npm
5,239,834 packages · npmjs.org
Security Advisories in npm
| Severity | Published | Advisory | Ecosystem | Package(s) |
|---|---|---|---|---|
| High | 2 days ago | Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client | npm | @angular/common |
| Low | 2 days ago | Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions | npm | better-auth |
| High | 2 days ago | node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization | npm | node-forge |
| Moderate | 3 days ago | OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation | npm | @oneuptime/common |
| High | 3 days ago | Better Auth Passkey Plugin allows passkey deletion through IDOR | npm | @better-auth/passkey |
| Moderate | 3 days ago | body-parser is vulnerable to denial of service when url encoding is used | npm | body-parser |
| Moderate | 4 days ago | Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` | npm | @sentry/sveltekit, @sentry/solidstart, @sentry/remix, @sentry/nuxt, @sentry/node-core, @sentry/nextjs, @sentry/nestjs, @sentry/google-cloud-serverless, @sentry/bun, @sentry/aws-serverless, @sentry/astro, @sentry/node |
| Moderate | 8 days ago | Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage | npm | @clerk/clerk-js |
| High | 8 days ago | authkit-nextjs may let session cookies be cached in CDNs | npm | @workos-inc/authkit-nextjs |
| High | 8 days ago | @anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes | npm | @anthropic-ai/claude-code |
| Critical | 8 days ago | md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter | npm | md-to-pdf |
| Moderate | 8 days ago | @perfood/couch-auth may expose session tokens, passwords | npm | @perfood/couch-auth |
| High | 9 days ago | Claude Code vulnerable to command execution prior to startup trust dialog | npm | @anthropic-ai/claude-code |
| Moderate | 9 days ago | Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint | npm | astro |
| Moderate | 9 days ago | Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values | npm | astro |
| High | 11 days ago | Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register) | npm | flowise |
| Moderate | 11 days ago | @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message | npm | @dependencytrack/frontend |
| High | 14 days ago | Apollo Federation has Improper Enforcement of Access Control on Transitive Fields | npm | @apollo/composition |
| High | 14 days ago | Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change | npm | flowise-ui |
| High | 14 days ago | Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials) | npm | flowise-ui |
| High | 14 days ago | @apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields | npm | @apollo/composition |
| Moderate | 15 days ago | Directus Vulnerable to Information Leakage in Existing Collections | npm | @directus/api, directus |
| Moderate | 15 days ago | Directus's conceal fields are searchable if read permissions enabled | npm | @directus/api, directus |
| Moderate | 15 days ago | Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass | npm | astro |
| Low | 15 days ago | Astro development server error page is vulnerable to reflected Cross-site Scripting | npm | astro |
| High | 15 days ago | Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable | npm | vega, vega-expression, vega-interpreter |
| High | 15 days ago | AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance | npm | aws-advanced-nodejs-wrapper |
| Moderate | 16 days ago | Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details | npm | parse-server |
| High | 19 days ago | Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand | npm | cloudinary |
