npm

4,193 tracked vulnerabilities.

CVE-2026-44635 HIGH
Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`
May 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-48128 MEDIUM
Budibase: SSRF via User-Controlled queryId in Automation Execute Query Step
May 27, 2026
EPSS 0.00
CVE-2026-46426 HIGH
Budibase: Unrestricted Upload of File with Dangerous Type
May 27, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-45718 MEDIUM
Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows
May 27, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-45061 HIGH
Budibase: SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)
May 27, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-42553 HIGH
Cinny: Access token disclosure via invalidated emoji pack avatar URL in service worker
May 27, 2026
EPSS 0.00
CVE-2026-42280 HIGH
auth0.js - Improper Permission Checking in Auth.js SDK
May 27, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-44966 HIGH
Velocity.js: Prototype Pollution in #set path assignment
May 26, 2026
CVSS 8.3
EPSS 0.01
CVE-2026-44214 MEDIUM
eventsource-encoder: SSE event injection via unsanitized event and id fields
May 26, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-9520 MEDIUM
blitz-js blitz Sign-in LoginForm.tsx cross site scripting
May 26, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-45249 MEDIUM
Apache ECharts: XSS in Lines series tooltip rendering
May 25, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-41149 MEDIUM
Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
May 22, 2026
EPSS 0.00
CVE-2026-41148 MEDIUM
Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection
May 22, 2026
EPSS 0.00
CVE-2026-9277 HIGH
shell-quote `quote()` does not validate object-token shapes, allowing command injection via line terminators in `.op`
May 22, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-47099 MEDIUM
TeleJSON < 6.0.0 DOM-based XSS via parse() Function
May 20, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-26028 MEDIUM
CryptPad: Sanitizer Bypass in Diffmarked.js Allows Arbitrary HTML Injection and Potential XSS
May 20, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-8814 MEDIUM
Exifreader < 4.39.0 - Improper Handling of Highly Compressed Data (Data Amplification)
May 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-8813 HIGH
exifreader < 4.39.0 - Denial of Service via ICC mluc Tag Parsing
May 19, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-8723 MEDIUM
qs.stringify crashes on null/undefined entries in comma-format arrays under encodeValuesOnly
May 17, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-45665 HIGH
Open WebUI: Stored XSS in Banner Component via Improper Sanitization Order
May 15, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-45346 MEDIUM
Open WebUI: Stored Cross-Site Scripting in SVG Renderer
May 15, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-45395 HIGH
Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
May 15, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-44721 HIGH
Open WebUI: Stored XSS via Model Description
May 15, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-45773 MEDIUM
Turborepo: Login callback CSRF/session fixation
May 15, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-45772 CRITICAL
Turborepo: Unexpected local code execution during Yarn Berry detection
May 15, 2026
CVSS 9.8
EPSS 0.00