Security Advisories in npm
| Severity | Published | Advisory | Ecosystem | Affected package(s) |
|---|---|---|---|---|
| High | 3 days ago | AgenticMail API/storage and outbound relay hardening fixes | npm | @agenticmail/core, @agenticmail/api |
| Moderate | 3 days ago | Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers | npm | parse-server |
| High | 3 days ago | NodeVM network builtin exclusions bypass via internal `_http_client` and `_http_server` | npm | vm2 |
| Critical | 3 days ago | NodeVM builtin denylist bypass via process and inspector/promises allows host code execution | npm | vm2 |
| High | 3 days ago | ExifReader is vulnerable to denial of service via crafted ICC `mluc` tag | npm | exifreader |
| Moderate | 3 days ago | ExifReader is vulnerable to denial of service via unbounded decompression of image metadata | npm | exifreader |
| Critical | 3 days ago | vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE | npm | vm2 |
| Moderate | 3 days ago | Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*` | npm | nuxt, @nuxt/nitro-server |
| High | 3 days ago | axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` | npm | axios |
| Moderate | 3 days ago | axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions | npm | axios |
| High | 3 days ago | HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint | npm | @haxtheweb/haxcms-nodejs |
| Moderate | 4 days ago | FUXA provides guest and invalid-token access to protected read APIs in secure mode | npm | fuxa-server |
| Moderate | 4 days ago | Shamefile has an arbitrary file read via shamefile.yaml in shame next | cargo, npm, pypi | shamefile |
| High | 4 days ago | FUXA's Unauthenticated Project Data Disclosure Exposes Server-Side Scripts and Device Configurations | npm | fuxa-server |
| High | 5 days ago | LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex | npm | liquidjs |
| High | 5 days ago | LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime) | npm | liquidjs |
| Moderate | 5 days ago | @hapi/wreck leaks sensitive `Proxy-Authorization` header across cross-hostname redirects | npm | @hapi/wreck |
| High | 5 days ago | @hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters | npm | @hapi/content |
| High | 5 days ago | tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape | npm | tmp |
| Moderate | 5 days ago | LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()` | npm | liquidjs |
| Moderate | 5 days ago | LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body | npm | liquidjs |
| Moderate | 5 days ago | LiquidJS's `strip_html` filter bypass via newline characters in HTML tags enables XSS | npm | liquidjs |
| High | 5 days ago | FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass | npm | fuxa-server |
| High | 5 days ago | FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue | npm | fuxa-server |
| High | 5 days ago | FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection | npm | @frangoteam/fuxa |
| High | 5 days ago | Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring | npm | @fedify/fedify |
| High | 5 days ago | yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation | npm | yeoman-environment |
| Moderate | 6 days ago | CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS | npm | cryptpad |
| Moderate | 6 days ago | Typebot.io has stored XSS via `javascript:` URI in text bubble links — bot author executes JS on visitors' browsers | npm | @typebot.io/js |
| High | 6 days ago | Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview | npm | @typebot.io/js |
| High | 9 days ago | Parse Server: Pre-authentication denial of service via client version header regex backtracking | npm | parse-server |
| High | 10 days ago | Network-AI: Unauthenticated Cross-Origin MCP Tool Invocation via Empty Default Secret | npm | network-ai |
| Critical | 10 days ago | Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host | go, npm, cargo, pypi | github.com/boxlite-ai/boxlite/sdks/go, @boxlite-ai/boxlite, boxlite, boxlite-cli |
| Critical | 10 days ago | BoxLite: Permission Bypass Allows Modification of Read-Only Files | cargo, go, npm, pypi | boxlite-cli, boxlite, github.com/boxlite-ai/boxlite/sdks/go, @boxlite-ai/boxlite |
| High | 10 days ago | @nevware21/ts-utils: Prototype Pollution in objDeepCopy/objCopyProps via for...in without hasOwnProperty | npm | @nevware21/ts-utils |
| High | 10 days ago | js-libp2p: Memory DoS via subscription flood of unique topics | npm | @libp2p/gossipsub |