| Low | 19 days ago | EverShop is vulnerable to Unauthorized Order Information Access (IDOR) | npm | @evershop/evershop |
| High | 21 days ago | Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events | pypi, npm | open-webui |
| High | 21 days ago | Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE | pypi, npm | open-webui |
| High | 23 days ago | Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format | npm | parse-server |
| High | 24 days ago | expr-eval does not restrict functions passed to the evaluate function | npm | expr-eval |
| Critical | 25 days ago | @react-native-community/cli has arbitrary OS command injection | npm | @react-native-community/cli |
| High | about 1 month ago | TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update | npm | typeorm |
| High | about 1 month ago | Astro's bypass of image proxy domain validation leads to SSRF and potential XSS | npm | astro |
| Moderate | about 1 month ago | Hono vulnerable to Vary Header Injection leading to potential CORS Bypass | npm | hono |
| High | about 1 month ago | Kottster app reinitialization can be re-triggered allowing command injection in development mode | npm | @kottster/server |
| Moderate | about 1 month ago | Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic | npm | koa |
| Moderate | about 1 month ago | Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read | npm | uptime-kuma |
| Moderate | about 1 month ago | Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers | npm | @actual-app/sync-server |
| Low | about 1 month ago | Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module | npm | @lobehub/chat |
| Moderate | about 1 month ago | Mammoth is vulnerable to Directory Traversal | nuget, pypi, maven, npm | Mammoth, mammoth, org.zwobble.mammoth:mammoth |
| Moderate | about 1 month ago | Strapi core vulnerable to sensitive data exposure via CORS misconfiguration | npm | @strapi/core |
| Moderate | about 1 month ago | Strapi Password Hashing is Missing Maximum Password Length Validation | npm | @strapi/core |
| High | about 1 month ago | Strapi Allows Unauthorized Access to Private Fields via parms.lookup | npm | @strapi/core |
| Moderate | about 1 month ago | Strapi is vulnerable to Insufficient Session Expiration | npm | @strapi/strapi |
| Critical | about 1 month ago | happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript | npm | happy-dom |
| High | about 1 month ago | `sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` | npm | sveltekit-superforms |
| Low | about 1 month ago | Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails | npm | mailgen |
| Moderate | about 2 months ago | Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs | npm | parse |
| High | about 2 months ago | Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages | npm | flowise |
| Low | about 2 months ago | Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails | npm | mailgen |
| High | about 2 months ago | Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate | npm | playwright |
| Moderate | about 2 months ago | CommandKit has incorrect command name exposure in context object for message command aliases | npm | commandkit |
| Critical | about 2 months ago | Happy DOM: VM Context Escape can lead to Remote Code Execution | npm | happy-dom |
| High | about 2 months ago | Flowise is vulnerable to arbitrary file exposure through its ReadFileTool | npm | flowise-components, flowise |
| Critical | about 2 months ago | Better Auth: Unauthenticated API key creation through api-key plugin | npm | better-auth |
