Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

npm Security Advisories

Browse all Security Advisories for npm

Loading...
Moderate
GSA_kwCzR0hTQS0zd2Y0LTY4Z3gtbXBoOM4ABBdB
Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server
Ecosystems: npm
Packages: firebase
Source: GitHub Advisory Database
Blast Radius: 29.0
Published: 3 days ago
Low
GSA_kwCzR0hTQS03cTdnLTR4bTgtODljcc4ABBaa
Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit
Ecosystems: npm
Packages: @eslint/plugin-kit
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: 5 days ago
High
GSA_kwCzR0hTQS1oZmY4LWhqd3YtajlxN84ABBW0
Remote Code Execution on click of <a> Link in markdown preview
Ecosystems: npm
Packages: joplin
Source: GitHub Advisory Database
Blast Radius: 11.0
Published: 7 days ago
Moderate
GSA_kwCzR0hTQS1qcnZtLW1jeGMtbWY2bc4ABBSa
dom-iterator code execution vulnerability
Ecosystems: npm
Packages: dom-iterator
Source: GitHub Advisory Database
Blast Radius: 28.2
Published: 8 days ago
Moderate
GSA_kwCzR0hTQS14dmc4LW00eDMtdzZ4cs4ABBP2
matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal
Ecosystems: npm
Packages: matrix-js-sdk
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: 8 days ago
High
GSA_kwCzR0hTQS0zeGdxLTQ1amotdjI3Nc4ABBFi
Regular Expression Denial of Service (ReDoS) in cross-spawn
Ecosystems: npm
Packages: cross-spawn
Source: GitHub Advisory Database
Blast Radius: 47.1
Published: 13 days ago
Critical
GSA_kwCzR0hTQS05Nmc3LWc3Zzktanh3OM4ABBBh
happy-dom allows for server side code to be executed by a <script> tag
Ecosystems: npm
Packages: happy-dom
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: 15 days ago
Low
GSA_kwCzR0hTQS12MnFoLWY1ODQtNmhqOM4ABA_S
@workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled
Ecosystems: npm
Packages: @workos-inc/authkit-remix
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: 16 days ago
Low
GSA_kwCzR0hTQS01d21nLTljdmgtcXcyNc4ABA_R
@workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled
Ecosystems: npm
Packages: @workos-inc/authkit-nextjs
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: 16 days ago
High
GSA_kwCzR0hTQS1xbTkyLTkzZnYtdmg3bc4ABA6P
Path traversal in oak allows transfer of hidden files within the served root directory
Ecosystems: npm
Packages: @oakserver/oak
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: 19 days ago
Moderate
GSA_kwCzR0hTQS1oaGh2LWdnangtcTlqMs4ABA2O
Glossarizer Cross-site Scripting vulnerability
Ecosystems: npm
Packages: glossarizer
Source: GitHub Advisory Database
Blast Radius: 3.7
Published: 20 days ago
Critical
GSA_kwCzR0hTQS1wM3ZmLXY4cWMtY3djcs4ABA13
DOMPurify vulnerable to tampering by prototype polution
Ecosystems: npm
Packages: dompurify
Source: GitHub Advisory Database
Blast Radius: 43.3
Published: 21 days ago
High
GSA_kwCzR0hTQS1mcTltLXYyNnYtMm00Zs4ABA1p
lilconfig Code Injection vulnerability
Ecosystems: npm
Packages: lilconfig
Source: GitHub Advisory Database
Blast Radius: 53.6
Published: 21 days ago
Low
GSA_kwCzR0hTQS02bTU5LThmbXYtbTVmOc4ABAyK
@langchain/community SQL Injection vulnerability
Ecosystems: npm
Packages: @langchain/community
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: 23 days ago
Moderate
GSA_kwCzR0hTQS1oYzV3LWM5ZjgtOWNjNM4ABAyR
Langchain Path Traversal vulnerability
Ecosystems: npm
Packages: langchain
Source: GitHub Advisory Database
Blast Radius: 22.6
Published: 23 days ago
Moderate
GSA_kwCzR0hTQS1oeGYzLXZncG0tZnY5cM4ABAsl
CycloneDX cdxgen may execute code contained within build-related files
Ecosystems: npm
Packages: @cyclonedx/cdxgen
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: 24 days ago
Moderate
GSA_kwCzR0hTQS1tZ2Z2LW00N3gtNHdxcM4ABAsG
useragent Regular Expression Denial of Service vulnerability
Ecosystems: npm
Packages: useragent
Source: GitHub Advisory Database
Blast Radius: 42.5
