
npm
5,162,107 packages · npmjs.org
Security Advisories in npm
High
about 20 hours ago
Finance.js vulnerable to DoS via the IRR function’s depth parameter
npm
financejs
High
about 22 hours ago
figma-developer-mcp vulnerable to command injection in get_figma_data tool
npm
figma-developer-mcp
Moderate
4 days ago
algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
npm
algoliasearch-helper
High
5 days ago
Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass
npm
@apollo/explorer, @apollo/sandbox
Moderate
5 days ago
express-xss-sanitizer has an unbounded recursion depth
npm
express-xss-sanitizer
Critical
5 days ago
get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass
npm
get-jwks
Low
7 days ago
web3-core-subscriptions has a Prototype Pollution vulnerability
npm
web3-core-subscriptions
Moderate
7 days ago
json-schema-editor-visual vulnerable to prototype pollution
npm
json-schema-editor-visual
Moderate
7 days ago
Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure
npm
@mastra/mcp-docs-server
High
7 days ago
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions
npm
@anthropic-ai/claude-code
High
7 days ago
tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball
npm
tar-fs
High
9 days ago
Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink
npm
@meshconnect/web-link-sdk
Moderate
9 days ago
@conventional-changelog/git-client has Argument Injection vulnerability
npm
@conventional-changelog/git-client
Moderate
12 days ago
@digitalocean/do-markdownit has Type Confusion vulnerability
npm
@digitalocean/do-markdownit
Moderate
13 days ago
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages
npm
@lobehub/chat
Moderate
14 days ago
@sequa-ai/sequa-mcp has Command Injection vulnerability
npm
@sequa-ai/sequa-mcp
Moderate
14 days ago
Parcel has an Origin Validation Error vulnerability
npm
@parcel/reporter-dev-server
Moderate
15 days ago
matrix-js-sdk has insufficient validation when considering a room to be upgraded by another
npm
matrix-js-sdk
High
15 days ago
@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode
npm
@executeautomation/database-server
High
16 days ago
simple-swizzle@0.2.3 contains malware after npm account takeover
npm
simple-swizzle
Moderate
16 days ago
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability
npm
hackmd-mcp
Moderate
16 days ago
Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark
npm
ghost
Critical
16 days ago
Flowise has arbitrary file access due to missing chat flow id validation
npm
flowise
Moderate
16 days ago
Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter
npm
n8n
Moderate
16 days ago
MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency
npm
@metamask/sdk-communication-layer, @metamask/sdk-react, @metamask/sdk
Critical
19 days ago
Flowise Cloud and Local Deployments have Unauthenticated Password Reset Token Disclosure that Leads to Account Takeover
npm
flowise
Critical
20 days ago
Prebid-universal-creative latest on npm briefly compromised
npm
prebid-universal-creative
Moderate
20 days ago
jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin
npm
jsondiffpatch
High
21 days ago
Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage
npm
@nguniversal/common, @angular/ssr, @angular/platform-server
Critical
21 days ago
interactive-git-checkout has a Command Injection vulnerability
npm
interactive-git-checkout
High
21 days ago
Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email
npm
@anthropic-ai/claude-code
High
21 days ago
Webrecorder packages are vulnerable to XSS through 404 error handling logic
npm
@webrecorder/archivewebpage, replaywebpage, @webrecorder/wabac
High
21 days ago
Claude Code rg vulnerability does not protect against approval prompt bypass
npm
@anthropic-ai/claude-code
Low
22 days ago
Vite middleware may serve files starting with the same name with the public directory
npm
vite
High
22 days ago
Cattown is Vulnerable to Uncontrolled Resource Consumption through Inefficient Regular Expression Complexity
npm
cattown
Moderate
22 days ago
Element Plus Link component (el-link) implements insufficient input validation for the href attribute
