
npm
5,162,107 packages · npmjs.org
Moderate Security Advisories in npm
Moderate
4 days ago
algoliasearch-helper is vulnerable to Prototype Pollution in _merge()
npm
algoliasearch-helper
Moderate
5 days ago
express-xss-sanitizer has an unbounded recursion depth
npm
express-xss-sanitizer
Moderate
7 days ago
json-schema-editor-visual vulnerable to prototype pollution
npm
json-schema-editor-visual
Moderate
7 days ago
Mastra Docs MCP Server `@mastra/mcp-docs-server` Leads to Information Exposure
npm
@mastra/mcp-docs-server
Moderate
9 days ago
@conventional-changelog/git-client has Argument Injection vulnerability
npm
@conventional-changelog/git-client
Moderate
12 days ago
@digitalocean/do-markdownit has Type Confusion vulnerability
npm
@digitalocean/do-markdownit
Moderate
13 days ago
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages
npm
@lobehub/chat
Moderate
14 days ago
@sequa-ai/sequa-mcp has Command Injection vulnerability
npm
@sequa-ai/sequa-mcp
Moderate
14 days ago
Parcel has an Origin Validation Error vulnerability
npm
@parcel/reporter-dev-server
Moderate
15 days ago
matrix-js-sdk has insufficient validation when considering a room to be upgraded by another
npm
matrix-js-sdk
Moderate
16 days ago
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability
npm
hackmd-mcp
Moderate
16 days ago
Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark
npm
ghost
Moderate
16 days ago
Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter
npm
n8n
Moderate
16 days ago
MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency
npm
@metamask/sdk-communication-layer, @metamask/sdk-react, @metamask/sdk
Moderate
20 days ago
jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin
npm
jsondiffpatch
Moderate
22 days ago
Element Plus Link component (el-link) implements insufficient input validation for the href attribute
npm
element-plus
Moderate
23 days ago
SimStudioAI: A function in route.ts is vulnerable to Code Injection
npm
simstudio
Moderate
23 days ago
sanitize-html is vulnerable to XSS through incomprehensive sanitization
npm
sanitize-html
Moderate
about 1 month ago
Next.js Affected by Cache Key Confusion for Image Optimization API Routes
npm
next
Moderate
about 1 month ago
AiondaDotCom mcp-ssh command injection vulnerability in SSH operations
npm
@aiondadotcom/mcp-ssh
Moderate
about 1 month ago
Payload's SQLite adapter Session Fixation vulnerability
npm
@payloadcms/graphql, @payloadcms/next, payload
Moderate
about 1 month ago
Payload does not invalidate JWTs after log out
npm
@payloadcms/graphql, @payloadcms/next, payload
Moderate
about 1 month ago
GraphQL Armor Max-Depth Plugin Bypass via fragment caching
npm
@escape.tech/graphql-armor-max-depth
Moderate
about 1 month ago
GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation
npm
@escape.tech/graphql-armor-max-depth
Moderate
about 1 month ago
request-filtering-agent SSRF Bypass via HTTPS Requests to 127.0.0.1
npm
request-filtering-agent
Moderate
about 1 month ago
Liferay Portal Reflected XSS in CKeditor 4.21.0 endpoint
npm, maven
liferay-ckeditor, com.liferay:com.liferay.frontend.js.dependencies.web, com.liferay:com.liferay.frontend.editor.ckeditor.web
Moderate
about 1 month ago
vite-plugin-static-copy files not included in `src` are possible to access with a crafted request
npm
