
npm
5,162,107 packages · npmjs.org
Security Advisories in npm
Each entry below lists: severity · published · advisory title · ecosystem(s) · affected package(s).

Moderate · about 1 month ago · AiondaDotCom mcp-ssh command injection vulnerability in SSH operations · npm · @aiondadotcom/mcp-ssh
Moderate · about 1 month ago · Payload's SQLite adapter Session Fixation vulnerability · npm · @payloadcms/graphql, @payloadcms/next, payload
Moderate · about 1 month ago · Payload does not invalidate JWTs after log out · npm · @payloadcms/graphql, @payloadcms/next, payload
High · about 1 month ago · Volto affected by possible DoS by invoking specific URL by anonymous user · npm · @plone/volto
Critical · about 1 month ago · Malicious versions of Nx were published · npm · @nx/workspace, @nx/js, @nx/devkit, @nx/node, nx, @nx/eslint, @nx/enterprise-cloud, @nx/key
Moderate · about 1 month ago · GraphQL Armor Max-Depth Plugin Bypass via fragment caching · npm · @escape.tech/graphql-armor-max-depth
Moderate · about 1 month ago · GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation · npm · @escape.tech/graphql-armor-max-depth
Moderate · about 1 month ago · request-filtering-agent SSRF Bypass via HTTPS Requests to 127.0.0.1 · npm · request-filtering-agent
Moderate · about 1 month ago · Liferay Portal Reflected XSS in CKeditor 4.21.0 endpoint · npm, maven · liferay-ckeditor, com.liferay:com.liferay.frontend.js.dependencies.web, com.liferay:com.liferay.frontend.editor.ckeditor.web
High · about 1 month ago · @musistudio/claude-code-router has improper CORS configuration · npm · @musistudio/claude-code-router
Moderate · about 1 month ago · vite-plugin-static-copy files not included in `src` are possible to access with a crafted request · npm · vite-plugin-static-copy
Critical · about 1 month ago · sha.js is missing type checks leading to hash rewind and passing on crafted data · npm · sha.js
Critical · about 1 month ago · cipher-base is missing type checks, leading to hash rewind and passing on crafted data · npm · cipher-base
High · about 1 month ago · x402 SDK vulnerable in outdated versions in resource servers for builders · npm · x402-hono, x402-express, x402-next, x402
Moderate · about 1 month ago · n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files · npm · n8n
Critical · about 1 month ago · Directus allows unauthenticated file upload and file modification due to lacking input sanitization · npm · @directus/api, directus
Critical · about 1 month ago · screenshot-desktop vulnerable to command injection via `format` option · npm · screenshot-desktop
Moderate · about 1 month ago · Mermaid improperly sanitizes sequence diagram labels leading to XSS · npm · mermaid
Moderate · about 1 month ago · Mermaid does not properly sanitize architecture diagram iconText leading to XSS · npm · mermaid
Moderate · about 1 month ago · Astro allows unauthorized third-party images in _image endpoint · npm · astro, @astrojs/node
High · about 1 month ago · Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source · npm · n8n
High · about 2 months ago · Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code · npm · @anthropic-ai/claude-code
Moderate · about 2 months ago · ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js · npm · express-gateway
Moderate · about 2 months ago · ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js · npm · express-gateway
Low · about 2 months ago · Template Secret leakage in logs in Scaffolder when using `fetch:template` · npm · @backstage/plugin-scaffolder-backend
Moderate · about 2 months ago · @astrojs/node's trailing slash handling causes open redirect issue · npm · @astrojs/node
High · about 2 months ago · content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE · npm · content-security-policy-parser
Moderate · about 2 months ago · Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers · npm · @oakserver/oak
Low · about 2 months ago · HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit · npm · hfs
High · about 2 months ago · The AuthKit Remix Library renders sensitive auth data in HTML · npm · @workos-inc/authkit-remix
High · about 2 months ago · The AuthKit React Router Library rendered sensitive auth data in HTML · npm · @workos-inc/authkit-react-router
High · about 2 months ago · @fedify/fedify has Improper Authentication and Incorrect Authorization · npm · @fedify/fedify
Moderate · about 2 months ago · Astro's duplicate trailing slash feature leads to an open redirection security issue · npm · astro
Moderate · about 2 months ago · The Thinbus Javascript Secure Remote Password (SRP) Client Generates Fewer Bits of Entropy Than Intended · npm · thinbus-srp
Low · about 2 months ago · tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter · npm · tmp
High · about 2 months ago · mcp-package-docs vulnerable to command injection in several tools · npm · mcp-package-docs
