npm
Security Advisories in npm
High
about 13 hours ago
SafeInstall agent guard shell parsing can miss raw package execution
npm
safeinstall-cli
Moderate
about 17 hours ago
tarteaucitron: data-cookie attribute can be used to delete arbitrary cookies
npm
tarteaucitronjs
High
about 17 hours ago
libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays
npm
@libp2p/gossipsub
Moderate
about 19 hours ago
morgan vulnerable to Log Forging via unneutralized control characters in :remote-user
npm
morgan
Moderate
2 days ago
Gittensory: Missing contributor-scoped access control on profile endpoint and MCP tool leaks miner financial data
npm
@jsonbored/gittensory-mcp
High
4 days ago
@better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers
npm
@better-auth/scim
Low
4 days ago
Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows
npm
@better-auth/scim, better-auth
High
4 days ago
@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
npm
better-auth, @better-auth/oauth-provider
Critical
4 days ago
@better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
npm
@better-auth/sso
High
4 days ago
Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
npm
better-auth, @better-auth/oauth-provider
High
4 days ago
Better Auth has insecure cryptographic defaults in oidcProvider: alg=none advertised and plain PKCE accepted by default
npm
better-auth
High
4 days ago
Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp
npm
better-auth
High
4 days ago
Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
npm
better-auth
High
4 days ago
Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin
npm
better-auth
Moderate
4 days ago
@better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators
npm
@better-auth/oauth-provider
Critical
4 days ago
Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
npm
better-auth
Moderate
4 days ago
@aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)
npm
@aborruso/ckan-mcp-server
Medium
4 days ago
Phoenix JavaScript presence client crashes on presence keys colliding with Object.prototype members in Presence.syncState/syncDiff
hex, npm
phoenix
High
4 days ago
9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
npm
9router
Critical
4 days ago
9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
npm
9router
Critical
5 days ago
Decompress: Archive extraction can create files and links outside of the target directory
npm
decompress, @xhmikosr/decompress
High
8 days ago
9router has an Incomplete Fix: Local-Only Access Gate Bypass in 9router via Host Header SpoofING
npm
9router
Critical
9 days ago
9router's Hardcoded Default fallback JWT Secret Allows Authentication Bypass
npm
9router
Moderate
9 days ago
@asymmetric-effort/nogginlessdom vulnerable to ReDoS via user-controlled regex in HTMLInputElement pattern validation
npm
@asymmetric-effort/nogginlessdom
High
9 days ago
@asymmetric-effort/nogginlessdom's Path Traversal in matchFileSnapshot allows arbitrary file write
npm
@asymmetric-effort/nogginlessdom
Moderate
9 days ago
@nuxt/ui: UAuthForm / UForm SSR markup omits `method`, leaking credentials via GET if submitted before hydration
npm
@nuxt/ui
High
9 days ago
jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion
npm
jsonata
High
9 days ago
Grackle: Fail-open authorization in the MCP tool layer lets scoped agents perform cross-task and cross-session mutations (IDOR)
npm
@grackle-ai/auth, @grackle-ai/plugin-core, @grackle-ai/mcp
High
9 days ago
electerm has Command Injection in File System Operations (rmrf, mv, cp)
npm
electerm
High
9 days ago