vite-plugin-static-copy
Moderate
about 1 month ago
n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files
npm
n8n
Moderate
about 1 month ago
Mermaid improperly sanitizes sequence diagram labels leading to XSS
npm
mermaid
Moderate
about 1 month ago
Mermaid does not properly sanitize architecture diagram iconText leading to XSS
npm
mermaid
Moderate
about 1 month ago
Astro allows unauthorized third-party images in _image endpoint
npm
astro, @astrojs/node
Moderate
about 1 month ago
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/users.js
npm
express-gateway
Moderate
about 1 month ago
ExpressGateway Cross-Site Scripting Vulnerability in lib/rest/routes/apps.js
npm
express-gateway
Moderate
about 2 months ago
@astrojs/node's trailing slash handling causes open redirect issue
npm
@astrojs/node
Moderate
about 2 months ago
Oak Server has ReDoS in x-forwarded-proto and x-forwarded-for headers
npm
@oakserver/oak
Moderate
about 2 months ago
Astro's duplicate trailing slash feature leads to an open redirection security issue
npm
astro
Moderate
about 2 months ago
The Thinbus JavaScript Secure Remote Password (SRP) Client Generates Fewer Bits of Entropy Than Intended
npm
thinbus-srp
Moderate
2 months ago
HAX CMS application pages vulnerable to clickjacking
packagist, npm
elmsln/haxcms, @haxtheweb/haxcms-nodejs
Moderate
3 months ago
OpenZeppelin Contracts Bytes's lastIndexOf function with position argument performs out-of-bound memory access on empty buffers
npm
@openzeppelin/contracts-upgradeable, @openzeppelin/contracts
Moderate
3 months ago
DiracX-Web is vulnerable to attack through an Open Redirect on its login page
npm
@dirac-grid/diracx-web-components
Moderate
3 months ago
vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes
npm
petite-vue-i18n, @intlify/vue-i18n-core, @intlify/core-base, @intlify/core, vue-i18n
Moderate
3 months ago
Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows
npm
directus
Moderate
3 months ago
Directus tokens are not redacted in flow logs, exposing session credentials to all admins
npm
directus
Moderate
3 months ago
Directus is vulnerable to sensitive data exposure as user data is not being redacted when logged
npm
directus
Moderate
3 months ago
@pdfme/common vulnerable to XSS and Prototype Pollution through its expression evaluation
npm
@pdfme/common
Moderate
3 months ago
Cloudflare Vite plugin exposes secrets over the built-in dev server
npm
@cloudflare/vite-plugin
Moderate
3 months ago
n8n is vulnerable to Improper Authorization through its `/stop` endpoint
npm
n8n
Moderate
3 months ago
tarteaucitron.js vulnerable to DOM Clobbering via document.currentScript
npm
tarteaucitronjs
Moderate
3 months ago
n8n Vulnerable to Denial of Service via Malformed Binary Data Requests
npm
n8n
Moderate
3 months ago
iOS Simulator MCP Command Injection allowed via exec API
npm
ios-simulator-mcp
Moderate
4 months ago
OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer
npm
@openlist-frontend/openlist-frontend
Moderate
4 months ago
taro-css-to-react-native Regular Expression Denial of Service vulnerability
npm
taro-css-to-react-native
Moderate
4 months ago
@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability
npm
@vue/cli-plugin-pwa
Moderate
4 months ago
@haxtheweb/haxcms-nodejs Iframe Phishing vulnerability
npm
