npm
4,193 tracked vulnerabilities.
CVE-2026-35630
HIGH
OpenClaw < 2026.5.18 - QQBot Missing Approver Identity Enforcement in Native Approval Buttons
May 29, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-41159
MEDIUM
Mermaid: Improper sanitization of configuration leads to CSS injection
May 29, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41150
MEDIUM
Mermaid Gantt Charts - Infinite Loop Denial of Service
May 29, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-46510
HIGH
Prototype pollution in form-data-objectizer via bracket-notation form keys
May 29, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-45707
HIGH
n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete
May 29, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45582
MEDIUM
n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters
May 29, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-45364
HIGH
Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
May 28, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-45787
CRITICAL
electerm's encrypt method not safe enough
May 28, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-45353
HIGH
electerm: Local code through electerm's single-instance socket
May 28, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-45311
CRITICAL
CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval
May 28, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-45310
HIGH
CodeWhale: SSRF via HTTP Redirect Bypass in fetch_url Tool
May 28, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-45058
CRITICAL
electerm: Import unsafe bookmark data could lead to unsafe operation when click local type bookmark
May 28, 2026
EPSS 0.00
CVE-2026-47676
MEDIUM
Hono: app.mount() strips mount prefix using undecoded path, causing incorrect routing for percent-encoded paths
May 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-47675
MEDIUM
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
May 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-47674
MEDIUM
Hono: IP Restriction bypasses static deny rules for non-canonical IPv6
May 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-47673
MEDIUM
Hono: JWT middleware accepts any Authorization scheme, not only Bearer
May 28, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-47762
HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability through `mce:protected` comments
May 28, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-47761
HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability using media plugin `data-mce-object` injection
May 28, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-47760
HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability using sanitization bypass through nested SVGs
May 28, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-47759
HIGH
TinyMCE Cross-Site Scripting (XSS) vulnerability using through data-mce- prefixed src, href, style attributes
May 28, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-9673
MEDIUM
json-2-csv < 5.5.11 - Improper Neutralization of Formula Elements in a CSV File
May 28, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-44720
MEDIUM
OpenLearnX: Critical Authentication Bypass via JWT Signature Verification Disabled Leading to Account Takeover
May 27, 2026
EPSS 0.00
CVE-2026-45136
HIGH
claude-code-cache-fix: Local code execution via Python triple-quote injection in tools/quota-statusline.sh
May 27, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-45134
HIGH
LangSmith Client SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning
May 27, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-44724
HIGH
systeminformation: Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name
May 27, 2026
CVSS 7.8
EPSS 0.01
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters