npm

4,193 tracked vulnerabilities.

CVE-2026-35630 HIGH
OpenClaw < 2026.5.18 - QQBot Missing Approver Identity Enforcement in Native Approval Buttons
May 29, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-41159 MEDIUM
Mermaid: Improper sanitization of configuration leads to CSS injection
May 29, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41150 MEDIUM
Mermaid Gantt Charts - Infinite Loop Denial of Service
May 29, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-46510 HIGH
Prototype pollution in form-data-objectizer via bracket-notation form keys
May 29, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-45707 HIGH
n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete
May 29, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45582 MEDIUM
n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters
May 29, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-45364 HIGH
Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
May 28, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-45787 CRITICAL
electerm's encrypt method not safe enough
May 28, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-45353 HIGH
electerm: Local code through electerm's single-instance socket
May 28, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-45311 CRITICAL
CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval
May 28, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-45310 HIGH
CodeWhale: SSRF via HTTP Redirect Bypass in fetch_url Tool
May 28, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-45058 CRITICAL
electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark
May 28, 2026
EPSS 0.00
CVE-2026-47676 MEDIUM
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
May 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-47675 MEDIUM
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
May 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-47674 MEDIUM
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
May 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-47673 MEDIUM
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
May 28, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-47762 HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments
May 28, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-47761 HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection
May 28, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-47760 HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
May 28, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-47759 HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes
May 28, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-9673 MEDIUM
json-2-csv < 5.5.11 - Improper Neutralization of Formula Elements in a CSV File
May 28, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-44720 MEDIUM
OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover
May 27, 2026
EPSS 0.00
CVE-2026-45136 HIGH
claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/quota-statusline.sh
May 27, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-45134 HIGH
LangSmith Client SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
May 27, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-44724 HIGH
systeminformation: Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name
May 27, 2026
CVSS 7.8
EPSS 0.01