electerm has Path Traversal in Zmodem and Trzsz Download Filename Handling
npm
electerm
High
9 days ago
@conform-to/dom parseSubmission vulnerable to CPU exhaustion when parsing many unique form fields
npm
@conform-to/dom
High
9 days ago
Grackle has command/argument injection in the git worktree executor that enables RCE on provisioned hosts via an unsanitized task branch name (shell:true)
npm
@grackle-ai/powerline, @grackle-ai/runtime-sdk
Moderate
9 days ago
@asymmetric-effort/specifyjs: CSS expression sanitization is bypassable in renderToString
npm
@asymmetric-effort/specifyjs
Moderate
9 days ago
@asymmetric-effort/specifyjs: No redirect target validation in secureFetch
npm
@asymmetric-effort/specifyjs
Moderate
9 days ago
@asymmetric-effort/specifyjs: `data:` URI allowed without size restriction
npm
@asymmetric-effort/specifyjs
Moderate
9 days ago
@asymmetric-effort/specifyjs: Localhost bypass incomplete (IPv6, 0.0.0.0, 127.x range)
npm
@asymmetric-effort/specifyjs
Moderate
9 days ago
@asymmetric-effort/specifyjs: Production console warnings may leak internal framework state
npm
@asymmetric-effort/specifyjs
Moderate
9 days ago
@asymmetric-effort/specifyjs: GraphQL gql tag allows metacharacter injection
npm
@asymmetric-effort/specifyjs
High
9 days ago
@asymmetric-effort/specifyjs: URL parse failure silently allows request
npm
@asymmetric-effort/specifyjs
High
9 days ago
OpenClaw: Native command authorization could skip owner-command enforcement
npm
openclaw
High
9 days ago
OpenClaw: PowerShell encoded-command aliases could miss exec allowlist checks
npm
openclaw
Moderate
9 days ago
OpenClaw: Mattermost slash token revocation could lag until monitor refresh
npm
openclaw
High
9 days ago
OpenClaw: Paired nodes could forge exec lifecycle events without system.run provenance
npm
openclaw
Moderate
9 days ago
OpenClaw: MCP loopback could skip owner-only tool policy for non-owner callers
npm
openclaw
Moderate
9 days ago
OpenClaw: Slack and Zalo webhook secrets could remain active after secrets.reload
npm
openclaw
Low
9 days ago
OpenClaw: Feishu dynamic-agent bindings could miss configWrites enforcement
npm
openclaw
Moderate
9 days ago
OpenClaw: Sandboxed session spawn could expose the real workspace path to child prompts
npm
openclaw
Moderate
9 days ago
OpenClaw: Embedded runner policy could be confused by provider aliases
npm
openclaw
High
9 days ago
OpenClaw: Fake package roots could influence memory-core artifact loading
npm
openclaw
High
9 days ago
OpenClaw: Workspace .env could override Homebrew executable selection for skill install flows
npm
openclaw
Moderate
9 days ago
OpenClaw: QQBot pre-dispatch slash commands could skip allowFrom checks
npm
openclaw
High
9 days ago
OpenClaw: Non-owner chat senders could issue device-pairing bootstrap codes
npm
openclaw
Moderate
9 days ago
OpenClaw: Browser debug/export routes could reuse already-open blocked tabs
npm
openclaw
Moderate
9 days ago
OpenClaw: message.action forwarding could send Gateway credentials to model-supplied loopback URLs
npm
openclaw
Critical
9 days ago
OpenClaw: QQBot admin commands could skip DM-only and allowFrom policy
npm
openclaw
Moderate
9 days ago
OpenClaw: Mattermost handlers could fall open when channel type was missing
npm
openclaw
High
9 days ago
OpenClaw: Trusted-proxy Control UI WebSocket accepted client-declared scopes before pairing
npm
openclaw
Moderate
9 days ago
OpenClaw: Skill Workshop apply flow could override pending approval
npm
openclaw
High
9 days ago