npm
element-plus
High
22 days ago
DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware
npm
@duckdb/duckdb-wasm, @duckdb/node-bindings, @duckdb/node-api, duckdb
High
23 days ago
MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server
npm
@modelcontextprotocol/inspector
Critical
23 days ago
@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API
npm
@akoskm/create-mcp-server-stdio
Critical
23 days ago
CodeceptJS's incomprehensive sanitation can lead to Command Injection
npm
codeceptjs
Moderate
23 days ago
SimStudioAI: A function in route.ts is vulnerable to Code Injection
npm
simstudio
Moderate
23 days ago
sanitize-html is vulnerable to XSS through incomprehensive sanitization
npm
sanitize-html
High
27 days ago
Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter
npm
@astrojs/cloudflare
High
28 days ago
Claude Code Vulnerable to Arbitrary Code Execution Due to Insufficient Startup Warning
npm
@anthropic-ai/claude-code
Low
28 days ago
CKEditor 5 cross-site scripting (XSS) vulnerability in the clipboard package
npm
ckeditor5
High
29 days ago
mcp-markdownify-server vulnerable to command injection in pptx-to-markdown tool
npm
mcp-markdownify-server
Moderate
about 1 month ago
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
npm
next
Moderate
about 1 month ago
AiondaDotCom mcp-ssh command injection vulnerability in SSH operations
npm
@aiondadotcom/mcp-ssh
Filter by Package
directus
38
parse-server
33
next
29
electron
28
flowise
24
@openzeppelin/contracts-upgradeable
21
@openzeppelin/contracts
21
tinymce
16
ghost
16
sequelize
16
undici
15
ckeditor4
15
vite
15
swagger-ui
14
angular
14
joplin
14
nodebb
14
strapi
13
vm2
12
matrix-js-sdk
12
marked
12
tinymce/tinymce
11
TinyMCE
11
nocodb
11
n8n
10
handlebars
10
bootstrap
10
matrix-react-sdk
9
next-auth
9
@evershop/evershop
9
systeminformation
9
@strapi/strapi
9
matrix-appservice-irc
9
serve
9
uptime-kuma
9
jsrsasign
8
elliptic
8
validator
8
sanitize-html
8
shescape
8
steal
8
node-forge
8
dompurify
8
npm
8
@haxtheweb/haxcms-nodejs
8
url-parse
8
express-cart
8
@directus/api
8
editor.md
8
@anthropic-ai/claude-code
8
urijs
8
lodash
7
jquery-ui
7
axios
7
jQuery.UI.Combined
7
hapi
7
hermes-engine
7
@lobehub/chat
7
tar
7
total.js
7
vega
7
mongoose
7
snyk-broker
7
org.webjars.npm:jquery-ui
7
mermaid
7
tarteaucitronjs
6
prismjs
6
safe-eval
6
aaptjs
6
@sveltejs/kit
6
parse-url
6
mattermost-desktop
6
hono
6
@strapi/plugin-users-permissions
6
openpgp
6
rsshub
6
ejs
5
jspdf
5
aws-cdk-lib
5
ws
5
yarn
5
dojo
5
passport-wsfed-saml2
5
jquery
5
total4
5
ua-parser-js
5
nuxt
5
express
5
xlsx
5
fastify
5
@saltcorn/server
5
keystone
5
bootstrap
5
astro
5
trix
5
better-auth
5
rendertron
5
public
5
katex
5
@keystone-6/core
5
sweetalert2
5
vditor
5
mysql2
5
@backstage/plugin-scaffolder-backend
5
jquery-validation
4
mongosh
4
muhammara
4
yui
4
convert-svg-core
4
remarkable
4
snyk
4
qs
4
tar-fs
4
apostrophe
4
simple-markdown
4
code-server
4
engine.io
4
ses
4
froala-editor
4
follow-redirects
4
software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk
4
payload
4
erxes
4
petite-vue-i18n
4
@finos/git-proxy
4
awsiotsdk
4
lodash-es
4
vue-i18n
4
vega-functions
4
pnpm
4
auth0-lock
4
hummus
4
simple-git
4
valine
4
@node-saml/node-saml
4
generator-jhipster
4
xml-crypto
4
moment
4
safer-eval
4
@intlify/vue-i18n-core
4
ecstatic
4
materialize-css
4
@auth0/nextjs-auth0
4
meshcentral
4
jsonwebtoken
4
auth0-js
4
multer
4
mongo-express
4
aws-iot-device-sdk-v2
4
apollo-server-core
4
glance
4
fast-xml-parser
4
jQuery
4
realms-shim
4
protobufjs
3
snowflake-sdk
3
bootstrap
3
nodemailer
3
org.webjars.npm:jquery
3
object-path
3
highcharts
3
parsel
3
feathers-sequelize
3
node-ipc
3
statics-server
3
locutus
3
webpack-dev-server
3
notevil
3
serialize-to-js
3
@strapi/utils
3
js-yaml
3
mcp-markdownify-server
3
@cubejs-backend/api-gateway
3
angular-expressions
3
mysql
3
agnai
3
@apollo/gateway
3
layui
3
@strapi/admin
3
koa
3
jquery-ui-rails
3
connect
3
keycloak-connect
3
raneto
3
sails
3
mixme
3
braces
3
wrangler
3
@janhq/core
3
grunt
3
socket.io
3
jose-node-cjs-runtime
3
bson
3
