npm
5,252,287 packages · npmjs.org
Security Advisories in npm
Severity · Published · Advisory · Ecosystem: affected packages

Moderate · 10 months ago · @octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking · npm: @octokit/request-error
Moderate · 10 months ago · @octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking · npm: @octokit/plugin-paginate-rest
Moderate · 10 months ago · @octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking · npm: @octokit/endpoint
Moderate · 10 months ago · Vega allows Cross-site Scripting via the vlSelectionTuples function · npm: vega-selections, vega
Critical · 10 months ago · Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) · npm: elliptic
High · 10 months ago · parse-duration has a Regex Denial of Service that results in event loop delay and out of memory · npm: parse-duration
Moderate · 10 months ago · esbuild enables any website to send any requests to the development server and read the response · npm: esbuild
Critical · 10 months ago · Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc · npm: @nuxtjs/mdc
High · 10 months ago · @stryker-mutator/util vulnerable to Prototype Pollution · npm: @stryker-mutator/util
High · 10 months ago · node-opcua-alarm-condition prototype pollution vulnerability · npm: node-opcua-alarm-condition
Critical · 10 months ago · Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting) · npm: better-auth
Critical · 10 months ago · Vitest allows Remote Code Execution when accessing a malicious website while Vitest API server is listening · npm: vitest
Moderate · 10 months ago · snowflake-sdk may incorrectly validate temporary credential cache file permissions · npm: snowflake-sdk
Low · 10 months ago · Potential DoS when using ContextLines integration · npm: @sentry/sveltekit, @sentry/solidstart, @sentry/remix, @sentry/nuxt, @sentry/nextjs, @sentry/nestjs, @sentry/google-cloud-serverless, @sentry/bun, @sentry/aws-serverless, @sentry/astro, @sentry/node
Moderate · 10 months ago · Opening a malicious website while running a Nuxt dev server could allow read-only access to code · npm: @nuxt/rspack-builder, @nuxt/webpack-builder
Moderate · 10 months ago · Opening a malicious website while running a Nuxt dev server could allow read-only access to code · npm: @nuxt/vite-builder
Low · 11 months ago · Directus has a DOM-Based cross-site scripting (XSS) via layout_options · npm: directus
Moderate · 11 months ago · XSS/HTML Injection Vulnerability in Umbraco Backoffice Components · npm, nuget: @umbraco-cms/backoffice, Umbraco.Cms.StaticAssets
Moderate · 11 months ago · Infinite loop and Blind SSRF found inside the Webfinger mechanism in @fedify/fedify · npm: @fedify/fedify
Moderate · 11 months ago · Websites were able to send any requests to the development server and read the response in vite · npm: vite
Low · 11 months ago · AWS Cloud Development Kit (AWS CDK) IAM OIDC custom resource allows connection to unauthorized OIDC provider · npm: aws-cdk-lib
Moderate · 11 months ago · parse-uri Regular expression Denial of Service (ReDoS) · npm: parseuri, parse-uri
Critical · 11 months ago · path-sanitizer allows bypassing the existing filters to achieve path-traversal vulnerability · npm: path-sanitizer
High · 11 months ago · Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint · npm: better-auth
Moderate · 12 months ago · Marp Core allows XSS by improper neutralization of HTML sanitization · npm: @marp-team/marp-core
High · 12 months ago · Systeminformation has command injection vulnerability in getWindowsIEEE8021x (SSID) · npm: systeminformation
Moderate · 12 months ago · uptime-kuma vulnerable to Local File Inclusion (LFI) via Improper URL Handling in `Real-Browser` monitor · npm: uptime-kuma
High · 12 months ago · Astro's server source code is exposed to the public if sourcemaps are enabled · npm: astro
Moderate · 12 months ago · Bun has an Application-level Prototype Pollution vulnerability in the runtime native API for Glo · npm: bun
Moderate · 12 months ago · pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion · npm: pnpm
Critical · 12 months ago · Angular Expressions - Remote Code Execution when using locals · npm: angular-expressions
High · 12 months ago · Directus allows unauthenticated access to WebSocket events and operations · npm: @directus/api, directus
Moderate · 12 months ago · Predictable results in nanoid generation when given non-integer values · npm: nanoid
High · about 1 year ago · Modified package published to npm, containing malware that exfiltrates private key material · npm: @solana/web3.js
Moderate · about 1 year ago · Backstage Scaffolder plugin vulnerable to Server-Side Request Forgery · npm: @backstage/plugin-scaffolder-node
Moderate · about 1 year ago · @intlify/shared Prototype Pollution vulnerability · npm: vue-i18n, @intlify/vue-i18n-core, @intlify/shared, petite-vue-i18n
Moderate · about 1 year ago · vue-i18n has cross-site scripting vulnerability with prototype pollution · npm: @intlify/vue-i18n-core, @intlify/core, vue-i18n, @intlify/core-base, petite-vue-i18n
Moderate · about 1 year ago · @dapperduckling/keycloak-connector-server has Reflected XSS Vulnerability in Authentication Flow URL Handling · npm: @dapperduckling/keycloak-connector-server
Low · about 1 year ago · @sveltejs/kit has unescaped error message included on error page · npm: @sveltejs/kit
Moderate · about 1 year ago · smol-toml has a Denial of Service via malicious TOML document using deeply nested inline tables · npm: smol-toml
Moderate · about 1 year ago · Firebase JavaScript SDK allows attackers to manipulate the "_authTokenSyncURL" to point to their own server · npm: firebase
Low · about 1 year ago · Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit · npm: @eslint/plugin-kit
Moderate · about 1 year ago · matrix-js-sdk has insufficient MXC URI validation which allows client-side path traversal · npm: matrix-js-sdk
Moderate · about 1 year ago · Froala WYSIWYG editor allows cross-site scripting (XSS) · packagist, npm: froala/wysiwyg-editor, froala-editor
Critical · about 1 year ago · happy-dom allows for server side code to be executed by a <script> tag · npm: happy-dom
Low · about 1 year ago · @workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled · npm: @workos-inc/authkit-remix
Low · about 1 year ago · @workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled · npm: @workos-inc/authkit-nextjs
High · about 1 year ago · Path traversal in oak allows transfer of hidden files within the served root directory · npm: @oakserver/oak