| High | 11 days ago | JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection | npm | js-cookie |
| High | 11 days ago | @hulumi/policies: Stack-wide evidence bypassed Cloudflare and deployment-governance guardrails | npm | @hulumi/policies |
| Critical | 11 days ago | @hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators | npm | @hulumi/policies |
| High | 11 days ago | @hulumi/policies: CIS 1.16 admin policy bypass for inline and attached IAM policies | npm | @hulumi/policies |
| High | 11 days ago | @hulumi/drift: Orphan reconciler accepted externally supplied execute plans | npm | @hulumi/drift |
| Moderate | 11 days ago | @hulumi/baseline: CloudTrail selector tampering events were not fully detected | npm | @hulumi/baseline |
| Moderate | 11 days ago | NocoDB: Shared-base link access can invite arbitrary users as persistent base members | npm | nocodb |
| Moderate | 11 days ago | NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion | npm | nocodb |
| Moderate | 11 days ago | NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags | npm | nocodb |
| Low | 11 days ago | NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation | npm | nocodb |
| Moderate | 11 days ago | NocoDB: SSRF Protection Bypass in Notification Webhook Plugins (Slack, Discord, Mattermost, Teams) | npm | nocodb |
| Moderate | 11 days ago | NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL | npm | nocodb |
| High | 11 days ago | MCP Server Kubernetes: Tool Access Control Bypass via Presentation-Layer Filtering Without Execution-Layer Enforcement | npm | mcp-server-kubernetes |
| High | 11 days ago | md-fileserver: Stored/Reflected XSS when viewing Markdown (raw HTML allowed) | npm | md-fileserver |
| High | 11 days ago | samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions | npm | samlify |
| Moderate | 12 days ago | Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows | npm | flowise |
| Moderate | 12 days ago | Flowise: Hardcoded CORS wildcard on TTS endpoint enables cross-origin credential abuse from any webpage | npm | flowise |
| Critical | 12 days ago | Supply chain compromise via malicious package versions (@cap-js/sqlite, @cap-js/postgres, @cap-js/db-service) | npm | @cap-js/db-service, @cap-js/postgres, @cap-js/sqlite |
| Critical | 13 days ago | Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm | npm | @beproduct/nestjs-auth |
| High | 13 days ago | @libp2p/kad-dht: Unvalidated `PUT_VALUE` records allow unbounded disk exhaustion on DHT server nodes | npm | @libp2p/kad-dht |
| High | 13 days ago | PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE | npm | @penpot/mcp |
| Moderate | 13 days ago | HAX CMS: Denial of Service using Malicious Import Request | npm | @haxtheweb/haxcms-nodejs |
| Low | 13 days ago | Turbo: Unexpected local code execution during Yarn Berry detection | npm | @turbo/workspaces, @turbo/codemod, turbo |
| Critical | 13 days ago | 9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes | npm | 9router |
| Moderate | 13 days ago | Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching | npm | @apify/actors-mcp-server |
| Moderate | 13 days ago | Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour | npm | @budibase/backend-core |
| Moderate | 13 days ago | protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion | npm | protobufjs |
| Moderate | 13 days ago | Nuxt: Dev server exposes built source over LAN to malicious sites (incomplete fix for GHSA-4gf7-ff8x-hq99) | npm | @nuxt/webpack-builder, @nuxt/rspack-builder |
| High | 13 days ago | auth-fetch-mcp: SSRF and disk exfiltration via unvalidated `auth_fetch` and `download_media` URLs | npm | auth-fetch-mcp |
| High | 13 days ago | HAXcms: Mass Token Exfiltration and Cross-Tenant Hijack | npm | @haxtheweb/haxcms-nodejs |
| High | 13 days ago | Stored XSS via `<iframe>` in HAX CMS allows access to sensitive client-side data and account takeover | npm | @haxtheweb/iframe-loader, @haxtheweb/video-player, @haxtheweb/haxcms-nodejs |
| Critical | 13 days ago | HAXcms: Private Key Disclosure via Broken HMAC Implementation | npm | @haxtheweb/haxcms-nodejs |
| High | 13 days ago | HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis | npm | @haxtheweb/open-apis |
| Moderate | 13 days ago | HAX CMS: Stored XSS via `<video-player>` component allows arbitrary JavaScript execution and token theft | npm | @haxtheweb/video-player, @haxtheweb/haxcms-nodejs |
| Moderate | 14 days ago | Summarize's hover summary feature allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links | npm | @steipete/summarize |