npm
5,251,290 packages · npmjs.org
Security Advisories in npm
Severity · Published · Advisory · Ecosystem: affected packages

Low · 2 days ago · Anthropic Sandbox Runtime Incorrectly Implemented Network Sandboxing · npm: @anthropic-ai/sandbox-runtime
Moderate · 3 days ago · mcp-server-kubernetes has potential security issue in exec_in_pod tool · npm: mcp-server-kubernetes
Critical · 3 days ago · React Server Components are Vulnerable to RCE · npm: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack
High · 3 days ago · Claude Code Command Validation Bypass Allows Arbitrary Code Execution · npm: @anthropic-ai/claude-code
High · 4 days ago · Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default · npm: @modelcontextprotocol/sdk
High · 5 days ago · Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes · npm: @angular/compiler
Moderate · 5 days ago · Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host · npm: @portkey-ai/gateway
Moderate · 5 days ago · fastify-reply-from affected by bypass of reply forwarding · npm: @fastify/reply-from
Critical · 5 days ago · MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL · npm: mcp-watch
Low · 5 days ago · Nodemailer's addressparser is vulnerable to DoS caused by recursive calls · npm: nodemailer
Moderate · 7 days ago · Tryton sao allows XSS because it does not escape completion values · npm: tryton-sao
High · 10 days ago · Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements · npm: validator
High · 10 days ago · Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client · npm: @angular/common
Low · 10 days ago · Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions · npm: better-auth
High · 10 days ago · node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization · npm: node-forge
Moderate · 11 days ago · OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation · npm: @oneuptime/common
High · 11 days ago · Better Auth Passkey Plugin allows passkey deletion through IDOR · npm: @better-auth/passkey
Moderate · 12 days ago · body-parser is vulnerable to denial of service when url encoding is used · npm: body-parser
Moderate · 12 days ago · Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` · npm: @sentry/sveltekit, @sentry/solidstart, @sentry/remix, @sentry/nuxt, @sentry/node-core, @sentry/nextjs, @sentry/nestjs, @sentry/google-cloud-serverless, @sentry/bun, @sentry/aws-serverless, @sentry/astro, @sentry/node
Moderate · 16 days ago · Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage · npm: @clerk/clerk-js
High · 16 days ago · authkit-nextjs may let session cookies be cached in CDNs · npm: @workos-inc/authkit-nextjs
High · 16 days ago · @anthropic-ai/claude-code has Sed Command Validation Bypass that Allows Arbitrary File Writes · npm: @anthropic-ai/claude-code
Critical · 16 days ago · md-to-pdf vulnerable to arbitrary JavaScript code execution when parsing front matter · npm: md-to-pdf
Moderate · 16 days ago · @perfood/couch-auth may expose session tokens, passwords · npm: @perfood/couch-auth
High · 17 days ago · Claude Code vulnerable to command execution prior to startup trust dialog · npm: @anthropic-ai/claude-code
Moderate · 17 days ago · Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint · npm: astro
Moderate · 17 days ago · Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values · npm: astro
High · 19 days ago · Flowise has Authentication Bypass Using Unprotected Registration Endpoint (/register) · npm: flowise
Moderate · 19 days ago · @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message · npm: @dependencytrack/frontend
High · 22 days ago · Apollo Federation has Improper Enforcement of Access Control on Transitive Fields · npm: @apollo/composition
High · 22 days ago · Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change · npm: flowise-ui
High · 22 days ago · Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials) · npm: flowise-ui
High · 22 days ago · @apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields · npm: @apollo/composition
