npm
5,203,566 packages · npmjs.org
High Security Advisories in npm
High · 5 days ago · TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update · npm: typeorm
High · 6 days ago · Astro's bypass of image proxy domain validation leads to SSRF and potential XSS · npm: astro
High · 11 days ago · Kottster app reinitialization can be re-triggered allowing command injection in development mode · npm: @kottster/server
High · 18 days ago · Strapi Allows Unauthorized Access to Private Fields via parms.lookup · npm: @strapi/core
High · 18 days ago · `sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` · npm: sveltekit-superforms
High · 19 days ago · Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages · npm: flowise
High · 20 days ago · Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate · npm: playwright
High · 23 days ago · Flowise is vulnerable to arbitrary file exposure through its ReadFileTool · npm: flowise-components, flowise
High · 25 days ago · n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host · npm: n8n, n8n-nodes-base
High · 27 days ago · pdfmake is vulnerable to Throttling via repeatedly redirecting URL in file embedding · npm: pdfmake
High · about 1 month ago · Claude Code can execute commands prior to the startup trust dialog · npm: @anthropic-ai/claude-code
High · about 1 month ago · @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user · npm: @plone/volto
High · about 1 month ago · Finance.js vulnerable to DoS via the IRR function’s depth parameter · npm: financejs
High · about 1 month ago · figma-developer-mcp vulnerable to command injection in get_figma_data tool · npm: figma-developer-mcp
High · about 1 month ago · @nubosoftware/node-static failure to catch exception can result in server crash · npm: @nubosoftware/node-static
High · about 1 month ago · Apollo Embedded Sandbox and Explorer vulnerable to CSRF via window.postMessage origin-validation bypass · npm: @apollo/explorer, @apollo/sandbox
High · about 1 month ago · Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions · npm: @anthropic-ai/claude-code
High · about 1 month ago · tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball · npm: tar-fs
High · about 1 month ago · Mesh Connect JS SDK Vulnerable to Cross Site Scripting via createLink.openLink · npm: @meshconnect/web-link-sdk
High · about 1 month ago · Codex has sandbox bypass due to bug in path configuration logic · npm: @openai/codex
High · about 2 months ago · @executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode · npm: @executeautomation/database-server
High · about 2 months ago · is-arrayish@0.3.3 contains malware after npm account takeover · npm: is-arrayish
High · about 2 months ago · color-convert@3.1.1 contains malware after npm account takeover · npm: color-convert
High · about 2 months ago · color-string@2.1.1 contains malware after npm account takeover · npm: color-string
High · about 2 months ago · simple-swizzle@0.2.3 contains malware after npm account takeover · npm: simple-swizzle
High · about 2 months ago · FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability · npm: flowise
High · about 2 months ago · Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage · npm: @nguniversal/common, @angular/ssr, @angular/platform-server
High · about 2 months ago · Claude Code vulnerable to arbitrary code execution caused by maliciously configured git email · npm: @anthropic-ai/claude-code