@haxtheweb/haxcms-nodejs
Moderate
4 months ago
Unauthenticated Disclosure of PSU HAX CMS Site Listings via haxPsuUsage API Endpoint
npm
@haxtheweb/open-apis
Moderate
4 months ago
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
npm
webpack-dev-server
Moderate
4 months ago
webpack-dev-server users' source code may be stolen when they access a malicious web site
npm
webpack-dev-server
Moderate
4 months ago
AngularJS Incomplete Filtering of Special Elements vulnerability
npm
angular-sanitize
Moderate
4 months ago
Markdownify MCP Server allows attackers to read arbitrary files
npm
mcp-markdownify-server
Moderate
4 months ago
Markdownify MCP Server allows Server-Side Request Forgery (SSRF) via the Markdownify.get() function
npm
mcp-markdownify-server
Moderate
4 months ago
Strapi allows Server-Side Request Forgery in Webhook function
npm
@strapi/admin
Moderate
4 months ago
radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
npm
radashi
Moderate
5 months ago
lockfile-lint-api Vulnerable to Incorrect Behavior Order
npm
lockfile-lint-api
Moderate
5 months ago
Bootstrap Vulnerable to Cross-Site Scripting in its Popover and Tooltip Components
npm
bootstrap
Moderate
5 months ago
Bootstrap Multiselect Vulnerable to CSRF and Reflective XSS via Arbitrary POST Data
npm
bootstrap-multiselect
Moderate
5 months ago
@lumieducation/h5p-server Fails to Sanitize Plain Text Strings
npm
@lumieducation/h5p-server
Moderate
5 months ago
@misskey-dev/summaly allows IP Filter Bypass via Redirect
npm
@misskey-dev/summaly
Moderate
5 months ago
@cloudflare/workers-oauth-provider PKCE bypass via downgrade attack
npm
@cloudflare/workers-oauth-provider
Moderate
5 months ago
@cloudflare/workers-oauth-provider missing validation of redirect_uri on authorize endpoint
npm
@cloudflare/workers-oauth-provider
Moderate
5 months ago
@account-kit/smart-contracts Allowlist Module Bypass Vulnerability
npm
@account-kit/smart-contracts
Moderate
5 months ago
GraphQL Armor Cost-Limit Plugin Bypass via Introspection Query Obfuscation
npm
@escape.tech/graphql-armor-cost-limit
Moderate
5 months ago
pnpm's md5 path-shortening function causes package paths to coincide, which causes indirect package overwriting
npm
pnpm
Filter by Package
directus
23
tinymce
14
next
12
tinymce/tinymce
11
ghost
11
TinyMCE
11
@openzeppelin/contracts-upgradeable
11
@openzeppelin/contracts
11
vite
10
ckeditor4
10
joplin
10
electron
10
bootstrap
10
swagger-ui
9
angular
9
parse-server
8
editor.md
8
n8n
7
nodebb
7
nocodb
7
validator
7
marked
7
sanitize-html
7
snyk-broker
6
matrix-js-sdk
6
vega
6
uptime-kuma
6
url-parse
6
flowise
6
undici
6
urijs
6
tarteaucitronjs
5
katex
5
vditor
5
@lobehub/chat
5
matrix-appservice-irc
5
@evershop/evershop
5
jquery-ui
4
matrix-react-sdk
4
froala-editor
4
mermaid
4
dompurify
4
rsshub
4
serve
4
vega-functions
4
yui
4
jQuery.UI.Combined
4
org.webjars.npm:jquery-ui
4
trix
4
glance
4
@directus/api
4
astro
4
bootstrap
4
hono
4
jquery
4
materialize-css
4
moodle/moodle
3
express
3
@jmondi/url-to-png
3
follow-redirects
3
org.webjars.npm:jquery
3
dojo
3
xlsx
3
jose-node-cjs-runtime
3
mattermost-desktop
3
m-server
3
systeminformation
3
jose-node-esm-runtime
3
@materializecss/materialize
3
@saltcorn/server
3
next-auth
3
yapi-vendor
3
parse-url
3
public
3
vue-i18n
3
@intlify/vue-i18n-core
3
strapi
3
valine
3
