npm
5,216,746 packages · npmjs.org
Security Advisories in npm
Severity · Published · Advisory · Ecosystem · Affected package(s)

High · about 2 hours ago · Apollo Federation has Improper Enforcement of Access Control on Transitive Fields · npm · @apollo/composition
High · about 2 hours ago · Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change · npm · flowise-ui
High · about 2 hours ago · Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials) · npm · flowise-ui
High · about 3 hours ago · Flowise Fails to Invalidate Existing Sessions After Password Changes · npm · flowise
High · about 6 hours ago · @apollo/composition has Improper Enforcement of Access Control on Interface Types and Fields · npm · @apollo/composition
Moderate · 1 day ago · Directus Vulnerable to Information Leakage in Existing Collections · npm · @directus/api, directus
Moderate · 1 day ago · Directus's conceal fields are searchable if read permissions enabled · npm · @directus/api, directus
Moderate · 1 day ago · Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass · npm · astro
Low · 1 day ago · Astro development server error page vulnerable to reflected Cross-site Scripting · npm · astro
High · 1 day ago · Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable · npm · vega, vega-expression, vega-interpreter
High · 1 day ago · AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance · npm · aws-advanced-nodejs-wrapper
Moderate · 2 days ago · Parse Server allows public `explain` queries which may expose sensitive database performance information and schema details · npm · parse-server
High · 5 days ago · Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand · npm · cloudinary
Low · 5 days ago · EverShop is vulnerable to Unauthorized Order Information Access (IDOR) · npm · @evershop/evershop
High · 7 days ago · Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events · pypi, npm · open-webui
High · 7 days ago · Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE · npm · open-webui
High · 9 days ago · Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format · npm · parse-server
High · 10 days ago · expr-eval does not restrict functions passed to the evaluate function · npm · expr-eval
Critical · 11 days ago · @react-native-community/cli has arbitrary OS command injection · npm · @react-native-community/cli
High · 16 days ago · TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update · npm · typeorm
High · 17 days ago · Astro's bypass of image proxy domain validation leads to SSRF and potential XSS · npm · astro
Moderate · 21 days ago · Hono vulnerable to Vary Header Injection leading to potential CORS Bypass · npm · hono
High · 22 days ago · Kottster app reinitialization can be re-triggered allowing command injection in development mode · npm · @kottster/server
Moderate · 24 days ago · Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic · npm · koa
Moderate · 25 days ago · Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read · npm · uptime-kuma
Moderate · 25 days ago · Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers · npm · @actual-app/sync-server
Low · 28 days ago · Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module · npm · @lobehub/chat
Moderate · 29 days ago · Mammoth is vulnerable to Directory Traversal · nuget, pypi, maven, npm · Mammoth, mammoth, org.zwobble.mammoth:mammoth
Moderate · 29 days ago · Strapi core vulnerable to sensitive data exposure via CORS misconfiguration · npm · @strapi/core
Moderate · 29 days ago · Strapi Password Hashing Missing Maximum Password Length Validation · npm · @strapi/core
High · 29 days ago · Strapi Allows Unauthorized Access to Private Fields via parms.lookup · npm · @strapi/core
Critical · about 1 month ago · happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript · npm · happy-dom
High · about 1 month ago · `sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` · npm · sveltekit-superforms
Low · about 1 month ago · Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails · npm · mailgen
Moderate · about 1 month ago · Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs · npm · parse
High · about 1 month ago · Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages · npm · flowise
Low · about 1 month ago · Mailgen has HTML Injection and XSS Filter Bypass in Plaintext Emails · npm · mailgen
High · about 1 month ago · Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate · npm · playwright
Moderate · about 1 month ago · CommandKit has incorrect command name exposure in context object for message command aliases · npm · commandkit
Critical · about 1 month ago · Happy DOM: VM Context Escape can lead to Remote Code Execution · npm · happy-dom
High · about 1 month ago · Flowise is vulnerable to arbitrary file exposure through its ReadFileTool · npm · flowise-components, flowise
Critical · about 1 month ago · Better Auth: Unauthenticated API key creation through api-key plugin · npm · better-auth
High · about 1 month ago · n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host · npm · n8n, n8n-nodes-base
Critical · about 1 month ago · Flowise is vulnerable to arbitrary file write through its WriteFileTool · npm · flowise-components, flowise
Moderate · about 1 month ago · Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict · npm · nodemailer
High · about 1 month ago · pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding · npm · pdfmake
Critical · about 1 month ago · Flowise vulnerable to RCE via Dynamic function constructor injection · npm · flowise
Moderate · about 1 month ago · MCPHub has an Improper Authorization vulnerability via its handleSseConnection function · npm · @samanhappy/mcphub
Low · about 1 month ago · MCPHub's ServerController is vulnerable to Command Injection · npm · @samanhappy/mcphub
Critical · about 1 month ago · Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel · npm · flowise
Low · about 1 month ago · Claude Code permission deny bypass through symlink · npm · @anthropic-ai/claude-code
High · about 1 month ago · Claude Code can execute commands prior to the startup trust dialog · npm · @anthropic-ai/claude-code
High · about 1 month ago · @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user · npm · @plone/volto
Moderate · about 2 months ago · validator.js has a URL validation bypass vulnerability in its isURL function · npm · validator
High · about 2 months ago · Finance.js vulnerable to DoS via the IRR function’s depth parameter · npm · financejs
High · about 2 months ago · figma-developer-mcp vulnerable to command injection in get_figma_data tool · npm · figma-developer-mcp
High · about 2 months ago · @nubosoftware/node-static failure to catch exception can result in server crash · npm · @nubosoftware/node-static
Moderate · about 2 months ago · algoliasearch-helper is vulnerable to Prototype Pollution in _merge() · npm · algoliasearch-helper
High · about 2 months ago · Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass · npm · @apollo/explorer, @apollo/sandbox
Moderate · about 2 months ago · express-xss-sanitizer has an unbounded recursion depth · npm · express-xss-sanitizer
Critical · about 2 months ago · get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass · npm · get-jwks
Critical · about 2 months ago · cors-anywhere vulnerable to server-side request forgery · npm · cors-anywhere
Moderate · about 2 months ago · json-schema-editor-visual vulnerable to prototype pollution · npm · json-schema-editor-visual