npm
5,204,719 packages · npmjs.org
Security Advisories in npm
High
5 days ago
TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
npm
typeorm
High
7 days ago
Astro's bypass of image proxy domain validation leads to SSRF and potential XSS
npm
astro
Moderate
10 days ago
Hono vulnerable to Vary Header Injection leading to potential CORS Bypass
npm
hono
High
12 days ago
Kottster app reinitialization can be re-triggered allowing command injection in development mode
npm
@kottster/server
Moderate
14 days ago
Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic
npm
koa
Moderate
14 days ago
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
npm
uptime-kuma
Moderate
15 days ago
Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
npm
@actual-app/sync-server
Low
18 days ago
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
npm
@lobehub/chat
Moderate
18 days ago
Mammoth is vulnerable to Directory Traversal
nuget, pypi, maven, npm
Mammoth, mammoth, org.zwobble.mammoth:mammoth
Moderate
18 days ago
Strapi core vulnerable to sensitive data exposure via CORS misconfiguration
npm
@strapi/core
Moderate
18 days ago
Strapi Password Hashing Missing Maximum Password Length Validation
npm
@strapi/core
High
18 days ago
Strapi Allows Unauthorized Access to Private Fields via parms.lookup
npm
@strapi/core
Critical
19 days ago
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
npm
happy-dom
High
19 days ago
`sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js`
npm
sveltekit-superforms
Moderate
20 days ago
Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs
npm
parse
High
20 days ago
Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages
npm
flowise
High
20 days ago
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate
npm
playwright
Moderate
22 days ago
CommandKit has incorrect command name exposure in context object for message command aliases
npm
commandkit
High
24 days ago
Flowise is vulnerable to arbitrary file exposure through its ReadFileTool
npm
flowise-components, flowise
Critical
26 days ago
Better Auth: Unauthenticated API key creation through api-key plugin
npm
better-auth
High
26 days ago
n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host
npm
n8n, n8n-nodes-base
Critical
26 days ago
Flowise is vulnerable to arbitrary file write through its WriteFileTool
npm
flowise-components, flowise
Moderate
28 days ago
Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict
npm
nodemailer
High
28 days ago
pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding
npm
pdfmake
Critical
29 days ago
Flowise vulnerable to RCE via Dynamic function constructor injection
npm
flowise
Moderate
30 days ago
MCPHub has an Improper Authorization vulnerability via its handleSseConnection function
npm
@samanhappy/mcphub
Critical
about 1 month ago
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
npm
flowise
Low
about 1 month ago
Claude Code permission deny bypass through symlink
npm
@anthropic-ai/claude-code
High
about 1 month ago
Claude Code can execute commands prior to the startup trust dialog
npm
@anthropic-ai/claude-code
High
about 1 month ago
@plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user
npm
@plone/volto
Moderate
about 1 month ago
validator.js has a URL validation bypass vulnerability in its isURL function
npm
validator
High
about 1 month ago
Finance.js vulnerable to DoS via the IRR function’s depth parameter
npm
financejs
High
about 1 month ago
figma-developer-mcp vulnerable to command injection in get_figma_data tool
npm
figma-developer-mcp
High
about 1 month ago
@nubosoftware/node-static failure to catch exception can result in server crash
npm
@nubosoftware/node-static
Moderate
about 1 month ago
algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
npm
algoliasearch-helper
High
about 1 month ago
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
npm
@apollo/explorer, @apollo/sandbox
Moderate
about 1 month ago
express-xss-sanitizer has an unbounded recursion depth
npm
express-xss-sanitizer
Critical
about 1 month ago
get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass
npm
get-jwks
Critical
about 1 month ago
cors-anywhere vulnerable to server-side request forgery
npm
cors-anywhere
Moderate
about 1 month ago