Published: 25 days ago
Moderate
GSA_kwCzR0hTQS1ydjczLTljOHctanA0Y84ABAsE
validate.js Regular Expression Denial of Service vulnerability
Ecosystems: npm
Packages: validate.js
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: 25 days ago
Moderate
GSA_kwCzR0hTQS02OHFnLWc3ODctM3JwNc4ABAsI
Knwl.js Regular Expression Denial of Service vulnerability
Ecosystems: npm
Packages: knwl.js
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: 25 days ago
Moderate
GSA_kwCzR0hTQS1wbXZ2LTU3cmctNWc4Ns4ABAsF
CommonRegexJS Regular Expression Denial of Service vulnerability
Ecosystems: npm
Packages: commonregex
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: 25 days ago
Moderate
GSA_kwCzR0hTQS13NDU1LW1mcTktaGY3NM4ABAsC
insane vulnerable to Regular Expression Denial of Service
Ecosystems: npm
Packages: insane
Source: GitHub Advisory Database
Blast Radius: 21.0
Published: 25 days ago
Moderate
GSA_kwCzR0hTQS0zcGh2LTgzY2otcDhwN84ABAsK
nope-validator Regular Expression Denial of Service vulnerability
Ecosystems: npm
Packages: nope-validator
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: 25 days ago
Moderate
GSA_kwCzR0hTQS1wOHBjLTNmN3ctanI1cc4ABAsH
Foundation Regular Expression Denial of Service vulnerability
Ecosystems: npm
Packages: foundation-sites
Source: GitHub Advisory Database
Blast Radius: 31.6
Published: 25 days ago
High
GSA_kwCzR0hTQS1xcXF3LWdtOTMtcWY2bc4ABAnQ
OS Command Injection in Snyk gradle plugin
Ecosystems: npm
Packages: snyk-gradle-plugin
Source: GitHub Advisory Database
Blast Radius: 28.7
Published: 28 days ago
High
GSA_kwCzR0hTQS02OWY5LWg4ZjktN3ZqZs4ABAnP
OS Command Injection in Snyk php plugin
Ecosystems: npm
Packages: snyk-php-plugin
Source: GitHub Advisory Database
Blast Radius: 28.6
Published: 28 days ago
High
GSA_kwCzR0hTQS1tNGdxLXgyNGotanBtZs4ABAkl
Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
Ecosystems: npm
Packages: mermaid
Source: GitHub Advisory Database
Blast Radius: 28.9
Published: 30 days ago
Moderate
GSA_kwCzR0hTQS1jNWc2LTZ4ZjctcXhwM84ABAkf
Umbraco CMS vulnerable to stored Cross-site Scripting in the "dictionary name" on Dictionary section
Ecosystems: npm, nuget
Packages: @umbraco-cms/backoffice, Umbraco.Cms.StaticAssets
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: 30 days ago
High
GSA_kwCzR0hTQS01ODRxLTZqOGotcjVwbc4ABAe_
secp256k1-node allows private key extraction over ECDH
Ecosystems: npm
Packages: secp256k1
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: about 1 month ago
High
GSA_kwCzR0hTQS1jN3F2LXE5NXEtOHYyN84ABAbv
Denial of service in http-proxy-middleware
Ecosystems: npm
Packages: http-proxy-middleware
Source: GitHub Advisory Database
Blast Radius: 48.6
Published: about 1 month ago
Low
GSA_kwCzR0hTQS01ajRjLThwMmctdjRqeM4ABARn
ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
Ecosystems: npm
Packages: vue
Source: GitHub Advisory Database
Blast Radius: 22.0
Published: about 1 month ago
High
GSA_kwCzR0hTQS1xY3ZoLXA5anEtd3A4ds4ABARg
Malicious homeservers can steal message keys when the matrix-react-sdk user invites another user to a room
Ecosystems: npm
Packages: matrix-react-sdk
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: about 1 month ago
High
GSA_kwCzR0hTQS00amY4LWc4d3AtY3g3Y84ABARf
Matrix JavaScript SDK's key history sharing could share keys to malicious devices
Ecosystems: npm
Packages: matrix-js-sdk
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: about 1 month ago
Critical
GSA_kwCzR0hTQS1yOW1xLTNjOXItZm1qcc4ABARd
Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy
Ecosystems: npm
Packages: @vendure/asset-server-plugin
Source: GitHub Advisory Database
Blast Radius: 16.4
Published: about 1 month ago
Moderate
GSA_kwCzR0hTQS0yMjM0LWZtdzctNDN3cs4ABARc
Hono allows bypass of CSRF Middleware by a request without Content-Type header.