Moderate · 23 days ago · Directus Vulnerable to Information Leakage in Existing Collections · npm: @directus/api, directus
Moderate · 23 days ago · Directus's conceal fields are searchable if read permissions enabled · npm: @directus/api, directus
Moderate · 23 days ago · Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass · npm: astro
Low · 23 days ago · Astro development server error page is vulnerable to reflected Cross-site Scripting · npm: astro
High · 23 days ago · Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable · npm: vega, vega-expression, vega-interpreter
High · 23 days ago · AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance · npm: aws-advanced-nodejs-wrapper
Moderate · 24 days ago · Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details · npm: parse-server
High · 27 days ago · Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand · npm: cloudinary
Low · 27 days ago · EverShop is vulnerable to Unauthorized Order Information Access (IDOR) · npm: @evershop/evershop
High · 29 days ago · Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events · pypi, npm: open-webui
High · 29 days ago · Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE · pypi, npm: open-webui
High · about 1 month ago · Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format · npm: parse-server
High · about 1 month ago · expr-eval does not restrict functions passed to the evaluate function · npm: expr-eval
Critical · about 1 month ago · @react-native-community/cli has arbitrary OS command injection · npm: @react-native-community/cli
Moderate · about 1 month ago · node-tar has a race condition leading to uninitialized memory exposure · npm: tar
High · about 1 month ago · TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update · npm: typeorm
High · about 1 month ago · Astro's bypass of image proxy domain validation leads to SSRF and potential XSS · npm: astro
Moderate · about 1 month ago · Hono vulnerable to Vary Header Injection leading to potential CORS Bypass · npm: hono
High · about 1 month ago · Kottster app reinitialization can be re-triggered allowing command injection in development mode · npm: @kottster/server
Moderate · about 2 months ago · Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic · npm: koa
Moderate · about 2 months ago · Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read · npm: uptime-kuma
Moderate · about 2 months ago · Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers · npm: @actual-app/sync-server
Low · about 2 months ago · Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module · npm: @lobehub/chat
Moderate · about 2 months ago · Mammoth is vulnerable to Directory Traversal · nuget, pypi, maven, npm: Mammoth, mammoth, org.zwobble.mammoth:mammoth
Moderate · about 2 months ago · Strapi core vulnerable to sensitive data exposure via CORS misconfiguration · npm: @strapi/core
Moderate · about 2 months ago · Strapi Password Hashing is Missing Maximum Password Length Validation · npm: @strapi/core
High · about 2 months ago · Strapi Allows Unauthorized Access to Private Fields via parms.lookup · npm: @strapi/core
Moderate · about 2 months ago · Strapi is vulnerable to Insufficient Session Expiration · npm: @strapi/strapi
Critical · about 2 months ago · happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript · npm: happy-dom
High · about 2 months ago · `sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` · npm: sveltekit-superforms
Low · about 2 months ago · Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails · npm: mailgen
Moderate · about 2 months ago · Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs · npm: parse
High · about 2 months ago · Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages · npm: flowise
Low · about 2 months ago · Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails · npm: mailgen
High · about 2 months ago · Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate · npm: playwright