json-schema-editor-visual vulnerable to prototype pollution
npm
json-schema-editor-visual
Low
about 1 month ago
web3-core-subscriptions has a Prototype Pollution vulnerability
npm
web3-core-subscriptions
Moderate
about 1 month ago
Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure
npm
@mastra/mcp-docs-server
High
about 1 month ago
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions
npm
@anthropic-ai/claude-code
High
about 1 month ago
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
npm
tar-fs
Moderate
about 1 month ago
messageformat prototype pollution vulnerability
npm
@messageformat/runtime
High
about 1 month ago
Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink
npm
@meshconnect/web-link-sdk
Moderate
about 1 month ago
@conventional-changelog/git-client has Argument Injection vulnerability
npm
@conventional-changelog/git-client
High
about 2 months ago
Codex has sandbox bypass due to bug in path configuration logic
npm
@openai/codex
Moderate
about 2 months ago
@digitalocean/do-markdownit has Type Confusion vulnerability
npm
@digitalocean/do-markdownit
Moderate
about 2 months ago
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages
npm
@lobehub/chat
Moderate
about 2 months ago
@sequa-ai/sequa-mcp has Command Injection vulnerability
npm
@sequa-ai/sequa-mcp
Moderate
about 2 months ago
Parcel has an Origin Validation Error vulnerability
npm
@parcel/reporter-dev-server
Moderate
about 2 months ago
matrix-js-sdk has insufficient validation when considering a room to be upgraded by another
npm
matrix-js-sdk
High
about 2 months ago
@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode
npm
@executeautomation/database-server
High
about 2 months ago
is-arrayish@0.3.3 contains malware after npm account takeover
npm
is-arrayish
Filter by Severity
Filter by Package
directus
39
parse-server
33
flowise
31
next
29
electron
28
@openzeppelin/contracts
21
@openzeppelin/contracts-upgradeable
21
sequelize
16
tinymce
16
vite
16
ghost
16
undici
15
ckeditor4
15
swagger-ui
14
nodebb
14
joplin
14
angular
14
strapi
13
vm2
12
marked
12
matrix-js-sdk
12
n8n
12
tinymce/tinymce
11
nocodb
11
TinyMCE
11
bootstrap
10
next-auth
10
@strapi/strapi
10
@anthropic-ai/claude-code
10
handlebars
10
uptime-kuma
10
serve
9
@evershop/evershop
9
matrix-appservice-irc
9
validator
9
matrix-react-sdk
9
systeminformation
9
steal
8
@haxtheweb/haxcms-nodejs
8
@directus/api
8
tar
8
npm
8
hono
8
sanitize-html
8
urijs
8
dompurify
8
url-parse
8
express-cart
8
jsrsasign
8
elliptic
8
@lobehub/chat
8
node-forge
8
shescape
8
editor.md
8
lodash
7
org.webjars.npm:jquery-ui
7
mermaid
7
hermes-engine
7
astro
7
hapi
7
vega
7
jquery-ui
7
total.js
7
snyk-broker
7
mongoose
7
axios
7
@sveltejs/kit
6
prismjs
6
@strapi/plugin-users-permissions
6
parse-url
6
mattermost-desktop
6
tarteaucitronjs
6
rsshub
6
better-auth
6
jquery
6
jQuery.UI.Combined
6
openpgp
6
aaptjs
6
safe-eval
6
passport-wsfed-saml2
5
@saltcorn/server
5
@keystone-6/core
5
ws
5
xlsx
5
vditor
5
jQuery
5
jspdf
5
ua-parser-js
5
aws-cdk-lib
5
keystone
5
public
5
trix
5
dojo
5
total4
5
@backstage/plugin-scaffolder-backend
5
fastify
5
express
5
ejs
5
nuxt
5
katex
5
bootstrap
5
mysql2
5
rendertron
5
yarn
5
sweetalert2
5
pnpm
4
petite-vue-i18n
4
moment
4
software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk
4
ses
4
multer
4
auth0-js
4
typeorm
4
simple-markdown
4
apollo-server-core
4
awsiotsdk
4
@finos/git-proxy
4
mongo-express
4
apostrophe
4
simple-git
4
materialize-css
4
remarkable
4
mongosh
4
vue-i18n
4
convert-svg-core
4
jquery-validation
4
@apollo/gateway
4
follow-redirects
4
xml-crypto
4
qs
4
vega-functions
4
meshcentral
4
muhammara
4
aws-iot-device-sdk-v2
4
@node-saml/node-saml
4
yui
4
fast-xml-parser
4
generator-jhipster
4
@intlify/vue-i18n-core
4
valine
4
realms-shim
4
glance
4
@auth0/nextjs-auth0
4
code-server
4
snyk
4
payload
4
engine.io
4
bootstrap-sass
4
erxes
4
safer-eval
4
auth0-lock
4
nodemailer
4
jsonwebtoken
4
ecstatic
4
tar-fs
4
froala-editor
4
koa
4
layui
3
@fedify/fedify
3
sails
3
angular-expressions
3
http-proxy-middleware
3
@plone/volto
3
@commercial/subtext
3
bin-links
3
mxgraph
3
agnai
3
protobufjs
3
blamer
3
@strapi/admin
3
js-yaml
3
json-pointer
3
mathjs
3
happy-dom
3
loader-utils
3
jointjs
3
tough-cookie
3