Ecosystems: npm
Packages: hono
Source: GitHub Advisory Database
Blast Radius: 16.7
Published: about 1 month ago
Low
GSA_kwCzR0hTQS1mYzloLXdocTItdjc0N84ABARZ
Valid ECDSA signatures erroneously rejected in Elliptic
Ecosystems: npm
Packages: elliptic
Source: GitHub Advisory Database
Blast Radius: 28.0
Published: about 1 month ago
Moderate
GSA_kwCzR0hTQS00d3gzLTU0Z2gtOWZyOc4ABAQx
Cross site scripting in markdown-to-jsx
Ecosystems: npm
Packages: markdown-to-jsx
Source: GitHub Advisory Database
Blast Radius: 29.0
Published: about 1 month ago
Moderate
GSA_kwCzR0hTQS1tODV3LTNoOTUtaGNmOc4ABAQP
DOM Clobbering Gadget found in astro's client-side router that leads to XSS
Ecosystems: npm
Packages: astro
Source: GitHub Advisory Database
Blast Radius: 25.2
Published: about 1 month ago
Moderate
GSA_kwCzR0hTQS1nNzd4LTQ0eHgtNTMybc4ABAQO
Denial of Service condition in Next.js image optimization
Ecosystems: npm
Packages: next
Source: GitHub Advisory Database
Blast Radius: 32.7
Published: about 1 month ago
Critical
GSA_kwCzR0hTQS12Z3hxLTZyY2YtcXdyd84ABANd
angular-base64-upload vulnerable to unauthenticated remote code execution
Ecosystems: npm
Packages: angular-base64-upload
Source: GitHub Advisory Database
Blast Radius: 19.7
Published: about 1 month ago
High
GSA_kwCzR0hTQS1neDltLXdoam0tODVqZs4ABANT
DOMpurify has a nesting-based mXSS
Ecosystems: npm
Packages: dompurify
Source: GitHub Advisory Database
Blast Radius: 47.5
Published: about 1 month ago
Critical
GSA_kwCzR0hTQS1wcHBnLWNwZnEtaDd3cs4ABAM3
JSONPath Plus Remote Code Execution (RCE) Vulnerability
Ecosystems: maven, npm
Packages: org.webjars.npm:jsonpath-plus, jsonpath-plus
Source: GitHub Advisory Database
Blast Radius: 42.8
Published: about 1 month ago
Low
GSA_kwCzR0hTQS00MzRnLTI2MzctcW1xcs4ABAJS
Elliptic's verify function omits uniqueness validation
Ecosystems: npm
Packages: elliptic
Source: GitHub Advisory Database
Blast Radius: 30.9
Published: about 1 month ago
Moderate
GSA_kwCzR0hTQS1wcjQ1LWNnNHgtZmY0bc4ABACN
ggit is vulnerable to Arbitrary Argument Injection via the clone() API
Ecosystems: npm
Packages: ggit
Source: GitHub Advisory Database
Blast Radius: 19.0
Published: about 1 month ago
Moderate
GSA_kwCzR0hTQS02MzM5LWd2N3ctZzVmNM4ABACE
SAP HANA Node.js client package vulnerable to Prototype Pollution
Ecosystems: npm
Packages: @sap/hana-client
Source: GitHub Advisory Database
Blast Radius: 10.9
Published: about 1 month ago
Moderate
GSA_kwCzR0hTQS02MmN4LTV4ajQtd2ZtNM4ABACL
ggit is vulnerable to Command Injection via the fetchTags(branch) API
Ecosystems: npm
Packages: ggit
Source: GitHub Advisory Database
Blast Radius: 21.4
Published: about 1 month ago
Moderate
GSA_kwCzR0hTQS1wZjU2LWg5cWYtcnhxNM4ABAA4
Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page
Ecosystems: npm
Packages: @saltcorn/server
Source: GitHub Advisory Database
Blast Radius: 6.8
Published: about 1 month ago
High
GSA_kwCzR0hTQS00M2YzLWg2M3ctcDZmNs4ABAA3
Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability
Ecosystems: npm
Packages: @saltcorn/server
Source: GitHub Advisory Database
Blast Radius: 7.2
Published: about 1 month ago
Low
GSA_kwCzR0hTQS1weGc2LXBmNTIteGg4eM4AA_9q
cookie accepts cookie name, path, and domain with out of bounds characters
Ecosystems: npm
Packages: cookie
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: about 2 months ago
High
GSA_kwCzR0hTQS04eHE5LWc3Y2gtMzVoZ84AA_9o
Parse Server's custom object ID allows to acquire role privileges
Ecosystems: npm
Packages: parse-server
Source: GitHub Advisory Database
Blast Radius: 25.0
Published: about 2 months ago
High
GSA_kwCzR0hTQS1mbTc2LXc4ancteGY4bc4AA_8h
@saltcorn/plugins-loader unsanitized plugin name leads to a remote code execution (RCE) vulnerability when creating plugins using git source
Ecosystems: npm
Packages: @saltcorn/plugins-loader
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: about 2 months ago
Low
GSA_kwCzR0hTQS1qajc4LTVmbXYtbXYyOM4AA_8a
Express Open Redirect vulnerability
Ecosystems: npm
Packages: express
Source: GitHub Advisory Database
Blast Radius: 29.5
Published: about 2 months ago
High
GSA_kwCzR0hTQS03OHAzLWZ3Y3EtNjJjMs4AA_8Q
@saltcorn/server Remote Code Execution (RCE) / SQL injection via prototype pollution by manipulating `lang` and `defstring` parameters when setting localizer strings
Ecosystems: npm
Packages: @saltcorn/server
Source: GitHub Advisory Database
Blast Radius: 8.0