Moderate · about 2 months ago · CommandKit has incorrect command name exposure in context object for message command aliases · npm: commandkit
Filter by Package (advisory count per package)

directus (43)
parse-server (35)
flowise (33)
next (30)
electron (28)
@openzeppelin/contracts (21)
@openzeppelin/contracts-upgradeable (20)
ghost (16)
tinymce (16)
sequelize (16)
vite (16)
ckeditor4 (15)
undici (15)
joplin (14)
angular (14)
nodebb (14)
swagger-ui (14)
astro (13)
@anthropic-ai/claude-code (13)
strapi (13)
vm2 (12)
matrix-js-sdk (12)
marked (12)
n8n (12)
tinymce/tinymce (11)
node-forge (11)
TinyMCE (11)
nocodb (11)
@directus/api (10)
bootstrap (10)
@strapi/strapi (10)
uptime-kuma (10)
@evershop/evershop (10)
validator (10)
next-auth (10)
handlebars (10)
matrix-appservice-irc (9)
matrix-react-sdk (9)
serve (9)
systeminformation (9)
steal (8)
url-parse (8)
dompurify (8)
jsrsasign (8)
vega (8)
urijs (8)
better-auth (8)
tar (8)
shescape (8)
editor.md (8)
sanitize-html (8)
@lobehub/chat (8)
hono (8)
elliptic (8)
@haxtheweb/haxcms-nodejs (8)
npm (8)
express-cart (8)
org.webjars.npm:jquery-ui (7)
snyk-broker (7)
mongoose (7)
hermes-engine (7)
jQuery.UI.Combined (7)
jquery-ui (7)
total.js (7)
lodash (7)
axios (7)
hapi (7)
mermaid (7)
safe-eval (6)
@sveltejs/kit (6)
aaptjs (6)
@strapi/plugin-users-permissions (6)
rsshub (6)
prismjs (6)
mattermost-desktop (6)
jquery (6)
parse-url (6)
tarteaucitronjs (6)
open-webui (6)
openpgp (6)
rendertron (5)
dojo (5)
xlsx (5)
ejs (5)
public (5)
sweetalert2 (5)
mysql2 (5)
nodemailer (5)
@backstage/plugin-scaffolder-backend (5)
fastify (5)
ua-parser-js (5)
express (5)
jspdf (5)
@keystone-6/core (5)
aws-cdk-lib (5)
open-webui (5)
katex (5)
nuxt (5)
@saltcorn/server (5)
ws (5)
yarn (5)
vditor (5)
jQuery (5)
total4 (5)
keystone (5)
passport-wsfed-saml2 (5)
trix (5)
bootstrap (5)
moment (4)
apollo-server-core (4)
js-yaml (4)
pnpm (4)
@auth0/nextjs-auth0 (4)
mongosh (4)
jsonwebtoken (4)
auth0-js (4)
@node-saml/node-saml (4)
snyk (4)
bootstrap-sass (4)
software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk (4)
typeorm (4)
realms-shim (4)
remarkable (4)
aws-iot-device-sdk-v2 (4)
engine.io (4)
follow-redirects (4)
petite-vue-i18n (4)
vega-functions (4)
vue-i18n (4)
convert-svg-core (4)
@apollo/gateway (4)
awsiotsdk (4)
code-server (4)
koa (4)
simple-git (4)
xml-crypto (4)
auth0-lock (4)
fast-xml-parser (4)
payload (4)
multer (4)
ecstatic (4)
tar-fs (4)
meshcentral (4)
lodash-es (4)
simple-markdown (4)
ses (4)
mongo-express (4)
apostrophe (4)
valine (4)
yui (4)
erxes (4)
@intlify/vue-i18n-core (4)
safer-eval (4)
qs (4)
generator-jhipster (4)
muhammara (4)
materialize-css (4)
@finos/git-proxy (4)
glance (4)
froala-editor (4)
jquery-validation (4)
keycloak-connect (3)
@plone/volto (3)
@sentry/nextjs (3)
@sequelize/core (3)
node-jose (3)
mathjs (3)
yapi-vendor (3)
mysql (3)
loader-utils (3)
tough-cookie (3)
buttle (3)
openmct (3)
browserify-shim (3)
dojox (3)
grunt (3)
socket.io (3)
parse (3)
@ckeditor/ckeditor5-markdown-gfm (3)
json-ptr (3)
@apollo/server (3)
jose (3)
@builder.io/qwik (3)
postcss (3)
layui (3)
statics-server (3)
localhost-now (3)
blamer (3)
@vrite/sdk (3)
angular-expressions (3)
serialize-to-js (3)
@sentry/astro (3)
mixme (3)
@materializecss/materialize (3)
node-saml (3)
highcharts (3)
json-pointer (3)
braces (3)
@strapi/core (3)
serialize-javascript (3)
Filter by Repository (advisory count per repository)

https://github.com/directus/directus (41)
https://github.com/parse-community/parse-server (34)
https://github.com/strapi/strapi (29)
https://github.com/FlowiseAI/Flowise (28)
https://github.com/electron/electron (28)
https://github.com/vercel/next.js (25)
https://github.com/OpenZeppelin/openzeppelin-contracts (21)
https://github.com/backstage/backstage (19)
https://github.com/vitejs/vite (16)
https://github.com/tinymce/tinymce (16)
https://github.com/sequelize/sequelize (16)
https://github.com/nodejs/undici (15)
