npm
4,193 tracked vulnerabilities.
CVE-2026-44635
HIGH
Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`
May 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-48128
MEDIUM
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step
May 27, 2026
EPSS 0.00
CVE-2026-46426
HIGH
Budibase: Unrestricted Upload of File with Dangerous Type
May 27, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-45718
MEDIUM
Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows
May 27, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-45061
HIGH
Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)
May 27, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-42553
HIGH
Cinny: Access token disclosure via invalidated emoji pack avatar URL in service worker
May 27, 2026
EPSS 0.00
CVE-2026-42280
HIGH
auth0.js - Improper Permission Checking in Auth.js SDK
May 27, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-44966
HIGH
Velocity.js: Prototype Pollution in #set path assignment
May 26, 2026
CVSS 8.3
EPSS 0.01
CVE-2026-44214
MEDIUM
eventsource-encoder: SSE event injection via unsanitized event and id fields
May 26, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-9520
MEDIUM
blitz-js blitz Sign-in LoginForm.tsx cross site scripting
May 26, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-45249
MEDIUM
Apache ECharts: XSS in Lines series tooltip rendering
May 25, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-41149
MEDIUM
Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
May 22, 2026
EPSS 0.00
CVE-2026-41148
MEDIUM
Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection
May 22, 2026
EPSS 0.00
CVE-2026-9277
HIGH
shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op`
May 22, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-47099
MEDIUM
TeleJSON < 6.0.0 DOM-based XSS via parse() Function
May 20, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-26028
MEDIUM
CryptPad: Sanitizer Bypass in Diffmarked.js Allows Arbitrary HTML Injection and Potential XSS
May 20, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-8814
MEDIUM
Exifreader < 4.39.0 - Improper Handling of Highly Compressed Data (Data Amplification)
May 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-8813
HIGH
exifreader < 4.39.0 - Denial of Service via ICC mluc Tag Parsing
May 19, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-8723
MEDIUM
qs.stringify crashes on null/undefined entries in comma-format arrays under encodeValuesOnly
May 17, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-45665
HIGH
Open WebUI: Stored XSS in Banner Component via Improper Sanitization Order
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45346
MEDIUM
Open WebUI: Stored Cross-Site Scripting in SVG Renderer
May 15, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-45395
HIGH
Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
May 15, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-44721
HIGH
Open WebUI: Stored XSS via Model Description
May 15, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-45773
MEDIUM
Turborepo: Login callback CSRF/session fixation
May 15, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-45772
CRITICAL
Turborepo: Unexpected local code execution during Yarn Berry detection
May 15, 2026
CVSS 9.8
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters