npm
4,193 tracked vulnerabilities.
CVE-2026-46441
CRITICAL
Flowise: Mass Assignment in Assistant Update Endpoint Allows Cross-Workspace Resource Reassignment
Jun 08, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-46440
CRITICAL
Flowise: Basic Auth Credentials Exposed via API
Jun 08, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-42863
HIGH
Flowise: Mass Assignment in Chatflow Update Endpoint Allows Cross-Workspace AgentFlow Reassignment
Jun 08, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-42862
MEDIUM
Flowise: Mass Assignment in Tool Update Endpoint Allows Cross-Workspace Resource Reassignment
Jun 08, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-42861
CRITICAL
Flowise: Mass Assignment in Variable Update Endpoint Allows Cross-Workspace Resource Reassignment
Jun 08, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-47430
HIGH
Apache Cordova InAppBrowser iOS 3.1.0-6.0.0 - Callback ID Spoofing
Jun 08, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-5078
MEDIUM
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
Jun 03, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-49144
MEDIUM
BrowserStack Runner 0.9.5 Path Traversal via _default HTTP Handler
Jun 02, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-49143
HIGH
BrowserStack Runner 0.9.5 Unauthenticated RCE via /_log HTTP Handler
Jun 02, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42342
HIGH
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
Jun 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42211
HIGH
React Router 7.0.0-7.14.1 - Framework Mode Deserialization Remote Code Execution
Jun 02, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-40181
MEDIUM
React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
Jun 02, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-34077
HIGH
React Router vulnerable to Denial of Service via reflected user input in single-fetch
Jun 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33245
HIGH
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
Jun 02, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-42074
CRITICAL
OpenClaude: Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
Jun 02, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-33244
MEDIUM
React Router has stored XSS via unescaped Location header in prerendered redirect HTML
Jun 02, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-45302
HIGH
parse-nested-form-data < 1.0.1 - Prototype Pollution via FormData Field Name Traversal
Jun 01, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-44211
CRITICAL
Cline Kanban Server <=2.13.0 - Cross-Origin WebSocket Hijacking
Jun 01, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-45149
MEDIUM
brace-expansion: Large numeric range defeats documented `max` DoS protection
May 29, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-46372
HIGH
NUCLEI
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl
May 29, 2026
CVSS 8.5
EPSS 0.01
CVE-2026-44652
MEDIUM
SillyTavern CORS Proxy - Server-Side Request Forgery
May 29, 2026
EPSS 0.00
CVE-2026-44651
MEDIUM
SillyTavern CORS Proxy - Reflected Cross-Site Scripting
May 29, 2026
EPSS 0.00
CVE-2026-44649
CRITICAL
SillyTavern: Authentication Bypass via SSO Header Injection
May 29, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-44648
HIGH
SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover
May 29, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-45577
MEDIUM
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass
May 29, 2026
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters