npm

4,198 tracked vulnerabilities.

CVE-2024-39943 CRITICAL
rejetto HFS < 0.52.10 - Authenticated OS Command Injection via df Command Execution
Jul 04, 2024
CVSS 9.9
EPSS 0.48
CVE-2024-39309 CRITICAL
Parse Server < 6.5.7 and 7.0.0-7.1.0 - SQL Injection via PostgreSQL Configuration
Jul 01, 2024
CVSS 9.8
EPSS 0.20
CVE-2024-37146 MEDIUM
Flowise < 1.4.3 - Unauthenticated Reflected Cross-Site Scripting via /api/v1/credentials/id Endpoint
Jul 01, 2024
CVSS 6.1
EPSS 0.00
CVE-2024-37145 MEDIUM
Flowise < 1.4.3 - Unauthenticated Reflected Cross-Site Scripting via Chatflow ID Parameter
Jul 01, 2024
CVSS 6.1
EPSS 0.00
CVE-2024-36423 MEDIUM
Flowise < 1.4.3 - Unauthenticated Reflected Cross-Site Scripting via Public Chatflows Endpoint
Jul 01, 2024
CVSS 6.1
EPSS 0.00
CVE-2024-36422 MEDIUM
Flowise 1.4.3 - Unauthenticated Reflected Cross-Site Scripting via Chatflow ID Parameter
Jul 01, 2024
CVSS 6.1
EPSS 0.00
CVE-2024-36421 HIGH
Flowise 1.4.3 - Unauthenticated Origin Validation Error via CORS Misconfiguration
Jul 01, 2024
CVSS 7.5
EPSS 0.06
CVE-2024-36420 HIGH NUCLEI
Flowise 1.4.3 - Arbitrary File Read via OpenAI Assistants File Endpoint
Jul 01, 2024
CVSS 7.5
EPSS 0.02
CVE-2024-39008 CRITICAL
fast-loops < 1.1.4 - Prototype Pollution via objectMergeDeep Function
Jul 01, 2024
CVSS 10.0
EPSS 0.01
CVE-2024-39001 MEDIUM
ag-grid < 31.3.4 - Prototype Pollution via _ModuleSupport.jsonApply
Jul 01, 2024
CVSS 6.3
EPSS 0.01
CVE-2024-38999 CRITICAL
requirejs < 2.3.7 - Prototype Pollution via s.contexts._.configure Function
Jul 01, 2024
CVSS 10.0
EPSS 0.01
CVE-2024-38996 CRITICAL
ag-grid < 31.3.4 - Prototype Pollution via _.mergeDeep Function
Jul 01, 2024
CVSS 9.8
EPSS 0.01
CVE-2024-38993 CRITICAL
jsonic - Prototype Pollution via empty Function
Jul 01, 2024
CVSS 9.8
EPSS 0.01
CVE-2024-38357 MEDIUM
TinyMCE <7.2.0, <6.8.4, <5.11.0 - XSS
Jun 19, 2024
CVSS 6.1
EPSS 0.01
CVE-2024-38356 MEDIUM
TinyMCE <7.2.0, <6.8.4, <5.11.0 - XSS
Jun 19, 2024
CVSS 6.1
EPSS 0.01
CVE-2024-38355 HIGH
Socket.IO < 2.5.1 and 3.0.0-4.6.2 - Denial of Service via Crafted Packet
Jun 19, 2024
CVSS 7.3
EPSS 0.01
CVE-2024-37890 HIGH
NPM WS < 5.2.4 - NULL Pointer Dereference
Jun 17, 2024
CVSS 7.5
EPSS 0.01
CVE-2024-37182 MEDIUM
Mattermost Desktop App <=5.7.0 - RCE
Jun 14, 2024
CVSS 4.7
EPSS 0.00
CVE-2024-36287 LOW
Mattermost Desktop App <=5.7.0 - Auth Bypass
Jun 14, 2024
CVSS 3.8
EPSS 0.00
CVE-2024-37629 MEDIUM
summernote v0.9.1 - Cross-Site Scripting via Code View Function
Jun 12, 2024
CVSS 6.1
EPSS 0.00
CVE-2024-37166 HIGH
ghtml < 2.0.0 - Cross-Site Scripting via Tagged Template Injection
Jun 10, 2024
CVSS 8.9
EPSS 0.00
CVE-2024-5389 HIGH
lunary < 1.4.9 - Insufficient Granularity of Access Control for Dataset Prompts
Jun 09, 2024
CVSS 8.1
EPSS 0.00
CVE-2024-4146 CRITICAL
lunary < 1.2.26 - Incorrect Authorization in checkProjectAccess Method
Jun 08, 2024
CVSS 9.8
EPSS 0.01
CVE-2024-37162 MEDIUM
zsa < 0.3.3 - Sensitive Information Exposure via Production Parse Error Stack
Jun 07, 2024
CVSS 4.0
EPSS 0.00
CVE-2024-5478 MEDIUM
lunary 1.2.7 - Stored Cross-Site Scripting via SAML Metadata Endpoint orgId Parameter
Jun 06, 2024
CVSS 6.1
EPSS 0.00