@uppy/companion
3
buttle
3
bin-links
3
dset
3
open-webui
3
ftp-srv
3
@soketi/soketi
3
Filter by Repository
https://github.com/directus/directus
41
https://github.com/parse-community/parse-server
33
https://github.com/electron/electron
28
https://github.com/strapi/strapi
25
https://github.com/vercel/next.js
25
https://github.com/OpenZeppelin/openzeppelin-contracts
21
https://github.com/FlowiseAI/Flowise
20
https://github.com/backstage/backstage
19
https://github.com/tinymce/tinymce
16
https://github.com/sequelize/sequelize
16
https://github.com/nodejs/undici
15
https://github.com/vitejs/vite
15
https://github.com/ckeditor/ckeditor4
14
https://github.com/TryGhost/Ghost
14
https://github.com/laurent22/joplin
13
https://github.com/swagger-api/swagger-ui
13
https://github.com/patriksimek/vm2
12
https://github.com/matrix-org/matrix-js-sdk
12
https://github.com/VulnSageAgent/PoCs
12
https://github.com/NodeBB/NodeBB
12
https://github.com/keystonejs/keystone
11
https://github.com/nocodb/nocodb
11
https://github.com/nextauthjs/next-auth
10
https://github.com/n8n-io/n8n
10
https://github.com/haxtheweb/issues
9
https://github.com/matrix-org/matrix-react-sdk
9
https://github.com/sebhildebrandt/systeminformation
9
https://github.com/matrix-org/matrix-appservice-irc
9
https://github.com/louislam/uptime-kuma
9
https://github.com/evershopcommerce/evershop
9
https://github.com/kjur/jsrsasign
8
https://github.com/pandao/editor.md
8
https://github.com/digitalbazaar/forge
8
https://github.com/cure53/DOMPurify
8
https://github.com/indutny/elliptic
8
https://github.com/ericcornelissen/shescape
8
https://github.com/stealjs/steal
8
https://github.com/apollographql/apollo-server
8
https://github.com/anthropics/claude-code
8
https://github.com/vega/vega
8
https://github.com/nuxt/nuxt
8
https://github.com/lobehub/lobe-chat
7
https://github.com/axios/axios
7
https://github.com/aws/aws-cdk
7
https://github.com/saltcorn/saltcorn
7
https://github.com/unshiftio/url-parse
7
https://github.com/lodash/lodash
7
https://github.com/withastro/astro
7
https://github.com/jquery/jquery
7
https://github.com/panva/jose
6
https://github.com/jquery/jquery-ui
6
https://github.com/twbs/bootstrap
6
https://github.com/eclipse-theia/theia
6
https://github.com/ckeditor/ckeditor5
6
https://github.com/shenzhim/aaptjs
6
https://github.com/markedjs/marked
6
https://github.com/openpgpjs/openpgpjs
6
https://github.com/npm/node-tar
6
https://github.com/apostrophecms/sanitize-html
6
https://github.com/sveltejs/kit
6
https://github.com/facebook/hermes
6
https://github.com/ionicabizau/parse-url
6
https://github.com/honojs/hono
6
https://github.com/totaljs/framework
6
https://github.com/DIYgod/RSSHub
6
https://github.com/gatsbyjs/gatsby
5
https://github.com/npm/cli
5
https://github.com/AmauriC/tarteaucitron.js
5
https://github.com/handlebars-lang/handlebars.js
5
https://github.com/PrismJS/prism
5
https://github.com/sidorares/node-mysql2
5
https://github.com/KaTeX/KaTeX
5
https://github.com/hacksparrow/safe-eval
5
https://github.com/Automattic/mongoose
5
https://github.com/auth0/passport-wsfed-saml2
5
https://github.com/mermaid-js/mermaid
5
https://github.com/GoogleChrome/rendertron
5
https://github.com/faisalman/ua-parser-js
5
https://github.com/fastify/fastify
5
https://github.com/better-auth/better-auth
5
https://github.com/cloudflare/workers-sdk
5
https://github.com/basecamp/trix
5
https://github.com/sweetalert2/sweetalert2
5
https://github.com/BlackFan/client-side-prototype-pollution
5
https://github.com/expressjs/multer
4
https://github.com/auth0/lock
4
https://github.com/xCss/Valine
4
https://github.com/intlify/vue-i18n
4
https://github.com/auth0/nextjs-auth0
4
https://github.com/mde/ejs
4
https://github.com/Ylianst/MeshCentral
4
https://github.com/Dogfalo/materialize
4
https://github.com/payloadcms/payload
4
https://github.com/finos/git-proxy
4
https://github.com/medialize/URI.js
4
https://github.com/npm/npm
4
https://github.com/steveukx/git-js
4
https://github.com/jhipster/generator-jhipster
4
https://github.com/hapijs/hapi
4
https://github.com/expressjs/express
4
https://github.com/medialize/uri.js
4
https://github.com/pnpm/pnpm
4
https://github.com/balderdashy/sails
4
https://github.com/node-saml/node-saml
4
https://github.com/follow-redirects/follow-redirects
4
https://github.com/mrvautin/expressCart
4
https://github.com/node-opcua/node-opcua
4
https://github.com/NaturalIntelligence/fast-xml-parser
4
https://github.com/aws/aws-iot-device-sdk-java-v2
4
https://github.com/socketio/engine.io
4
https://github.com/auth0/node-jsonwebtoken
4
https://github.com/yarnpkg/yarn
4
https://github.com/ofirdagan/cross-domain-local-storage
4
https://github.com/vendure-ecommerce/vendure
4
https://github.com/erxes/erxes
4
https://github.com/websockets/ws
4
https://github.com/jonschlinkert/remarkable
4
https://github.com/angular/angular.js
4
https://github.com/getsentry/sentry-javascript
4
https://github.com/mafintosh/tar-fs
4
https://github.com/jquery-validation/jquery-validation
4
https://github.com/chimurai/http-proxy-middleware
3
https://github.com/highcharts/highcharts
3
https://github.com/udecode/plate
3
https://github.com/feathersjs-ecosystem/feathers-sequelize
3
https://github.com/postcss/postcss
3
https://github.com/peerigon/angular-expressions
3
https://github.com/jarofghosts/glance
3
https://github.com/dojo/dojo
3
https://github.com/yahoo/serialize-javascript
3
https://github.com/infor-design/enterprise-ng
3
https://github.com/beerpwn/CVE
3
https://github.com/remix-run/react-router
3
https://github.com/cloudhead/node-static
3
https://github.com/adaltas/node-mixme
3
https://github.com/apostrophecms/apostrophe
3
https://github.com/agnaistic/agnai
3
https://github.com/mongo-express/mongo-express
3
https://github.com/typeorm/typeorm
3
https://github.com/libxmljs/libxmljs
3
https://github.com/zestedesavoir/zmarkdown
3
https://github.com/xmldom/xmldom
3
https://github.com/HackAllSec/CVEs
3
https://github.com/dwisiswant0/advisory
3
https://github.com/zcaceres/markdownify-mcp
3
https://github.com/josdejong/mathjs
3
https://github.com/mongodb/js-bson
3
https://github.com/moment/moment
3
https://github.com/endojs/endo
3
https://github.com/mozilla/node-convict
3
https://github.com/node-fetch/node-fetch
3
https://github.com/vriteio/vrite
3
https://github.com/mariocasciaro/object-path
3
https://github.com/transloadit/uppy
3
https://github.com/koajs/koa
3
https://github.com/facebook/react
3
https://github.com/socketio/socket.io
3
https://github.com/neocotic/convert-svg
3
https://github.com/renovatebot/renovate
3
https://github.com/gruntjs/grunt
3
https://github.com/jfhbrook/node-ecstatic
3
https://github.com/socketio/socket.io-parser
3
https://github.com/RIAEvangelist/node-ipc
3
https://github.com/micromatch/braces
3
https://github.com/MrRio/jsPDF
3
https://github.com/vanessa219/vditor
3
https://github.com/soketi/soketi
3
https://github.com/nodejs/llhttp
3
https://github.com/mozilla/pdf.js
3
https://github.com/ChainSafe/lodestar
3
https://github.com/thlorenz/browserify-shim
3
https://github.com/jasonraimondi/url-to-png
3
https://github.com/node-saml/xml-crypto
3
https://github.com/dojo/dojox
3
https://github.com/zeit/next.js
3
https://github.com/kujirahand/nadesiko3
3
https://github.com/ua-parser/uap-core
3
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable
3
https://github.com/docsifyjs/docsify
3
https://github.com/clientIO/joint
3
https://github.com/chjj/marked
3
https://github.com/Marak/colors.js
3
https://github.com/webpack/loader-utils
3
https://github.com/fastify/fastify-multipart
3
https://github.com/snowflakedb/snowflake-connector-nodejs
3
https://github.com/webpack/webpack-dev-server
3
https://github.com/actions/toolkit
3
https://github.com/hapijs/subtext
3
https://github.com/Escape-Technologies/graphql-armor
3
https://github.com/skoranga/node-dns-sync
3
https://github.com/YMFE/yapi
3
https://github.com/koush/scrypted
3
https://github.com/cisco/node-jose
3
https://github.com/nestjs/nest
3
https://github.com/salesforce/tough-cookie
3
https://github.com/immerjs/immer
3
https://github.com/simpleledger/slpjs
3
https://github.com/nodemailer/nodemailer
3
https://github.com/snyk/cli
3