OpenClaw: QQBot streaming command could mutate config without explicit allowFrom
npm
openclaw
Moderate
9 days ago
OpenClaw's Slack plugin approvals used the exec approver gate for plugin actions
npm
openclaw
Moderate
9 days ago
OpenClaw: memory-wiki ingest could read local files with operator.write scope
npm
openclaw
High
9 days ago
OpenClaw: Scoped chat.send route inheritance could bypass admin command scope gates
npm
openclaw
High
9 days ago
OpenClaw's POSIX node system.run safe-bin allowlist could be widened by shell expansion
npm
openclaw
High
9 days ago
OpenClaw: QQBot native approval buttons did not enforce configured approver identity
npm
openclaw
High
9 days ago
OpenClaw: Hook-triggered CLI runs could receive owner MCP tool authority
npm
openclaw
High
9 days ago
OpenClaw: Control UI locality spoofing could mint a durable admin device token
npm
openclaw
High
9 days ago
OpenClaw: Same-host trusted-proxy deployments could accept local forged identity headers
npm
openclaw
High
9 days ago
OpenClaw's marketplace runtime extension metadata could point at unscanned payloads
npm
openclaw
Moderate
9 days ago
OpenClaw's browser act interactions could bypass private-network navigation checks
npm
openclaw
High
9 days ago
OpenClaw: Shell wrapper argv could change between approval and execution
npm
Openclaw
Moderate
9 days ago
OpenClaw: Bundle MCP loopback could miss its exec denylist on session spawn
npm
openclaw
High
9 days ago
OpenClaw: Exec approval display truncation could hide the command being approved
npm
openclaw
High
9 days ago
Apify Model Context Protocol (MCP) server: Actor MCP path authority injection leaks Apify token
npm
@apify/actors-mcp-server
Critical
9 days ago
Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header
npm
ghost
Moderate
10 days ago
@hey-api/openapi-ts's `buildClientParams` template: prototype chain substitution via unknown `$<slot>___proto__` key
npm
@hey-api/openapi-ts
High
10 days ago
sigstore's `certificateOIDs` verification constraints are silently dropped and never enforced
npm
sigstore
Moderate
10 days ago
sigstore-js has Insufficient Verification of Data Authenticity
npm
@sigstore/verify
Moderate
10 days ago
repomix: attach_packed_output can bypass file-read secret scanning for supported local files
npm
repomix
High
10 days ago
repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection
npm
repomix
High
10 days ago
auth-fetch-mcp has SSRF Protection Bypass via IPv4-mapped IPv6 Loopback
npm
auth-fetch-mcp
Moderate
10 days ago
@jshookmcp/jshook: ICMP probe and traceroute skip local-network SSRF authorization
npm
@jshookmcp/jshook
High
11 days ago
@adonisjs/bodyparser has an incomplete fix for CVE-2026-25754
npm
@adonisjs/bodyparser
High
11 days ago
@cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation
npm
@cedar-policy/authorization-for-expressjs
High
14 days ago
pnpm: `patch-remove` could delete project-selected files outside the patches directory
npm
pnpm
High
14 days ago
pnpm: `stage download` writes outside its destination directory via manifest name/version traversal
npm
pnpm
Filter by Severity
Filter by Package
openclaw
591
parse-server
116
n8n
99
flowise
85
directus
56
next
55
nocodb
54
electron
47
vm2
43
hono
40
axios
33
undici
30
pnpm
28
@anthropic-ai/claude-code
27
dompurify
26
ghost
25
vite
22
better-auth
21
fuxa-server
21
@budibase/server
21
@openzeppelin/contracts
21
@openzeppelin/contracts-upgradeable
20
astro
20
tinymce
20
handlebars
18
sequelize
17
flowise-components
17
@haxtheweb/haxcms-nodejs
16
protobufjs
15
node-forge
15
liquidjs
15