High · about 2 months ago · Webrecorder packages are vulnerable to XSS through 404 error handling logic · npm: @webrecorder/archivewebpage, replaywebpage, @webrecorder/wabac
High · about 2 months ago · Claude Code rg vulnerability does not protect against approval prompt bypass · npm: @anthropic-ai/claude-code
High · about 2 months ago · Cattown is Vulnerable to Uncontrolled Resource Consumption through Inefficient Regular Expression Complexity · npm: cattown
High · about 2 months ago · DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware · npm: @duckdb/duckdb-wasm, @duckdb/node-bindings, @duckdb/node-api, duckdb
High · about 2 months ago · MCP Inspector is Vulnerable to Potential Command Execution via XSS When Connecting to an Untrusted MCP Server · npm: @modelcontextprotocol/inspector
High · about 2 months ago · N8N's Chat Trigger component is vulnerable to XSS · npm: @n8n/n8n-nodes-langchain
High · about 2 months ago · Server-Side Request Forgery via /_image endpoint in Astro Cloudflare adapter · npm: @astrojs/cloudflare
High · 2 months ago · Claude Code Vulnerable to Arbitrary Code Execution Due to Insufficient Startup Warning · npm: @anthropic-ai/claude-code
High · 2 months ago · mcp-markdownify-server vulnerable to command injection in pptx-to-markdown tool · npm: mcp-markdownify-server
High · 2 months ago · Volto affected by possible DoS by invoking specific URL by anonymous user · npm: @plone/volto
High · 2 months ago · @musistudio/claude-code-router has improper CORS configuration · npm: @musistudio/claude-code-router
High · 2 months ago · x402 SDK vulnerable in outdated versions in resource servers for builders · npm: x402-hono, x402-express, x402-next, x402
High · 3 months ago · Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source · npm: n8n
High · 3 months ago · Claude Code's Permissive Default Allowlist Enables Unauthorized File Read and Network Exfiltration in Claude Code · npm: @anthropic-ai/claude-code
High · 3 months ago · content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE · npm: content-security-policy-parser
High · 3 months ago · The AuthKit Remix Library renders sensitive auth data in HTML · npm: @workos-inc/authkit-remix
High · 3 months ago · The AuthKit React Router Library rendered sensitive auth data in HTML · npm: @workos-inc/authkit-react-router
High · 3 months ago · @fedify/fedify has Improper Authentication and Incorrect Authorization · npm: @fedify/fedify
High · 3 months ago · mcp-package-docs vulnerable to command injection in several tools · npm: mcp-package-docs
High · 3 months ago · Claude Code echo command allowed bypass of user approval prompt for command execution · npm: @anthropic-ai/claude-code
High · 3 months ago · Claude Code Research Preview has a Path Restriction Bypass which could allow unauthorized file access · npm: @anthropic-ai/claude-code
High · 3 months ago · @nyariv/sandboxjs has Prototype Pollution vulnerability that may lead to RCE · npm: @nyariv/sandboxjs
High · 3 months ago · ssrfcheck has Incomplete IP Address Deny List that leads to Server-Side Request Forgery Vulnerability · npm: ssrfcheck
High · 3 months ago · HAX CMS API Lacks Authorization Checks · packagist, npm: elmsln/haxcms, @haxtheweb/haxcms-nodejs
High · 3 months ago · NodeJS version of the HAX CMS application is distributed with Default Secrets · npm: @haxtheweb/haxcms-nodejs
High · 3 months ago · HAX CMS NodeJS Application Has Improper Error Handling That Leads to Denial of Service · npm: @haxtheweb/haxcms-nodejs
High · 3 months ago · NodeJS version of HAX CMS Has Disabled Content Security Policy That Enables Cross-Site Scripting · npm: @haxtheweb/haxcms-nodejs
High · 3 months ago · Alchemy Non-SMA and Webauthn Account Security Advisory · npm: @account-kit/smart-contracts
High · 3 months ago · @translated/lara-mcp vulnerable to command injection in import_tmx tool · npm: @translated/lara-mcp
High · 4 months ago · Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering · npm: @nuxtjs/mdc
High · 4 months ago · eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code · npm: got-fetch, napi-postinstall, @pkgr/core, synckit, eslint-plugin-prettier, eslint-config-prettier
High · 4 months ago · Multer vulnerable to Denial of Service via unhandled exception from malformed request · npm: multer
High · 4 months ago · GitHub Kanban MCP Server vulnerable to Command Injection · npm: @sunwood-ai-labs/github-kanban-mcp-server
High · 4 months ago · @clerk/backend Performs Insufficient Verification of Data Authenticity · npm: @clerk/tanstack-react-start, @clerk/remix, @clerk/react-router, @clerk/nuxt, @clerk/nextjs, @clerk/fastify, @clerk/express, @clerk/astro, @clerk/backend
High · 4 months ago · MCP Server Kubernetes vulnerable to command injection in several tools · npm: mcp-server-kubernetes
High · 4 months ago · Node.js Sandbox MCP Server vulnerability can lead to Sandbox Escape via Command Injection · npm: node-code-sandbox-mcp
High · 4 months ago · @modelcontextprotocol/server-filesystem vulnerability allows for path validation bypass via colliding path prefix · npm: @modelcontextprotocol/server-filesystem
High · 4 months ago · @modelcontextprotocol/server-filesystem allows for path validation bypass via prefix matching and symlink handling · npm: @modelcontextprotocol/server-filesystem
High · 4 months ago · @cyanheads/git-mcp-server vulnerable to command injection in several tools · npm: @cyanheads/git-mcp-server
High · 4 months ago · tiny-secp256k1 allows for verify() bypass when running in bundled environment · npm: tiny-secp256k1
Filter by Package (advisory count)
parse-server · 16
electron · 12
flowise · 12
directus · 11
next · 11
@anthropic-ai/claude-code · 9
strapi · 7
@strapi/strapi · 7
tar · 7
matrix-js-sdk · 6
express-cart · 6
@openzeppelin/contracts · 6
sequelize · 6
handlebars · 6
npm · 6
serve · 5
ua-parser-js · 5
@haxtheweb/haxcms-nodejs · 5
systeminformation · 5
axios · 5
@openzeppelin/contracts-upgradeable · 5
n8n · 5
@finos/git-proxy · 4
auth0-js · 4
generator-jhipster · 4
nocodb · 4
ckeditor4 · 4
yarn · 4
muhammara · 4
total.js · 4
multer · 4
marked · 4
@apollo/gateway · 4
openpgp · 4
tar-fs · 4
hapi · 4
qs · 4
matrix-react-sdk · 4
shescape · 4
@strapi/plugin-users-permissions · 4
prismjs · 4
mermaid · 3
open-webui · 3
ghost · 3
highcharts · 3
simple-git · 3
@commercial/subtext · 3
keystone · 3
socket.io-file · 3
aws-iot-device-sdk-v2 · 3
ids-enterprise · 3
localhost-now · 3
jsrsasign · 3
fastify · 3
rendertron · 3
hermes-engine · 3
ws · 3
next-auth · 3
steal · 3
awsiotsdk · 3
vite · 3
node-forge · 3
software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk · 3
@uppy/companion · 3
passport-wsfed-saml2 · 3
@sveltejs/kit · 3
node-opcua · 3
remarkable · 3
@backstage/plugin-scaffolder-backend · 3
convert-svg-core · 3
ecstatic · 3
jspdf · 3
moment · 3
open-webui · 3
meshcentral · 3
devcert · 2
@theia/mini-browser · 2
nodebb · 2
matrix-appservice-irc · 2
tiny-secp256k1 · 2
financejs · 2
@saltcorn/server · 2
@kindspells/astro-shield · 2
node-saml · 2
sqlite3 · 2
is-svg · 2
hoek · 2
mcstatic · 2
mout · 2
css-what · 2
xlsx · 2