| High | about 2 months ago | n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host | npm | n8n, n8n-nodes-base |
| Critical | about 2 months ago | Flowise is vulnerable to arbitrary file write through its WriteFileTool | npm | flowise-components, flowise |
| Moderate | about 2 months ago | Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict | npm | nodemailer |
| High | about 2 months ago | pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding | npm | pdfmake |
| Critical | about 2 months ago | Flowise vulnerable to RCE via Dynamic function constructor injection | npm | flowise |
| Moderate | about 2 months ago | MCPHub has an Improper Authorization vulnerability via its handleSseConnection function | npm | @samanhappy/mcphub |
| Low | about 2 months ago | MCPHub's ServerController is vulnerable to Command Injection | npm | @samanhappy/mcphub |
| Critical | about 2 months ago | Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel | npm | flowise |
| Low | about 2 months ago | Claude Code permission deny bypass through symlink | npm | @anthropic-ai/claude-code |
| High | about 2 months ago | Claude Code can execute commands prior to the startup trust dialog | npm | @anthropic-ai/claude-code |
Filter by Package

| Package | Advisories |
|---|---|
| directus | 43 |
| parse-server | 35 |
| flowise | 33 |
| next | 29 |
| electron | 28 |
| @openzeppelin/contracts | 21 |
| @openzeppelin/contracts-upgradeable | 21 |
| vite | 16 |
| sequelize | 16 |
| ghost | 16 |
| tinymce | 16 |
| undici | 15 |
| ckeditor4 | 15 |
| swagger-ui | 14 |
| angular | 14 |
| nodebb | 14 |
| joplin | 14 |
| strapi | 13 |
| astro | 13 |
| vm2 | 12 |
| marked | 12 |
| matrix-js-sdk | 12 |
| n8n | 12 |
| @anthropic-ai/claude-code | 12 |
| node-forge | 11 |
| nocodb | 11 |
| TinyMCE | 11 |
| tinymce/tinymce | 11 |
| next-auth | 10 |
| @strapi/strapi | 10 |
| @directus/api | 10 |
| bootstrap | 10 |
| uptime-kuma | 10 |
| handlebars | 10 |
| @evershop/evershop | 10 |
| matrix-react-sdk | 9 |
| matrix-appservice-irc | 9 |
| serve | 9 |
| systeminformation | 9 |
| validator | 9 |
| jsrsasign | 8 |
| shescape | 8 |
| tar | 8 |
| npm | 8 |
| express-cart | 8 |
| urijs | 8 |
| vega | 8 |
| hono | 8 |
| elliptic | 8 |
| @haxtheweb/haxcms-nodejs | 8 |
| sanitize-html | 8 |
| url-parse | 8 |
| steal | 8 |
| dompurify | 8 |
| editor.md | 8 |
| @lobehub/chat | 8 |
| jQuery.UI.Combined | 7 |
| mermaid | 7 |
| total.js | 7 |
| jquery-ui | 7 |
| snyk-broker | 7 |
| better-auth | 7 |
| hermes-engine | 7 |
| lodash | 7 |
| mongoose | 7 |
| axios | 7 |
| hapi | 7 |
| org.webjars.npm:jquery-ui | 7 |
| @strapi/plugin-users-permissions | 6 |
| rsshub | 6 |
| @sveltejs/kit | 6 |
| mattermost-desktop | 6 |
| aaptjs | 6 |
| parse-url | 6 |
| prismjs | 6 |
| safe-eval | 6 |
| tarteaucitronjs | 6 |
| jquery | 6 |
| openpgp | 6 |
| public | 5 |
| passport-wsfed-saml2 | 5 |
| trix | 5 |
| @backstage/plugin-scaffolder-backend | 5 |
| ua-parser-js | 5 |
| yarn | 5 |
| open-webui | 5 |
| jspdf | 5 |
| rendertron | 5 |
| @keystone-6/core | 5 |
| sweetalert2 | 5 |
| ws | 5 |
| fastify | 5 |
| ejs | 5 |
| katex | 5 |
| total4 | 5 |
| mysql2 | 5 |
| @saltcorn/server | 5 |
| dojo | 5 |
| aws-cdk-lib | 5 |
| vditor | 5 |
| nuxt | 5 |
| xlsx | 5 |
| jQuery | 5 |
| express | 5 |
| open-webui | 5 |
| keystone | 5 |
| generator-jhipster | 4 |
| auth0-js | 4 |
| @node-saml/node-saml | 4 |
| vue-i18n | 4 |
| bootstrap-sass | 4 |
| realms-shim | 4 |
| fast-xml-parser | 4 |
| awsiotsdk | 4 |
| snyk | 4 |
| typeorm | 4 |
| remarkable | 4 |
| @apollo/gateway | 4 |
| xml-crypto | 4 |
| apostrophe | 4 |
| software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk | 4 |