jquery-ui-rails
3
apollo-server-core
3
twbs/bootstrap
3
mysql
3
layui
3
postcss
3
petite-vue-i18n
3
jQuery
3
hapi
3
bootstrap-sass
3
statics-server
3
jose
3
renovate
3
lodash
3
sequelize
3
@backstage/techdocs-common
3
docsify
3
jodit
2
erxes
2
uap-core
2
jellyfin-web
2
@escape.tech/graphql-armor-max-depth
2
mapbox.js
2
http-file-server
2
json-pointer
2
jsonwebtoken
2
serialize-javascript
2
@strapi/strapi
2
@openc3/tool-common
2
bootstrap
2
mxgraph
2
status-board
2
parse
2
node-forge
2
saml2-js
2
element-plus
2
connect
2
notevil
2
bl
2
harp
2
simditor
2
nunjucks
2
bootbox
2
webpack-dev-server
2
@vrite/sdk
2
bodymen
2
express-gateway
2
lodash-rails
2
karma
2
@astrojs/node
2
node-red-dashboard
2
@intlify/core
2
nodemailer
2
@strapi/utils
2
google-closure-library
2
@intlify/core-base
2
querymen
2
simple-markdown
2
openc3
2
converse.js
2
@excalidraw/excalidraw
2
http-proxy-middleware
2
@strapi/plugin-content-manager
2
mcp-markdownify-server
2
lodash-es
2
@auth0/nextjs-auth0
2
aws-cdk
2
jspdf
2
Umbraco.Cms.StaticAssets
2
pnpm
2
mongo-express
2
wrangler
2
@builder.io/qwik
2
tough-cookie
2
apollo-server
2
matrix-appservice-bridge
2
jsrsasign
2
fastify
2
@finastra/nestjs-proxy
2
mysql2
2
simplehttpserver
2
keystone
2
summernote
2
aws-cdk-lib
2
fast-jwt
2
@adobe/css-tools
2
reveal.js
2
request
2
sockjs
2
nanoid
2
engine.io
2
svelte
2
pug
2
jose-browser-runtime
2
jsoneditor
2
i18next
2
html-janitor
2
@payloadcms/graphql
2
gitbook
2
payload
2
xmldom
2
auth0-lock
2
openmct
2
socket.io
2
jszip
2
handlebars
2
@strapi/admin
2
node-sass
2
express-xss-sanitizer
2
@fedify/fedify
2
swagger-ui-dist
2
ggit
2
openpgp
2
keycloak-connect
2
axios
2
psitransfer
2
@ckeditor/ckeditor5-markdown-gfm
2
@haxtheweb/haxcms-nodejs
2
org.webjars:bootstrap
2
@directus/storage-driver-s3
2
@braintree/sanitize-url
2
apostrophe
2
Filter by Repository
https://github.com/directus/directus
24
https://github.com/tinymce/tinymce
14
https://github.com/electron/electron
11
https://github.com/strapi/strapi
11
https://github.com/OpenZeppelin/openzeppelin-contracts
11
https://github.com/TryGhost/Ghost
10
https://github.com/ckeditor/ckeditor4
10
https://github.com/laurent22/joplin
10
https://github.com/vitejs/vite
10
https://github.com/backstage/backstage
10
https://github.com/vercel/next.js
10
https://github.com/parse-community/parse-server
8
https://github.com/swagger-api/swagger-ui
8
https://github.com/pandao/editor.md
8
https://github.com/n8n-io/n8n
7
https://github.com/nocodb/nocodb
7
https://github.com/vega/vega
7
https://github.com/panva/jose
6
https://github.com/louislam/uptime-kuma
6
https://github.com/jquery/jquery
6
https://github.com/nodejs/undici
6
https://github.com/twbs/bootstrap
6
https://github.com/matrix-org/matrix-js-sdk
6
https://github.com/FlowiseAI/Flowise
6
https://github.com/NodeBB/NodeBB
6
https://github.com/apostrophecms/sanitize-html
5
https://github.com/ckeditor/ckeditor5
5
https://github.com/KaTeX/KaTeX
5
https://github.com/evershopcommerce/evershop
5
https://github.com/unshiftio/url-parse
5
https://github.com/lobehub/lobe-chat
5
https://github.com/matrix-org/matrix-appservice-irc
5
https://github.com/withastro/astro
5
https://github.com/honojs/hono
4
https://github.com/apollographql/apollo-server
4
https://github.com/Dogfalo/materialize
4
https://github.com/basecamp/trix