glob-parent · 2
lodash.mergewith · 2
dompurify · 2
squirrelly · 2
grunt · 2
mqtt-packet · 2
semver · 2
undici · 2
debug · 2
fs-git · 2
@tinacms/cli · 2
node-jose · 2
fuxa-server · 2
lodash.merge · 2
code-server · 2
buttle · 2
hummus · 2
@directus/api · 2
mixme · 2
rollup-plugin-server · 2
@nguniversal/common · 2
react-router · 2
http-proxy · 2
typeorm · 2
angular-expressions · 2
codecov · 2
sails · 2
snyk · 2
http-live-simulator · 2
decal · 2
loader-utils · 2
cached-path-relative · 2
@angular/ssr · 2
jointjs · 2
merge · 2
@discordjs/opus · 2
@cubejs-backend/api-gateway · 2
pdfjs-dist · 2
xdLocalStorage · 2
deep-get-set · 2
bmoor · 2
minimatch · 2
lodash.defaultsdeep · 2
@evershop/evershop · 2
json-ptr · 2
engine.io · 2
@nubosoftware/node-static · 2
assign-deep · 2
jquery-validation · 2
uptime-kuma · 2
loopback-connector-mongodb · 2
@frangoteam/fuxa · 2
@solana/web3.js · 2
hawk · 2
object-path · 2
dojo · 2
hono · 2
@npmcli/arborist · 2
total4 · 2
convict · 2
vp-toolkit · 2
nuxt-api-party · 2
oauth2-server · 2
@strikeentco/set · 2
detect-character-encoding · 2
erxes · 2
path-to-regexp · 2
astro · 2
@plone/volto · 2
@modelcontextprotocol/server-filesystem · 2
joplin · 2
fast-xml-parser · 2
urijs · 2
angular · 2
pnpm · 2
@auth0/nextjs-auth0 · 2
eta · 2
rsshub · 2
immer · 2
simple-markdown · 2
mongosh · 2
flowise-components · 2
@fastify/multipart · 2
mongoose · 2
content · 2
Moment.js · 2
decode-uri-component · 1
tmpl · 1
serverabc · 1
@pnpm/win-x64 · 1
http-proxy-middleware · 1
simple-get · 1
express-openid-connect · 1
@chainsafe/lodestar · 1
js-yaml · 1
git-promise · 1
tough-cookie · 1
is-user-valid · 1
underscore-keypath · 1
node-stringbuilder · 1
jqueryfiletree · 1
osm-static-maps · 1
@executeautomation/database-server · 1
fancy-server · 1
@conform-to/zod · 1
json8-merge-patch · 1
electron-pdf · 1
error-ex · 1
isolated-vm · 1
Filter by Repository (advisory count)
https://github.com/parse-community/parse-server · 16
https://github.com/electron/electron · 12
https://github.com/directus/directus · 12
https://github.com/strapi/strapi · 11
https://github.com/FlowiseAI/Flowise · 10
https://github.com/anthropics/claude-code · 9
https://github.com/vercel/next.js · 9
https://github.com/backstage/backstage · 8
https://github.com/OpenZeppelin/openzeppelin-contracts · 6
https://github.com/npm/node-tar · 6
https://github.com/matrix-org/matrix-js-sdk · 6
https://github.com/sequelize/sequelize · 6
https://github.com/sebhildebrandt/systeminformation · 5
https://github.com/BlackFan/client-side-prototype-pollution · 5
https://github.com/haxtheweb/issues · 5
https://github.com/axios/axios · 5
https://github.com/faisalman/ua-parser-js · 5
https://github.com/n8n-io/n8n · 5
https://github.com/node-opcua/node-opcua · 4
https://github.com/matrix-org/matrix-react-sdk · 4
https://github.com/saltcorn/saltcorn · 4
https://github.com/totaljs/framework · 4
https://github.com/npm/cli · 4
https://github.com/ericcornelissen/shescape · 4
https://github.com/expressjs/multer · 4
https://github.com/openpgpjs/openpgpjs · 4
https://github.com/finos/git-proxy · 4
https://github.com/jhipster/generator-jhipster · 4
https://github.com/mafintosh/tar-fs · 4
https://github.com/nocodb/nocodb · 4
https://github.com/ckeditor/ckeditor4 · 4
https://github.com/PrismJS/prism · 4
https://github.com/highcharts/highcharts · 3
https://github.com/stealjs/steal · 3
https://github.com/kjur/jsrsasign · 3
https://github.com/udecode/plate · 3
https://github.com/transloadit/uppy · 3
https://github.com/steveukx/git-js · 3