tar
15
ckeditor4
15
tinymce/tinymce
15
TinyMCE
15
jspdf
15
react-router
14
swagger-ui
14
@nyariv/sandboxjs
14
nodebb
14
joplin
14
svelte
14
nuxt
14
@sveltejs/kit
14
jsrsasign
14
signalk-server
14
angular
14
electerm
13
marked
13
systeminformation
13
apostrophe
13
matrix-js-sdk
12
@evershop/evershop
12
strapi
12
@directus/api
12
@oneuptime/common
11
renovate
11
clawdbot
11
@strapi/strapi
11
uptime-kuma
11
nodemailer
11
fast-xml-parser
11
sillytavern
11
@lobehub/chat
11
mermaid
11
h3
10
payload
10
fastify
10
next-auth
10
open-webui
10
lodash
10
validator
10
sanitize-html
10
elliptic
9
multer
9
bootstrap
9
@saltcorn/server
9
praisonai
9
n8n-mcp
9
shescape
9
matrix-appservice-irc
9
network-ai
9
matrix-react-sdk
9
serve
9
trix
8
urijs
8
steal
8
9router
8
@builder.io/qwik-city
8
editor.md
8
tarteaucitronjs
8
mongoose
8
fast-jwt
8
@backstage/plugin-scaffolder-backend
8
devalue
8
locutus
8
@strapi/plugin-users-permissions
8
npm
8
url-parse
8
xmldom
8
@paperclipai/server
8
mattermost-desktop
7
jQuery.UI.Combined
7
@auth0/nextjs-auth0
7
hapi
7
@vitejs/plugin-rsc
7
react-server-dom-turbopack
7
qs
7
@astrojs/node
7
@xmldom/xmldom
7
jquery-ui
7
react-server-dom-parcel
7
hermes-engine
7
@tinacms/cli
7
@hulumi/policies
7
@angular/core
7
vega
7
@actual-app/sync-server
7
@asymmetric-effort/specifyjs
7
express-cart
7
ws
7
org.webjars.npm:jquery-ui
7
snyk-broker
7
simple-git
7
total.js
7
budibase
7
studiocms
7
lodash-es
7
aaptjs
6
@frangoteam/fuxa
6
openpgp
6
@budibase/backend-core
6
@fedify/fedify
6
rsshub
6
parse-url
6
aws-cdk-lib
6
react-server-dom-webpack
6
prismjs
6
@angular/ssr
6
safe-eval
6
@angular/platform-server
6
@evomap/evolver
6
jquery
6
open-webui
6
ua-parser-js
6
@keystone-6/core
6
path-to-regexp
5
serialize-javascript
5
typeorm
5
mysql2
5
@angular/compiler
5
dojo
5
@samanhappy/mcphub
5
keystone
5
vditor
5
yarn
5
@perfood/couch-auth
5
happy-dom
5
katex
5
rendertron
5
apollo-server-core
5
koa
5
webpack-dev-server
5
mathjs
5
muhammara
5
minimatch
5
@grackle-ai/server
5
@apollo/server
5
oneuptime
5
convict
5
jQuery
5
public
5
seroval
5
auth0-js
5
follow-redirects
5
passport-wsfed-saml2
5
http-proxy-middleware
5
@apollo/gateway
5
@steipete/summarize
5
@tinacms/graphql
5
basic-ftp
5
mcp-server-kubernetes
5
lodash-amd
5
js-yaml
5
vega-functions
5
@angular/common
5
sweetalert2
5
express
5
xlsx
5
ejs
5
total4
5
@intlify/vue-i18n-core
4
jquery-validation
4
materialize-css
4
libxmljs
4
tinacms
4
safer-eval
4
erxes
4
psitransfer
4
@node-saml/node-saml
4
Filter by Repository
https://github.com/directus/directus
41
https://github.com/parse-community/parse-server
34
https://github.com/electron/electron
28
https://github.com/FlowiseAI/Flowise
28
https://github.com/strapi/strapi
28
https://github.com/vercel/next.js
25
https://github.com/OpenZeppelin/openzeppelin-contracts
21
https://github.com/backstage/backstage
19
https://github.com/sequelize/sequelize
16
https://github.com/vitejs/vite
16
https://github.com/tinymce/tinymce
16
https://github.com/nodejs/undici
15
https://github.com/TryGhost/Ghost
14
https://github.com/ckeditor/ckeditor4
14
https://github.com/swagger-api/swagger-ui
13
https://github.com/laurent22/joplin
13
https://github.com/matrix-org/matrix-js-sdk
12
https://github.com/n8n-io/n8n
12
https://github.com/NodeBB/NodeBB
12
https://github.com/patriksimek/vm2
12
https://github.com/nocodb/nocodb
11
https://github.com/keystonejs/keystone
11
https://github.com/nextauthjs/next-auth
11
https://github.com/VulnSageAgent/PoCs
10
https://github.com/louislam/uptime-kuma
10