4
https://github.com/mermaid-js/mermaid
4
https://github.com/AmauriC/tarteaucitron.js
4
https://github.com/markedjs/marked
4
https://github.com/nextauthjs/next-auth
4
https://github.com/DIYgod/RSSHub
4
https://github.com/keystonejs/keystone
4
https://github.com/aws/aws-cdk
4
https://github.com/matrix-org/matrix-react-sdk
4
https://github.com/lodash/lodash
3
https://github.com/intlify/vue-i18n
3
https://github.com/YMFE/yapi
3
https://github.com/jasonraimondi/url-to-png
3
https://github.com/medialize/URI.js
3
https://github.com/saltcorn/saltcorn
3
https://github.com/angular/angular.js
3
https://github.com/ionicabizau/parse-url
3
https://github.com/sequelize/sequelize
3
https://github.com/xCss/Valine
3
https://github.com/jarofghosts/glance
3
https://github.com/cloudflare/workers-sdk
3
https://github.com/haxtheweb/issues
3
https://github.com/postcss/postcss
3
https://github.com/sebhildebrandt/systeminformation
3
https://github.com/renovatebot/renovate
3
https://github.com/Escape-Technologies/graphql-armor
3
https://github.com/hapijs/hapi
3
https://github.com/cure53/DOMPurify
3
https://github.com/docsifyjs/docsify
3
https://github.com/jquery/jquery-ui
3
https://github.com/eclipse-theia/theia
3
https://github.com/follow-redirects/follow-redirects
3
https://github.com/nuxt/nuxt
3
https://github.com/medialize/uri.js
3
https://github.com/vanessa219/vditor
3
https://github.com/cloudflare/workers-oauth-provider
2
https://github.com/auth0/nextjs-auth0
2
https://github.com/Urigo/graphql-mesh
2
https://github.com/vriteio/vrite
2
https://github.com/givanz/VvvebJs
2
https://github.com/fastify/fastify
2
https://github.com/chocobozzz/peertube
2
https://github.com/froala/wysiwyg-editor
2
https://github.com/request/request
2
https://github.com/Vanessa219/vditor
2
https://github.com/zeit/next.js
2
https://github.com/GoogleChrome/rendertron
2
https://github.com/dahlia/fedify
2
https://github.com/sass/node-sass
2
https://github.com/facebook/react
2
https://github.com/webpack/webpack-dev-server
2
https://github.com/yahoo/serialize-javascript
2
https://github.com/openpgpjs/openpgpjs
2
https://github.com/rvagg/bl
2
https://github.com/vendure-ecommerce/vendure
2
https://github.com/getsentry/sentry-javascript
2
https://github.com/mozilla/nunjucks
2
https://github.com/sidorares/node-mysql2
2
https://github.com/quilljs/quill
2
https://github.com/digitalbazaar/forge
2
https://github.com/gatsbyjs/gatsby
2
https://github.com/caolan/forms
2
https://github.com/mde/ejs
2
https://github.com/auth0/lock
2
https://github.com/Stuk/jszip
2
https://github.com/apostrophecms/apostrophe
2
https://github.com/mysqljs/mysql
2
https://github.com/VulnSageAgent/PoCs
2
https://github.com/manuelstofer/json-pointer
2
https://github.com/moxiecode/plupload
2
https://github.com/zcaceres/markdownify-mcp
2
https://github.com/highlightjs/highlight.js
2
https://github.com/socketio/engine.io
2
https://github.com/nodemailer/nodemailer
2
https://github.com/Khan/simple-markdown
2
https://github.com/punkave/sanitize-html
2
https://github.com/josdejong/jsoneditor
2
https://github.com/i18next/i18next
2
https://github.com/firebase/firebase-js-sdk
2
https://github.com/socketio/socket.io
2
https://github.com/ai/nanoid
2
https://github.com/salesforce/tough-cookie
2
https://github.com/umbraco/Umbraco-CMS
2