@strapi/core
3
highcharts
3
bootstrap-sass
3
@frangoteam/fuxa
3
@materializecss/materialize
3
libxmljs
3
braces
3
open-webui
3
raneto
3
@ckeditor/ckeditor5-markdown-gfm
3
node-red-dashboard
3
node-ipc
3
xmldom
3
@vrite/sdk
3
locutus
3
jose
3
immer
3
@apollo/server
3
dojox
3
debug
3
@cubejs-backend/api-gateway
3
serialize-javascript
3
@intlify/core
3
Filter by Repository
https://github.com/directus/directus
41
https://github.com/parse-community/parse-server
33
https://github.com/strapi/strapi
29
https://github.com/FlowiseAI/Flowise
28
https://github.com/electron/electron
28
https://github.com/vercel/next.js
25
https://github.com/OpenZeppelin/openzeppelin-contracts
21
https://github.com/backstage/backstage
19
https://github.com/tinymce/tinymce
16
https://github.com/vitejs/vite
16
https://github.com/sequelize/sequelize
16
https://github.com/nodejs/undici
15
https://github.com/ckeditor/ckeditor4
14
https://github.com/TryGhost/Ghost
14
https://github.com/swagger-api/swagger-ui
13
https://github.com/laurent22/joplin
13
https://github.com/patriksimek/vm2
12
https://github.com/n8n-io/n8n
12
https://github.com/matrix-org/matrix-js-sdk
12
https://github.com/NodeBB/NodeBB
12
https://github.com/nocodb/nocodb
11
https://github.com/VulnSageAgent/PoCs
11
https://github.com/nextauthjs/next-auth
11
https://github.com/keystonejs/keystone
11
https://github.com/anthropics/claude-code
10
https://github.com/louislam/uptime-kuma
10
https://github.com/haxtheweb/issues
9
https://github.com/matrix-org/matrix-react-sdk
9
https://github.com/sebhildebrandt/systeminformation
9
https://github.com/matrix-org/matrix-appservice-irc
9
https://github.com/withastro/astro
9
https://github.com/evershopcommerce/evershop
9
https://github.com/ericcornelissen/shescape
8
https://github.com/apollographql/apollo-server
8
https://github.com/jquery/jquery
8
https://github.com/vega/vega
8
https://github.com/nuxt/nuxt
8
https://github.com/cure53/DOMPurify
8
https://github.com/lobehub/lobe-chat
8
https://github.com/stealjs/steal
8
https://github.com/pandao/editor.md
8
https://github.com/honojs/hono
8
https://github.com/digitalbazaar/forge
8
https://github.com/kjur/jsrsasign
8
https://github.com/indutny/elliptic
8
https://github.com/unshiftio/url-parse
7
https://github.com/saltcorn/saltcorn
7
https://github.com/twbs/bootstrap
7
https://github.com/lodash/lodash
7
https://github.com/axios/axios
7
https://github.com/aws/aws-cdk
7
https://github.com/better-auth/better-auth
6
https://github.com/markedjs/marked
6
https://github.com/apostrophecms/sanitize-html
6
https://github.com/shenzhim/aaptjs
6
https://github.com/panva/jose
6
https://github.com/openpgpjs/openpgpjs
6
https://github.com/totaljs/framework
6
https://github.com/ckeditor/ckeditor5
6
https://github.com/eclipse-theia/theia
6
https://github.com/DIYgod/RSSHub
6
https://github.com/jquery/jquery-ui
6
https://github.com/facebook/hermes
6
https://github.com/sveltejs/kit
6
https://github.com/npm/node-tar
6
https://github.com/ionicabizau/parse-url
6
https://github.com/KaTeX/KaTeX
5
https://github.com/npm/cli
5
https://github.com/AmauriC/tarteaucitron.js
5
https://github.com/fastify/fastify
5
https://github.com/basecamp/trix
5
https://github.com/faisalman/ua-parser-js
5
https://github.com/handlebars-lang/handlebars.js
5
https://github.com/hacksparrow/safe-eval
5
https://github.com/Automattic/mongoose
5
https://github.com/sidorares/node-mysql2
5
https://github.com/sweetalert2/sweetalert2
5
https://github.com/mermaid-js/mermaid
5
https://github.com/GoogleChrome/rendertron
5
https://github.com/BlackFan/client-side-prototype-pollution
5
https://github.com/PrismJS/prism
5
https://github.com/gatsbyjs/gatsby
5
https://github.com/auth0/passport-wsfed-saml2
5
https://github.com/cloudflare/workers-sdk
5
https://github.com/auth0/node-jsonwebtoken
4
https://github.com/jonschlinkert/remarkable
4
https://github.com/jhipster/generator-jhipster
4
https://github.com/payloadcms/payload
4
https://github.com/follow-redirects/follow-redirects
4
https://github.com/yarnpkg/yarn
4
https://github.com/ofirdagan/cross-domain-local-storage
4
https://github.com/jquery-validation/jquery-validation
4
https://github.com/mafintosh/tar-fs
4
https://github.com/hapijs/hapi
4
https://github.com/medialize/uri.js