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS1jZnF4LWY0M20tdmZoN84AA_8P
@saltcorn/server arbitrary file and directory listing when accessing build mobile app results
Ecosystems: npm
Packages: @saltcorn/server
Source: GitHub Advisory Database
Blast Radius: 5.5
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS0yNzdoLXB4NG0tNjJxOM4AA_8O
@saltcorn/server arbitrary file zip read and download when downloading auto backups
Ecosystems: npm
Packages: @saltcorn/server
Source: GitHub Advisory Database
Blast Radius: 4.9
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS01OTNtLTU1aGgtajhnds4AA_74
Sentry SDK Prototype Pollution gadget in JavaScript SDKs
Ecosystems: npm
Packages: @sentry/browser
Source: GitHub Advisory Database
Blast Radius: 24.4
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS1xYzR2LXhxMm0tNjV3Y84AA_7x
Unexpected visibility of environment variable configurations in @backstage/plugin-app-backend
Ecosystems: npm
Packages: @backstage/plugin-app-backend
Source: GitHub Advisory Database
Blast Radius: 15.1
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS1xdnF2LW1jeHIteDhxd84AA_7h
Slim Select has potential Cross-site Scripting issue
Ecosystems: npm
Packages: slim-select
Source: GitHub Advisory Database
Blast Radius: 13.2
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS00eHF2LTQ3cm0tMzdtbc4AA_7R
OpenC3 stores passwords in clear text (`GHSL-2024-129`)
Ecosystems: pypi, npm, rubygems
Packages: openc3, @openc3/tool-common
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS12Zmo4LTVwajctMmY5Z84AA_7P
OpenC3 Cross-site Scripting in Login functionality (`GHSL-2024-128`)
Ecosystems: pypi, npm, rubygems
Packages: openc3, @openc3/tool-common
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: about 2 months ago
High
GSA_kwCzR0hTQS0zNHE4LWpjcTYtbWMzN84AA_4i
uPlot Prototype Pollution vulnerability
Ecosystems: npm
Packages: uplot
Source: GitHub Advisory Database
Blast Radius: 30.0
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS1xd3JxLXZ4dnctNTM3cs4AA_4l
git-shallow-clone Argument Injection vulnerability
Ecosystems: npm
Packages: git-shallow-clone
Source: GitHub Advisory Database
Blast Radius: 3.2
Published: about 2 months ago
High
GSA_kwCzR0hTQS03cDg5LXA2aHgtcTRmd84AA_30
basic-auth-connect's callback uses time unsafe string comparison
Ecosystems: npm
Packages: basic-auth-connect
Source: GitHub Advisory Database
Blast Radius: 36.4
Published: about 2 months ago
Low
GSA_kwCzR0hTQS1najNwLWo3NHYtM3g1N84AA_14
ReLaXed Cross-site Scripting vulnerability
Ecosystems: npm
Packages: relaxedjs
Source: GitHub Advisory Database
Blast Radius: 3.7
Published: about 2 months ago
Low
GSA_kwCzR0hTQS1nNTRmLTY2bXctaHY2Ns4AA_zF
Agnai vulnerable to Relative Path Traversal in Image Upload
Ecosystems: npm
Packages: agnai
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: about 2 months ago
Low
GSA_kwCzR0hTQS1oMzU1LWhtNWgtY204aM4AA_zE
Agnai File Disclosure Vulnerability: JSON via Path Traversal
Ecosystems: npm
Packages: agnai
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: about 2 months ago
Critical
GSA_kwCzR0hTQS1tcGNoLTg5Z20taG04M84AA_zD
Agnai vulnerable to Remote Code Execution via JS Upload using Directory Traversal
Ecosystems: npm
Packages: agnai
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS1qODI3LTZyZ2YtOTYyOc4AA_zC
Layui has DOM Clobbering gadgets that leads to Cross-site Scripting
Ecosystems: npm
Packages: layui
Source: GitHub Advisory Database
Blast Radius: 9.8
Published: about 2 months ago
High
GSA_kwCzR0hTQS12cmN4LWd4M2ctajNoOM4AA_xx
Heap-based Buffer Overflow in sqlite-vec
Ecosystems: cargo, rubygems, npm, pypi
Packages: sqlite-vec
Source: GitHub Advisory Database
Blast Radius: 4.0
Published: about 2 months ago
High
GSA_kwCzR0hTQS1od3hwLTZxZjctcTNyY84AA_x9
Remote command execution in promptr
Ecosystems: npm
Packages: @ifnotnowwhen/promptr
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS1yZ2c4LWc1eDgtd3I5ds4AA_xh
Cross-site scripting (XSS) in the clipboard package
Ecosystems: npm
Packages: @ckeditor/ckeditor5-clipboard, ckeditor5
Source: GitHub Advisory Database
Blast Radius: 25.7
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS02Mzc1LXBnNWotOHdwaM4AA_wF
Denial of service in rocket chat message parser
Ecosystems: npm
Packages: @rocket.chat/message-parser
Source: GitHub Advisory Database
Blast Radius: 18.4
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS1tNXA5LXh2eGotNjRjOM4AA_wR