https://github.com/anthropics/claude-code
10
https://github.com/matrix-org/matrix-react-sdk
9
https://github.com/evershopcommerce/evershop
9
https://github.com/matrix-org/matrix-appservice-irc
9
https://github.com/sebhildebrandt/systeminformation
9
https://github.com/withastro/astro
9
https://github.com/haxtheweb/issues
9
https://github.com/kjur/jsrsasign
8
https://github.com/jquery/jquery
8
https://github.com/apollographql/apollo-server
8
https://github.com/cure53/DOMPurify
8
https://github.com/pandao/editor.md
8
https://github.com/vega/vega
8
https://github.com/indutny/elliptic
8
https://github.com/nuxt/nuxt
8
https://github.com/lobehub/lobe-chat
8
https://github.com/stealjs/steal
8
https://github.com/honojs/hono
8
https://github.com/ericcornelissen/shescape
8
https://github.com/digitalbazaar/forge
8
https://github.com/aws/aws-cdk
7
https://github.com/saltcorn/saltcorn
7
https://github.com/unshiftio/url-parse
7
https://github.com/axios/axios
7
https://github.com/lodash/lodash
7
https://github.com/apostrophecms/sanitize-html
6
https://github.com/ionicabizau/parse-url
6
https://github.com/npm/node-tar
6
https://github.com/panva/jose
6
https://github.com/better-auth/better-auth
6
https://github.com/openpgpjs/openpgpjs
6
https://github.com/totaljs/framework
6
https://github.com/markedjs/marked
6
https://github.com/DIYgod/RSSHub
6
https://github.com/eclipse-theia/theia
6
https://github.com/facebook/hermes
6
https://github.com/shenzhim/aaptjs
6
https://github.com/sveltejs/kit
6
https://github.com/twbs/bootstrap
6
https://github.com/jquery/jquery-ui
6
https://github.com/ckeditor/ckeditor5
6
https://github.com/AmauriC/tarteaucitron.js
5
https://github.com/sidorares/node-mysql2
5
https://github.com/basecamp/trix
5
https://github.com/npm/cli
5
https://github.com/auth0/passport-wsfed-saml2
5
https://github.com/fastify/fastify
5
https://github.com/PrismJS/prism
5
https://github.com/KaTeX/KaTeX
5
https://github.com/mermaid-js/mermaid
5
https://github.com/sweetalert2/sweetalert2
5
https://github.com/hacksparrow/safe-eval
5
https://github.com/GoogleChrome/rendertron
5
https://github.com/cloudflare/workers-sdk
5
https://github.com/gatsbyjs/gatsby
5
https://github.com/Automattic/mongoose
5
https://github.com/faisalman/ua-parser-js
5
https://github.com/handlebars-lang/handlebars.js
5
https://github.com/BlackFan/client-side-prototype-pollution
5
https://github.com/balderdashy/sails
4
https://github.com/pnpm/pnpm
4
https://github.com/aws/aws-iot-device-sdk-java-v2
4
https://github.com/follow-redirects/follow-redirects
4
https://github.com/expressjs/multer
4
https://github.com/ofirdagan/cross-domain-local-storage
4
https://github.com/auth0/nextjs-auth0
4
https://github.com/finos/git-proxy
4
https://github.com/medialize/uri.js
4
https://github.com/node-saml/node-saml
4
https://github.com/xCss/Valine
4
https://github.com/nodemailer/nodemailer
4
https://github.com/expressjs/express
4
https://github.com/npm/npm
4
https://github.com/mde/ejs
4
https://github.com/koajs/koa
4
https://github.com/auth0/lock
4
https://github.com/erxes/erxes
4
https://github.com/node-opcua/node-opcua
4
https://github.com/getsentry/sentry-javascript
4
https://github.com/intlify/vue-i18n
4
https://github.com/angular/angular.js
4
https://github.com/vendure-ecommerce/vendure
4
https://github.com/typeorm/typeorm
4
https://github.com/Dogfalo/materialize
4
https://github.com/jquery-validation/jquery-validation
4
https://github.com/jhipster/generator-jhipster
4
https://github.com/steveukx/git-js
4
https://github.com/open-webui/open-webui
