilities.

CVE-2025-26791 MEDIUM
DOMPurify < 3.2.4 - Cross-Site Scripting via Incorrect Template Literal Regular Expression
Feb 14, 2025
CVSS 4.5
EPSS 0.01
CVE-2025-25283 HIGH
parse-duraton <2.1.3 - Memory Corruption
Feb 12, 2025
CVSS 7.5
EPSS 0.01
CVE-2025-25200 HIGH
Koa <0.21.2, 1.7.1, 2.15.4, 3.0.0-alpha.3 - DoS
Feb 12, 2025
CVSS 7.5
EPSS 0.01
CVE-2025-24964 CRITICAL
Vitest API Server - Cross-Site WebSocket Hijacking Code Execution
Feb 04, 2025
CVSS 9.6
EPSS 0.01
CVE-2025-24959 LOW
zx <8.3.2 - Command Injection
Feb 03, 2025
EPSS 0.00
CVE-2025-24791 MEDIUM
Snowflake NodeJS Driver <2.0.1 - Privilege Escalation
Jan 29, 2025
CVSS 4.4
EPSS 0.00
CVE-2025-24353 MEDIUM
Directus < 11.2.0 - Improper Privilege Management via Share Feature
Jan 23, 2025
CVSS 5.0
EPSS 0.00
CVE-2025-22150 MEDIUM
Undici <5.28.5,6.21.1,7.2.3 - Info Disclosure
Jan 21, 2025
CVSS 6.8
EPSS 0.01
CVE-2025-24010 MEDIUM
vitejs/vite < 4.5.5, 6.0.0-6.0.9 - Origin Validation Error via CORS and WebSocket
Jan 20, 2025
CVSS 6.5
EPSS 0.00
CVE-2025-23207 MEDIUM
KaTeX 0.12.0-0.16.20 - Cross-Site Scripting via \htmlData Command
Jan 17, 2025
CVSS 6.3
EPSS 0.00
CVE-2025-23206 HIGH
AWS Cloud Development Kit < 2.177.0 - Improper Certificate Validation in OIDC Custom Resource Provider
Jan 17, 2025
CVSS 8.1
EPSS 0.00
CVE-2025-23061 CRITICAL NUCLEI
mongoose < 6.13.6 and 8.0.0-rc0-8.9.5 - Search Injection via Nested $where Filter with Populate Match
Jan 15, 2025
CVSS 9.0
EPSS 0.07
CVE-2025-21610 MEDIUM
Trix < 2.1.12 - Cross-Site Scripting via Malicious Link Field Paste
Jan 03, 2025
CVSS 5.3
EPSS 0.00
CVE-2024-52011 HIGH
launch-editor < 2.9.0 - OS Command Injection via File Argument
Jun 01, 2026
CVSS 8.3
EPSS 0.01
CVE-2024-14020 MEDIUM
carbone < 3.5.6 - Prototype Pollution in Formatter Handler
Jan 07, 2026
CVSS 5.0
EPSS 0.00
CVE-2024-49365 HIGH
tiny-secp256k1 < 1.1.7 - Improper Verification of Cryptographic Signature via Buffer.isBuffer Bypass
Jul 01, 2025
EPSS 0.00
CVE-2024-49364 HIGH
tiny-secp256k1 < 1.1.7 - Private Key Extraction via Malicious JSON-Stringifiable Object
Jul 01, 2025
EPSS 0.00
CVE-2024-46993 MEDIUM
Electron <28.3.2, 29.0.0-alpha.1-29.3.2, 30.0.0-alpha.1-30.0.2 - Heap-based Buffer Overflow
Jul 01, 2025
EPSS 0.00
CVE-2024-46992 HIGH
Electron <30.0.5-31.0.0-beta.1 - ASAR Integrity Bypass
Jul 01, 2025
CVSS 7.8
EPSS 0.00
CVE-2024-57190 CRITICAL
erxes < 1.6.1 - Unauthenticated Authentication Bypass via User HTTP Header
Jun 10, 2025
CVSS 9.8
EPSS 0.01
CVE-2024-57189 MEDIUM
erxes < 1.6.2 - Authenticated Path Traversal and Arbitrary File Write via importHistoriesCreate GraphQL Mutation
Jun 10, 2025
CVSS 5.4
EPSS 0.00
CVE-2024-57186 MEDIUM
erxes < 1.6.2 - Unauthenticated Path Traversal via /read-file Endpoint
Jun 10, 2025
CVSS 5.4
EPSS 0.00
CVE-2024-47829 MEDIUM
pnpm < 10.0.0 - Use of Weak Hash via MD5 Path Shortening
Apr 23, 2025
CVSS 6.5
EPSS 0.00
CVE-2024-57083 HIGH
redocly/redoc < 2.2.0 and npm/redoc < 2.4.0 - Denial of Service via Prototype Pollution in Module.mergeObjects
Mar 28, 2025
CVSS 7.5
EPSS 0.01
CVE-2024-38985 CRITICAL
janrywang depath and cool-path - Prototype Pollution via setIn Method
Mar 28, 2025
CVSS 9.8
EPSS 0.01