Flowise and Flowise Chat Embed vulnerable to Stored Cross-site Scripting
Ecosystems: npm
Packages: flowise, flowise-embed
Source: GitHub Advisory Database
Blast Radius: 17.6
Published: about 2 months ago
High
GSA_kwCzR0hTQS1nY3g0LW13NjItZzh3bc4AA_u0
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS
Ecosystems: npm
Packages: rollup
Source: GitHub Advisory Database
Blast Radius: 38.7
Published: about 2 months ago
Moderate
GSA_kwCzR0hTQS0zZmM4LTJyM2YtOHdyZ84AA_um
lobe-chat implemented an insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964)
Ecosystems: npm
Packages: @lobehub/chat
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: about 2 months ago
High
GSA_kwCzR0hTQS03M3JnLWY5NGoteHZoeM4AA_tC
Plate allows arbitrary DOM attributes in element.attributes and leaf.attributes
Ecosystems: npm
Packages: @udecode/plate-core
Source: GitHub Advisory Database
Blast Radius: 23.2
Published: 2 months ago
Moderate
GSA_kwCzR0hTQS04NGp3LWc0M3YtOGdqbc4AA_sX
DOM Clobbering Gadget found in Rspack's AutoPublicPathRuntimeModule that leads to XSS
Ecosystems: npm
Packages: @rspack/core
Source: GitHub Advisory Database
Blast Radius: 8.0
Published: 2 months ago
Moderate
GSA_kwCzR0hTQS02OGc4LWMyNzUteGYybc4AA_rG
Directus vulnerable to SSRF Loopback IP filter bypass
Ecosystems: npm
Packages: @directus/api, directus
Source: GitHub Advisory Database
Blast Radius: 10.3
Published: 2 months ago
High
GSA_kwCzR0hTQS1ycnI4LWY4OHItaDhxNs4AA_rF
find-my-way has a ReDoS vulnerability in multiparametric routes
Ecosystems: npm
Packages: find-my-way
Source: GitHub Advisory Database
Blast Radius: 32.0
Published: 2 months ago
High
GSA_kwCzR0hTQS1ncDhmLThtM2ctcXZqOc4AA_nS
Next.js Cache Poisoning
Ecosystems: npm
Packages: next
Source: GitHub Advisory Database
Blast Radius: 41.5
Published: 2 months ago
Moderate
GSA_kwCzR0hTQS01ajk0LWYzbWYtODY4Nc4AA_nQ
@backstage/plugin-techdocs-backend vulnerable to circumvention of cross site scripting protection
Ecosystems: npm
Packages: @backstage/plugin-techdocs-backend
Source: GitHub Advisory Database
Blast Radius: 17.0
Published: 2 months ago
High
GSA_kwCzR0hTQS0zOXYzLWYyNzgtdmozZ84AA_m8
@backstage/plugin-techdocs-backend storage bucket Directory Traversal vulnerability
Ecosystems: npm
Packages: @backstage/plugin-techdocs-backend
Source: GitHub Advisory Database
Blast Radius: 17.0
Published: 2 months ago
High
GSA_kwCzR0hTQS0zeDNmLWpjcDMtZzIyas4AA_m7
@backstage/plugin-catalog-backend Prototype Pollution vulnerability
Ecosystems: npm
Packages: @backstage/plugin-catalog-backend
Source: GitHub Advisory Database
Blast Radius: 17.2
Published: 2 months ago
Moderate
GSA_kwCzR0hTQS02NHZyLWc0NTItcXZwM84AA_m5
Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
Ecosystems: npm
Packages: vite
Source: GitHub Advisory Database
Blast Radius: 35.6
Published: 2 months ago
Moderate
GSA_kwCzR0hTQS05Y3d4LTI4ODMtNHdmeM4AA_m4
Vite's `server.fs.deny` is bypassed when using `?import&raw`
Ecosystems: npm
Packages: vite
Source: GitHub Advisory Database
Blast Radius: 29.5
Published: 2 months ago
High
GSA_kwCzR0hTQS1tbWh4LWhtanItcjY3NM4AA_kd
DOMPurify allows tampering by prototype pollution
Ecosystems: npm
Packages: dompurify
Source: GitHub Advisory Database
Blast Radius: 33.3
Published: 2 months ago
Low
GSA_kwCzR0hTQS14Z3E5LTdndzYtanI1cs4AA_j6
Mattermost Desktop App fails to sufficiently configure Electron Fuses
Ecosystems: npm
Packages: mattermost-desktop
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: 2 months ago
Moderate
GSA_kwCzR0hTQS01Nzc3LXJjamotOXAyMs4AA_j9
Mattermost Desktop App fails to safeguard screen capture functionality
Ecosystems: npm
Packages: mattermost-desktop
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: 2 months ago
Moderate
GSA_kwCzR0hTQS13ajRqLXFjMm0tZmdoN84AA_jS
Mattermost Desktop App Uncontrolled Search Path Vulnerability
Ecosystems: npm
Packages: mattermost-desktop
Source: GitHub Advisory Database
Blast Radius: 0.0
Published: 2 months ago
High
GSA_kwCzR0hTQS13NzNyLThtbTQtY2Z2Zs4AA_iR
Lunary Improper Authentication vulnerability
Ecosystems: npm
Packages: lunary
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: 2 months ago
High
GSA_kwCzR0hTQS02cDJxLThxZnEtd3E3eM4AA_iU
Lunary improper access control vulnerability
Ecosystems: npm
Packages: lunary
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: 2 months ago
Moderate
GSA_kwCzR0hTQS12Nng2LTR2NHgtMmZ4Oc4AA_iV
Lunary Cross-Site Request Forgery (CSRF) vulnerability