| convert-svg-core | 4 |
| engine.io | 4 |
| multer | 4 |
| nodemailer | 4 |
| follow-redirects | 4 |
| petite-vue-i18n | 4 |
| @finos/git-proxy | 4 |
| valine | 4 |
| tar-fs | 4 |
| vega-functions | 4 |
| aws-iot-device-sdk-v2 | 4 |
| apollo-server-core | 4 |
| koa | 4 |
| auth0-lock | 4 |
| payload | 4 |
| simple-markdown | 4 |
| simple-git | 4 |
| hummus | 4 |
| ses | 4 |
| yui | 4 |
| lodash-es | 4 |
| ecstatic | 4 |
| froala-editor | 4 |
| qs | 4 |
| meshcentral | 4 |
| erxes | 4 |
| bootstrap | 4 |
| mongo-express | 4 |
| jquery-validation | 4 |
| @intlify/vue-i18n-core | 4 |
| jsonwebtoken | 4 |
| safer-eval | 4 |
| materialize-css | 4 |
| moment | 4 |
| muhammara | 4 |
| pnpm | 4 |
| js-yaml | 4 |
| glance | 4 |
| mongosh | 4 |
| code-server | 4 |
| @auth0/nextjs-auth0 | 4 |
| mxgraph | 3 |
| webpack-dev-server | 3 |
| @soketi/soketi | 3 |
| mysql | 3 |
| ftp-srv | 3 |
| ids-enterprise | 3 |
| @cubejs-backend/api-gateway | 3 |
| keycloak-connect | 3 |
| m-server | 3 |
| socket.io | 3 |
| statics-server | 3 |
| serialize-to-js | 3 |
| parsel | 3 |
| @uppy/companion | 3 |
| codecov | 3 |
| bin-links | 3 |
| @strapi/utils | 3 |
| mailgen | 3 |
| @jmondi/url-to-png | 3 |
| node-saml | 3 |
| highcharts | 3 |
| flowise-components | 3 |
| layui | 3 |
| org.webjars.npm:jquery | 3 |
| stimulsoft-dashboards-js | 3 |
| @backstage/techdocs-common | 3 |
| jquery-ui-rails | 3 |
| postcss | 3 |
| @sentry/astro | 3 |
| simplehttpserver | 3 |
| uap-core | 3 |
| tough-cookie | 3 |
| fuxa-server | 3 |
| docsify | 3 |
| mathjs | 3 |
| snowflake-sdk | 3 |
| connect | 3 |
| debug | 3 |
Filter by Repository

| Repository | Advisories |
|---|---|
| https://github.com/directus/directus | 41 |
| https://github.com/parse-community/parse-server | 34 |
| https://github.com/strapi/strapi | 29 |
| https://github.com/FlowiseAI/Flowise | 28 |
| https://github.com/electron/electron | 28 |
| https://github.com/vercel/next.js | 25 |
| https://github.com/OpenZeppelin/openzeppelin-contracts | 21 |
| https://github.com/backstage/backstage | 19 |
| https://github.com/vitejs/vite | 16 |
| https://github.com/tinymce/tinymce | 16 |
| https://github.com/sequelize/sequelize | 16 |
| https://github.com/nodejs/undici | 15 |
| https://github.com/TryGhost/Ghost | 14 |
| https://github.com/ckeditor/ckeditor4 | 14 |
| https://github.com/swagger-api/swagger-ui | 13 |
| https://github.com/laurent22/joplin | 13 |
| https://github.com/NodeBB/NodeBB | 12 |
| https://github.com/n8n-io/n8n | 12 |
| https://github.com/matrix-org/matrix-js-sdk | 12 |
| https://github.com/patriksimek/vm2 | 12 |
| https://github.com/nextauthjs/next-auth | 11 |
| https://github.com/keystonejs/keystone | 11 |
| https://github.com/nocodb/nocodb | 11 |
| https://github.com/louislam/uptime-kuma | 10 |
| https://github.com/anthropics/claude-code | 10 |
| https://github.com/VulnSageAgent/PoCs | 10 |
| https://github.com/haxtheweb/issues | 9 |
| https://github.com/withastro/astro | 9 |
| https://github.com/matrix-org/matrix-react-sdk | 9 |
| https://github.com/sebhildebrandt/systeminformation | 9 |
| https://github.com/evershopcommerce/evershop | 9 |
| https://github.com/matrix-org/matrix-appservice-irc | 9 |
| https://github.com/jquery/jquery | 8 |
| https://github.com/kjur/jsrsasign | 8 |
| https://github.com/nuxt/nuxt | 8 |
| https://github.com/vega/vega | 8 |
| https://github.com/indutny/elliptic | 8 |
| https://github.com/digitalbazaar/forge | 8 |
| https://github.com/pandao/editor.md | 8 |
| https://github.com/honojs/hono | 8 |
| https://github.com/lobehub/lobe-chat | 8 |
| https://github.com/cure53/DOMPurify | 8 |