High · about 2 months ago · Claude Code echo command allowed bypass of user approval prompt for command execution · npm · @anthropic-ai/claude-code
High · about 2 months ago · Claude Code Research Preview has a Path Restriction Bypass which could allow unauthorized file access · npm · @anthropic-ai/claude-code
Critical · 2 months ago · @nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers · npm · @nestjs/devtools-integration
High · 2 months ago · @nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE · npm · @nyariv/sandboxjs
High · 2 months ago · ssrfcheck has Incomplete IP Address Deny List that leads to Server-Side Request Forgery Vulnerability · npm · ssrfcheck
High · 2 months ago · HAX CMS API Lacks Authorization Checks · packagist, npm · elmsln/haxcms, @haxtheweb/haxcms-nodejs
Moderate · 2 months ago · HAX CMS application pages vulnerable to clickjacking · packagist, npm · elmsln/haxcms, @haxtheweb/haxcms-nodejs
High · 2 months ago · NodeJS version of the HAX CMS application is distributed with Default Secrets · npm · @haxtheweb/haxcms-nodejs
High · 2 months ago · HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service · npm · @haxtheweb/haxcms-nodejs
High · 2 months ago · NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting · npm · @haxtheweb/haxcms-nodejs
Critical · 2 months ago · NodeJS version of HAX CMS Has Insecure Default Configuration That Leads to Unauthenticated Access · npm · @haxtheweb/haxcms-nodejs
Critical · 2 months ago · form-data uses unsafe random function in form-data for choosing boundary · npm · form-data
High · 2 months ago · Alchemy Non-SMA and Webauthn Account Security Advisory · npm · @account-kit/smart-contracts
High · 2 months ago · @translated/lara-mcp vulnerable to command injection in import_tmx tool · npm · @translated/lara-mcp
High · 2 months ago · Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering · npm · @nuxtjs/mdc
High · 3 months ago · eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code · npm · napi-postinstall, @pkgr/core, synckit, eslint-plugin-prettier, eslint-config-prettier
Low · 3 months ago · @eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser · npm · @eslint/plugin-kit
Moderate · 3 months ago · OpenZeppelin Contracts Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffers · npm · @openzeppelin/contracts-upgradeable, @openzeppelin/contracts
High · 3 months ago · Multer vulnerable to Denial of Service via unhandled exception from malformed request · npm · multer
Moderate · 3 months ago · DiracX-Web is vulnerable to attack through an Open Redirect on its login page · npm · @dirac-grid/diracx-web-components
Moderate · 3 months ago · vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes · npm · petite-vue-i18n, @intlify/vue-i18n-core, @intlify/core-base, @intlify/core, vue-i18n
High · 3 months ago · GitHub Kanban MCP Server vulnerable to Command Injection · npm · @sunwood-ai-labs/github-kanban-mcp-server
Moderate · 3 months ago · Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows · npm · directus
Moderate · 3 months ago · Directus tokens are not redacted in flow logs, exposing session credentials to all admin · npm · directus
Moderate · 3 months ago · Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged · npm · directus
Moderate · 3 months ago · @pdfme/common vulnerable to XSS and Prototype Pollution through its expression evaluation · npm · @pdfme/common
Critical · 3 months ago · docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token · npm · docusaurus-plugin-content-gists
Critical · 3 months ago · Qwik's unhandled exception vulnerability can cause server crashes from malicious requests · npm · @builder.io/qwik-city
High · 3 months ago · @clerk/backend Performs Insufficient Verification of Data Authenticity · npm · @clerk/tanstack-react-start, @clerk/remix, @clerk/react-router, @clerk/nuxt, @clerk/nextjs, @clerk/fastify, @clerk/express, @clerk/astro, @clerk/backend
Critical · 3 months ago · mcp-remote exposed to OS command injection via untrusted MCP server connections · npm · mcp-remote
High · 3 months ago · MCP Server Kubernetes vulnerable to command injection in several tools · npm · mcp-server-kubernetes
Moderate · 3 months ago · Cloudflare Vite plugin exposes secrets over the built-in dev server · npm · @cloudflare/vite-plugin
High · 3 months ago · Node.js Sandbox MCP Server vulnerability can lead to Sandbox Escape via Command Injection · npm · node-code-sandbox-mcp
Low · 3 months ago · Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes · npm · better-auth
Low · 3 months ago · Next.js has a Cache poisoning vulnerability due to omission of the Vary header · npm · next
Moderate · 3 months ago · n8n is vulnerable to Improper Authorization through its `/stop` endpoint · npm · n8n
Moderate · 3 months ago · tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript · npm · tarteaucitronjs