Ecosystems: npm
Packages: lunary
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: 2 months ago
Moderate
GSA_kwCzR0hTQS05am1wLWo2M2ctOHg2bc4AA_iQ
Lunary information disclosure vulnerability
Ecosystems: npm
Packages: lunary
Source: GitHub Advisory Database
Blast Radius: 1.0
Published: 2 months ago
Moderate
GSA_kwCzR0hTQS1td2hmLXZocjUtN2oyM84AA_gO
whatsapp-api-js fails to validate message's signature
Ecosystems: npm
Packages: whatsapp-api-js
Source: GitHub Advisory Database
Blast Radius: 5.8
Published: 2 months ago
High
GSA_kwCzR0hTQS1mNnY0LWNmNWotdmYzd84AA_c_
dset Prototype Pollution vulnerability
Ecosystems: npm
Packages: dset
Source: GitHub Advisory Database
Blast Radius: 35.6
Published: 2 months ago
High
GSA_kwCzR0hTQS1jZmY4LXg3anYtNGZtOM4AA_cb
Session is cached for OpenID and OAuth2 if `redirect` is not used
Ecosystems: npm
Packages: @directus/api, directus
Source: GitHub Advisory Database
Blast Radius: 15.2
Published: 2 months ago
Low
GSA_kwCzR0hTQS1tNmZ2LWptY2ctNGpmZ84AA_cZ
send vulnerable to template injection that can lead to XSS
Ecosystems: npm
Packages: send
Source: GitHub Advisory Database
Blast Radius: 33.5
Published: 2 months ago
Low
GSA_kwCzR0hTQS1jbTIyLTRnN3ctMzQ4cM4AA_cY
serve-static vulnerable to template injection that can lead to XSS
Ecosystems: npm
Packages: serve-static
Source: GitHub Advisory Database
Blast Radius: 33.5
Published: 2 months ago
Low
GSA_kwCzR0hTQS1xdzZoLXZnaDktajZ3eM4AA_cW
express vulnerable to XSS via response.redirect()
Ecosystems: npm
Packages: express
Source: GitHub Advisory Database
Blast Radius: 31.3
Published: 2 months ago
High
GSA_kwCzR0hTQS1xd2NyLXIyZm0tcXJjN84AA_a1
body-parser vulnerable to denial of service when url encoding is enabled
Ecosystems: npm
Packages: body-parser
Source: GitHub Advisory Database
Blast Radius: 46.7
Published: 2 months ago
High
GSA_kwCzR0hTQS1nOTc0LWh4dm0teDY4Oc4AA_ZX
node-gettext vulnerable to Prototype Pollution
Ecosystems: npm
Packages: node-gettext
Source: GitHub Advisory Database
Blast Radius: 19.8
Published: 2 months ago
Statistics
Advisories: 20,668
Packages: 9,040
Repositories: 1,490
Ecosystems: 12
Filter by Severity
Moderate 8,836 High 7,269 Critical 3,070 Low 1,144
Filter by Ecosystem
maven 5,864 packagist 4,634 pypi 4,352 npm 3,812 go 2,295 nuget 1,552 cargo 882 rubygems 880 swift 33 hex 32 actions 20 pub 9
Filter by Package
parse-server 31 electron 26 directus 26 @openzeppelin/contracts-upgradeable 21 @openzeppelin/contracts 20 next 18 sequelize 16 tinymce 16 ghost 15 ckeditor4 15 swagger-ui 14 joplin 14 angular 13 undici 13 strapi 13 vm2 12 nodebb 12 matrix-js-sdk 11 handlebars 11 marked 11 tinymce/tinymce 11 TinyMCE 11 bootstrap 11 nocodb 10 flowise 10 @strapi/strapi 9 bootstrap 9 twbs/bootstrap 9 org.webjars:bootstrap 9 bootstrap 9 @evershop/evershop 9 matrix-react-sdk 9 next-auth 9 serve 9 express-cart 8 validator 8 editor.md 8 matrix-appservice-irc 8 npm 8 jsrsasign 8 tar 8 node-forge 8 systeminformation 8 steal 8 urijs 8 jquery-rails 8 jquery 8 org.webjars.npm:jquery 8 url-parse 8 jquery-ui 7 elliptic 7 dompurify 7 jquery-ui-rails 7 hapi 7 sanitize-html 7 snyk-broker 7 jQuery 7 bootstrap-sass 7 bootstrap.sass 7 total.js 7 org.webjars.npm:jquery-ui 7 uptime-kuma 7 shescape 7 hermes-engine 7 jQuery.UI.Combined 7 vite 7 lodash 7 bootstrap-sass 6 @strapi/plugin-users-permissions 6 safe-eval 6 rsshub 6 parse-url 6 aaptjs 6 @saltcorn/server 5 keystone 5 public 5 mermaid 5 prismjs 5 lodash-es 5 mysql2 5 xlsx 5 ejs 5 axios 5 ua-parser-js 5 dojo 5 mongoose 5 yarn 5 total4 5 vditor 5 rendertron 5 mattermost-desktop 5 ws 5 lunary 5 openpgp 5 sweetalert2 5 aws-iot-device-sdk-v2 4 engine.io 4 generator-jhipster 4 software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk 4 realms-shim 4 awsiotsdk 4 @backstage/plugin-scaffolder-backend 4 ecstatic 4 valine 4 convert-svg-core 4 meshcentral 4 fast-xml-parser 4 follow-redirects 4 @lobehub/chat 4 apollo-server-core 4 mongo-express 4 hummus 4 muhammara 4 vega 4 auth0-js 4 moment 4 materialize-css 4 simple-git 4 glance 4 express 4 remarkable 4 jsonwebtoken 4 hono 4 simple-markdown 4 auth0-lock 4 safer-eval 4 apostrophe 4 katex 4 qs 4 fastify 4 @keystone-6/core 4 socket.io-parser 3 object-path 3 renovate 3 @commercial/subtext 3 parsel 3 django-tinymce 3 @strapi/utils 3 nuxt 3 socket.io 3 localhost-now 3 ses 3 typeorm 3 lodash.defaultsdeep 3 dset 3 xmldom 3 @sveltejs/kit 3 convict 3 