npm

4,193 tracked vulnerabilities.

CVE-2026-46441 CRITICAL
Flowise: Mass Assignment in Assistant Update Endpoint Allows Cross-Workspace Resource Reassignment
Jun 08, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-46440 CRITICAL
Flowise: Basic Auth Credentials Exposed via API
Jun 08, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-42863 HIGH
Flowise: Mass Assignment in Chatflow Update Endpoint Allows Cross-Workspace AgentFlow Reassignment
Jun 08, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-42862 MEDIUM
Flowise: Mass Assignment in Tool Update Endpoint Allows Cross-Workspace Resource Reassignment
Jun 08, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-42861 CRITICAL
Flowise: Mass Assignment in Variable Update Endpoint Allows Cross-Workspace Resource Reassignment
Jun 08, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-47430 HIGH
Apache Cordova InAppBrowser iOS 3.1.0-6.0.0 - Callback ID Spoofing
Jun 08, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-5078 MEDIUM
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Jun 03, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-49144 MEDIUM
BrowserStack Runner 0.9.5 Path Traversal via _default HTTP Handler
Jun 02, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-49143 HIGH
BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler
Jun 02, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42342 HIGH
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
Jun 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42211 HIGH
React Router 7.0.0-7.14.1 - Framework Mode Deserialization Remote Code Execution
Jun 02, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-40181 MEDIUM
React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
Jun 02, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-34077 HIGH
React Router vulnerable to Denial of Service via reflected user input in single-fetch
Jun 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33245 HIGH
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
Jun 02, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-42074 CRITICAL
OpenClaude: Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
Jun 02, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-33244 MEDIUM
React Router has stored XSS via unescaped Location header in prerendered redirect HTML
Jun 02, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-45302 HIGH
parse-nested-form-data < 1.0.1 - Prototype Pollution via FormData Field Name Traversal
Jun 01, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-44211 CRITICAL
Cline Kanban Server <=2.13.0 - Cross-Origin WebSocket Hijacking
Jun 01, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-45149 MEDIUM
brace-expansion: Large numeric range defeats documented `max` DoS protection
May 29, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-46372 HIGH NUCLEI
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl
May 29, 2026
CVSS 8.5
EPSS 0.01
CVE-2026-44652 MEDIUM
SillyTavern CORS Proxy - Server-Side Request Forgery
May 29, 2026
EPSS 0.00
CVE-2026-44651 MEDIUM
SillyTavern CORS Proxy - Reflected Cross-Site Scripting
May 29, 2026
EPSS 0.00
CVE-2026-44649 CRITICAL
SillyTavern: Authentication Bypass via SSO Header Injection
May 29, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-44648 HIGH
SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover
May 29, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-45577 MEDIUM
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass
May 29, 2026
EPSS 0.00