https://github.com/expressjs/express
2
https://github.com/karma-runner/karma
2
https://github.com/freshfish-hust/my-cves
2
https://github.com/chimurai/http-proxy-middleware
2
https://github.com/google/closure-library
2
https://github.com/koush/scrypted
2
https://github.com/pugjs/pug
2
https://github.com/kjur/jsrsasign
2
https://github.com/summernote/summernote
2
https://github.com/excalidraw/excalidraw
2
https://github.com/psi-4ward/psitransfer
2
https://github.com/jameswlane/status-board
2
https://github.com/erxes/erxes
2
https://github.com/OpenC3/cosmos
2
https://github.com/matrix-org/matrix-appservice-bridge
2
https://github.com/nestjs/nest
2
https://github.com/jellyfin/jellyfin-web
2
https://github.com/xmldom/xmldom
2
https://github.com/AhmedAdelFahim/express-xss-sanitizer
2
https://github.com/keycloak/keycloak-nodejs-connect
2
https://github.com/validatorjs/validator.js
2
https://github.com/payloadcms/payload
2
https://github.com/braintree/sanitize-url
2
https://github.com/pnpm/pnpm
2
https://github.com/Finastra/finastra-nodejs-libs
2
https://github.com/MrRio/jsPDF
2
https://github.com/sveltejs/svelte
2
https://github.com/ua-parser/uap-core
2
https://github.com/auth0/node-jsonwebtoken
2
https://github.com/adobe/css-tools
2
https://github.com/guardian/html-janitor
2
https://github.com/axios/axios
2
https://github.com/nasa/openmct
2
https://github.com/nearform/fast-jwt
2
https://github.com/yarnpkg/yarn
1
https://github.com/imsebao/404team
1
https://github.com/lukeed/tempura
1
https://github.com/johndatserakis/file-upload-with-preview
1
https://github.com/AgeOfLearning/aofl
1
https://github.com/AntSwordProject/antSword
1
https://github.com/arnog/mathlive
1
https://github.com/TooTallNate/node-https-proxy-agent
1
https://github.com/gruntjs/grunt
1
https://github.com/isomorphic-git/isomorphic-git
1
https://github.com/lukeed/dset
1
https://github.com/openwhisk/openwhisk-client-js
1
https://github.com/Zireael-N/node-weakauras-parser
1
https://github.com/ajv-validator/ajv
1
https://github.com/Uniswap/web3-react
1
https://github.com/LemonLDAPNG/node-lemonldap-ng-handler
1
https://github.com/expo/expo
1
https://github.com/zowe/zowe-cli
1
https://github.com/hayageek/jquery-upload-file
1
https://github.com/squirrelchat/smol-toml
1
https://github.com/tristao-marinho/CVE-2023-41646
1
https://github.com/novnc/noVNC
1
https://github.com/knockout/knockout
1
https://github.com/indutny/elliptic
1
https://github.com/tj/node-cookie-signature
1
https://github.com/NetEase/pomelo
1
https://github.com/vuetifyjs/vuetify
1
https://github.com/netlify/netlify-ipx
1
https://github.com/silverwind/droppy
1
https://github.com/auth0/angular-jwt
1
https://github.com/colinhacks/zod
1
https://github.com/GladysAssistant/Gladys
1
https://github.com/mathjax/MathJax
1
https://github.com/radashi-org/radashi
1
https://github.com/makeusabrew/bootbox
1
https://github.com/marp-team/marp-core
1
https://github.com/jpuri/react-draft-wysiwyg
1
https://github.com/autovance/ftp-srv
1
https://github.com/bpmn-io/diagram-js
1
https://github.com/okta/okta-oidc-middleware
1
https://github.com/koajs/koa
1
https://github.com/mhart/StringStream
1
https://github.com/auth0/passport-wsfed-saml2
1
https://github.com/remy/undefsafe
1
https://github.com/minimistjs/minimist
1
https://github.com/BorisMoore/jsrender
1