protobufjs 3 node-fetch 3 loader-utils 3 @materializecss/materialize 3 @backstage/techdocs-common 3 uap-core 3 jointjs 3 tough-cookie 3 @ckeditor/ckeditor5-markdown-gfm 3 n8n 3 buttle 3 snyk 3 docsify 3 dojox 3 fuxa-server 3 statics-server 3 express-fileupload 3 mxgraph 3 simplehttpserver 3 bson 3 notevil 3 raneto 3 jspdf 3 layui 3 code-server 3 grunt 3 @hapi/subtext 3 subtext 3 bin-links 3 sails 3 @apollo/server 3 @sequelize/core 3 node-opcua 3 @uppy/companion 3 @frangoteam/fuxa 3 @strapi/plugin-content-manager 3 @soketi/soketi 3 stimulsoft-dashboards-js 3 @janhq/core 3 node-red-dashboard 3 json-ptr 3 @jmondi/url-to-png 3 feathers-sequelize 3 jquery-validation 3 postcss 3 jose-node-esm-runtime 3 jose-node-cjs-runtime 3 codecov 3 jose 3 nadesiko3 3 passport-wsfed-saml2 3 node-ipc 3
Filter by Repository
https://github.com/parse-community/parse-server 31 https://github.com/electron/electron 25 https://github.com/directus/directus 25 https://github.com/strapi/strapi 24 https://github.com/OpenZeppelin/openzeppelin-contracts 20 https://github.com/sequelize/sequelize 16 https://github.com/tinymce/tinymce 16 https://github.com/backstage/backstage 16 https://github.com/ckeditor/ckeditor4 14 https://github.com/vercel/next.js 14 https://github.com/TryGhost/Ghost 13 https://github.com/nodejs/undici 13 https://github.com/swagger-api/swagger-ui 13 https://github.com/laurent22/joplin 13 https://github.com/patriksimek/vm2 12 https://github.com/matrix-org/matrix-js-sdk 11 https://github.com/NodeBB/NodeBB 11 https://github.com/keystonejs/keystone 10 https://github.com/jquery/jquery 10 https://github.com/nocodb/nocodb 10 https://github.com/nextauthjs/next-auth 10 https://github.com/evershopcommerce/evershop 9 https://github.com/matrix-org/matrix-react-sdk 9 https://github.com/sebhildebrandt/systeminformation 8 https://github.com/stealjs/steal 8 https://github.com/digitalbazaar/forge 8 https://github.com/matrix-org/matrix-appservice-irc 8 https://github.com/kjur/jsrsasign 8 https://github.com/apollographql/apollo-server 8 https://github.com/pandao/editor.md 8 https://github.com/FlowiseAI/Flowise 8 https://github.com/louislam/uptime-kuma 7 https://github.com/ericcornelissen/shescape 7 https://github.com/lodash/lodash 7 https://github.com/vitejs/vite 7 https://github.com/cure53/DOMPurify 7 https://github.com/saltcorn/saltcorn 7 https://github.com/unshiftio/url-parse 7 https://github.com/twbs/bootstrap 7 https://github.com/indutny/elliptic 7 https://github.com/facebook/hermes 6 https://github.com/npm/node-tar 6 https://github.com/jquery/jquery-ui 6 https://github.com/ionicabizau/parse-url 6 https://github.com/eclipse-theia/theia 6 https://github.com/shenzhim/aaptjs 6 https://github.com/DIYgod/RSSHub 6 https://github.com/panva/jose 6 https://github.com/totaljs/framework 6 https://github.com/hacksparrow/safe-eval 5 https://github.com/handlebars-lang/handlebars.js 5 https://github.com/GoogleChrome/rendertron 5 https://github.com/markedjs/marked 5 https://github.com/lunary-ai/lunary 5 https://github.com/gatsbyjs/gatsby 5 https://github.com/vega/vega 5 https://github.com/faisalman/ua-parser-js 5 https://github.com/sweetalert2/sweetalert2 5 https://github.com/apostrophecms/sanitize-html 5 https://github.com/BlackFan/client-side-prototype-pollution 5 https://github.com/sidorares/node-mysql2 5 https://github.com/openpgpjs/openpgpjs 5 https://github.com/npm/cli 5 https://github.com/axios/axios 5 https://github.com/socketio/engine.io 4 https://github.com/xCss/Valine 4 https://github.com/follow-redirects/follow-redirects 4 https://github.com/balderdashy/sails 4 https://github.com/lobehub/lobe-chat 4 https://github.com/jhipster/generator-jhipster 4 https://github.com/aws/aws-iot-device-sdk-java-v2 4 https://github.com/Ylianst/MeshCentral 4 https://github.com/jonschlinkert/remarkable 4 https://github.com/npm/npm 4 https://github.com/fastify/fastify 4 https://github.com/vendure-ecommerce/vendure 4 https://github.com/nuxt/nuxt 4 https://github.com/yarnpkg/yarn 4 https://github.com/auth0/node-jsonwebtoken 4 https://github.com/KaTeX/KaTeX 4 https://github.com/auth0/lock 4 https://github.com/ofirdagan/cross-domain-local-storage 4 https://github.com/websockets/ws 4 https://github.com/hapijs/hapi 4 https://github.com/PrismJS/prism 4 https://github.com/cloudflare/workers-sdk 4 https://github.com/medialize/URI.js 4 https://github.com/medialize/uri.js 4 