https://github.com/TryGhost/Ghost (14)
https://github.com/ckeditor/ckeditor4 (14)
https://github.com/swagger-api/swagger-ui (13)
https://github.com/laurent22/joplin (13)
https://github.com/NodeBB/NodeBB (12)
https://github.com/n8n-io/n8n (12)
https://github.com/matrix-org/matrix-js-sdk (12)
https://github.com/patriksimek/vm2 (12)
https://github.com/nextauthjs/next-auth (11)
https://github.com/keystonejs/keystone (11)
https://github.com/nocodb/nocodb (11)
https://github.com/louislam/uptime-kuma (10)
https://github.com/anthropics/claude-code (10)
https://github.com/VulnSageAgent/PoCs (10)
https://github.com/haxtheweb/issues (9)
https://github.com/withastro/astro (9)
https://github.com/matrix-org/matrix-react-sdk (9)
https://github.com/sebhildebrandt/systeminformation (9)
https://github.com/evershopcommerce/evershop (9)
https://github.com/matrix-org/matrix-appservice-irc (9)
https://github.com/jquery/jquery (8)
https://github.com/kjur/jsrsasign (8)
https://github.com/indutny/elliptic (8)
https://github.com/pandao/editor.md (8)
https://github.com/honojs/hono (8)
https://github.com/lobehub/lobe-chat (8)
https://github.com/stealjs/steal (8)
https://github.com/ericcornelissen/shescape (8)
https://github.com/apollographql/apollo-server (8)
https://github.com/cure53/DOMPurify (8)
https://github.com/digitalbazaar/forge (8)
https://github.com/vega/vega (8)
https://github.com/nuxt/nuxt (8)
https://github.com/aws/aws-cdk (7)
https://github.com/axios/axios (7)
https://github.com/twbs/bootstrap (7)
https://github.com/saltcorn/saltcorn (7)
https://github.com/unshiftio/url-parse (7)
https://github.com/lodash/lodash (7)
https://github.com/markedjs/marked (6)
https://github.com/ckeditor/ckeditor5 (6)
https://github.com/totaljs/framework (6)
https://github.com/facebook/hermes (6)
https://github.com/shenzhim/aaptjs (6)
https://github.com/DIYgod/RSSHub (6)
https://github.com/panva/jose (6)
https://github.com/npm/node-tar (6)
https://github.com/better-auth/better-auth (6)
https://github.com/eclipse-theia/theia (6)
https://github.com/jquery/jquery-ui (6)
https://github.com/apostrophecms/sanitize-html (6)
https://github.com/openpgpjs/openpgpjs (6)
https://github.com/ionicabizau/parse-url (6)
https://github.com/sveltejs/kit (6)
https://github.com/mermaid-js/mermaid (5)
https://github.com/KaTeX/KaTeX (5)
https://github.com/auth0/passport-wsfed-saml2 (5)
https://github.com/GoogleChrome/rendertron (5)
https://github.com/faisalman/ua-parser-js (5)
https://github.com/PrismJS/prism (5)
https://github.com/Automattic/mongoose (5)
https://github.com/hacksparrow/safe-eval (5)
https://github.com/fastify/fastify (5)
https://github.com/sidorares/node-mysql2 (5)
https://github.com/cloudflare/workers-sdk (5)
https://github.com/BlackFan/client-side-prototype-pollution (5)
https://github.com/sweetalert2/sweetalert2 (5)
https://github.com/AmauriC/tarteaucitron.js (5)
https://github.com/handlebars-lang/handlebars.js (5)
https://github.com/basecamp/trix (5)
https://github.com/gatsbyjs/gatsby (5)
https://github.com/npm/cli (5)
https://github.com/NaturalIntelligence/fast-xml-parser (4)
https://github.com/erxes/erxes (4)
https://github.com/node-opcua/node-opcua (4)
https://github.com/jhipster/generator-jhipster (4)
https://github.com/ofirdagan/cross-domain-local-storage (4)
https://github.com/Dogfalo/materialize (4)
https://github.com/open-webui/open-webui (4)
https://github.com/auth0/nextjs-auth0 (4)
https://github.com/vendure-ecommerce/vendure (4)
https://github.com/Ylianst/MeshCentral (4)
https://github.com/getsentry/sentry-javascript (4)
https://github.com/hapijs/hapi (4)
https://github.com/websockets/ws (4)
https://github.com/yarnpkg/yarn (4)
https://github.com/follow-redirects/follow-redirects (4)
https://github.com/auth0/lock (4)
https://github.com/finos/git-proxy (4)
https://github.com/mafintosh/tar-fs (4)
https://github.com/pnpm/pnpm (4)
https://github.com/expressjs/multer (4)
https://github.com/medialize/URI.js (4)
