
npm
5,182,580 packages · npmjs.org
Security Advisories in npm
Moderate · about 18 hours ago · Strapi core vulnerable to sensitive data exposure via CORS misconfiguration · npm · @strapi/core
Moderate · about 19 hours ago · Strapi Password Hashing Missing Maximum Password Length Validation · npm · @strapi/core
High · about 19 hours ago · Strapi Allows Unauthorized Access to Private Fields via parms.lookup · npm · @strapi/core
Critical · 1 day ago · happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript · npm · happy-dom
High · 1 day ago · `sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` · npm · sveltekit-superforms
Moderate · 3 days ago · Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs · npm · parse
High · 3 days ago · Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages · npm · flowise
Moderate · 4 days ago · CommandKit has incorrect command name exposure in context object for message command aliases · npm · commandkit
High · 7 days ago · Flowise is vulnerable to arbitrary file exposure through its ReadFileTool · npm · flowise-components, flowise
High · 7 days ago · cross-zip is vulnerable to Directory Traversal through selective use of zip/unzip operations · npm · cross-zip
Critical · 8 days ago · Better Auth: Unauthenticated API key creation through api-key plugin · npm · better-auth
High · 8 days ago · n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host · npm · n8n, n8n-nodes-base
Critical · 8 days ago · Flowise is vulnerable to arbitrary file write through its WriteFileTool · npm · flowise-components, flowise
Moderate · 10 days ago · Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict · npm · nodemailer
High · 10 days ago · pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding · npm · pdfmake
Critical · 11 days ago · Flowise vulnerable to RCE via Dynamic function constructor injection · npm · flowise
Moderate · 12 days ago · MCPHub has an Improper Authorization vulnerability via its handleSseConnection function · npm · @samanhappy/mcphub
Critical · 14 days ago · Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel · npm · flowise
High · 14 days ago · Claude Code can execute commands prior to the startup trust dialog · npm · @anthropic-ai/claude-code
High · 16 days ago · @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user · npm · @plone/volto
Moderate · 17 days ago · validator.js has a URL validation bypass vulnerability in its isURL function · npm · validator
High · 17 days ago · figma-developer-mcp vulnerable to command injection in get_figma_data tool · npm · figma-developer-mcp
High · 17 days ago · @nubosoftware/node-static failure to catch exception can result in server crash · npm · @nubosoftware/node-static
Moderate · 20 days ago · algoliasearch-helper is vulnerable to Prototype Pollution in _merge() · npm · algoliasearch-helper
High · 21 days ago · Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass · npm · @apollo/explorer, @apollo/sandbox
Moderate · 21 days ago · express-xss-sanitizer has an unbounded recursion depth · npm · express-xss-sanitizer
Critical · 21 days ago · get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass · npm · get-jwks
Moderate · 23 days ago · json-schema-editor-visual vulnerable to prototype pollution · npm · json-schema-editor-visual
Low · 23 days ago · web3-core-subscriptions has a Prototype Pollution vulnerability · npm · web3-core-subscriptions
Moderate · 23 days ago · Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure · npm · @mastra/mcp-docs-server
High · 23 days ago · Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions · npm · @anthropic-ai/claude-code
High · 23 days ago · tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball · npm · tar-fs
High · 25 days ago · Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink · npm · @meshconnect/web-link-sdk
Moderate · 25 days ago · @conventional-changelog/git-client has Argument Injection vulnerability · npm · @conventional-changelog/git-client
Moderate · 28 days ago · @digitalocean/do-markdownit has Type Confusion vulnerability · npm · @digitalocean/do-markdownit
Moderate · 29 days ago · Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages · npm · @lobehub/chat
Moderate · 30 days ago · @sequa-ai/sequa-mcp has Command Injection vulnerability · npm · @sequa-ai/sequa-mcp
Moderate · 30 days ago · Parcel has an Origin Validation Error vulnerability · npm · @parcel/reporter-dev-server
Moderate · about 1 month ago · matrix-js-sdk has insufficient validation when considering a room to be upgraded by another · npm · matrix-js-sdk
High · about 1 month ago · @executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode · npm · @executeautomation/database-server
High · about 1 month ago · is-arrayish@0.3.3 contains malware after npm account takeover · npm · is-arrayish
High · about 1 month ago · color-convert@3.1.1 contains malware after npm account takeover · npm · color-convert
High · about 1 month ago · color-string@2.1.1 contains malware after npm account takeover · npm · color-string
High · about 1 month ago · simple-swizzle@0.2.3 contains malware after npm account takeover · npm · simple-swizzle
Moderate · about 1 month ago · HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability · npm · hackmd-mcp
Moderate · about 1 month ago · Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark · npm · ghost
Critical · about 1 month ago · Flowise has arbitrary file access due to missing chat flow id validation · npm · flowise
High · about 1 month ago · FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability · npm · flowise