https://github.com/TryGhost/Ghost · 3
https://github.com/GoogleChrome/rendertron · 3
https://github.com/handlebars-lang/handlebars.js · 3
https://github.com/balderdashy/sails · 3
https://github.com/sveltejs/kit · 3
https://github.com/moment/moment · 3
https://github.com/vitejs/vite · 3
https://github.com/remix-run/react-router · 3
https://github.com/Marak/colors.js · 3
https://github.com/gatsbyjs/gatsby · 3
https://github.com/jonschlinkert/remarkable · 3
https://github.com/aws/aws-iot-device-sdk-java-v2 · 3
https://github.com/fastify/fastify-multipart · 3
https://github.com/npm/npm · 3
https://github.com/auth0/passport-wsfed-saml2 · 3
https://github.com/digitalbazaar/forge · 3
https://github.com/hapijs/subtext · 3
https://github.com/jfhbrook/node-ecstatic · 3
https://github.com/nextauthjs/next-auth · 3
https://github.com/fastify/fastify · 3
https://github.com/mozilla/pdf.js · 3
https://github.com/Ylianst/MeshCentral · 3
https://github.com/cure53/DOMPurify · 3
https://github.com/keystonejs/keystone · 3
https://github.com/facebook/hermes · 3
https://github.com/yarnpkg/yarn · 3
https://github.com/infor-design/enterprise-ng · 3
https://github.com/apollographql/federation · 3
https://github.com/withastro/astro · 3
https://github.com/mrvautin/expressCart · 3
https://github.com/ofirdagan/cross-domain-local-storage · 3
https://github.com/honojs/hono · 2
https://github.com/jonschlinkert/assign-deep · 2
https://github.com/jquery-validation/jquery-validation · 2
https://github.com/fb55/css-what · 2
https://github.com/vivaxy/here · 2
https://github.com/ag-grid/ag-grid · 2
https://github.com/mozilla/node-convict · 2
https://github.com/oauthjs/node-oauth2-server · 2
https://github.com/tinacms/tinacms · 2
https://github.com/modelcontextprotocol/servers · 2
https://github.com/DCKT/localhost-now · 2
https://github.com/eclipse-theia/theia · 2
https://github.com/websockets/ws · 2
https://github.com/solana-labs/solana-web3.js · 2
https://github.com/VulnSageAgent/PoCs · 2
https://github.com/NaturalIntelligence/fast-xml-parser · 2
https://github.com/clientIO/joint · 2
https://github.com/erxes/erxes · 2
https://github.com/cloudhead/node-static · 2
https://github.com/plone/volto · 2
https://github.com/DIYgod/RSSHub · 2
https://github.com/adaltas/node-mixme · 2
https://github.com/VulnSphere/LLMVulnSphere · 2
https://github.com/ebradyjobory/finance.js · 2
https://github.com/strikeentco/set · 2
https://github.com/eta-dev/eta · 2
https://github.com/markedjs/marked · 2
https://github.com/julianhille/MuhammaraJS · 2
https://github.com/hapijs/hoek · 2
https://github.com/sindresorhus/is-svg · 2
https://github.com/louislam/uptime-kuma · 2
https://github.com/npm/arborist · 2
https://github.com/dimpu/ngx-md · 2
https://github.com/johannschopplich/nuxt-api-party · 2
https://github.com/chjj/marked · 2
https://github.com/debug-js/debug · 2
https://github.com/OrangeShieldInfos/PoCs · 2
https://github.com/ariabuckles/simple-markdown · 2
https://github.com/typeorm/typeorm · 2
https://github.com/pillarjs/path-to-regexp · 2
https://github.com/lodash/lodash · 2
https://github.com/beerpwn/CVE · 2
https://github.com/418sec/json-ptr · 2
https://github.com/auth0/nextjs-auth0 · 2
https://github.com/open-webui/open-webui · 2
https://github.com/nuxt/nuxt · 2
https://github.com/immerjs/immer · 2
https://github.com/neocotic/convert-svg · 2
https://github.com/peerigon/angular-expressions · 2
https://github.com/electron-userland/electron-builder · 2
https://github.com/pnpm/pnpm · 2