https://github.com/medialize/uri.js (4)
https://github.com/node-saml/node-saml (4)
https://github.com/jquery-validation/jquery-validation (4)
https://github.com/jonschlinkert/remarkable (4)
https://github.com/payloadcms/payload (4)
https://github.com/typeorm/typeorm (4)
https://github.com/balderdashy/sails (4)
https://github.com/steveukx/git-js (4)
https://github.com/npm/npm (4)
https://github.com/mde/ejs (4)
https://github.com/mrvautin/expressCart (4)
https://github.com/auth0/node-jsonwebtoken (4)
https://github.com/nodemailer/nodemailer (4)
https://github.com/expressjs/express (4)
https://github.com/angular/angular.js (4)
https://github.com/xCss/Valine (4)
https://github.com/aws/aws-iot-device-sdk-java-v2 (4)
https://github.com/intlify/vue-i18n (4)
https://github.com/koajs/koa (4)
https://github.com/socketio/engine.io (4)
https://github.com/dojo/dojox (3)
https://github.com/Marak/colors.js (3)
https://github.com/clientIO/joint (3)
https://github.com/infor-design/enterprise-ng (3)
https://github.com/ChainSafe/lodestar (3)
https://github.com/node-fetch/node-fetch (3)
https://github.com/facebook/react (3)
https://github.com/mongodb/js-bson (3)
https://github.com/zcaceres/markdownify-mcp (3)
https://github.com/xmldom/xmldom (3)
https://github.com/capricorn86/happy-dom (3)
https://github.com/dojo/dojo (3)
https://github.com/zestedesavoir/zmarkdown (3)
https://github.com/agnaistic/agnai (3)
https://github.com/webpack/webpack-dev-server (3)
https://github.com/hapijs/subtext (3)
https://github.com/micromatch/braces (3)
https://github.com/ag-grid/ag-grid (3)
https://github.com/postcss/postcss (3)
https://github.com/skoranga/node-dns-sync (3)
https://github.com/mongo-express/mongo-express (3)
https://github.com/cisco/node-jose (3)
https://github.com/snyk/cli (3)
https://github.com/simpleledger/slpjs (3)
https://github.com/endojs/endo (3)
https://github.com/chjj/marked (3)
https://github.com/moment/moment (3)
https://github.com/jfhbrook/node-ecstatic (3)
https://github.com/eladnava/mailgen (3)
https://github.com/beerpwn/CVE (3)
https://github.com/feathersjs-ecosystem/feathers-sequelize (3)
https://github.com/mariocasciaro/object-path (3)
https://github.com/HackAllSec/CVEs (3)
https://github.com/manuelstofer/json-pointer (3)
https://github.com/soketi/soketi (3)
https://github.com/ua-parser/uap-core (3)
https://github.com/kujirahand/nadesiko3 (3)
https://github.com/socketio/socket.io-parser (3)
https://github.com/docsifyjs/docsify (3)
https://github.com/validatorjs/validator.js (3)
https://github.com/fastify/fastify-multipart (3)
https://github.com/MrRio/jsPDF (3)
https://github.com/nasa/openmct (3)
https://github.com/jasonraimondi/url-to-png (3)
https://github.com/RIAEvangelist/node-ipc (3)
https://github.com/snowflakedb/snowflake-connector-nodejs (3)
https://github.com/actions/toolkit (3)
https://github.com/vanessa219/vditor (3)
https://github.com/webpack/loader-utils (3)
https://github.com/YMFE/yapi (3)
https://github.com/vriteio/vrite (3)
https://github.com/chimurai/http-proxy-middleware (3)
https://github.com/salesforce/tough-cookie (3)
https://github.com/plone/volto (3)
https://github.com/dwisiswant0/advisory (3)
https://github.com/transloadit/uppy (3)
https://github.com/libxmljs/libxmljs (3)
https://github.com/cloudhead/node-static (3)
https://github.com/jarofghosts/glance (3)
https://github.com/mozilla/node-convict (3)
https://github.com/adaltas/node-mixme (3)
https://github.com/peerigon/angular-expressions (3)
https://github.com/zeit/next.js (3)
https://github.com/mozilla/pdf.js (3)
https://github.com/Escape-Technologies/graphql-armor (3)
https://github.com/apostrophecms/apostrophe (3)
https://github.com/udecode/plate (3)
https://github.com/gruntjs/grunt (3)
https://github.com/renovatebot/renovate (3)
https://github.com/highcharts/highcharts (3)
https://github.com/koush/scrypted (3)
https://github.com/yahoo/serialize-javascript (3)
https://github.com/lukeed/dset (3)
https://github.com/nestjs/nest (3)