https://github.com/mde/ejs 4 https://github.com/ckeditor/ckeditor5 4 https://github.com/mrvautin/expressCart 4 https://github.com/honojs/hono 4 https://github.com/NaturalIntelligence/fast-xml-parser 4 https://github.com/angular/angular.js 4 https://github.com/Dogfalo/materialize 4 https://github.com/steveukx/git-js 4 https://github.com/immerjs/immer 3 https://github.com/salesforce/tough-cookie 3 https://github.com/RIAEvangelist/node-ipc 3 https://github.com/renovatebot/renovate 3 https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable 3 https://github.com/infor-design/enterprise-ng 3 https://github.com/josdejong/mathjs 3 https://github.com/hapijs/subtext 3 https://github.com/transloadit/uppy 3 https://github.com/jarofghosts/glance 3 https://github.com/highcharts/highcharts 3 https://github.com/thlorenz/browserify-shim 3 https://github.com/simpleledger/slpjs 3 https://github.com/jasonraimondi/url-to-png 3 https://github.com/postcss/postcss 3 https://github.com/jfhbrook/node-ecstatic 3 https://github.com/mozilla/pdf.js 3 https://github.com/mozilla/node-convict 3 https://github.com/mongo-express/mongo-express 3 https://github.com/mongodb/js-bson 3 https://github.com/moment/moment 3 https://github.com/micromatch/braces 3 https://github.com/mermaid-js/mermaid 3 https://github.com/MrRio/jsPDF 3 https://github.com/soketi/soketi 3 https://github.com/n8n-io/n8n 3 https://github.com/nasa/openmct 3 https://github.com/socketio/socket.io-parser 3 https://github.com/socketio/socket.io 3 https://github.com/mariocasciaro/object-path 3 https://github.com/Marak/colors.js 3 https://github.com/manuelstofer/json-pointer 3 https://github.com/neocotic/convert-svg 3 https://github.com/lukeed/dset 3 https://github.com/node-fetch/node-fetch 3 https://github.com/nodejs/llhttp 3 https://github.com/libxmljs/libxmljs 3 https://github.com/nodemailer/nodemailer 3 https://github.com/sveltejs/kit 3 https://github.com/skoranga/node-dns-sync 3 https://github.com/node-opcua/node-opcua 3 https://github.com/kujirahand/nadesiko3 3 https://github.com/koush/scrypted 3 https://github.com/jquery-validation/jquery-validation 3 https://github.com/getsentry/sentry-javascript 3 https://github.com/cisco/node-jose 3 https://github.com/xmldom/xmldom 3 https://github.com/ag-grid/ag-grid 3 https://github.com/YMFE/yapi 3 https://github.com/chjj/marked 3 https://github.com/agnaistic/agnai 3 https://github.com/docsifyjs/docsify 3 https://github.com/beerpwn/CVE 3 https://github.com/zestedesavoir/zmarkdown 3 https://github.com/dojo/dojo 3 https://github.com/dojo/dojox 3 https://github.com/vriteio/vrite 3 https://github.com/feathersjs-ecosystem/feathers-sequelize 3 https://github.com/dwisiswant0/advisory 3 https://github.com/apostrophecms/apostrophe 3 https://github.com/vanessa219/vditor 3 https://github.com/zeit/next.js 3 https://github.com/HackAllSec/CVEs 3 https://github.com/gruntjs/grunt 3 https://github.com/webpack/loader-utils 3 https://github.com/actions/toolkit 3 https://github.com/expressjs/express 3 https://github.com/facebook/react 3 https://github.com/typeorm/typeorm 3 https://github.com/adaltas/node-mixme 3 https://github.com/Automattic/mongoose 3 https://github.com/auth0/passport-wsfed-saml2 3 https://github.com/clientIO/joint 3 https://github.com/ua-parser/uap-core 3 https://github.com/udecode/plate 3 https://github.com/bcoin-org/bcoin 2 https://github.com/node-red/node-red-dashboard 2 https://github.com/node-red/node-red 2 https://github.com/nodeca/js-yaml 2 https://github.com/node-saml/node-saml 2 https://github.com/basecamp/trix 2 https://github.com/autovance/ftp-srv 2 https://github.com/aws/aws-cdk 2 https://github.com/node-saml/passport-saml 2 https://github.com/monsterkodi/sds 2 https://github.com/moscajs/aedes 2 https://github.com/mout/mout 2 https://github.com/moxiecode/plupload 2 https://github.com/codecov/codecov-node 2 https://github.com/mozilla/nunjucks 2 https://github.com/cloudhead/node-static 2 https://github.com/mqttjs/MQTT.js 2 https://github.com/MrSwitch/hello.js 2 https://github.com/mysqljs/mysql 2 https://github.com/christian-bromann/rgb2hex 2 https://github.com/chriso/validator.js 2 https://github.com/chocobozzz/peertube 2 https://github.com/cdr/code-server 2 https://github.com/caolan/forms 2 https://github.com/builderio/qwik 2 https://github.com/brix/crypto-js 2 https://github.com/braintree/sanitize-url 2 https://github.com/bpmn-io/min-dash 2