| https://github.com/apollographql/apollo-server | 8 |
| https://github.com/stealjs/steal | 8 |
| https://github.com/ericcornelissen/shescape | 8 |
| https://github.com/unshiftio/url-parse | 7 |
| https://github.com/twbs/bootstrap | 7 |
| https://github.com/aws/aws-cdk | 7 |
| https://github.com/axios/axios | 7 |
| https://github.com/saltcorn/saltcorn | 7 |
| https://github.com/lodash/lodash | 7 |
| https://github.com/ckeditor/ckeditor5 | 6 |
| https://github.com/totaljs/framework | 6 |
| https://github.com/facebook/hermes | 6 |
| https://github.com/markedjs/marked | 6 |
| https://github.com/DIYgod/RSSHub | 6 |
| https://github.com/shenzhim/aaptjs | 6 |
| https://github.com/panva/jose | 6 |
| https://github.com/npm/node-tar | 6 |
| https://github.com/better-auth/better-auth | 6 |
| https://github.com/eclipse-theia/theia | 6 |
| https://github.com/jquery/jquery-ui | 6 |
| https://github.com/apostrophecms/sanitize-html | 6 |
| https://github.com/openpgpjs/openpgpjs | 6 |
| https://github.com/ionicabizau/parse-url | 6 |
| https://github.com/sveltejs/kit | 6 |
| https://github.com/mermaid-js/mermaid | 5 |
| https://github.com/handlebars-lang/handlebars.js | 5 |
| https://github.com/auth0/passport-wsfed-saml2 | 5 |
| https://github.com/GoogleChrome/rendertron | 5 |
| https://github.com/faisalman/ua-parser-js | 5 |
| https://github.com/PrismJS/prism | 5 |
| https://github.com/Automattic/mongoose | 5 |
| https://github.com/hacksparrow/safe-eval | 5 |
| https://github.com/fastify/fastify | 5 |
| https://github.com/sidorares/node-mysql2 | 5 |
| https://github.com/cloudflare/workers-sdk | 5 |
| https://github.com/BlackFan/client-side-prototype-pollution | 5 |
| https://github.com/sweetalert2/sweetalert2 | 5 |
| https://github.com/AmauriC/tarteaucitron.js | 5 |
| https://github.com/KaTeX/KaTeX | 5 |
| https://github.com/basecamp/trix | 5 |
| https://github.com/gatsbyjs/gatsby | 5 |
| https://github.com/npm/cli | 5 |
| https://github.com/NaturalIntelligence/fast-xml-parser | 4 |
| https://github.com/erxes/erxes | 4 |
| https://github.com/node-opcua/node-opcua | 4 |
| https://github.com/jhipster/generator-jhipster | 4 |
| https://github.com/ofirdagan/cross-domain-local-storage | 4 |
| https://github.com/Dogfalo/materialize | 4 |
| https://github.com/open-webui/open-webui | 4 |
| https://github.com/auth0/nextjs-auth0 | 4 |
| https://github.com/vendure-ecommerce/vendure | 4 |
| https://github.com/Ylianst/MeshCentral | 4 |
| https://github.com/getsentry/sentry-javascript | 4 |
| https://github.com/hapijs/hapi | 4 |
| https://github.com/websockets/ws | 4 |
| https://github.com/yarnpkg/yarn | 4 |
| https://github.com/follow-redirects/follow-redirects | 4 |
| https://github.com/auth0/lock | 4 |
| https://github.com/finos/git-proxy | 4 |
| https://github.com/mafintosh/tar-fs | 4 |
| https://github.com/pnpm/pnpm | 4 |
| https://github.com/expressjs/multer | 4 |
| https://github.com/medialize/uri.js | 4 |
| https://github.com/node-saml/node-saml | 4 |
| https://github.com/jquery-validation/jquery-validation | 4 |
| https://github.com/jonschlinkert/remarkable | 4 |
| https://github.com/medialize/URI.js | 4 |
| https://github.com/payloadcms/payload | 4 |
| https://github.com/typeorm/typeorm | 4 |
| https://github.com/balderdashy/sails | 4 |
| https://github.com/steveukx/git-js | 4 |
| https://github.com/npm/npm | 4 |
| https://github.com/mde/ejs | 4 |
| https://github.com/mrvautin/expressCart | 4 |
| https://github.com/auth0/node-jsonwebtoken | 4 |
| https://github.com/nodemailer/nodemailer | 4 |
| https://github.com/expressjs/express | 4 |
| https://github.com/angular/angular.js | 4 |
| https://github.com/intlify/vue-i18n | 4 |
