npm
5,191,522 packages · npmjs.org
Security Advisories in npm
Severity · published · advisory · ecosystem: package(s)

Moderate · about 6 hours ago · Hono vulnerable to Vary Header Injection leading to potential CORS Bypass · npm: hono
High · 1 day ago · Kottster app reinitialization can be re-triggered allowing command injection in development mode · npm: @kottster/server
Moderate · 3 days ago · Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic · npm: koa
Moderate · 4 days ago · Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read · npm: uptime-kuma
Moderate · 4 days ago · Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers · npm: @actual-app/sync-server
Low · 7 days ago · Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module · npm: @lobehub/chat
Moderate · 8 days ago · Mammoth is vulnerable to Directory Traversal · nuget, pypi, maven, npm: Mammoth, mammoth, org.zwobble.mammoth:mammoth
Moderate · 8 days ago · Strapi core vulnerable to sensitive data exposure via CORS misconfiguration · npm: @strapi/core
Moderate · 8 days ago · Strapi Password Hashing Missing Maximum Password Length Validation · npm: @strapi/core
High · 8 days ago · Strapi Allows Unauthorized Access to Private Fields via parms.lookup · npm: @strapi/core
Critical · 9 days ago · happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript · npm: happy-dom
High · 9 days ago · `sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` · npm: sveltekit-superforms
Moderate · 10 days ago · Parse Javascript SDK vulnerable to prototype pollution in `Parse.Object` and internal APIs · npm: parse
High · 10 days ago · Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages · npm: flowise
High · 10 days ago · Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate · npm: playwright
Moderate · 11 days ago · CommandKit has incorrect command name exposure in context object for message command aliases · npm: commandkit
High · 14 days ago · Flowise is vulnerable to arbitrary file exposure through its ReadFileTool · npm: flowise-components, flowise
Critical · 15 days ago · Better Auth: Unauthenticated API key creation through api-key plugin · npm: better-auth
High · 15 days ago · n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host · npm: n8n, n8n-nodes-base
Critical · 15 days ago · Flowise is vulnerable to arbitrary file write through its WriteFileTool · npm: flowise-components, flowise
Moderate · 17 days ago · Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict · npm: nodemailer
High · 18 days ago · pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding · npm: pdfmake
Critical · 18 days ago · Flowise vulnerable to RCE via Dynamic function constructor injection · npm: flowise
Moderate · 20 days ago · MCPHub has an Improper Authorization vulnerability via its handleSseConnection function · npm: @samanhappy/mcphub
Critical · 21 days ago · Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel · npm: flowise
High · 21 days ago · Claude Code can execute commands prior to the startup trust dialog · npm: @anthropic-ai/claude-code
High · 23 days ago · @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user · npm: @plone/volto
Moderate · 24 days ago · validator.js has a URL validation bypass vulnerability in its isURL function · npm: validator
High · 24 days ago · figma-developer-mcp vulnerable to command injection in get_figma_data tool · npm: figma-developer-mcp
High · 25 days ago · @nubosoftware/node-static failure to catch exception can result in server crash · npm: @nubosoftware/node-static
Moderate · 28 days ago · algoliasearch-helper is vulnerable to Prototype Pollution in _merge() · npm: algoliasearch-helper
High · 28 days ago · Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass · npm: @apollo/explorer, @apollo/sandbox
Moderate · 28 days ago · express-xss-sanitizer has an unbounded recursion depth · npm: express-xss-sanitizer
Critical · 28 days ago · get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass · npm: get-jwks
Moderate · about 1 month ago · json-schema-editor-visual vulnerable to prototype pollution · npm: json-schema-editor-visual
Low · about 1 month ago · web3-core-subscriptions has a Prototype Pollution vulnerability · npm: web3-core-subscriptions
Moderate · about 1 month ago · Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure · npm: @mastra/mcp-docs-server
High · about 1 month ago · Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions · npm: @anthropic-ai/claude-code
High · about 1 month ago · tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball · npm: tar-fs
High · about 1 month ago · Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink · npm: @meshconnect/web-link-sdk
Moderate · about 1 month ago · @conventional-changelog/git-client has Argument Injection vulnerability · npm: @conventional-changelog/git-client
High · about 1 month ago · Codex has sandbox bypass due to bug in path configuration logic · npm: @openai/codex
Moderate · about 1 month ago · @digitalocean/do-markdownit has Type Confusion vulnerability · npm: @digitalocean/do-markdownit
Moderate · about 1 month ago · Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages · npm: @lobehub/chat
Moderate · about 1 month ago · @sequa-ai/sequa-mcp has Command Injection vulnerability · npm: @sequa-ai/sequa-mcp
Moderate · about 1 month ago · Parcel has an Origin Validation Error vulnerability · npm: @parcel/reporter-dev-server
Moderate · about 1 month ago · matrix-js-sdk has insufficient validation when considering a room to be upgraded by another · npm: matrix-js-sdk
High · about 1 month ago · @executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode · npm: @executeautomation/database-server
High · about 1 month ago · is-arrayish@0.3.3 contains malware after npm account takeover · npm: is-arrayish
High · about 1 month ago · color-convert@3.1.1 contains malware after npm account takeover · npm: color-convert
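A listing like the one above is only useful once it is checked against what you actually ship. The script below is an added example (not code from the GitHub Advisory Database or from any of the listed projects): it takes a handful of advisory records transcribed from the listing (package name, severity and title only), walks a package-lock.json, and reports installed packages that appear in the listing, highest severity first. The caveat matters: the listing carries no affected-version ranges, so a name match only means "open the GHSA entry and compare versions". The one case that can be decided locally is a malware advisory whose title pins the exact bad version (is-arrayish@0.3.3, color-convert@3.1.1), which the script matches exactly and otherwise ignores. The lockfile, the `example-app` name and every version number in it are constructed for the example, and the nested `simple-swizzle/node_modules/is-arrayish` path is there to show that nested copies are found too.

```python
"""Triage a package-lock.json against advisories taken from a listing.

Added example; not code from the advisory page or from any listed project.
Matching is by package name because the listing shows no affected-version
ranges, so a hit means "open the GHSA entry and compare versions", except
where the advisory title itself pins the bad version (the malware entries).
"""
import json
import re

SEVERITY_RANK = {"critical": 4, "high": 3, "moderate": 2, "low": 1}

# (package, severity, title) transcribed from the listing above; a subset only.
ADVISORIES = [
    ("hono", "Moderate", "Hono vulnerable to Vary Header Injection leading to potential CORS Bypass"),
    ("koa", "Moderate", "Koa Vulnerable to Open Redirect via Trailing Double-Slash (//) in back Redirect Logic"),
    ("@strapi/core", "High", "Strapi Allows Unauthorized Access to Private Fields via parms.lookup"),
    ("tar-fs", "High", "tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball"),
    ("validator", "Moderate", "validator.js has a URL validation bypass vulnerability in its isURL function"),
    ("is-arrayish", "High", "is-arrayish@0.3.3 contains malware after npm account takeover"),
    ("color-convert", "High", "color-convert@3.1.1 contains malware after npm account takeover"),
]

# Constructed lockfile (lockfileVersion 3 layout); names and versions are illustrative.
LOCKFILE = json.loads("""{
  "name": "example-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "example-app", "version": "1.0.0"},
    "node_modules/koa": {"version": "2.15.3"},
    "node_modules/express": {"version": "4.21.2"},
    "node_modules/tar-fs": {"version": "3.0.6"},
    "node_modules/@strapi/core": {"version": "5.1.0"},
    "node_modules/color-convert": {"version": "2.0.1"},
    "node_modules/simple-swizzle/node_modules/is-arrayish": {"version": "0.3.3"}
  }
}""")


def pinned_version(package, title):
    """Return the exact version a title pins as `package@version`, else None."""
    m = re.match(re.escape(package) + r"@(\S+)", title)
    return m.group(1) if m else None


def installed_packages(lock):
    """Yield (name, version, path) for every package-lock.json entry,
    including nested copies under another package's node_modules."""
    for path, meta in lock.get("packages", {}).items():
        if not path:                                   # "" is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]     # keeps the @scope/ prefix intact
        yield name, meta.get("version", "?"), path


def triage(lock, advisories=ADVISORIES):
    """Return hits sorted by severity (highest first), then package name.

    status "confirmed": the advisory pins a version and exactly that is installed.
    status "review":    name match only; the affected range must be read from the GHSA.
    A pinned version that differs from the installed one is not reported at all.
    """
    by_name = {}
    for package, severity, title in advisories:
        by_name.setdefault(package, []).append((severity.lower(), title))

    hits = []
    for name, version, path in installed_packages(lock):
        for severity, title in by_name.get(name, []):
            pinned = pinned_version(name, title)
            if pinned is not None and pinned != version:
                continue
            hits.append({
                "package": name, "version": version, "path": path,
                "severity": severity, "title": title,
                "status": "confirmed" if pinned else "review",
            })
    hits.sort(key=lambda h: (-SEVERITY_RANK[h["severity"]], h["package"]))
    return hits


if __name__ == "__main__":
    for h in triage(LOCKFILE):
        print(f'{h["severity"]:8} {h["status"]:9} {h["package"]}@{h["version"]}  ({h["path"]})')
        print(f'         {h["title"]}')
```

On the constructed lockfile this reports @strapi/core, is-arrayish and tar-fs (High) and koa (Moderate); only is-arrayish is "confirmed", because it is the pinned 0.3.3, while color-convert 2.0.1 is silently skipped since the advisory pins 3.1.1. Everything marked "review" still needs the GHSA's affected range before it is treated as a finding.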
Packages by advisory count (npm ecosystem)

39: directus
33: parse-server
31: flowise
29: next
28: electron
21: @openzeppelin/contracts-upgradeable, @openzeppelin/contracts
16: ghost, tinymce, sequelize, vite
15: undici, ckeditor4
14: joplin, swagger-ui, nodebb, angular
13: strapi
12: vm2, matrix-js-sdk, marked
11: tinymce/tinymce, TinyMCE, n8n, nocodb, handlebars
10: @anthropic-ai/claude-code, @strapi/strapi, uptime-kuma
9: matrix-appservice-irc, next-auth, systeminformation, validator, @evershop/evershop, matrix-react-sdk, serve
8: npm, shescape, editor.md, sanitize-html, steal, hono, @directus/api, node-forge, @haxtheweb/haxcms-nodejs, elliptic, url-parse, urijs, jsrsasign, dompurify, express-cart, @lobehub/chat
7: mermaid, axios, total.js, vega, tar, mongoose, hapi, snyk-broker, hermes-engine
6: org.webjars.npm:jquery-ui, openpgp, @sveltejs/kit, rsshub, @strapi/plugin-users-permissions, jquery-ui, parse-url, tarteaucitronjs, mattermost-desktop, aaptjs, better-auth, safe-eval, astro, prismjs
5: ejs, dojo, nuxt, xlsx, @backstage/plugin-scaffolder-backend, trix, @saltcorn/server, jQuery.UI.Combined, mysql2, sweetalert2, jspdf, bootstrap-sass, katex, yarn, rendertron, bootstrap, passport-wsfed-saml2, aws-cdk-lib, fastify, ws, jquery, express, ua-parser-js, @keystone-6/core, public, vditor, keystone, total4
4: payload, @auth0/nextjs-auth0, awsiotsdk, apollo-server-core, auth0-js, bootstrap-sass, koa, vega-functions, bootstrap, simple-markdown, follow-redirects, convert-svg-core, pnpm, materialize-css, code-server, @finos/git-proxy, moment, muhammara, yui, @intlify/vue-i18n-core, mongo-express, realms-shim, auth0-lock, snyk, meshcentral, erxes, valine, vue-i18n, tar-fs, froala-editor, apostrophe, remarkable, simple-git, software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk, multer, safer-eval, mongosh, nodemailer, engine.io, generator-jhipster, ecstatic, twbs/bootstrap, ses, fast-xml-parser, @apollo/gateway, qs, jQuery, aws-iot-device-sdk-v2, org.webjars:bootstrap, jquery-validation, glance, xml-crypto, @node-saml/node-saml, petite-vue-i18n, jsonwebtoken
3: dset, @janhq/core, node-jose, locutus, open-webui, @strapi/plugin-content-manager, send, express-fileupload, webpack-dev-server, docsify, @soketi/soketi, slp-validate, codecov, notevil, moodle/moodle, mcp-markdownify-server, openmct, convict, parsel, typeorm, sails, open-webui, @strapi/admin, tough-cookie, @intlify/core-base, jose-node-esm-runtime, xdLocalStorage, simplehttpserver, angular-expressions, node-red-dashboard, mathjs, mysql, localhost-now, @strapi/core, socket.io, @materializecss/materialize, parse, uap-core, @ckeditor/ckeditor5-markdown-gfm, ids-enterprise, @strapi/utils, connect
Source repositories by advisory count

https://github.com/directus/directus · 41
https://github.com/parse-community/parse-server · 33
https://github.com/strapi/strapi · 29
https://github.com/FlowiseAI/Flowise · 28
https://github.com/electron/electron · 28
https://github.com/vercel/next.js · 25
https://github.com/OpenZeppelin/openzeppelin-contracts · 21
https://github.com/backstage/backstage · 19
https://github.com/tinymce/tinymce · 16
https://github.com/vitejs/vite · 16
https://github.com/sequelize/sequelize · 16
https://github.com/nodejs/undici · 15
https://github.com/TryGhost/Ghost · 14
https://github.com/ckeditor/ckeditor4 · 14
https://github.com/swagger-api/swagger-ui · 13
https://github.com/laurent22/joplin · 13
https://github.com/patriksimek/vm2 · 12
https://github.com/matrix-org/matrix-js-sdk · 12
https://github.com/NodeBB/NodeBB · 12
https://github.com/n8n-io/n8n · 11
https://github.com/nocodb/nocodb · 11
https://github.com/VulnSageAgent/PoCs · 11
https://github.com/keystonejs/keystone · 11
https://github.com/louislam/uptime-kuma · 10
https://github.com/nextauthjs/next-auth · 10
https://github.com/anthropics/claude-code · 10
https://github.com/sebhildebrandt/systeminformation · 9
https://github.com/evershopcommerce/evershop · 9
https://github.com/haxtheweb/issues · 9
https://github.com/matrix-org/matrix-appservice-irc · 9
https://github.com/matrix-org/matrix-react-sdk · 9
https://github.com/nuxt/nuxt · 8
https://github.com/pandao/editor.md · 8
https://github.com/kjur/jsrsasign · 8
https://github.com/ericcornelissen/shescape · 8
https://github.com/withastro/astro · 8
https://github.com/indutny/elliptic · 8
https://github.com/honojs/hono · 8
https://github.com/lobehub/lobe-chat · 8
https://github.com/vega/vega · 8
https://github.com/apollographql/apollo-server · 8
https://github.com/cure53/DOMPurify · 8
https://github.com/stealjs/steal · 8
https://github.com/digitalbazaar/forge · 8
https://github.com/saltcorn/saltcorn · 7
https://github.com/unshiftio/url-parse · 7
https://github.com/jquery/jquery · 7
https://github.com/aws/aws-cdk · 7
https://github.com/axios/axios · 7
https://github.com/npm/node-tar · 6
https://github.com/better-auth/better-auth · 6
https://github.com/markedjs/marked · 6
https://github.com/panva/jose · 6
https://github.com/eclipse-theia/theia · 6
https://github.com/shenzhim/aaptjs · 6
https://github.com/ckeditor/ckeditor5 · 6
https://github.com/DIYgod/RSSHub · 6
https://github.com/openpgpjs/openpgpjs · 6
https://github.com/apostrophecms/sanitize-html · 6
https://github.com/sveltejs/kit · 6
https://github.com/totaljs/framework · 6
https://github.com/ionicabizau/parse-url · 6
https://github.com/facebook/hermes · 6
https://github.com/jquery/jquery-ui · 5
https://github.com/sweetalert2/sweetalert2 · 5
https://github.com/GoogleChrome/rendertron · 5
https://github.com/gatsbyjs/gatsby · 5
https://github.com/auth0/passport-wsfed-saml2 · 5
https://github.com/sidorares/node-mysql2 · 5
https://github.com/BlackFan/client-side-prototype-pollution · 5
https://github.com/cloudflare/workers-sdk · 5
https://github.com/faisalman/ua-parser-js · 5
https://github.com/mermaid-js/mermaid · 5
https://github.com/fastify/fastify · 5
https://github.com/basecamp/trix · 5
https://github.com/AmauriC/tarteaucitron.js · 5
https://github.com/Automattic/mongoose · 5
https://github.com/KaTeX/KaTeX · 5
https://github.com/PrismJS/prism · 5
https://github.com/handlebars-lang/handlebars.js · 5
https://github.com/hacksparrow/safe-eval · 5
https://github.com/npm/cli · 5
https://github.com/auth0/nextjs-auth0 · 4
https://github.com/jhipster/generator-jhipster · 4
https://github.com/ofirdagan/cross-domain-local-storage · 4
https://github.com/yarnpkg/yarn · 4
https://github.com/hapijs/hapi · 4
https://github.com/follow-redirects/follow-redirects · 4
https://github.com/Ylianst/MeshCentral · 4
https://github.com/lodash/lodash · 4
https://github.com/vendure-ecommerce/vendure · 4
https://github.com/getsentry/sentry-javascript · 4
https://github.com/websockets/ws · 4
https://github.com/NaturalIntelligence/fast-xml-parser · 4
https://github.com/Dogfalo/materialize · 4
https://github.com/aws/aws-iot-device-sdk-java-v2 · 4
https://github.com/angular/angular.js · 4
https://github.com/xCss/Valine · 4
https://github.com/intlify/vue-i18n · 4
https://github.com/mafintosh/tar-fs · 4
https://github.com/pnpm/pnpm · 4
https://github.com/expressjs/multer · 4
https://github.com/medialize/URI.js · 4
https://github.com/balderdashy/sails · 4
https://github.com/auth0/node-jsonwebtoken · 4
https://github.com/medialize/uri.js · 4
https://github.com/node-saml/node-saml · 4
https://github.com/jquery-validation/jquery-validation · 4
https://github.com/jonschlinkert/remarkable · 4
https://github.com/payloadcms/payload · 4
https://github.com/finos/git-proxy · 4
https://github.com/steveukx/git-js · 4
https://github.com/auth0/lock · 4
https://github.com/npm/npm · 4
https://github.com/mde/ejs · 4
https://github.com/socketio/engine.io · 4
https://github.com/koajs/koa · 4
https://github.com/mrvautin/expressCart · 4
https://github.com/nodemailer/nodemailer · 4
https://github.com/node-opcua/node-opcua · 4
https://github.com/twbs/bootstrap · 4
https://github.com/erxes/erxes · 4
https://github.com/expressjs/express · 4
https://github.com/clientIO/joint · 3
https://github.com/postcss/postcss · 3
https://github.com/chimurai/http-proxy-middleware · 3
https://github.com/dwisiswant0/advisory · 3
https://github.com/transloadit/uppy · 3
https://github.com/mozilla/node-convict · 3
https://github.com/webpack/webpack-dev-server · 3
https://github.com/hapijs/subtext · 3
https://github.com/Marak/colors.js · 3
https://github.com/facebook/react · 3
https://github.com/snyk/cli · 3
https://github.com/josdejong/mathjs · 3
https://github.com/dojo/dojox · 3
https://github.com/adaltas/node-mixme · 3
https://github.com/feathersjs-ecosystem/feathers-sequelize · 3
https://github.com/jfhbrook/node-ecstatic · 3
https://github.com/jarofghosts/glance · 3
https://github.com/libxmljs/libxmljs · 3
https://github.com/cloudhead/node-static · 3
https://github.com/chjj/marked · 3
https://github.com/simpleledger/slpjs · 3
https://github.com/agnaistic/agnai · 3
https://github.com/nestjs/nest · 3
https://github.com/renovatebot/renovate · 3
https://github.com/gruntjs/grunt · 3
https://github.com/mozilla/pdf.js · 3
https://github.com/zestedesavoir/zmarkdown · 3
https://github.com/dojo/dojo · 3
https://github.com/xmldom/xmldom · 3
https://github.com/infor-design/enterprise-ng · 3
https://github.com/zeit/next.js · 3
https://github.com/typeorm/typeorm · 3
https://github.com/HackAllSec/CVEs · 3
https://github.com/mariocasciaro/object-path · 3
https://github.com/moment/moment · 3
https://github.com/endojs/endo · 3
https://github.com/eladnava/mailgen · 3
https://github.com/socketio/socket.io-parser · 3
https://github.com/jasonraimondi/url-to-png · 3
https://github.com/mongo-express/mongo-express · 3
https://github.com/RIAEvangelist/node-ipc · 3
https://github.com/micromatch/braces · 3
https://github.com/ag-grid/ag-grid · 3
https://github.com/YMFE/yapi · 3
https://github.com/skoranga/node-dns-sync · 3
https://github.com/cisco/node-jose · 3
https://github.com/beerpwn/CVE · 3
https://github.com/apostrophecms/apostrophe · 3
https://github.com/Escape-Technologies/graphql-armor · 3
https://github.com/peerigon/angular-expressions · 3
https://github.com/actions/toolkit · 3
https://github.com/udecode/plate · 3
https://github.com/highcharts/highcharts · 3
https://github.com/snowflakedb/snowflake-connector-nodejs · 3
https://github.com/koush/scrypted · 3
https://github.com/lukeed/dset · 3
https://github.com/vanessa219/vditor · 3
https://github.com/socketio/socket.io · 3
https://github.com/immerjs/immer · 3
https://github.com/neocotic/convert-svg · 3
https://github.com/node-saml/xml-crypto · 3
https://github.com/apollographql/federation · 3
https://github.com/nodejs/llhttp · 3
https://github.com/manuelstofer/json-pointer · 3
https://github.com/thlorenz/browserify-shim · 3
https://github.com/nasa/openmct · 3
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable · 3
https://github.com/MrRio/jsPDF · 3
https://github.com/validatorjs/validator.js · 3
https://github.com/soketi/soketi · 3
https://github.com/ua-parser/uap-core · 3
https://github.com/fastify/fastify-multipart · 3
https://github.com/kujirahand/nadesiko3 · 3
https://github.com/docsifyjs/docsify · 3
https://github.com/mongodb/js-bson · 3
https://github.com/zcaceres/markdownify-mcp · 3