https://github.com/cube-js/cube.js · 2
https://github.com/ljharb/qs · 2
https://github.com/TryGhost/node-sqlite3 · 2
https://github.com/discordjs/opus · 2
https://github.com/dojo/dojo · 2
https://github.com/apollographql/apollo-server · 2
https://github.com/ashaffer/cached-path-relative · 2
https://github.com/sonicdoe/detect-character-encoding · 2
https://github.com/evershopcommerce/evershop · 2
https://github.com/b-heilman/bmoor · 2
https://github.com/cisco/node-jose · 2
https://github.com/parallax/jsPDF · 2
https://github.com/vvakame/fs-git · 2
https://github.com/gruntjs/grunt · 2
https://github.com/matrix-org/matrix-appservice-irc · 2
https://github.com/webpack/loader-utils · 2
https://github.com/rabobank-blockchain/vp-toolkit · 2
https://github.com/mout/mout · 2
https://github.com/socketio/engine.io · 2
https://github.com/nodejs/undici · 2
https://github.com/mariocasciaro/object-path · 2
https://github.com/gigafied/decal.js · 2
https://github.com/squirrellyjs/squirrelly · 2
https://github.com/bitcoinjs/tiny-secp256k1 · 2
https://github.com/rico345100/socket.io-file · 2
https://github.com/galkahana/HummusJS · 2
https://github.com/gemini-testing/png-img · 1
https://github.com/cliftonc/calipso · 1
https://github.com/ua-parser/uap-core · 1
https://github.com/creharmony/node-etsy-client · 1
https://github.com/mde/utilities · 1
https://github.com/jonschlinkert/defaults-deep · 1
https://github.com/cdr/code-server · 1
https://github.com/libxmljs/libxmljs · 1
https://github.com/expressjs/connect-multiparty · 1
https://github.com/carlos8f/node-accesslog · 1
https://github.com/vesse/node-ldapauth-fork · 1
https://github.com/NodeBB/NodeBB · 1
https://github.com/rollup/rollup · 1
https://github.com/opensearch-project/OpenSearch-Dashboards · 1
https://github.com/fastify/session · 1
https://github.com/segmentio/is-url · 1
https://github.com/DylanPiercey/local-devices · 1
https://github.com/mercurius-js/mercurius · 1
https://github.com/curveball/a12n-server · 1
https://github.com/Prestaul/skeemas · 1
https://github.com/FixedOctocat/CVE-2024-25466 · 1
https://github.com/natelong/p4 · 1
https://github.com/JPeer264/node-git-commit-info · 1
https://github.com/dorattias/CVE-2025-26319 · 1
https://github.com/MateusTesser/CVE-2023-31718 · 1
https://github.com/uWebSockets/uWebSockets · 1
https://github.com/buefy/buefy · 1
https://github.com/Ranks/emojione · 1
https://github.com/npm/node-semver · 1
https://github.com/iden3/snarkjs · 1
https://github.com/sindresorhus/file-type · 1
https://github.com/bootstrap-tagsinput/bootstrap-tagsinput · 1
https://github.com/prisma-labs/graphql-playground · 1
https://github.com/Turistforeningen/node-im-metadata · 1
https://github.com/ionic-team/cordova-plugin-ionic-webview · 1
https://github.com/thinkjs/think-helper · 1
https://github.com/frouriojs/frourio-express · 1
https://github.com/Qix-/node-is-arrayish · 1
https://github.com/janryWang/depath · 1
https://github.com/gurgunday/ghtml · 1
https://github.com/vdemedes/secure-compare · 1
https://github.com/facebook/react-native · 1
https://github.com/leeoniya/uPlot · 1
https://github.com/mat-sz/lettersanitizer · 1
https://github.com/AlgoRythm-Dylan/httpserv · 1
https://github.com/mcollina/mosca · 1
https://github.com/stryker-mutator/stryker-js · 1
https://github.com/sammcj/mcp-package-docs · 1
https://github.com/bruno-robert/window-control · 1
https://github.com/QuorumDMS/ftp-srv · 1
https://github.com/mscdex/ssh2 · 1
https://github.com/williamkapke/bson-objectid · 1
https://github.com/phulelouch/CVEs · 1