4
https://github.com/auth0/nextjs-auth0
4
https://github.com/Ylianst/MeshCentral
4
https://github.com/websockets/ws
4
https://github.com/NaturalIntelligence/fast-xml-parser
4
https://github.com/angular/angular.js
4
https://github.com/expressjs/multer
4
https://github.com/erxes/erxes
4
https://github.com/steveukx/git-js
4
https://github.com/node-opcua/node-opcua
4
https://github.com/getsentry/sentry-javascript
4
https://github.com/expressjs/express
4
https://github.com/nodemailer/nodemailer
4
https://github.com/Dogfalo/materialize
4
https://github.com/pnpm/pnpm
4
https://github.com/intlify/vue-i18n
4
https://github.com/xCss/Valine
4
https://github.com/mde/ejs
4
https://github.com/npm/npm
4
https://github.com/node-saml/node-saml
4
https://github.com/mrvautin/expressCart
4
https://github.com/finos/git-proxy
4
https://github.com/koajs/koa
4
https://github.com/typeorm/typeorm
4
https://github.com/medialize/URI.js
4
https://github.com/vendure-ecommerce/vendure
4
https://github.com/auth0/lock
4
https://github.com/aws/aws-iot-device-sdk-java-v2
4
https://github.com/socketio/engine.io
4
https://github.com/balderdashy/sails
4
https://github.com/node-saml/xml-crypto
3
https://github.com/apollographql/federation
3
https://github.com/jarofghosts/glance
3
https://github.com/peerigon/angular-expressions
3
https://github.com/cloudhead/node-static
3
https://github.com/clientIO/joint
3
https://github.com/postcss/postcss
3
https://github.com/adaltas/node-mixme
3
https://github.com/plone/volto
3
https://github.com/libxmljs/libxmljs
3
https://github.com/vriteio/vrite
3
https://github.com/feathersjs-ecosystem/feathers-sequelize
3
https://github.com/validatorjs/validator.js
3
https://github.com/webpack/webpack-dev-server
3
https://github.com/dwisiswant0/advisory
3
https://github.com/Marak/colors.js
3
https://github.com/docsifyjs/docsify
3
https://github.com/mozilla/node-convict
3
https://github.com/ua-parser/uap-core
3
https://github.com/endojs/endo
3
https://github.com/moment/moment
3
https://github.com/manuelstofer/json-pointer
3
https://github.com/josdejong/mathjs
3
https://github.com/soketi/soketi
3
https://github.com/fastify/fastify-multipart
3
https://github.com/vanessa219/vditor
3
https://github.com/MrRio/jsPDF
3
https://github.com/nodejs/llhttp
3
https://github.com/socketio/socket.io
3
https://github.com/lukeed/dset
3
https://github.com/Escape-Technologies/graphql-armor
3
https://github.com/transloadit/uppy
3
https://github.com/mongo-express/mongo-express
3
https://github.com/snowflakedb/snowflake-connector-nodejs
3
https://github.com/ChainSafe/lodestar
3
https://github.com/actions/toolkit
3
https://github.com/beerpwn/CVE
3
https://github.com/chimurai/http-proxy-middleware
3
https://github.com/facebook/react
3
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable
3
https://github.com/socketio/socket.io-parser
3
https://github.com/gruntjs/grunt
3
https://github.com/RIAEvangelist/node-ipc
3
https://github.com/xmldom/xmldom
3
https://github.com/zestedesavoir/zmarkdown
3
https://github.com/cisco/node-jose
3
https://github.com/mozilla/pdf.js
3
https://github.com/apostrophecms/apostrophe
3
https://github.com/thlorenz/browserify-shim
3
https://github.com/skoranga/node-dns-sync
3
https://github.com/agnaistic/agnai
3
https://github.com/hapijs/subtext
3
https://github.com/snyk/cli
3
https://github.com/kujirahand/nadesiko3
3
https://github.com/yahoo/serialize-javascript
3
https://github.com/simpleledger/slpjs
3
https://github.com/zeit/next.js
3
https://github.com/jasonraimondi/url-to-png
3
https://github.com/dojo/dojo
3
https://github.com/infor-design/enterprise-ng
3
https://github.com/remix-run/react-router
3
https://github.com/nasa/openmct
3
https://github.com/HackAllSec/CVEs
3
https://github.com/zcaceres/markdownify-mcp
3
https://github.com/mongodb/js-bson
3
https://github.com/webpack/loader-utils
3
https://github.com/micromatch/braces
3
https://github.com/node-fetch/node-fetch
3
https://github.com/mariocasciaro/object-path
3
https://github.com/jfhbrook/node-ecstatic
3
https://github.com/neocotic/convert-svg
3
https://github.com/capricorn86/happy-dom
3
https://github.com/udecode/plate
3
https://github.com/highcharts/highcharts
3
https://github.com/nestjs/nest
3