4
https://github.com/yarnpkg/yarn
4
https://github.com/Ylianst/MeshCentral
4
https://github.com/auth0/node-jsonwebtoken
4
https://github.com/hapijs/hapi
4
https://github.com/medialize/URI.js
4
https://github.com/payloadcms/payload
4
https://github.com/mafintosh/tar-fs
4
https://github.com/NaturalIntelligence/fast-xml-parser
4
https://github.com/socketio/engine.io
4
https://github.com/jonschlinkert/remarkable
4
https://github.com/websockets/ws
4
https://github.com/peerigon/angular-expressions
3
https://github.com/snyk/cli
3
https://github.com/YMFE/yapi
3
https://github.com/validatorjs/validator.js
3
https://github.com/cloudhead/node-static
3
https://github.com/nestjs/nest
3
https://github.com/ua-parser/uap-core
3
https://github.com/xmldom/xmldom
3
https://github.com/snowflakedb/snowflake-connector-nodejs
3
https://github.com/skoranga/node-dns-sync
3
https://github.com/feathersjs-ecosystem/feathers-sequelize
3
https://github.com/transloadit/uppy
3
https://github.com/dojo/dojo
3
https://github.com/chjj/marked
3
https://github.com/infor-design/enterprise-ng
3
https://github.com/HackAllSec/CVEs
3
https://github.com/gruntjs/grunt
3
https://github.com/Marak/colors.js
3
https://github.com/yahoo/serialize-javascript
3
https://github.com/udecode/plate
3
https://github.com/salesforce/tough-cookie
3
https://github.com/RIAEvangelist/node-ipc
3
https://github.com/cisco/node-jose
3
https://github.com/Escape-Technologies/graphql-armor
3
https://github.com/plone/volto
3
https://github.com/vriteio/vrite
3
https://github.com/webpack/webpack-dev-server
3
https://github.com/actions/toolkit
3
https://github.com/adaltas/node-mixme
3
https://github.com/highcharts/highcharts
3
https://github.com/jarofghosts/glance
3
https://github.com/jfhbrook/node-ecstatic
3
https://github.com/jasonraimondi/url-to-png
3
https://github.com/koush/scrypted
3
https://github.com/webpack/loader-utils
3
https://github.com/clientIO/joint
3
https://github.com/libxmljs/libxmljs
3
https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable
3
https://github.com/beerpwn/CVE
3
https://github.com/postcss/postcss
3
https://github.com/nasa/openmct
3
https://github.com/socketio/socket.io-parser
3
https://github.com/mongodb/js-bson
3
https://github.com/capricorn86/happy-dom
3
https://github.com/moment/moment
3
https://github.com/node-saml/xml-crypto
3
https://github.com/fastify/fastify-multipart
3
https://github.com/agnaistic/agnai
3
https://github.com/chimurai/http-proxy-middleware
3
https://github.com/mozilla/node-convict
3
https://github.com/apollographql/federation
3
https://github.com/eladnava/mailgen
3
https://github.com/node-fetch/node-fetch
3
https://github.com/zestedesavoir/zmarkdown
3
https://github.com/hapijs/subtext
3
https://github.com/socketio/socket.io
3
https://github.com/thlorenz/browserify-shim
3
https://github.com/josdejong/mathjs
3
https://github.com/zcaceres/markdownify-mcp
3
https://github.com/ChainSafe/lodestar
3
https://github.com/nodejs/llhttp
3
https://github.com/simpleledger/slpjs
3
https://github.com/ag-grid/ag-grid
3
https://github.com/manuelstofer/json-pointer
3
https://github.com/dojo/dojox
3
https://github.com/mongo-express/mongo-express
3
https://github.com/zeit/next.js
3
https://github.com/mrvautin/expressCart
3
https://github.com/lukeed/dset
3
https://github.com/neocotic/convert-svg
3
https://github.com/mariocasciaro/object-path
3
https://github.com/vanessa219/vditor
3
https://github.com/apostrophecms/apostrophe
3
https://github.com/soketi/soketi
3
https://github.com/kujirahand/nadesiko3
3