| https://github.com/koajs/koa | 4 |
| https://github.com/aws/aws-iot-device-sdk-java-v2 | 4 |
| https://github.com/xCss/Valine | 4 |
| https://github.com/socketio/engine.io | 4 |
| https://github.com/dojo/dojox | 3 |
| https://github.com/Marak/colors.js | 3 |
| https://github.com/clientIO/joint | 3 |
| https://github.com/infor-design/enterprise-ng | 3 |
| https://github.com/ChainSafe/lodestar | 3 |
| https://github.com/node-fetch/node-fetch | 3 |
| https://github.com/facebook/react | 3 |
| https://github.com/mongodb/js-bson | 3 |
| https://github.com/zcaceres/markdownify-mcp | 3 |
| https://github.com/xmldom/xmldom | 3 |
| https://github.com/capricorn86/happy-dom | 3 |
| https://github.com/dojo/dojo | 3 |
| https://github.com/zestedesavoir/zmarkdown | 3 |
| https://github.com/agnaistic/agnai | 3 |
| https://github.com/webpack/webpack-dev-server | 3 |
| https://github.com/hapijs/subtext | 3 |
| https://github.com/micromatch/braces | 3 |
| https://github.com/ag-grid/ag-grid | 3 |
| https://github.com/skoranga/node-dns-sync | 3 |
| https://github.com/postcss/postcss | 3 |
| https://github.com/mongo-express/mongo-express | 3 |
| https://github.com/cisco/node-jose | 3 |
| https://github.com/eladnava/mailgen | 3 |
| https://github.com/snyk/cli | 3 |
| https://github.com/simpleledger/slpjs | 3 |
| https://github.com/endojs/endo | 3 |
| https://github.com/chjj/marked | 3 |
| https://github.com/moment/moment | 3 |
| https://github.com/jfhbrook/node-ecstatic | 3 |
| https://github.com/beerpwn/CVE | 3 |
| https://github.com/feathersjs-ecosystem/feathers-sequelize | 3 |
| https://github.com/mariocasciaro/object-path | 3 |
| https://github.com/HackAllSec/CVEs | 3 |
| https://github.com/manuelstofer/json-pointer | 3 |
| https://github.com/soketi/soketi | 3 |
| https://github.com/ua-parser/uap-core | 3 |
| https://github.com/kujirahand/nadesiko3 | 3 |
| https://github.com/socketio/socket.io-parser | 3 |
| https://github.com/docsifyjs/docsify | 3 |
| https://github.com/validatorjs/validator.js | 3 |
| https://github.com/fastify/fastify-multipart | 3 |
| https://github.com/MrRio/jsPDF | 3 |
| https://github.com/nasa/openmct | 3 |
| https://github.com/jasonraimondi/url-to-png | 3 |
| https://github.com/RIAEvangelist/node-ipc | 3 |
| https://github.com/actions/toolkit | 3 |
| https://github.com/snowflakedb/snowflake-connector-nodejs | 3 |
| https://github.com/vanessa219/vditor | 3 |
| https://github.com/webpack/loader-utils | 3 |
| https://github.com/YMFE/yapi | 3 |
| https://github.com/vriteio/vrite | 3 |
| https://github.com/chimurai/http-proxy-middleware | 3 |
| https://github.com/salesforce/tough-cookie | 3 |
| https://github.com/plone/volto | 3 |
| https://github.com/dwisiswant0/advisory | 3 |
| https://github.com/transloadit/uppy | 3 |
| https://github.com/libxmljs/libxmljs | 3 |
| https://github.com/cloudhead/node-static | 3 |
| https://github.com/jarofghosts/glance | 3 |
| https://github.com/mozilla/node-convict | 3 |
| https://github.com/adaltas/node-mixme | 3 |
| https://github.com/peerigon/angular-expressions | 3 |
| https://github.com/zeit/next.js | 3 |
| https://github.com/mozilla/pdf.js | 3 |
| https://github.com/Escape-Technologies/graphql-armor | 3 |
| https://github.com/apostrophecms/apostrophe | 3 |
| https://github.com/udecode/plate | 3 |
| https://github.com/gruntjs/grunt | 3 |
| https://github.com/renovatebot/renovate | 3 |
| https://github.com/highcharts/highcharts | 3 |
| https://github.com/koush/scrypted | 3 |
| https://github.com/yahoo/serialize-javascript | 3 |
| https://github.com/lukeed/dset | 3 |
| https://github.com/nestjs/nest | 3 |