Latest Vulnerability Information
This feed collects the latest security advisories (CVE and GHSA entries) relating to the React, Next.js, Vue and Node.js ecosystems.
Showing 1224 of 1224 entries

Each entry below is laid out as: advisory ID | severity | CVSS score (where one was given) | date, followed by the title and then each affected package with its vulnerable version range and, after the arrow, the fixed version (no arrow where the source lists no fixed version).
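The version ranges in this listing are written as comma-separated conjunctions of comparators (">= 1.0.0, < 1.16.0", "<= 0.31.1", "= 1.15.2", "< 3.39.0"), with pre-release tags such as "5.0.0-beta.0" used as bounds in some entries. The following is an added example, not code from the feed or from any project listed here: a dependency-free matcher that evaluates such ranges against the versions in a package-lock.json (v3 layout assumed) and reports which advisories apply. The advisory IDs and ranges in ADVISORIES are copied from the listing; the lockfile fragment and the helper names are constructed for the example.

```javascript
// Added example (not part of the feed): match installed npm package versions
// against advisory ranges written in this feed's notation.
// Pre-release precedence follows SemVer 2.0.0 (1.0.0-beta.2 < 1.0.0).

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    main: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Compare one pre-release identifier: numeric ones compare as numbers and
// sort before alphanumeric ones; alphanumeric ones compare lexically.
function cmpIdent(a, b) {
  const an = /^\d+$/.test(a), bn = /^\d+$/.test(b);
  if (an && bn) return Math.sign(Number(a) - Number(b));
  if (an) return -1;
  if (bn) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.main[i] !== y.main[i]) return x.main[i] < y.main[i] ? -1 : 1;
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;   // a release outranks its own pre-releases
  if (y.pre.length === 0) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const c = cmpIdent(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(x.pre.length - y.pre.length); // longer pre-release list wins
}

const OPS = {
  '>=': (c) => c >= 0, '>': (c) => c > 0,
  '<=': (c) => c <= 0, '<': (c) => c < 0, '=': (c) => c === 0,
};

// The feed's range syntax: comparators joined by commas, all of which must hold.
function parseRange(range) {
  return range.split(',').map((part) => {
    const m = /^\s*(>=|<=|>|<|=)\s*(\S+)\s*$/.exec(part);
    if (!m) throw new Error(`bad comparator: ${part}`);
    return { op: m[1], bound: m[2] };
  });
}

function inRange(version, range) {
  return parseRange(range).every(({ op, bound }) => OPS[op](compareVersions(version, bound)));
}

// Subset of the advisories in this listing (IDs and ranges as published above).
const ADVISORIES = [
  { id: 'CVE-2026-44496', pkg: 'axios', range: '>= 1.0.0, < 1.16.0', fixed: '1.16.0' },
  { id: 'CVE-2026-44496', pkg: 'axios', range: '<= 0.31.1', fixed: '0.32.0' },
  { id: 'CVE-2026-44489', pkg: 'axios', range: '= 1.15.2', fixed: '1.16.0' },
  { id: 'CVE-2026-45109', pkg: 'next', range: '>= 15.2.0, < 15.5.18', fixed: '15.5.18' },
  { id: 'CVE-2026-47428', pkg: '@vitest/browser', range: '>= 5.0.0-beta.0, < 5.0.0-beta.3', fixed: '5.0.0-beta.3' },
];

// Constructed package-lock.json (lockfileVersion 3) fragment; not a real project.
const LOCKFILE = { packages: {
  'node_modules/axios': { version: '1.15.2' },
  'node_modules/next': { version: '15.5.18' },
  'node_modules/@vitest/browser': { version: '5.0.0-beta.2' },
  'node_modules/hono': { version: '4.12.16' },
} };

// Walk every installed package (nested node_modules paths included) and
// report each advisory whose range contains the installed version.
function audit(lockfile, advisories) {
  const findings = [];
  for (const [path, meta] of Object.entries(lockfile.packages)) {
    const name = path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
    for (const adv of advisories) {
      if (adv.pkg === name && inRange(meta.version, adv.range)) {
        findings.push({ id: adv.id, pkg: name, installed: meta.version, fixed: adv.fixed });
      }
    }
  }
  return findings;
}

for (const f of audit(LOCKFILE, ADVISORIES)) {
  console.log(`${f.id}: ${f.pkg}@${f.installed} is affected, upgrade to ${f.fixed}`);
}
```

With the constructed lockfile, `audit` returns three findings: axios 1.15.2 is caught twice (by the `>= 1.0.0, < 1.16.0` range and by the single-version `= 1.15.2` follow-up entry), and the `@vitest/browser` beta falls inside the pre-release-bounded range; `next` 15.5.18 sits exactly on the fixed version and is correctly not reported. This is the comparison a practitioner should sanity-check before trusting any feed-driven gate, because "<" against a fixed version and "<=" against a last-affected version are easy to confuse.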
GHSA-gv7w-rqvm-qjhr | high | CVSS 8.1 | 2026-06-12
esbuild: Missing binary integrity verification in Deno module enables remote code execution via NPM_CONFIG_REGISTRY
  esbuild: >= 0.17.0, < 0.28.1 → 0.28.1

CVE-2026-48151 | high | CVSS 7.5 | 2026-06-12
Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema
  @budibase/server: < 3.39.0 → 3.39.0

CVE-2026-48150 | critical | CVSS 9 | 2026-06-12
Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign
  @budibase/server: < 3.39.0 → 3.39.0

CVE-2026-48147 | medium | CVSS 6.5 | 2026-06-12
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
  @budibase/backend-core: < 3.35.4 → 3.35.4

CVE-2026-48049 | medium | CVSS 5.3 | 2026-06-11
@hapi/inert has a static-file confinement bypass via sibling-prefix path
  @hapi/inert: >= 4.0.0, <= 7.1.0 → 7.1.1
CVE-2026-42890 | medium | 2026-06-08
actual Allows Electron to Run As Node
  actual: < 26.5.0 → 26.5.0

CVE-2026-48017 | high | CVSS 8.8 | 2026-06-05
DbGate: Remote Code Execution via functionName injection in loadReader endpoint
  dbgate-api: <= 7.1.8 → 7.1.9

CVE-2026-47684 | high | CVSS 7.7 | 2026-06-05
Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP
  @sync-in/server: <= 2.2.1 → 2.3.0

CVE-2026-47668 | critical | CVSS 10 | 2026-06-05
DbGate: Unauthenticated Remote Code Execution via JSON Script Runner
  dbgate-serve: <= 7.1.8 → 7.1.9

CVE-2026-47250 | medium | CVSS 6.1 | 2026-06-05
MCP Server Kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
  mcp-server-kubernetes: <= 3.6.2 → 3.7.0
CVE-2026-34077 | high | CVSS 7.5 | 2026-06-04
React Router vulnerable to Denial of Service via reflected user input in single-fetch
  react-router: >= 7.0.0, < 7.14.0 → 7.14.0
  turbo-stream: < 3.0.0 → 3.0.0

CVE-2026-44496 | high | CVSS 7.5 | 2026-06-04
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
  axios: >= 1.0.0, < 1.16.0 → 1.16.0
  axios: <= 0.31.1 → 0.32.0

CVE-2026-44488 | high | CVSS 7.5 | 2026-06-04
Allocation of Resources Without Limits or Throttling in Axios
  axios: >= 1.7.0, < 1.16.0 → 1.16.0

CVE-2026-44487 | high | 2026-06-04
Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter
  axios: >= 1.0.0, < 1.16.0 → 1.16.0
  axios: <= 0.31.1 → 0.32.0

CVE-2026-44486 | high | CVSS 7.5 | 2026-06-04
Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection
  axios: >= 1.0.0, < 1.16.0 → 1.16.0
  axios: <= 0.31.1 → 0.32.0
CVE-2026-49143 | high | CVSS 8.8 | 2026-06-03
browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in _log HTTP handler
  browserstack-runner: <= 0.9.5

CVE-2026-49144 | high | CVSS 6.5 | 2026-06-03
browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server
  browserstack-runner: <= 0.9.5

CVE-2026-42342 | high | CVSS 7.5 | 2026-06-03
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
  react-router: >= 7.0.0, < 7.15.0 → 7.15.0
  @remix-run/server-runtime: >= 2.10.0, < 2.17.5 → 2.17.5

CVE-2026-42211 | high | CVSS 8.1 | 2026-06-03
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
  react-router: >= 7.0.0, <= 7.14.1 → 7.14.2

CVE-2026-40181 | medium | 2026-06-03
React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
  react-router: >= 7.0.0, < 7.14.1 → 7.14.1
  react-router: >= 6.7.0, < 6.30.4 → 6.30.4
CVE-2026-33245 | high | CVSS 8 | 2026-06-03
React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
  react-router: >= 7.7.0, < 7.13.2 → 7.13.2

CVE-2026-33244 | medium | CVSS 5.4 | 2026-06-03
React Router has stored XSS via unescaped Location header in prerendered redirect HTML
  react-router: >= 7.5.1, < 7.13.2 → 7.13.2

CVE-2026-47428 | critical | CVSS 9.6 | 2026-06-01
Vitest browser mode serves unsanitized otelCarrier query parameter as inline script
  @vitest/browser: >= 4.0.17, < 4.1.6 → 4.1.6
  @vitest/browser: >= 5.0.0-beta.0, < 5.0.0-beta.3 → 5.0.0-beta.3

CVE-2026-47429 | critical | CVSS 9.8 | 2026-06-01
When Vitest UI server is listening, arbitrary file can be read and executed
  vitest: >= 4.0.0, < 4.1.0 → 4.1.0
  vitest: < 3.2.6 → 3.2.6

CVE-2026-50287 | high | 2026-06-01
@agenticmail/mcp Missing Authentication for Critical Function
  @agenticmail/mcp: < 0.9.27 → 0.9.27
CVE-2026-47141 | medium | 2026-05-29
NodeVM observability builtins leak host process and HTTP request data
  vm2: <= 3.11.3 → 3.11.4

CVE-2026-47139 | high | CVSS 8.6 | 2026-05-29
NodeVM network builtin exclusions bypass via internal _http_client and _http_server
  vm2: <= 3.11.3 → 3.11.4

CVE-2026-47140 | critical | CVSS 10 | 2026-05-29
NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
  vm2: <= 3.11.3 → 3.11.4

CVE-2026-47210 | critical | CVSS 9.8 | 2026-05-29
vm2 sandbox escape via JSPI-backed Promise `.finally()` species bypass
  vm2: <= 3.11.3 → 3.11.4

CVE-2026-47135 | high | CVSS 8.7 | 2026-05-29
vm2 has a sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks
  vm2: <= 3.11.3 → 3.11.4
GHSA-q3fm-4wcw-g57x | low | 2026-05-29
vm2 setup-sandbox.js violates Defense Invariant #11 in stack-trace formatter
  vm2: <= 3.11.3 → 3.11.4

CVE-2026-47131 | critical | CVSS 10 | 2026-05-29
vm2 has a Sandbox Escape issue
  vm2: <= 3.11.3 → 3.11.4

CVE-2026-47200 | medium | 2026-05-29
Nuxt's route middleware is not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
  nuxt: >= 3.11.0, <= 3.21.5 → 3.21.6
  @nuxt/nitro-server: >= 3.20.0, <= 3.21.5 → 3.21.6
  @nuxt/nitro-server: >= 4.2.0, <= 4.4.5 → 4.4.6
  nuxt: >= 4.0.0-alpha.1, <= 4.4.5 → 4.4.6

CVE-2026-44495 | high | CVSS 7 | 2026-05-29
axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge
  axios: >= 1.0.0, < 1.15.2 → 1.15.2
  axios: >= 0.19.0, < 0.31.1 → 0.31.1

CVE-2026-44492 | high | CVSS 8.6 | 2026-05-29
axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)
  axios: >= 1.0.0, < 1.16.0 → 1.16.0
  axios: <= 0.31.1 → 0.32.0
CVE-2026-44489 | low | CVSS 3.7 | 2026-05-29
Axios has a Patch Bypass: Proxy-Authorization Header Injection via Prototype Pollution — Incomplete Null-Prototype Fix
  axios: = 1.15.2 → 1.16.0

CVE-2026-48527 | high | CVSS 8.7 | 2026-05-29
HaxCMS has a stored Cross-Site Scripting (XSS) bypass in its saveNode endpoint
  @haxtheweb/haxcms-nodejs: <= 26.0.0 → 26.0.1

CVE-2026-47144 | medium | CVSS 5.5 | 2026-05-28
Shamefile has an arbitrary file read via shamefile.yaml in shame next
  shamefile: <= 0.1.6 → 0.1.7

CVE-2026-45617 | high | CVSS 7.5 | 2026-05-27
LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in `strip_html` Filter Regex
  liquidjs: < 10.26.0 → 10.26.0

CVE-2026-45357 | high | CVSS 7.5 | 2026-05-27
LiquidJS has a memory and render limit bypass via unbounded width padding in `date` filter (strftime)
  liquidjs: <= 10.25.7
CVE-2026-44705 | high | 2026-05-27
tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape
  tmp: < 0.2.6 → 0.2.6

CVE-2026-44646 | medium | CVSS 5.3 | 2026-05-27
LiquidJS's `{% render %}` tag silently bypasses per-render `ownPropertyOnly:true` via `Context.spawn()`
  liquidjs: <= 10.25.7

CVE-2026-44645 | medium | CVSS 6.5 | 2026-05-27
LiquidJS has a renderLimit DoS guard bypass via empty `{% for %}` body
  liquidjs: <= 10.25.7

CVE-2026-44644 | medium | CVSS 6.1 | 2026-05-27
LiquidJS's strip_html filter bypass via newline characters in HTML tags enables XSS
  liquidjs: <= 10.25.7

CVE-2026-43947 | high | 2026-05-26
FUXA Vulnerable to Unauthenticated Remote Code Execution via Script Test Mode Authorization Bypass
  fuxa-server: = 1.3.0 → 1.3.1
CVE-2026-43946 | high | 2026-05-26
FUXA has an unauthenticated arbitrary tag value disclosure via /api/getTagValue
  fuxa-server: = 1.3.0 → 1.3.1

CVE-2026-43945 | high | 2026-05-26
FUXA Vulnerable to Pre-auth RCE via Path Manipulation & Configuration Injection
  @frangoteam/fuxa: >= 1.2.11, < 1.3.1 → 1.3.1

CVE-2026-42462 | high | CVSS 7 | 2026-05-26
Fedify has an LD-Signature Bypass via JSON-LD Named-Graph Restructuring
  @fedify/fedify: >= 2.2.0, < 2.2.3 → 2.2.3
  @fedify/fedify: >= 2.1.0, < 2.1.14 → 2.1.14
  @fedify/fedify: >= 2.0.0, < 2.0.18 → 2.0.18
  @fedify/fedify: >= 1.10.0, < 1.10.10 → 1.10.10
  @fedify/fedify: < 1.9.11 → 1.9.11

CVE-2026-28445 | high | CVSS 8.7 | 2026-05-26
Typebot has Stored XSS via Rating Block Custom Icon that Bypasses isUnsafe Sandbox in Builder Preview
  @typebot.io/js: < 0.10.1 → 0.10.1

CVE-2026-47138 | high | 2026-05-23
Parse Server: Pre-authentication denial of service via client version header regex backtracking
  parse-server: >= 9.0.0, < 9.9.1-alpha.1 → 9.9.1-alpha.1
  parse-server: < 8.6.77 → 8.6.77
CVE-2026-8723 | medium | CVSS 5.3 | 2026-05-22
qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set
  qs: >= 6.11.1, <= 6.15.1 → 6.15.2

CVE-2026-46703 | critical | CVSS 9.6 | 2026-05-21
Boxlite: Path Traversal Vulnerability Leads to Arbitrary File Write on the Host
  boxlite: < 0.9.0 → 0.9.0
  boxlite-cli: < 0.9.0 → 0.9.0
  @boxlite-ai/boxlite: < 0.9.0 → 0.9.0
  github.com/boxlite-ai/boxlite/sdks/go: < 0.9.0 → 0.9.0

CVE-2026-46679 | high | CVSS 7.5 | 2026-05-21
js-libp2p: Memory DoS via subscription flood of unique topics
  @libp2p/gossipsub: <= 15.0.22 → 15.0.23

CVE-2026-46625 | high | CVSS 7.5 | 2026-05-21
JavaScript Cookie: Per-instance prototype hijack in assign() enables cookie-attribute injection
  js-cookie: <= 3.0.5 → 3.0.7

CVE-2026-46547 | medium | CVSS 6.1 | 2026-05-21
NocoDB: Reflected Cross-Site Scripting via Page Leaving Redirect URL
  nocodb: <= 0.301.3
CVE-2026-46490 | high | 2026-05-21
samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions
  samlify: < 2.13.0 → 2.13.0

CVE-2026-30691 | medium | CVSS 6.1 | 2026-05-20
@cyntler/react-doc-viewer's TXTRenderer fails to sanitize file content and explicitly casts raw data as a ReactNode
  @cyntler/react-doc-viewer: <= 1.17.1

GHSA-c2c9-mfw7-p8hw | medium | 2026-05-20
Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
  flowise: <= 3.1.1 → 3.1.2

CVE-2026-46417 | high | 2026-05-19
@angular/platform-server: SSRF via Hostname Hijacking
  @angular/platform-server: >= 22.0.0-next.0, < 22.0.0-next.12 → 22.0.0-next.12
  @angular/platform-server: >= 21.0.0-next.0, < 21.2.13 → 21.2.13
  @angular/platform-server: >= 20.0.0-next.0, < 20.3.21 → 20.3.21
  @angular/platform-server: >= 19.0.0-next.0, < 19.2.22 → 19.2.22
  @angular/platform-server: <= 18.2.14

CVE-2026-46412 | critical | CVSS 10 | 2026-05-19
Malicious code in @beproduct/nestjs-auth (0.1.2 through 0.1.19) — Mini Shai-Hulud worm
  @beproduct/nestjs-auth: >= 0.1.2, <= 0.1.19
CVE-2026-46372 | high | CVSS 8.5 | 2026-05-19
SillyTavern: SSRF in SearXNG Search Proxy via Unvalidated baseUrl
  sillytavern: <= 1.17.0 → 1.18.0

CVE-2026-45783 | high | CVSS 7.5 | 2026-05-19
@libp2p/kad-dht: Unvalidated PUT_VALUE records allow unbounded disk exhaustion on DHT server nodes
  @libp2p/kad-dht: < 16.2.6 → 16.2.6

CVE-2026-46342 | low | 2026-05-19
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
  nuxt: >= 3.1.0, <= 3.21.5 → 3.21.6
  nuxt: >= 4.0.0-alpha.1, <= 4.4.5 → 4.4.6
  @nuxt/nitro-server: >= 3.20.0, <= 3.21.5 → 3.21.6
  @nuxt/nitro-server: >= 4.2.0, <= 4.4.5 → 4.4.6

CVE-2026-45805 | high | CVSS 8.8 | 2026-05-19
PenPot MCP REPL server binds to 0.0.0.0 with unauthenticated /execute endpoint — RCE
  @penpot/mcp: < 2.15.0 → 2.15.0

CVE-2026-46357 | medium | CVSS 6.5 | 2026-05-19
HAX CMS: Denial of Service using Malicious Import Request
  @haxtheweb/haxcms-nodejs: < 26.0.0 → 26.0.0
CVE-2026-46339 | critical | CVSS 10 | 2026-05-19
9router: Unauthenticated Remote Code Execution via unprotected MCP custom plugin routes
  9router: >= 0.4.30, < 0.4.37 → 0.4.37

CVE-2026-46341 | medium | CVSS 6.1 | 2026-05-19
Apify Model Context Protocol (MCP) server: Domain Allowlist Bypass in fetch-apify-docs via String Prefix Matching
  @apify/actors-mcp-server: < 0.9.21 → 0.9.21

GHSA-3875-8gcx-7v46 | medium | CVSS 9.1 | 2026-05-19
n8n: Credential exfiltration via Allowed HTTP Request Domains Bypass
  n8n: < 2.20.0 → 2.20.0

GHSA-2vx9-7wpg-88jq | medium | CVSS 6.4 | 2026-05-19
n8n: Legacy ExecuteWorkflow Node Bypassed File Path Restrictions
  n8n: < 2.19.3 → 2.19.3

CVE-2026-45669 | medium | 2026-05-19
Nuxt: Reflected XSS in `navigateTo()` external redirect
  nuxt: >= 3.4.3, <= 3.21.5 → 3.21.6
  nuxt: >= 4.0.0-alpha.1, <= 4.4.5 → 4.4.6
GHSA-hv85-774v-26fg | high | CVSS 8.2 | 2026-05-19
auth-fetch-mcp: SSRF and disk exfiltration via unvalidated auth_fetch and download_media URLs
  auth-fetch-mcp: <= 3.0.0 → 3.0.1

CVE-2026-46395 | critical | 2026-05-19
HAXcms: Private Key Disclosure via Broken HMAC Implementation
  @haxtheweb/haxcms-nodejs: <= 25.0.0 → 26.0.0

CVE-2026-45736 | medium | CVSS 4.4 | 2026-05-18
ws: Uninitialized memory disclosure
  ws: >= 8.0.0, < 8.20.1 → 8.20.1

CVE-2026-45707 | high | CVSS 8.1 | 2026-05-18
n8n-MCP: Multi-tenant MCP requests fall back to process-level n8n credentials when tenant headers are absent or incomplete
  n8n-mcp: <= 2.51.1 → 2.51.2

CVE-2026-45302 | high | CVSS 8.2 | 2026-05-18
parse-nested-form-data has Prototype Pollution via `__proto__` in FormData field names
  parse-nested-form-data: <= 1.0.0 → 1.0.1
CVE-2026-45577 | medium | 2026-05-18
Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass
  neotoma: >= 0.6.0, < 0.11.1 → 0.11.1

CVE-2026-46510 | high | CVSS 8.2 | 2026-05-18
form-data-objectizer: Prototype pollution in form-data-objectizer via bracket-notation form keys
  form-data-objectizer: <= 1.0.0 → 1.0.1

CVE-2026-45582 | medium | CVSS 6.5 | 2026-05-18
n8n-MCP: Workflow telemetry sanitizer could retain partial values from URL-shaped node parameters
  n8n-mcp: < 2.51.3 → 2.51.3

CVE-2026-45411 | critical | CVSS 9.8 | 2026-05-14
vm2 Has a Sandbox Breakout Using Async Generator
  vm2: <= 3.11.2 → 3.11.3

GHSA-wf8q-wvv8-p8jf | critical | CVSS 9.1 | 2026-05-14
@samanhappy/mcphub: SSE Endpoint Accepts Arbitrary Username from URL Path Without Authentication, Enabling User Impersonation
  @samanhappy/mcphub: < 0.12.15 → 0.12.15
CVE-2026-44990 | critical | CVSS 9.3 | 2026-05-14
Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
  sanitize-html: = 2.17.3 → 2.17.4

GHSA-9m65-766c-r333 | medium | 2026-05-14
TanStack Start - Server Core: Inbound server-function request deserialization could invoke a sibling client-referenced server function
  @tanstack/start-server-core: < 1.167.30 → 1.167.30

CVE-2026-44791 | critical | 2026-05-14
n8n Has an XML Node Prototype Pollution Patch Bypass
  n8n: < 1.123.43 → 1.123.43
  n8n: >= 2.21.0, < 2.22.1 → 2.22.1
  n8n: >= 2.0.0-rc.0, < 2.20.7 → 2.20.7

CVE-2026-44790 | critical | 2026-05-14
n8n Has an Arbitrary File Read via Git Node
  n8n: < 1.123.43 → 1.123.43
  n8n: >= 2.21.0, < 2.22.1 → 2.22.1
  n8n: >= 2.0.0-rc.0, < 2.20.7 → 2.20.7

CVE-2026-44789 | critical | 2026-05-14
n8n: HTTP Request Node Pagination Prototype Pollution to RCE
  n8n: < 1.123.43 → 1.123.43
  n8n: >= 2.21.0, < 2.22.1 → 2.22.1
  n8n: >= 2.0.0-rc.0, < 2.20.7 → 2.20.7
CVE-2026-42853 | medium | CVSS 6.5 | 2026-05-14
@apostrophecms/cli: Command Injection in apos create via Unsanitized Password Input
  @apostrophecms/cli: <= 3.6.0

CVE-2026-46442 | critical | 2026-05-14
FlowiseAI: Authenticated Host RCE via POST /api/v1/node-custom-function and NodeVM Sandbox Escape
  flowise: <= 3.1.1 → 3.1.2

GHSA-m99r-2hxc-cp3q | high | 2026-05-14
Flowise has an MCP Security Bypass that Enables RCE
  flowise: <= 3.1.1 → 3.1.2
  flowise-components: <= 3.1.1 → 3.1.2

CVE-2026-22599 | critical | 2026-05-13
Strapi Vulnerable to SQL Injection in Content Type Builder
  @strapi/content-type-builder: >= 5.0.0, < 5.33.2 → 5.33.2
  @strapi/plugin-content-type-builder: >= 4.0.0, < 4.26.1 → 4.26.1

CVE-2026-44724 | high | CVSS 7.8 | 2026-05-13
Systeminformation vulnerable to Linux command injection in networkInterfaces() via unsanitized NetworkManager connection profile name
  systeminformation: >= 4.17.0, <= 5.31.5 → 5.31.6
CVE-2026-42074 | critical | CVSS 9.8 | 2026-05-12
OpenClaude Sandbox Bypass via Model-Controlled `dangerouslyDisableSandbox` Input
  openclaude: < 0.5.1 → 0.5.1

CVE-2026-42073 | medium | CVSS 6.5 | 2026-05-12
OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS
  @gitlawb/openclaude: < 0.5.1 → 0.5.1

CVE-2026-44288 | medium | CVSS 5.3 | 2026-05-12
protobufjs has overlong UTF-8 decoding
  protobufjs: <= 7.5.5 → 7.5.6
  protobufjs: >= 8.0.0, <= 8.0.1 → 8.0.2
  @protobufjs/utf8: <= 1.1.0 → 1.1.1

CVE-2026-45321 | critical | CVSS 9.6 | 2026-05-12
Malware in @tanstack/* packages exfiltrates cloud credentials, GitHub tokens, and SSH keys
  (each package has two affected single-version entries, both fixed in the same release)
  @tanstack/arktype-adapter: = 1.166.12 → 1.166.16; = 1.166.15 → 1.166.16
  @tanstack/eslint-plugin-router: = 1.161.9 → 1.161.13; = 1.161.12 → 1.161.13
  @tanstack/eslint-plugin-start: = 0.0.4 → 0.0.8; = 0.0.7 → 0.0.8
  @tanstack/history: = 1.161.9 → 1.161.13; = 1.161.12 → 1.161.13
  @tanstack/nitro-v2-vite-plugin: = 1.154.12 → 1.154.16; = 1.154.15 → 1.154.16
  @tanstack/react-router: = 1.169.5 → 1.169.9; = 1.169.8 → 1.169.9
  @tanstack/react-router-devtools: = 1.166.16 → 1.166.20; = 1.166.19 → 1.166.20
  @tanstack/react-router-ssr-query: = 1.166.15 → 1.166.19; = 1.166.18 → 1.166.19
  @tanstack/react-start: = 1.167.68 → 1.167.72; = 1.167.71 → 1.167.72
  @tanstack/react-start-client: = 1.166.51 → 1.166.55; = 1.166.54 → 1.166.55
  @tanstack/react-start-rsc: = 0.0.47 → 0.0.51; = 0.0.50 → 0.0.51
  @tanstack/react-start-server: = 1.166.55 → 1.166.59; = 1.166.58 → 1.166.59
  @tanstack/router-cli: = 1.166.46 → 1.166.50; = 1.166.49 → 1.166.50
  @tanstack/router-core: = 1.169.5 → 1.169.9; = 1.169.8 → 1.169.9
  @tanstack/router-devtools: = 1.166.16 → 1.166.20; = 1.166.19 → 1.166.20
  @tanstack/router-devtools-core: = 1.167.6 → 1.167.10; = 1.167.9 → 1.167.10
  @tanstack/router-generator: = 1.166.45 → 1.166.49; = 1.166.48 → 1.166.49
  @tanstack/router-plugin: = 1.167.38 → 1.167.42; = 1.167.41 → 1.167.42
  @tanstack/router-ssr-query-core: = 1.168.3 → 1.168.7; = 1.168.6 → 1.168.7
  @tanstack/router-utils: = 1.161.11 → 1.161.15; = 1.161.14 → 1.161.15
  @tanstack/router-vite-plugin: = 1.166.53 → 1.166.57; = 1.166.56 → 1.166.57
  @tanstack/solid-router: = 1.169.5 → 1.169.9; = 1.169.8 → 1.169.9
  @tanstack/solid-router-devtools: = 1.166.16 → 1.166.20; = 1.166.19 → 1.166.20
  @tanstack/solid-router-ssr-query: = 1.166.15 → 1.166.19; = 1.166.18 → 1.166.19
  @tanstack/solid-start: = 1.167.65 → 1.167.69; = 1.167.68 → 1.167.69
  @tanstack/solid-start-client: = 1.166.50 → 1.166.54; = 1.166.53 → 1.166.54
  @tanstack/solid-start-server: = 1.166.54 → 1.166.58; = 1.166.57 → 1.166.58
  @tanstack/start-client-core: = 1.168.5 → 1.168.9; = 1.168.8 → 1.168.9
  @tanstack/start-fn-stubs: = 1.161.9 → 1.161.13; = 1.161.12 → 1.161.13
  @tanstack/start-plugin-core: = 1.169.23 → 1.169.27; = 1.169.26 → 1.169.27
  @tanstack/start-server-core: = 1.167.33 → 1.167.37; = 1.167.36 → 1.167.37
  @tanstack/start-static-server-functions: = 1.166.44 → 1.166.48; = 1.166.47 → 1.166.48
  @tanstack/start-storage-context: = 1.166.38 → 1.166.42; = 1.166.41 → 1.166.42
  @tanstack/valibot-adapter: = 1.166.12 → 1.166.16; = 1.166.15 → 1.166.16
  @tanstack/virtual-file-routes: = 1.161.10 → 1.161.14; = 1.161.13 → 1.161.14
  @tanstack/vue-router: = 1.169.5 → 1.169.9; = 1.169.8 → 1.169.9
  @tanstack/vue-router-devtools: = 1.166.16 → 1.166.20; = 1.166.19 → 1.166.20
  @tanstack/vue-router-ssr-query: = 1.166.15 → 1.166.19; = 1.166.18 → 1.166.19
  @tanstack/vue-start: = 1.167.61 → 1.167.65; = 1.167.64 → 1.167.65
  @tanstack/vue-start-client: = 1.166.46 → 1.166.50; = 1.166.49 → 1.166.50
  @tanstack/vue-start-server: = 1.166.50 → 1.166.54; = 1.166.53 → 1.166.54
  @tanstack/zod-adapter: = 1.166.12 → 1.166.16; = 1.166.15 → 1.166.16

CVE-2026-44635 | high | CVSS 7.5 | 2026-05-11
Kysely: JSON-path traversal injection via unsanitized path-leg metacharacters in `JSONPathBuilder.key()` / `.at()`
  kysely: >= 0.26.0, < 0.28.17 → 0.28.17
CVE-2026-45109 | high | CVSS 7.5 | 2026-05-11
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up
  next: >= 15.2.0, < 15.5.18 → 15.5.18
  next: >= 16.0.0, < 16.2.6 → 16.2.6

CVE-2026-45061 | high | CVSS 7.7 | 2026-05-11
Budibase vulnerable to SSRF via trivial `.tar.gz` substring bypass in Plugin URL upload (`/api/plugin`)
  budibase: <= 3.34.11 → 3.35.10

CVE-2026-44572 | low | CVSS 3.7 | 2026-05-11
Next.js's Middleware / Proxy redirects can be cache-poisoned
  next: >= 12.2.0, < 15.5.16 → 15.5.16
  next: >= 16.0.0, < 16.2.5 → 16.2.5

GHSA-mhwj-73qx-jqxm | high | CVSS 7.5 | 2026-05-11
@theecryptochad/merge-guard has Prototype Pollution in its deepMerge() function
  @theecryptochad/merge-guard: < 1.0.1 → 1.0.1

CVE-2026-44483 | high | CVSS 8.2 | 2026-05-11
@rvf/set-get has a prototype pollution issue that's reachable via @rvf/core preprocessFormData (HTTP form data)
  @rvf/set-get: >= 7.0.0, < 7.0.2 → 7.0.2
  @rvf/set-get: >= 6.0.0, < 6.0.4 → 6.0.4
CVE-2026-44581 | medium | CVSS 4.7 | 2026-05-11
Next.js vulnerable to cross-site scripting in App Router applications using CSP nonces
  next: >= 13.4.0, < 15.5.16 → 15.5.16
  next: >= 16.0.0, < 16.2.5 → 16.2.5

CVE-2026-44582 | low | CVSS 3.7 | 2026-05-11
Next.js vulnerable to cache poisoning via collisions in React Server Component cache-busting
  next: >= 13.4.6, < 15.5.16 → 15.5.16
  next: >= 16.0.0, < 16.2.5 → 16.2.5

CVE-2026-44580 | medium | CVSS 6.1 | 2026-05-11
Next.js has cross-site scripting in beforeInteractive scripts with untrusted input
  next: >= 13.0.0, < 15.5.16 → 15.5.16
  next: >= 16.0.0, < 16.2.5 → 16.2.5

CVE-2026-44579 | high | CVSS 7.5 | 2026-05-11
Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components
  next: >= 15.0.0, < 15.5.16 → 15.5.16
  next: >= 16.0.0, < 16.2.5 → 16.2.5

CVE-2026-44577 | medium | CVSS 5.9 | 2026-05-11
Next.js has a Denial of Service in the Image Optimization API
  next: >= 10.0.0, < 15.5.16 → 15.5.16
  next: >= 16.0.0, < 16.2.5 → 16.2.5
CVE-2026-44578 | high | CVSS 8.6 | 2026-05-11
Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades
  next: >= 13.4.13, < 15.5.16 → 15.5.16
  next: >= 16.0.0, < 16.2.5 → 16.2.5

CVE-2026-44576 | medium | CVSS 5.4 | 2026-05-11
Next.js vulnerable to cache poisoning in React Server Component responses
  next: >= 14.2.0, < 15.5.16 → 15.5.16
  next: >= 16.0.0, < 16.2.5 → 16.2.5

CVE-2026-44575 | high | CVSS 7.5 | 2026-05-11
Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes
  next: >= 15.2.0, < 15.5.16 → 15.5.16
  next: >= 16.0.0, < 16.2.5 → 16.2.5

CVE-2026-44574 | high | CVSS 8.1 | 2026-05-11
Next.js has a Middleware / Proxy bypass through dynamic route parameter injection
  next: >= 15.4.0, < 15.5.16 → 15.5.16
  next: >= 16.0.0, < 16.2.5 → 16.2.5

CVE-2026-44573 | high | CVSS 7.5 | 2026-05-11
Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n
  next: >= 12.2.0, < 15.5.16 → 15.5.16
  next: >= 16.0.0, < 16.2.5 → 16.2.5
GHSA-w94c-4vhp-22gx | high | CVSS 7.5 | 2026-05-11
@vitejs/plugin-rsc has a Denial of Service Vulnerability in React Server Components
  @vitejs/plugin-rsc: <= 0.5.25 → 0.5.26

GHSA-8h8q-6873-q5fj | high | CVSS 7.5 | 2026-05-11
Next.js Vulnerable to Denial of Service with Server Components
  next: >= 13.0.0, < 15.5.16 → 15.5.16
  next: >= 16.0.0, < 16.2.5 → 16.2.5

CVE-2026-23870 | high | CVSS 7.5 | 2026-05-11
Facebook React has a Denial of Service Vulnerability in React Server Components
  react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack (each):
    >= 19.0.0, < 19.0.6 → 19.0.6
    >= 19.1.0, < 19.1.7 → 19.1.7
    >= 19.2.0, < 19.2.6 → 19.2.6

CVE-2026-44902 | high | CVSS 7.5 | 2026-05-11
Prometheus exporter process crash via malformed HTTP request
  @opentelemetry/exporter-prometheus: < 0.217.0 → 0.217.0
  @opentelemetry/sdk-node: < 0.217.0 → 0.217.0
  @opentelemetry/auto-instrumentations-node: < 0.75.0 → 0.75.0

CVE-2026-44895 | high | 2026-05-09
@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools
  @yoda.digital/gitlab-mcp-server: < 0.6.0 → 0.6.0
CVE-2026-44211 | critical | CVSS 9.6 | 2026-05-08
Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability
  cline: <= 2.13.0

GHSA-qhh4-458h-xwh2 | medium | 2026-05-08
@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry
  @cyclonedx/cdxgen: >= 9.9.5, < 12.3.3 → 12.3.3

CVE-2026-7768 | high | CVSS 7.5 | 2026-05-08
@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth
  @fastify/accepts-serializer: <= 6.0.3 → 6.0.4

GHSA-8g7g-hmwm-6rv2 | high | CVSS 8.3 | 2026-05-08
n8n-mcp affected by path traversal, redirect-following SSRF, and telemetry payload exposure
  n8n-mcp: < 2.50.1 → 2.50.1

CVE-2026-44589 | low | CVSS 3.7 | 2026-05-07
nuxt-og-image SSRF — bypass of GHSA-pqhr-mp3f-hrpp / v6.2.5 fix (IPv6 + redirect)
  nuxt-og-image: >= 6.2.5, < 6.4.9 → 6.4.9
CVE-2025-63706 | critical | CVSS 9.8 | 2026-05-07
next-npm-version is vulnerable to Command injection
  @jswork/next-npm-version: = 1.0.1

CVE-2025-63705 | high | CVSS 8.8 | 2026-05-07
node-ts-ocr is vulnerable to OS Command Injection via the invokeImageOcr function in src/index.js
  node-ts-ocr: = 1.0.15

CVE-2026-44007 | critical | CVSS 9.1 | 2026-05-07
vm2 NodeVM `nesting: true` bypasses `require: false` allowing sandbox escape and arbitrary OS command execution
  vm2: <= 3.11.0 → 3.11.1

CVE-2026-43998 | high | CVSS 8.5 | 2026-05-07
vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape
  vm2: = 3.10.5 → 3.11.0

CVE-2026-44003 | medium | CVSS 5.3 | 2026-05-07
vm2's Transformer Fast-Path Bypass Exposes Internal State Variable
  vm2: <= 3.10.5 → 3.11.0
CVE-2026-44002 | medium | CVSS 5.8 | 2026-05-07
vm2 is Vulnerable to Host File Path Disclosure via Stack Trace Information Leak
  vm2: <= 3.10.5 → 3.11.0

CVE-2026-44004 | high | CVSS 7.5 | 2026-05-07
vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
  vm2: <= 3.10.5 → 3.11.0

CVE-2026-44001 | high | CVSS 8.6 | 2026-05-07
vm2 has a Sandbox Escape via Promise Constructor Unhandled Rejection (Process Crash DoS)
  vm2: <= 3.10.5 → 3.11.0

CVE-2026-43999 | critical | CVSS 9.9 | 2026-05-07
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
  vm2: = 3.10.5 → 3.11.0

CVE-2026-44456 | medium | CVSS 6.5 | 2026-05-06
Hono: bodyLimit() can be bypassed for chunked / unknown-length requests
  hono: < 4.12.16 → 4.12.16
CVE-2026-44437 | medium | 2026-05-06
Angular SSR has Open Redirect and Request Steering via Encoded X-Forwarded-Prefix
  @angular/ssr: >= 22.0.0-next.0, < 22.0.0-next.7 → 22.0.0-next.7
  @angular/ssr: >= 21.0.0-next.0, < 21.2.9 → 21.2.9
  @angular/ssr: >= 20.0.0-next.0, < 20.3.25 → 20.3.25
  @angular/ssr: >= 19.0.0-next.0, < 19.2.25 → 19.2.25

CVE-2026-44351 | critical | CVSS 9.1 | 2026-05-06
fast-jwt: JWT auth bypass due to empty HMAC secret accepted by async key resolver
  fast-jwt: <= 6.2.3 → 6.2.4

CVE-2026-44240 | high | CVSS 7.5 | 2026-05-06
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
  basic-ftp: <= 5.3.0 → 5.3.1

CVE-2026-44232 | high | 2026-05-06
dssrf: every IPv6 category bypasses is_url_safe
  dssrf: < 1.3.0 → 1.3.0

GHSA-4c35-wcg5-mm9h | medium | CVSS 4.2 | 2026-05-06
next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys
  next-intl: <= 4.9.1 → 4.9.2
GHSA-r27j-894h-3w3p | low | CVSS 3.7 | 2026-05-06
mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`
  icu-minify: <= 4.9.1 → 4.9.2

GHSA-jxh8-jh77-xh6g | high | CVSS 8.1 | 2026-05-05
@evomap/evolver's validator sandbox allowlist permits `npm`/`npx`, yielding RCE from Hub-delivered validation tasks via lifecycle scripts
  @evomap/evolver: <= 1.70.0-beta.4 → 1.70.0-beta.5

GHSA-7xp7-m392-h92c | medium | CVSS 6.2 | 2026-05-05
@evomap/evolver has an unbounded request body in proxy /asset/submit that causes persistent disk-exhaustion DoS
  @evomap/evolver: <= 1.70.0-beta.4 → 1.70.0-beta.5

GHSA-cfcj-hqpf-hccf | high | CVSS 8.8 | 2026-05-05
@evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE)
  @evomap/evolver: <= 1.70.0-beta.4 → 1.70.0-beta.5

CVE-2026-42260 | high | CVSS 8.2 | 2026-05-05
open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`
  open-websearch: <= 2.1.6 → 2.1.7
CVE-2026-43929 | high | CVSS 8.2 | 2026-05-05
ssrfcheck Vulnerable to Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
  ssrfcheck: <= 1.3.0

CVE-2026-42047 | high | CVSS 8.6 | 2026-05-05
Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods
  inngest: >= 3.22.0, < 3.54.0 → 3.54.0

CVE-2026-42045 | medium | CVSS 6.2 | 2026-05-05
LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution
  @lobehub/lobehub: <= 2.1.26

CVE-2026-42856 | high | 2026-05-05
Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls
  network-ai: <= 5.1.2 → 5.1.3

CVE-2026-26956 | critical | CVSS 9.8 | 2026-05-05
VM2 Has a WASM Sandbox Escape
  vm2: <= 3.10.4 → 3.10.5
CVE-2026-26332 | critical | CVSS 9.8 | 2026-05-05
VM2 Has a Sandbox Escape Issue via SuppressedError
  vm2: <= 3.10.4 → 3.11.0

CVE-2026-24781 | critical | CVSS 9.8 | 2026-05-05
VM2 Has Sandbox Breakout Through Inspect Function
  vm2: <= 3.10.3 → 3.11.0

CVE-2026-42037 | medium | CVSS 5.3 | 2026-05-05
Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream
  axios: >= 1.0.0, < 1.15.1 → 1.15.1

CVE-2026-42039 | medium | CVSS 7.5 | 2026-05-05
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
  axios: >= 1.0.0, < 1.15.1 → 1.15.1
  axios: <= 0.31.0 → 0.31.1

CVE-2026-42034 | medium | CVSS 5.3 | 2026-05-05
Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0
  axios: >= 1.0.0, < 1.15.1 → 1.15.1
  axios: <= 0.31.0 → 0.31.1
CVE-2026-42036 | medium | CVSS 5.3 | 2026-05-05
Axios: HTTP adapter streamed responses bypass maxContentLength
  axios: >= 1.0.0, < 1.15.1 → 1.15.1
  axios: <= 0.31.0 → 0.31.1

CVE-2026-42033 | high | CVSS 7.4 | 2026-05-05
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
  axios: >= 1.0.0, < 1.15.1 → 1.15.1
  axios: <= 0.31.0 → 0.31.1

CVE-2026-42043 | high | CVSS 7.2 | 2026-05-05
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0
  axios: >= 1.0.0, < 1.15.1 → 1.15.1
  axios: <= 0.31.0 → 0.31.1

CVE-2026-42264 | high | CVSS 7.4 | 2026-05-05
Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking
  axios: >= 1.0.0, < 1.15.2 → 1.15.2

CVE-2026-42349 | high | CVSS 8.1 | 2026-04-30
Clerk has an authorization bypass when combining organization, billing, or reverification checks
  @clerk/shared: >= 3.0.0, <= 3.47.4 → 3.47.5
  @clerk/shared: >= 4.0.0, <= 4.8.2 → 4.8.3
  @clerk/backend: >= 2.0.0, <= 2.33.2 → 2.33.3
  @clerk/backend: >= 3.0.0, <= 3.2.13 → 3.2.14
  @clerk/nextjs: >= 6.0.0, <= 6.39.2 → 6.39.3
  @clerk/nextjs: >= 7.0.0, <= 7.2.3 → 7.2.4
  @clerk/clerk-js: >= 5.22.0, <= 5.125.9 → 5.125.10
  @clerk/clerk-js: >= 6.0.0, <= 6.7.4 → 6.7.5
  @clerk/clerk-react: >= 5.9.0, <= 5.61.5 → 5.61.6
  @clerk/react: >= 6.0.0, <= 6.4.2 → 6.4.3
  @clerk/vue: >= 1.0.0, <= 1.17.20 → 1.17.21
  @clerk/vue: >= 2.0.0, <= 2.0.15 → 2.0.16
  @clerk/astro: >= 2.0.0, <= 2.17.10 → 2.17.11
  @clerk/astro: >= 3.0.0, <= 3.0.17 → 3.0.18
  @clerk/nuxt: >= 1.0.0, <= 1.13.28 → 1.13.29
  @clerk/nuxt: >= 2.0.0, <= 2.2.4 → 2.2.5
  @clerk/clerk-expo: >= 2.2.11, <= 2.19.35 → 2.19.36
  @clerk/expo: >= 3.0.0, <= 3.2.1 → 3.2.2
  @clerk/react-router: >= 0.0.1, <= 2.4.12 → 2.4.13
  @clerk/react-router: >= 3.0.0, <= 3.1.3 → 3.1.4
  @clerk/tanstack-react-start: >= 0.0.1, <= 0.29.10 → 0.29.11
  @clerk/tanstack-react-start: >= 1.0.0, <= 1.1.3 → 1.1.4
  @clerk/chrome-extension: >= 1.3.5, <= 2.9.14 → 2.9.15
  @clerk/chrome-extension: >= 3.0.0, <= 3.1.14 → 3.1.15
  @clerk/fastify: >= 1.0.42, <= 2.6.30 → 2.6.31
  @clerk/fastify: >= 3.0.0, <= 3.1.15 → 3.1.16
  @clerk/express: >= 0.1.0, <= 1.7.78 → 1.7.79
  @clerk/express: >= 2.0.0, <= 2.1.5 → 2.1.6
  @clerk/hono: >= 0.0.2, <= 0.1.15 → 0.1.16
CVE-2026-41686medium
2026-04-29Claude SDK for TypeScript has Insecure Default File Permissions in Local Filesystem Memory Tool
@anthropic-ai/sdk
>= 0.79.0, < 0.91.1→0.91.1CVE-2026-42353highCVSS: 8.2
2026-04-29i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters
i18next-http-middleware
< 3.9.3→3.9.3CVE-2026-41680highCVSS: 7.5
2026-04-29Marked Vulnerable to OOM Denial of Service via Infinite Recursion in marked Tokenizer
marked
>= 18.0.0, <= 18.0.1→18.0.2CVE-2026-42232criticalCVSS: 9.9
2026-04-29n8n has XML Node Prototype Pollution that to RCE
n8n
>= 2.18.0, < 2.18.1→2.18.1n8n
>= 2.17.0, < 2.17.4→2.17.4n8n
< 1.123.32→1.123.32CVE-2026-42231criticalCVSS: 10
2026-04-29n8n has Prototype Pollution in XML Webhook Body Parser that Leads to RCE
n8n
< 1.123.32→1.123.32n8n
>= 2.18.0, < 2.18.1→2.18.1n8n
>= 2.17.0, < 2.17.4→2.17.4Advertisement
CVE-2026-42226highCVSS: 8.5
2026-04-29n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay
n8n
>= 2.17.0, < 2.17.5→2.17.5n8n
< 1.123.33→1.123.33CVE-2026-42234highCVSS: 7.5
2026-04-29n8n has a Python Task Runner Sandbox Escape Vulnerability
n8n
< 1.123.32→1.123.32n8n
>= 2.18.0, < 2.18.1→2.18.1n8n
>= 2.17.0, < 2.17.4→2.17.4CVE-2026-42228mediumCVSS: 5.4
2026-04-29n8n Vulnerable to Hijacking of Unauthenticated Chat Execution
n8n
< 1.123.32→1.123.32n8n
>= 2.18.0, < 2.18.1→2.18.1n8n
>= 2.0.0, < 2.17.4→2.17.4CVE-2026-42229mediumCVSS: 6.8
2026-04-29n8n has SQL Injection in SeaTable Node
n8n
< 1.123.32→1.123.32n8n
>= 2.18.0, < 2.18.1→2.18.1n8n
>= 2.0.0, < 2.17.4→2.17.4CVE-2026-42233mediumCVSS: 9.8
2026-04-29n8n has SQL Injection in Oracle Database Node via Limit Field
n8n
< 1.123.32→1.123.32n8n
>= 2.18.0, < 2.18.1→2.18.1n8n
>= 2.0.0, < 2.17.4→2.17.4Advertisement
CVE-2026-42237mediumCVSS: 8.2
2026-04-29n8n has SQL Injection in Snowflake and MySQL Nodes
n8n
< 1.123.32→1.123.32n8n
>= 2.18.0, < 2.18.1→2.18.1n8n
>= 2.0.0, < 2.17.4→2.17.4CVE-2026-41636high
2026-04-28Apache Thrift Node.js bindings vulnerable to Uncontrolled Recursion
thrift
< 0.23.0→0.23.0GHSA-39h7-pwv7-rc3xmedium
2026-04-24Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)
@excalidraw/excalidraw
= 0.18.0→0.18.1@excalidraw/mermaid-to-excalidraw
>= 0.3.0, < 1.1.3→1.1.3CVE-2026-41311highCVSS: 7.5
2026-04-24liquidjs has a Denial of Service via circular block reference in layout
liquidjs
< 10.25.7→10.25.7CVE-2026-41305mediumCVSS: 6.1
2026-04-24PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
postcss
< 8.5.10→8.5.10Advertisement
GHSA-7vq9-42cc-33j4highCVSS: 8.8
2026-04-24Duplicate Advisory: OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md
openclaw
< 2026.3.31→2026.3.31CVE-2026-41321lowCVSS: 2.2
2026-04-23Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4)
@astrojs/cloudflare
< 13.1.10→13.1.10CVE-2026-41322mediumCVSS: 5.3
2026-04-23Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed
@astrojs/node
< 10.0.5→10.0.5CVE-2026-42075highCVSS: 8.1
2026-04-22Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write
@evomap/evolver
< 1.69.3→1.69.3CVE-2026-42076criticalCVSS: 9.8
2026-04-22Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution
@evomap/evolver
< 1.69.3→1.69.3Advertisement
CVE-2026-42077mediumCVSS: 5.2
2026-04-22Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations
@evomap/evolver
< 1.69.3→1.69.3CVE-2026-41907mediumCVSS: 7.5
2026-04-22uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided
uuid
>= 12.0.0, < 12.0.1→12.0.1uuid
>= 13.0.0, < 13.0.1→13.0.1uuid
< 11.1.1→11.1.1GHSA-p3h2-2j4p-p83ghigh
2026-04-22MCPHub has Path Traversal via Malicious MCPB Manifest Name
@samanhappy/mcphub
< 0.12.13→0.12.13CVE-2026-41886highCVSS: 7.5
2026-04-22locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor
locize
< 4.0.21→4.0.21CVE-2026-41683highCVSS: 8.6
2026-04-22i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header
i18next-http-middleware
< 3.9.3→3.9.3Advertisement
CVE-2026-41673high
2026-04-22xmldom: Uncontrolled recursion in XML serialization leads to DoS
@xmldom/xmldom
< 0.8.13→0.8.13@xmldom/xmldom
>= 0.9.0, < 0.9.10→0.9.10xmldom
<= 0.6.0CVE-2026-41674high
2026-04-22xmldom has XML injection through unvalidated DocumentType serialization
@xmldom/xmldom
< 0.8.13→0.8.13@xmldom/xmldom
>= 0.9.0, < 0.9.10→0.9.10xmldom
<= 0.6.0CVE-2026-41675high
2026-04-22xmldom has XML node injection through unvalidated processing instruction serialization
@xmldom/xmldom
< 0.8.13→0.8.13@xmldom/xmldom
>= 0.9.0, < 0.9.10→0.9.10xmldom
<= 0.6.0CVE-2026-41672high
2026-04-22xmldom has XML node injection through unvalidated comment serialization
@xmldom/xmldom
< 0.8.13→0.8.13@xmldom/xmldom
>= 0.9.0, < 0.9.10→0.9.10xmldom
<= 0.6.0CVE-2026-41640highCVSS: 7.5
2026-04-22@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading
@nocobase/database
< 2.0.39→2.0.39Advertisement
CVE-2026-41641highCVSS: 7.2
2026-04-22@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call
@nocobase/plugin-collection-sql
< 2.0.39→2.0.39CVE-2026-41650mediumCVSS: 6.1
2026-04-22fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
fast-xml-parser
< 5.7.0→5.7.0CVE-2026-41691mediumCVSS: 6.5
2026-04-22i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
i18next-http-backend
< 3.0.5→3.0.5CVE-2026-41690highCVSS: 8.6
2026-04-22i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters
i18next-http-middleware
< 3.9.3→3.9.3CVE-2026-41240medium
2026-04-22DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
dompurify
< 3.4.0→3.4.0Advertisement
CVE-2026-41239mediumCVSS: 6.8
2026-04-22DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode
dompurify
>= 1.0.10, < 3.4.0→3.4.0CVE-2026-41067mediumCVSS: 6.1
2026-04-21Astro: XSS in define:vars via incomplete </script> tag sanitization
astro
< 6.1.6→6.1.6CVE-2026-41264criticalCVSS: 9.8
2026-04-21Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
flowise
<= 3.0.13→3.1.0flowise-components
<= 3.0.13→3.1.0CVE-2026-39320highCVSS: 7.5
2026-04-21Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths
signalk-server
< 2.25.0→2.25.0CVE-2026-40155mediumCVSS: 5.4
2026-04-21Auth0 Next.js SDK has Improper Proxy Cache Lookup
@auth0/nextjs-auth0
>= 4.12.0, <= 4.17.0→4.18.0Advertisement
CVE-2026-41265criticalCVSS: 9.8
2026-04-18Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
flowise
<= 3.0.13→3.1.0flowise-components
<= 3.0.13→3.1.0CVE-2026-41507criticalCVSS: 9.8
2026-04-17Remote Code Execution (RCE) via String Literal Injection into math-codegen
math-codegen
< 0.4.3→0.4.3CVE-2026-42434highCVSS: 8.8
2026-04-17OpenClaw: Sandboxed agents could escape exec routing via host=node override
openclaw
>= 2026.4.5, < 2026.4.10→2026.4.10CVE-2026-43567medium
2026-04-17OpenClaw: screen_record outPath bypassed workspace-only filesystem guard
openclaw
< 2026.4.10→2026.4.10CVE-2026-41278highCVSS: 7.5
2026-04-17Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs
flowise
<= 3.0.13→3.1.0Advertisement
CVE-2026-40931highCVSS: 8.4
2026-04-17Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing
compressing
>= 2.0.0, <= 2.1.0→2.1.1compressing
<= 1.10.4→1.10.5GHSA-fpw4-p57j-hqmqmediumCVSS: 5.4
2026-04-16Paperclip: Stored XSS via javascript: URLs in MarkdownBody — urlTransform override disables react-markdown sanitization
@paperclipai/ui
< 2026.416.0→2026.416.0GHSA-vr7g-88fq-vhq3criticalCVSS: 9.8
2026-04-16Paperclip: OS Command Injection via Execution Workspace cleanupCommand
@paperclipai/server
< 2026.416.0→2026.416.0GHSA-xfqj-r5qw-8g4jhighCVSS: 8.3
2026-04-16Paperclip: Unauthenticated Access to Multiple API Endpoints in Authenticated Mode
@paperclipai/server
< 2026.416.0→2026.416.0CVE-2026-41428criticalCVSS: 9.1
2026-04-16Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints
@budibase/backend-core
<= 3.35.3Advertisement
CVE-2026-41423high
2026-04-16Angular: SSRF via protocol-relative and backslash URLs in Angular Platform-Server
@angular/platform-server
>= 22.0.0-next.0, < 22.0.0-next.8→22.0.0-next.8@angular/platform-server
>= 21.0.0-next.0, < 21.2.9→21.2.9@angular/platform-server
>= 20.0.0-next.0, < 20.3.19→20.3.19@angular/platform-server
>= 19.0.0-next.0, < 19.2.21→19.2.21@angular/platform-server
<= 18.2.14CVE-2026-6410mediumCVSS: 5.3
2026-04-16@fastify/static vulnerable to path traversal in directory listing
@fastify/static
>= 8.0.0, <= 9.1.0→9.1.1CVE-2026-41274high
2026-04-16Flowise: Cypher Injection in GraphCypherQAChain
flowise
<= 3.0.13→3.1.0flowise-components
<= 3.0.13→3.1.0CVE-2026-41273highCVSS: 8.2
2026-04-16Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise
flowise
<= 3.0.13→3.1.0CVE-2026-41272highCVSS: 7.1
2026-04-16Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)
flowise
<= 3.0.13→3.1.0flowise-components
<= 3.0.13→3.1.0Advertisement
CVE-2026-41270highCVSS: 7.1
2026-04-16Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox
flowise
<= 3.0.13→3.1.0flowise-components
<= 3.0.13→3.1.0CVE-2026-41269highCVSS: 7.1
2026-04-16Flowise: File Upload Validation Bypass in createAttachment
flowise
<= 3.0.13→3.1.0CVE-2026-41268highCVSS: 7.7
2026-04-16Flowise: Parameter Override Bypass Remote Command Execution
flowise
<= 3.0.13→3.1.0flowise-components
<= 3.0.13→3.1.0CVE-2026-41266highCVSS: 7.5
2026-04-16Flowise: Sensitive Data Leak in public-chatbotConfig
flowise
<= 3.0.13→3.1.0CVE-2026-41137criticalCVSS: 8.8
2026-04-16Flowise: Code Injection in CSVAgent leads to Authenticated RCE
flowise
<= 3.0.13→3.1.0flowise-components
<= 3.0.13→3.1.0Advertisement
CVE-2026-41138highCVSS: 8.3
2026-04-16Flowise: Remote code execution vulnerability in AirtableAgent.ts caused by lack of input verification when using `Pandas`.
flowise
<= 3.0.13→3.1.0flowise-components
<= 3.0.13→3.1.0CVE-2026-41248criticalCVSS: 9.1
2026-04-16Official Clerk JavaScript SDKs: Middleware-based route protection bypass
@clerk/nextjs
>= 5.0.0, < 5.7.6→5.7.6@clerk/nuxt
>= 1.1.0, < 1.13.28→1.13.28@clerk/astro
>= 0.0.1, < 1.5.7→1.5.7@clerk/shared
>= 2.20.17, < 2.22.1→2.22.1@clerk/nextjs
>= 6.0.0-snapshot.vb87a27f, < 6.39.2→6.39.2@clerk/nextjs
>= 7.0.0, < 7.2.1→7.2.1@clerk/nuxt
>= 2.0.0, < 2.2.2→2.2.2@clerk/astro
>= 2.0.0-snapshot.v20241206174604, <= 2.17.9→2.17.10@clerk/astro
>= 3.0.0, < 3.0.15→3.0.15@clerk/shared
>= 3.0.0-canary.v20250225091530, < 3.47.4→3.47.4@clerk/shared
>= 4.0.0, < 4.8.1→4.8.1GHSA-9hrv-gvrv-6gf2medium
2026-04-16Flowise Execute Flow function has an SSRF vulnerability
flowise
<= 3.0.13→3.1.0flowise-components
<= 3.0.13→3.1.0CVE-2026-43995medium
2026-04-16Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure)
flowise
<= 3.0.13→3.1.0flowise-components
<= 3.0.13→3.1.0CVE-2026-41180highCVSS: 7.5
2026-04-16PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart
psitransfer
< 2.4.3→2.4.3Advertisement
CVE-2026-41244mediumCVSS: 4.7
2026-04-16Mojic: Observable Timing Discrepancy in HMAC Verification
mojic
<= 2.1.3→2.1.4CVE-2026-41213mediumCVSS: 5.9
2026-04-16@node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes
@node-oauth/oauth2-server
<= 5.2.1→5.3.0CVE-2026-33889mediumCVSS: 5.4
2026-04-16ApostropheCMS: Stored XSS via CSS Custom Property Injection in @apostrophecms/color-field Escaping Style Tag Context
apostrophe
< 4.29.0→4.29.0CVE-2026-33808criticalCVSS: 9.1
2026-04-16@fastify/express has a middleware authentication bypass via URL normalization gaps (duplicate slashes and semicolons)
@fastify/express
<= 4.0.4→4.0.5CVE-2026-33807criticalCVSS: 9.1
2026-04-16@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
@fastify/express
<= 4.0.4→4.0.5Advertisement
CVE-2026-41211highCVSS: 10
2026-04-16Path traversal in vite-plus/binding downloadPackageManager() writes outside VP_HOME
vite-plus
<= 0.1.16→0.1.17CVE-2026-40346mediumCVSS: 6.5
2026-04-15NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins
@nocobase/plugin-workflow-request
< 2.0.37→2.0.37GHSA-26wg-9xf2-q495highCVSS: 8.1
2026-04-14Novu has a XSS sanitization bypass
novu/api
< 3.15.0→3.15.0GHSA-r4q5-vmmm-2653medium
2026-04-14follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets
follow-redirects
<= 1.15.11→1.16.0CVE-2026-28291highCVSS: 8.1
2026-04-13simple-git Affected by Command Execution via Option-Parsing Bypass
simple-git
< 3.32.0→3.32.0Advertisement
GHSA-x7mm-9vvv-64w8low
2026-04-10unhead: Streaming SSR `streamKey` injected into inline script without identifier validation
unhead
>= 3.0.0-beta.5, <= 3.0.0→3.0.1CVE-2026-41679criticalCVSS: 10
2026-04-10paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
paperclipai
< 2026.410.0→2026.410.0@paperclipai/server
< 2026.410.0→2026.410.0CVE-2026-40299medium
2026-04-10next-intl has an open redirect vulnerability
next-intl
< 4.9.1→4.9.1CVE-2026-40190mediumCVSS: 5.6
2026-04-10LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`
langsmith
<= 0.5.17→0.5.18CVE-2026-40163highCVSS: 8.2
2026-04-10Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read
@saltcorn/server
< 1.4.5→1.4.5@saltcorn/server
>= 1.5.0-beta.0, < 1.5.5→1.5.5@saltcorn/server
>= 1.6.0-alpha.0, < 1.6.0-beta.4→1.6.0-beta.4Advertisement
CVE-2026-40073high
2026-04-10@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass
@sveltejs/kit
<= 2.57.0→2.57.1GHSA-v457-wxvj-p9w9highCVSS: 7.5
2026-04-10@vitejs/plugin-rsc has a Denial of Service with React Server Components
@vitejs/plugin-rsc
<= 0.5.22→0.5.23GHSA-q4gf-8mx6-v5v3highCVSS: 7.5
2026-04-10Next.js has a Denial of Service with Server Components
next
>= 13.0.0, < 15.5.15→15.5.15next
>= 16.0.0-beta.0, < 16.2.3→16.2.3CVE-2026-23869highCVSS: 7.5
2026-04-10React Server Components have a Denial of Service Vulnerability
react-server-dom-parcel
>= 19.0.0, < 19.0.5→19.0.5react-server-dom-parcel
>= 19.1.0, < 19.1.6→19.1.6react-server-dom-parcel
>= 19.2.0, < 19.2.5→19.2.5react-server-dom-turbopack
>= 19.0.0, < 19.0.5→19.0.5react-server-dom-turbopack
>= 19.1.0, < 19.1.6→19.1.6react-server-dom-turbopack
>= 19.2.0, < 19.2.5→19.2.5react-server-dom-webpack
>= 19.0.0, < 19.0.5→19.0.5react-server-dom-webpack
>= 19.1.0, < 19.1.6→19.1.6react-server-dom-webpack
>= 19.2.0, < 19.2.5→19.2.5GHSA-r3v5-2grc-429hhighCVSS: 8.8
2026-04-10Duplicate Advisory: OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve
openclaw
< 2026.3.22→2026.3.22Advertisement
CVE-2026-39315mediumCVSS: 6.1
2026-04-09Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()
unhead
< 2.1.13→2.1.13CVE-2026-42426mediumCVSS: 8.8
2026-04-09OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
openclaw
< 2026.4.8→2026.4.8CVE-2026-42432highCVSS: 7.8
2026-04-09OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement
openclaw
< 2026.4.8→2026.4.8CVE-2026-42431mediumCVSS: 8.1
2026-04-09OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
openclaw
< 2026.4.8→2026.4.8CVE-2026-42423mediumCVSS: 7.5
2026-04-09OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts
openclaw
< 2026.4.8→2026.4.8Advertisement
CVE-2026-35041mediumCVSS: 4.2
2026-04-09fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
fast-jwt
>= 5.0.0, <= 6.2.0→6.2.1CVE-2026-35040mediumCVSS: 5.3
2026-04-09fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
fast-jwt
< 6.2.1→6.2.1GHSA-5478-66c3-rhxrhigh
2026-04-08Pretext: Algorithmic Complexity (DoS) in the text analysis phase
@chenglou/pretext
<= 0.0.4→0.0.5CVE-2026-39983highCVSS: 8.6
2026-04-08basic-ftp has FTP Command Injection via CRLF
basic-ftp
= 5.2.0→5.2.1CVE-2026-39865mediumCVSS: 5.9
2026-04-08Axios HTTP/2 Session Cleanup State Corruption Vulnerability
axios
>= 1.13.0, < 1.13.2→1.13.2Advertisement
CVE-2026-39859medium
2026-04-08LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read
liquidjs
<= 10.25.4→10.25.5CVE-2026-34166lowCVSS: 3.7
2026-04-08LiquidJS Has Memory Limit Bypass via Quadratic Amplification in `replace` Filter
liquidjs
<= 10.25.2→10.25.3CVE-2026-39409mediumCVSS: 5.3
2026-04-08Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
hono
< 4.12.12→4.12.12GHSA-26pp-8wgv-hjvmmediumCVSS: 5.3
2026-04-08Hono missing validation of cookie name on write path in setCookie()
hono
< 4.12.12→4.12.12CVE-2026-39406mediumCVSS: 5.3
2026-04-08@hono/node-server: Middleware bypass via repeated slashes in serveStatic
@hono/node-server
< 1.19.13→1.19.13Advertisement
CVE-2026-39397criticalCVSS: 9.4
2026-04-08@delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections
@delmaredigital/payload-puck
< 0.6.23→0.6.23GHSA-w6wx-jq6j-6mcjmedium
2026-04-07OpenClaw: pnpm dlx approvals did not bind local script operands
openclaw
<= 2026.4.1→2026.4.2CVE-2026-41398medium
2026-04-07OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
openclaw
<= 2026.4.1→2026.4.2CVE-2026-34148highCVSS: 7.5
2026-04-07Fedify affected by resource exhaustion caused by unbounded redirect following during remote key/document resolution
@fedify/fedify
< 1.9.6→1.9.6@fedify/vocab-runtime
< 2.0.8→2.0.8@fedify/vocab-runtime
= 2.1.0→2.1.1@fedify/fedify
>= 1.10.0, < 1.10.5→1.10.5@fedify/fedify
>= 2.0.0, < 2.0.8→2.0.8@fedify/fedify
= 2.1.0→2.1.1CVE-2026-35214highCVSS: 8.7
2026-04-04Budibase: Path traversal in plugin file upload enables arbitrary directory deletion and file write
@budibase/server
< 3.33.4→3.33.4Advertisement
CVE-2026-35213highCVSS: 7.5
2026-04-04@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing
@hapi/content
<= 6.0.0→6.0.1CVE-2026-34217medium
2026-04-03SandboxJS: Sandbox Escape via Prop Object Leak in New Handler
@nyariv/sandboxjs
<= 0.8.35→0.8.36CVE-2026-34211medium
2026-04-03SandboxJS: Stack overflow DoS via deeply nested expressions in recursive descent parser
@nyariv/sandboxjs
<= 0.8.35→0.8.36CVE-2026-34208criticalCVSS: 10
2026-04-03SandboxJS: Sandbox integrity escape
@nyariv/sandboxjs
< 0.8.36→0.8.36CVE-2026-35039criticalCVSS: 9.1
2026-04-03fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)
fast-jwt
>= 0.0.1, < 6.2.0→6.2.0Advertisement
CVE-2026-35038low
2026-04-03Signal K Server: Arbitrary Prototype Read via `from` Field Bypass
signalk-server
< 2.24.0→2.24.0GHSA-h5hg-h7rr-gpf3high
2026-04-03OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection
openclaw
<= 2026.3.13-1→2026.3.22CVE-2026-41378highCVSS: 8.8
2026-04-03OpenClaw: Paired node escalates to gateway RCE via unrestricted node.event agent dispatch
openclaw
<= 2026.3.28→2026.3.31CVE-2026-41352highCVSS: 8.8
2026-04-03OpenClaw: Device-Paired Node Skips Node Scope Gate → Host RCE.md
openclaw
<= 2026.3.28→2026.3.31CVE-2026-34780highCVSS: 8.3
2026-04-03Electron: Context Isolation bypass via contextBridge VideoFrame transfer
electron
>= 39.0.0-alpha.1, < 39.8.0→39.8.0electron
>= 40.0.0-alpha.1, < 40.7.0→40.7.0electron
>= 41.0.0-alpha.1, < 41.0.0-beta.8→41.0.0-beta.8Advertisement
CVE-2026-34775mediumCVSS: 6.8
2026-04-03Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
electron
< 38.8.6→38.8.6electron
>= 39.0.0-alpha.1, < 39.8.4→39.8.4electron
>= 40.0.0-alpha.1, < 40.8.4→40.8.4electron
>= 41.0.0-alpha.1, < 41.0.0→41.0.0CVE-2026-34950criticalCVSS: 9.1
2026-04-02fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key
fast-jwt
<= 6.1.0→6.2.0CVE-2026-34825highCVSS: 6.5
2026-04-01NocoBase Has SQL Injection via template variable substitution in workflow SQL node
@nocobase/plugin-workflow-sql
<= 2.0.29→2.0.30CVE-2026-34725highCVSS: 8.2
2026-04-01dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration
dbgate-web
>= 7.0.0, < 7.1.5→7.1.5GHSA-x3ff-w252-2g7jmediumCVSS: 5.3
2026-04-01StableLib Ed25519 Signature Malleability via Missing S < L Check
@stablelib/ed25519
<= 2.0.2Advertisement
CVE-2026-34748highCVSS: 8.7
2026-04-01@payloadcms/next has Stored XSS in Admin Panel
@payloadcms/next
< 3.78.0→3.78.0CVE-2026-2265mediumCVSS: 6.5
2026-04-01Replicator deserializes untrusted user input
replicator
<= 1.0.5CVE-2026-34603highCVSS: 7.1
2026-04-01@tinacms/graphql's Media Endpoints Can Escape the Media Root via Symlinks or Junctions
@tinacms/graphql
<= 2.2.1→2.2.2CVE-2026-34601highCVSS: 7.5
2026-04-01xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
xmldom
<= 0.6.0@xmldom/xmldom
< 0.8.12→0.8.12@xmldom/xmldom
>= 0.9.0, < 0.9.9→0.9.9CVE-2026-33577mediumCVSS: 9.8
2026-04-01OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
openclaw
<= 2026.3.24→2026.3.28Advertisement
CVE-2026-41387highCVSS: 9.6
2026-03-31OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides
openclaw
< 2026.3.22→2026.3.22CVE-2026-34573high
2026-03-31parse-server has GraphQL complexity validator exponential fragment traversal DoS
parse-server
>= 9.0.0, < 9.7.0-alpha.12→9.7.0-alpha.12parse-server
< 8.6.68→8.6.68CVE-2026-34532critical
2026-03-31parse-server has cloud function validator bypass via prototype chain traversal
parse-server
>= 9.0.0, < 9.7.0-alpha.11→9.7.0-alpha.11parse-server
< 8.6.67→8.6.67GHSA-w8rf-7qf8-65wwhighCVSS: 7.1
2026-03-31Duplicate Advisory: OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv
openclaw
< 2026.3.11→2026.3.11CVE-2026-35653highCVSS: 8.1
2026-03-30OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface
openclaw
< 2026.3.24→2026.3.24Advertisement
CVE-2026-35665mediumCVSS: 5.3
2026-03-30OpenClaw has incomplete Fix for CVE-2026-32011: Feishu Webhook Pre-Auth Body Parsing DoS (Slow-Body / Slowloris Variant)
openclaw
< 2026.3.24→2026.3.24CVE-2026-34156criticalCVSS: 9.9
2026-03-30NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node
@nocobase/plugin-workflow-javascript
<= 2.0.27→2.0.28GHSA-wmgj-hrx3-23gjhighCVSS: 7.3
2026-03-29Duplicate Advisory: OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity
openclaw
< 2026.3.11→2026.3.11CVE-2026-34226highCVSS: 7.5
2026-03-29Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies
happy-dom
< 20.8.9→20.8.9CVE-2026-35628mediumCVSS: 4.8
2026-03-27OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret
openclaw
<= 2026.3.24Advertisement
GHSA-fqw4-mph7-2vr8critical
2026-03-27OpenClaw: Silent privilege escalation via gateway shared-auth reconnect
openclaw
<= 2026.3.24GHSA-h8r8-wccr-v5f2medium
2026-03-27DOMPurify is vulnerable to mutation-XSS via Re-Contextualization
dompurify
< 3.3.2→3.3.2CVE-2026-33989highCVSS: 8.1
2026-03-27@mobilenext/mobile-mcp alllows arbitrary file write via Path Traversal in mobile screen capture tools
@mobilenext/mobile-mcp
< 0.0.49→0.0.49CVE-2026-33941highCVSS: 8.2
2026-03-27Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
handlebars
>= 4.0.0, <= 4.7.8→4.7.9CVE-2026-33939highCVSS: 7.5
2026-03-27Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
handlebars
>= 4.0.0, <= 4.7.8→4.7.9Advertisement
CVE-2026-33937criticalCVSS: 9.8
2026-03-27Handlebars.js has JavaScript Injection via AST Type Confusion
handlebars
>= 4.0.0, <= 4.7.8→4.7.9GHSA-3c7f-5hgj-h279mediumCVSS: 5.4
2026-03-27n8n has XSS in Chat Trigger Node through Custom CSS
n8n
< 1.123.27→1.123.27n8n
= 2.14.0→2.14.1n8n
>= 2.0.0-rc.0, < 2.13.3→2.13.3GHSA-w673-8fjw-457cmediumCVSS: 4.1
2026-03-27n8n: Authenticated XSS and Open Redirect via Form Node
n8n
>= 2.11.0, < 2.12.0→2.12.0n8n
>= 2.0.0-rc.0, < 2.10.4→2.10.4n8n
< 1.123.24→1.123.24GHSA-q4fm-pjq6-m63gmediumCVSS: 5.4
2026-03-27n8n has a Stored XSS Vulnerability in its Form Trigger
n8n
>= 2.0.0-rc.0, < 2.11.2→2.11.2n8n
< 1.123.25→1.123.25CVE-2026-33994medium
2026-03-27Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
locutus
>= 2.0.39, < 3.0.25→3.0.25Advertisement
GHSA-vj2p-7pgw-g2wfhighCVSS: 7.5
2026-03-27Postiz App has a High-Severity SSRF Vulnerability via Next.js
postiz
<= 2.0.12GHSA-c7w3-x93f-qmm8low
2026-03-26Nodemailer has SMTP command injection due to unsanitized `envelope.size` parameter
nodemailer
< 8.0.4→8.0.4CVE-2026-33943highCVSS: 8.8
2026-03-26Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
happy-dom
>= 15.10.0, <= 20.8.7→20.8.8CVE-2026-33896highCVSS: 7.4
2026-03-26Forge has a basicConstraints bypass in its certificate chain verification (RFC 5280 violation)
node-forge
<= 1.3.3→1.4.0CVE-2026-33895highCVSS: 7.5
2026-03-26Forge has signature forgery in Ed25519 due to missing S > L check
node-forge
< 1.4.0→1.4.0Advertisement
CVE-2026-33894highCVSS: 7.5
2026-03-26Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
node-forge
< 1.4.0→1.4.0CVE-2026-33891highCVSS: 7.5
2026-03-26Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
node-forge
< 1.4.0→1.4.0GHSA-9q82-xgwf-vj6hmedium
2026-03-26Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention
@apollo/server
< 5.5.0→5.5.0apollo-server-core
<= 3.13.0CVE-2026-35648lowCVSS: 3.7
2026-03-26OpenClaw may have stale policy enforcement for queued node actions
openclaw
< 2026.3.22→2026.3.22CVE-2026-35650highCVSS: 7.5
2026-03-26OpenClaw has Inconsistent Host Exec Environment Override Sanitization
openclaw
< 2026.3.22→2026.3.22Advertisement
CVE-2026-35643highCVSS: 8.8
2026-03-26OpenClaw: Arbitrary code execution via unvalidated WebView JavascriptInterface
openclaw
< 2026.3.22→2026.3.22CVE-2026-35634medium
2026-03-26OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication
openclaw
< 2026.3.23→2026.3.23CVE-2026-33864critical
2026-03-26Convict has Prototype Pollution via startsWith() function
convict
<= 6.2.4→6.2.5CVE-2026-33863critical
2026-03-26Convict has prototype pollution via load(), loadFile(), and schema initialization
convict
<= 6.2.4→6.2.5CVE-2026-33769lowCVSS: 5.3
2026-03-26Astro: Remote allowlist bypass via unanchored matchPathname wildcard
astro
>= 2.10.10, < 5.18.1→5.18.1Advertisement
CVE-2026-33768mediumCVSS: 6.5
2026-03-26Astro: Unauthenticated Path Override via `x-astro-path` / `x_astro_path`
@astrojs/vercel
< 10.0.2→10.0.2CVE-2026-33751mediumCVSS: 4.8
2026-03-26n8n Vulnerable to LDAP Filter Injection in LDAP Node
n8n
< 1.123.27→1.123.27n8n
= 2.14.0→2.14.1n8n
>= 2.0.0-rc.0, < 2.13.3→2.13.3CVE-2026-33732mediumCVSS: 4.8
2026-03-26srvx is vulnerable to middleware bypass via absolute URI in request line
srvx
< 0.11.13→0.11.13CVE-2026-33713highCVSS: 9.9
2026-03-26n8n has SQL Injection in Data Table Node via orderByColumn Expression
n8n
< 1.123.26→1.123.26n8n
= 2.14.0→2.14.1n8n
>= 2.0.0-rc.0, < 2.13.3→2.13.3CVE-2026-33696criticalCVSS: 9.9
2026-03-26n8n: Prototype Pollution in XML and GSuiteAdmin node parameters lead to RCE
n8n
= 2.14.0→2.14.1n8n
>= 2.0.0-rc.0, < 2.13.3→2.13.3n8n
< 1.123.27→1.123.27Advertisement
CVE-2026-33671highCVSS: 7.5
2026-03-25Picomatch has a ReDoS vulnerability via extglob quantifiers
picomatch
>= 4.0.0, < 4.0.4→4.0.4picomatch
>= 3.0.0, < 3.0.2→3.0.2picomatch
< 2.3.2→2.3.2CVE-2026-33660criticalCVSS: 9.9
2026-03-25n8n has Multiple Remote Code Execution Vulnerabilities in Merge Node AlaSQL SQL Mode
n8n
= 2.14.0→2.14.1n8n
>= 2.0.0-rc.0, < 2.13.3→2.13.3n8n
< 1.123.27→1.123.27CVE-2026-33532mediumCVSS: 4.3
2026-03-25yaml is vulnerable to Stack Overflow via deeply nested YAML collections
yaml
>= 2.0.0, < 2.8.3→2.8.3yaml
>= 1.0.0, < 1.10.3→1.10.3CVE-2026-26832criticalCVSS: 9.8
2026-03-25node-tesseract-ocr is vulnerable to OS Command Injection through unsanitized recognize() function parameter
node-tesseract-ocr
<= 2.2.1
CVE-2026-33287 | high | CVSS: 7.5 | 2026-03-25
  LiquidJS has Exponential Memory Amplification through its replace_first Filter $& Pattern
  liquidjs <= 10.24.0
CVE-2026-33285 | high | CVSS: 7.5 | 2026-03-25
  LiquidJS: memoryLimit Bypass through Negative Range Values Leads to Process Crash
  liquidjs <= 10.24.0
GHSA-3mjm-x6gw-2x42 | medium | 2026-03-25
  @grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers
  @grackle-ai/server <= 0.70.3 → 0.70.4
CVE-2026-27496 | high | CVSS: 6.5 | 2026-03-25
  n8n has In-Process Memory Disclosure in its Task Runner
  n8n < 1.123.22 → 1.123.22
  n8n >= 2.10.0, < 2.10.1 → 2.10.1
  n8n >= 2.0.0-rc.0, < 2.9.3 → 2.9.3
CVE-2026-29772 | medium | CVSS: 5.9 | 2026-03-24
  Astro: Memory exhaustion DoS due to missing request body size limit in Server Islands
  @astrojs/node < 10.0.0 → 10.0.0
GHSA-g3qj-j598-cxmq | high | CVSS: 7.5 | 2026-03-24
  fido2-lib is vulnerable to DoS via cbor-extract heap buffer over-read in CBOR attestation parsing
  fido2-lib <= 3.5.7 → 3.5.8
GHSA-fp4x-ggrf-wmc6 | medium | CVSS: 5.4 | 2026-03-23
  H3 has an Open Redirect via Protocol-Relative Path in redirectBack() Referer Validation
  h3 = 2.0.1-rc.17 → 2.0.1-rc.18
GHSA-q5pr-72pq-83v3 | medium | CVSS: 5.3 | 2026-03-23
  H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service
  h3 >= 2.0.0-beta.4, < 2.0.1-rc.18 → 2.0.1-rc.18
GHSA-cjq8-m7wj-xmq9 | low | CVSS: 2.6 | 2026-03-21
  Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
  openclaw < 2026.2.26
GHSA-xh9j-mpc9-2m9p | medium | CVSS: 5.9 | 2026-03-21
  Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
  openclaw <= 2026.2.24
GHSA-3p2x-hjxj-c7rv | medium | CVSS: 6.5 | 2026-03-21
  Duplicate Advisory: OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host
  openclaw <= 2026.2.24
CVE-2026-33490 | low | CVSS: 3.7 | 2026-03-20
  h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
  h3 >= 2.0.1-alpha.0, <= 2.0.1-rc.16 → 2.0.1-rc.17
CVE-2026-33468 | high | CVSS: 8.1 | 2026-03-20
  Kysely has a MySQL SQL Injection via Insufficient Backslash Escaping in `sql.lit(string)` usage or similar methods that append string literal values into the compiled SQL strings
  kysely <= 0.28.13 → 0.28.14
CVE-2026-33442 | high | CVSS: 8.1 | 2026-03-20
  Kysely has a MySQL SQL Injection via Backslash Escape Bypass in non-type-safe usage of JSON path keys.
  kysely >= 0.28.12, <= 0.28.13 → 0.28.14
GHSA-pgx6-7jcq-2qff | medium | CVSS: 6.8 | 2026-03-20
  PDFME has SSRF via Unvalidated URL Fetch in `getB64BasePdf` When `basePdf` Is Attacker-Controlled
  @pdfme/common <= 5.5.9 → 5.5.10
GHSA-vrqm-gvq7-rrwh | medium | CVSS: 6.5 | 2026-03-20
  PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS
  @pdfme/pdf-lib <= 5.5.9 → 5.5.10
CVE-2026-33418 | high | CVSS: 7.5 | 2026-03-20
  SVG Dimension Capping Bypass via XML Comment Injection in @dicebear/converter ensureSize()
  @dicebear/converter <= 9.4.1 → 9.4.2
CVE-2026-32887 | high | CVSS: 7.4 | 2026-03-20
  Effect `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC
  effect < 3.20.0 → 3.20.0
CVE-2026-33397 | medium | CVSS: 6.1 | 2026-03-19
  Protocol-Relative URL Injection via Single Backslash Bypass in Angular SSR
  @angular/ssr >= 22.0.0-next.0, < 22.0.0-next.2 → 22.0.0-next.2
  @angular/ssr >= 21.0.0-next.0, < 21.2.3 → 21.2.3
  @angular/ssr >= 20.0.0-next.0, < 20.3.21 → 20.3.21
GHSA-wvr4-3wq4-gpc5 | critical | CVSS: 9.8 | 2026-03-19
  MCP Connect has unauthenticated remote OS command execution via /bridge endpoint
  mcp-bridge <= 2.0.0
GHSA-g87j-gm7p-6vw2 | medium | CVSS: 6.7 | 2026-03-19
  Duplicate Advisory: OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
  openclaw = 2026.3.1
GHSA-5326-6f73-m96w | medium | CVSS: 4.8 | 2026-03-19
  Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
  openclaw < 2026.2.22
GHSA-pfv5-rpcw-x34x | high | CVSS: 6.4 | 2026-03-19
  Duplicate Advisory: OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
  openclaw < 2026.2.22
CVE-2026-33226 | high | CVSS: 8.7 | 2026-03-18
  Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview
  budibase <= 3.30.6
CVE-2026-32731 | critical | CVSS: 9.9 | 2026-03-18
  ApostropheCMS has Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction
  @apostrophecms/import-export <= 3.5.2 → 3.5.3
CVE-2026-32730 | high | CVSS: 8.1 | 2026-03-18
  ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
  apostrophe <= 4.27.1 → 4.28.0
CVE-2026-33143 | high | 2026-03-18
  OneUptime WhatsApp Webhook Missing Signature Verification
  oneuptime < 10.0.34 → 10.0.34
GHSA-wr4h-v87w-p3r7 | medium | CVSS: 5.9 | 2026-03-18
  h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read
  h3 >= 2.0.0, <= 2.0.1-rc.14 → 2.0.1-rc.15
  h3 < 1.15.6 → 1.15.6
CVE-2026-33131 | high | CVSS: 7.4 | 2026-03-18
  h3 has a middleware bypass with one gadget
  h3 >= 2.0.0-0, < 2.0.1-rc.15 → 2.0.1-rc.15
CVE-2026-33128 | high | CVSS: 7.5 | 2026-03-18
  h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
  h3 >= 2.0.0, <= 2.0.1-rc.14 → 2.0.1-rc.15
  h3 < 1.15.6 → 1.15.6
CVE-2026-32763 | high | CVSS: 8.2 | 2026-03-18
  SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.
  kysely >= 0.26.0, <= 0.28.11 → 0.28.12
CVE-2026-29057 | medium | 2026-03-17
  Next.js: HTTP request smuggling in rewrites
  next >= 16.0.0-beta.0, < 16.1.7 → 16.1.7
  next >= 9.5.0, < 15.5.13 → 15.5.13
CVE-2026-27980 | medium | 2026-03-17
  Next.js: Unbounded next/image disk cache growth can exhaust storage
  next >= 16.0.0-beta.0, < 16.1.7 → 16.1.7
  next >= 10.0.0, < 15.5.14 → 15.5.14
CVE-2026-27979 | medium | 2026-03-17
  Next.js: Unbounded postponed resume buffering can lead to DoS
  next >= 16.0.1, < 16.1.7 → 16.1.7
CVE-2026-27978 | medium | 2026-03-17
  Next.js: null origin can bypass Server Actions CSRF checks
  next >= 16.0.1, < 16.1.7 → 16.1.7
CVE-2026-27977 | low | 2026-03-17
  Next.js: null origin can bypass dev HMR websocket CSRF checks
  next >= 16.0.1, < 16.1.7 → 16.1.7
CVE-2026-32723 | medium | 2026-03-16
  SandboxJS has an execution-quota bypass (cross-sandbox currentTicks race) in SandboxJS timers
  @nyariv/sandboxjs <= 0.8.34 → 0.8.35
CVE-2026-32635 | high | CVSS: 9 | 2026-03-13
  Angular vulnerable to XSS in i18n attribute bindings
  @angular/core >= 22.0.0-next.0, < 22.0.0-next.3 → 22.0.0-next.3
  @angular/core >= 21.0.0-next.0, < 21.2.4 → 21.2.4
  @angular/core >= 20.0.0-next.0.0.0, < 20.3.18 → 20.3.18
  @angular/compiler >= 22.0.0-next.0, < 22.0.0-next.3 → 22.0.0-next.3
  @angular/compiler >= 21.0.0-next.0, < 21.2.4 → 21.2.4
  @angular/compiler >= 20.0.0-next.0.0.0, < 20.3.18 → 20.3.18
  @angular/core >= 19.0.0-next.0, < 19.2.20 → 19.2.20
  @angular/core >= 17.0.0-next.0, <= 18.2.14
  @angular/compiler >= 19.0.0-next.0, < 19.2.20 → 19.2.20
  @angular/compiler >= 17.0.0-next.0, <= 18.2.14
CVE-2026-32630 | medium | CVSS: 5.3 | 2026-03-13
  file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry
  file-type >= 20.0.0, <= 21.3.1 → 21.3.2
CVE-2026-32621 | critical | CVSS: 9.9 | 2026-03-13
  Apollo Federation vulnerable to prototype pollution via incomplete key sanitization
  @apollo/federation-internals < 2.9.6 → 2.9.6
  @apollo/federation-internals >= 2.10.0, < 2.10.5 → 2.10.5
  @apollo/federation-internals >= 2.11.0, < 2.11.6 → 2.11.6
  @apollo/federation-internals >= 2.12.0, < 2.12.3 → 2.12.3
  @apollo/federation-internals >= 2.13.0, < 2.13.2 → 2.13.2
  @apollo/gateway < 2.9.6 → 2.9.6
  @apollo/gateway >= 2.10.0, < 2.10.5 → 2.10.5
  @apollo/gateway >= 2.11.0, < 2.11.6 → 2.11.6
  @apollo/gateway >= 2.12.0, < 2.12.3 → 2.12.3
  @apollo/gateway >= 2.13.0, < 2.13.2 → 2.13.2
  @apollo/query-planner < 2.9.6 → 2.9.6
  @apollo/query-planner >= 2.10.0, < 2.10.5 → 2.10.5
  @apollo/query-planner >= 2.11.0, < 2.11.6 → 2.11.6
  @apollo/query-planner >= 2.12.0, < 2.12.3 → 2.12.3
  @apollo/query-planner >= 2.13.0, < 2.13.2 → 2.13.2
CVE-2026-1526 | high | CVSS: 7.5 | 2026-03-13
  Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression
  undici < 6.24.0 → 6.24.0
  undici >= 7.0.0, < 7.24.0 → 7.24.0
CVE-2026-2229 | high | CVSS: 7.5 | 2026-03-13
  Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation
  undici < 6.24.0 → 6.24.0
  undici >= 7.0.0, < 7.24.0 → 7.24.0
CVE-2026-2581 | medium | CVSS: 5.9 | 2026-03-13
  Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS
  undici >= 7.17.0, < 7.24.0 → 7.24.0
CVE-2026-32304 | critical | CVSS: 9.8 | 2026-03-13
  Locutus vulnerable to RCE via unsanitized input in create_function()
  locutus <= 3.0.13 → 3.0.14
CVE-2026-32978 | high | CVSS: 8 | 2026-03-13
  OpenClaw: Unrecognized script runners could bypass `system.run` approval integrity
  openclaw < 2026.3.11 → 2026.3.11
CVE-2026-32971 | high | CVSS: 7.1 | 2026-03-13
  OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv
  openclaw < 2026.3.11 → 2026.3.11
CVE-2026-32979 | high | CVSS: 7.3 | 2026-03-13
  OpenClaw: Unbound interpreter and runtime commands could bypass node-host approval integrity
  openclaw < 2026.3.11 → 2026.3.11
GHSA-4jpw-hj22-2xmc | critical | CVSS: 9.9 | 2026-03-13
  OpenClaw: Pairing-scoped device tokens could mint `operator.admin` and reach node RCE
  openclaw < 2026.3.11 → 2026.3.11
CVE-2026-32141 | high | CVSS: 7.5 | 2026-03-13
  flatted vulnerable to unbounded recursion DoS in parse() revive phase
  flatted < 3.4.0 → 3.4.0
CVE-2026-31882 | high | CVSS: 7.5 | 2026-03-13
  Dagu: SSE Authentication Bypass in Basic Auth Mode
  dagu < 2.2.4 → 2.2.4
CVE-2026-29066 | medium | CVSS: 6.2 | 2026-03-12
  TinaCMS CLI has Arbitrary File Read via Disabled Vite Filesystem Restriction
  @tinacms/cli < 2.1.8 → 2.1.8
CVE-2026-28792 | critical | CVSS: 9.6 | 2026-03-12
  TinaCMS CLI Dev Server Vulnerable to Cross-Origin File Exfiltration via CORS Misconfiguration + Path Traversal in TinaCMS
  @tinacms/cli < 2.1.8 → 2.1.8
CVE-2026-28791 | high | CVSS: 7.4 | 2026-03-12
  Tina: Path Traversal in Media Upload Handle
  tinacms < 2.1.7 → 2.1.7
CVE-2026-24125 | medium | CVSS: 6.3 | 2026-03-12
  @tinacms/graphql has a Path Traversal issue
  @tinacms/graphql <= 2.1.1 → 2.1.2
GHSA-qcc4-p59m-p54m | high | CVSS: 7 | 2026-03-12
  OpenClaw: Sandbox dangling-symlink alias handling could bypass workspace-only write boundary
  openclaw <= 2026.2.25 → 2026.2.26
CVE-2026-32055 | high | CVSS: 7.6 | 2026-03-12
  OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf
  openclaw <= 2026.2.25 → 2026.2.26
GHSA-gp3q-wpq4-5c5h | high | CVSS: 7.1 | 2026-03-12
  OpenClaw: LINE group allowlist scope mismatch with DM pairing-store entries
  openclaw <= 2026.2.25 → 2026.2.26
CVE-2026-31873 | low | 2026-03-12
  Unhead Vulnerable to Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity
  unhead <= 2.1.10 → 2.1.11
CVE-2026-31860 | medium | 2026-03-12
  Unhead has XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check
  unhead <= 2.1.10 → 2.1.11
CVE-2026-31988 | medium | CVSS: 5.3 | 2026-03-12
  yauzl contains an off-by-one error
  yauzl = 3.2.0 → 3.2.1
CVE-2026-32094 | medium | 2026-03-11
  Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash
  shescape < 2.1.10 → 2.1.10
CVE-2026-31975 | high | 2026-03-11
  @siteboon/claude-code-ui Vulnerable to Unauthenticated RCE via WebSocket Shell Injection
  @siteboon/claude-code-ui <= 1.24.0 → 1.25.0
CVE-2026-31862 | critical | CVSS: 9.1 | 2026-03-11
  @siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters
  @siteboon/claudecodeui <= 1.23.0 → 1.24.0
CVE-2026-31829 | high | CVSS: 7.1 | 2026-03-11
  Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access
  flowise <= 3.0.12 → 3.0.13
  flowise-components <= 3.0.12 → 3.0.13
CVE-2026-30973 | medium | CVSS: 6.5 | 2026-03-11
  @appium/support has a Zip Slip arbitrary file write in its ZIP extraction
  @appium/support <= 7.0.5 → 7.0.6
CVE-2026-31861 | high | 2026-03-10
  @siteboon/claude-code-ui is Vulnerable to Shell Command Injection in Git Routes
  @siteboon/claude-code-ui <= 1.23.0 → 1.24.0
CVE-2026-31808 | medium | CVSS: 5.3 | 2026-03-10
  file-type affected by infinite loop in ASF parser on malformed input with zero-size sub-header
  file-type >= 13.0.0, < 21.3.1 → 21.3.1
CVE-2026-31802 | high | 2026-03-10
  node-tar Symlink Path Traversal via Drive-Relative Linkpath
  tar <= 7.5.10 → 7.5.11
CVE-2026-28292 | critical | CVSS: 9.8 | 2026-03-10
  simple-git has blockUnsafeOperationsPlugin bypass via case-insensitive protocol.allow config key enables RCE
  simple-git >= 3.15.0, < 3.32.3 → 3.32.3
CVE-2026-30959 | medium | 2026-03-10
  OneUptime has WhatsApp Resend Verification Authorization Bypass
  @oneuptime/common < 10.0.21 → 10.0.21
CVE-2026-30957 | critical | CVSS: 9.9 | 2026-03-10
  OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
  @oneuptime/common < 10.0.21 → 10.0.21
CVE-2026-30952 | high | 2026-03-10
  liquidjs has a path traversal fallback vulnerability
  liquidjs < 10.25.0 → 10.25.0
CVE-2026-30925 | high | 2026-03-10
  Parse Server has Regular Expression Denial of Service (ReDoS) via `$regex` query in LiveQuery
  parse-server >= 9.0.0-alpha.1, < 9.5.0-alpha.14 → 9.5.0-alpha.14
  parse-server < 8.6.11 → 8.6.11
CVE-2026-30921 | critical | CVSS: 9.9 | 2026-03-07
  OneUptime: Synthetic Monitor RCE via exposed Playwright browser object
  @oneuptime/common < 10.0.20 → 10.0.20
CVE-2026-30916 | low | 2026-03-07
  Withdrawn Advisory: Shescape has possible misidentification of shell due to link chains
  shescape <= 2.1.8 → 2.1.9
CVE-2026-30887 | critical | CVSS: 9.9 | 2026-03-07
  OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE
  @oneuptime/common < 10.0.18 → 10.0.18
CVE-2026-30822 | high | CVSS: 7.7 | 2026-03-06
  Flowise Allows Mass Assignment in `/api/v1/leads` Endpoint
  flowise <= 3.0.12 → 3.0.13
CVE-2026-30821 | high | 2026-03-06
  Flowise has Arbitrary File Upload via MIME Spoofing
  flowise <= 3.0.12 → 3.0.13
CVE-2026-30820 | high | 2026-03-06
  Flowise has Authorization Bypass via Spoofed x-request-from Header
  flowise <= 3.0.12 → 3.0.13
CVE-2026-30827 | high | CVSS: 7.5 | 2026-03-06
  express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network
  express-rate-limit >= 8.2.0, < 8.2.2 → 8.2.2
  express-rate-limit = 8.1.0 → 8.1.1
  express-rate-limit >= 8.0.0, < 8.0.2 → 8.0.2
CVE-2024-43035 | medium | CVSS: 5.8 | 2026-03-05
  Fonoster is vulnerable to directory traversal
  @fonoster/voice >= 0.5.5, < 0.6.1 → 0.6.1
CVE-2026-3125 | high | 2026-03-05
  opennextjs-cloudflare has SSRF vulnerability via /cdn-cgi/ path normalization bypass
  @opennextjs/cloudflare < 1.17.1 → 1.17.1
CVE-2026-29786 | high | 2026-03-05
  tar has Hardlink Path Traversal via Drive-Relative Linkpath
  tar <= 7.5.9 → 7.5.10
CVE-2026-29186 | high | CVSS: 7.7 | 2026-03-05
  TechDocs Mkdocs Configuration Key Enables Arbitrary Code Execution
  @backstage/plugin-techdocs-node <= 1.14.2 → 1.14.3
CVE-2026-29074 | high | CVSS: 7.5 | 2026-03-04
  SVGO DoS through entity expansion in DOCTYPE (Billion Laughs)
  svgo >= 2.1.0, < 2.8.1 → 2.8.1
  svgo >= 3.0.0, < 3.3.3 → 3.3.3
  svgo = 4.0.0 → 4.0.1
CVE-2026-29063 | high | CVSS: 9.8 | 2026-03-04
  Immutable is vulnerable to Prototype Pollution
  immutable >= 5.0.0, < 5.1.5 → 5.1.5
  immutable >= 4.0.0-rc.1, < 4.3.8 → 4.3.8
  immutable < 3.8.3 → 3.8.3
CVE-2026-29091 | high | CVSS: 8.1 | 2026-03-04
  locutus call_user_func_array vulnerable to Remote Code Execution (RCE) due to Code Injection
  locutus <= 2.0.39 → 3.0.0
CVE-2026-29087 | high | CVSS: 7.5 | 2026-03-04
  @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware
  @hono/node-server < 1.19.10 → 1.19.10
GHSA-jjgj-cpp9-cvpv | medium | 2026-03-04
  OpenClaw Vulnerable to Local File Exfiltration via MCP Tool Result MEDIA: Directive Injection
  openclaw < 2026.2.21 → 2026.2.21
GHSA-f6h3-846h-2r8w | medium | 2026-03-04
  OpenClaw's elevated allowFrom accepted broader identity signals than specified within sender-scoped authorization
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-32067 | low | CVSS: 3.7 | 2026-03-04
  OpenClaw has cross-account DM pairing authorization bypass via unscoped pairing store access
  openclaw <= 2026.2.25 → 2026.2.26
CVE-2026-32005 | high | CVSS: 6.8 | 2026-03-04
  OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows
  openclaw <= 2026.2.24 → 2026.2.25
CVE-2026-32001 | medium | CVSS: 5.4 | 2026-03-03
  OpenClaw's Node role device-identity bypass allows unauthorized node.event injection
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-31995 | medium | 2026-03-03
  OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
  openclaw >= 2026.1.21, <= 2026.2.17 → 2026.2.19
GHSA-cjv3-m589-v3rx | medium | 2026-03-03
  OpenClaw has Canvas route hardening for mixed-trust deployments
  openclaw < 2026.2.21 → 2026.2.21
CVE-2026-27566 | high | 2026-03-03
  OpenClaw's exec allowlist wrapper analysis did not unwrap env/shell dispatch chains
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-32039 | medium | CVSS: 5.9 | 2026-03-03
  OpenClaw's typed sender-key matching for toolsBySender prevents identity-collision policy bypass
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-27523 | high | 2026-03-03
  OpenClaw's sandbox bind validation could bypass allowed-root and blocked-path checks via symlink-parent missing-leaf paths
  openclaw <= 2026.2.23 → 2026.2.24
GHSA-jxrq-8fm4-9p58 | high | 2026-03-03
  OpenClaw: Zip extraction symlink traversal could write outside destination
  openclaw < 2026.2.22 → 2026.2.22
GHSA-8mf7-vv8w-hjr2 | low | 2026-03-03
  OpenClaw's tools.exec.safeBins generic fallback allowed interpreter-style inline payload execution in allowlist mode
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-31998 | medium | 2026-03-03
  OpenClaw's Synology Chat dmPolicy=allowlist failed open on empty allowedUserIds, allowing unauthorized agent dispatch
  openclaw >= 2026.2.22, <= 2026.2.23 → 2026.2.24
CVE-2026-32897 | low | 2026-03-03
  OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
  openclaw <= 2026.2.21-2 → 2026.2.22
GHSA-659f-22xc-98f2 | high | 2026-03-03
  OpenClaw hook transform path containment missed symlink-resolved escapes
  openclaw <= 2026.2.21-2 → 2026.2.22
CVE-2026-32010 | medium | CVSS: 8.8 | 2026-03-03
  In OpenClaw, manually adding sort to tools.exec.safeBins could bypass allowlist approval via --compress-program
  openclaw <= 2026.2.21-2 → 2026.2.22
CVE-2026-32006 | medium | CVSS: 4.3 | 2026-03-03
  OpenClaw has a BlueBubbles group allowlist mismatch via DM pairing-store fallback
  openclaw <= 2026.2.25 → 2026.2.26
GHSA-gcj7-r3hg-m7w6 | low | CVSS: 3.7 | 2026-03-03
  OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity
  openclaw <= 2026.2.25 → 2026.2.26
GHSA-w7j5-j98m-w679 | high | 2026-03-03
  OpenClaw has multiple E2E/test Dockerfiles that run all processes as root
  openclaw < 2026.2.21 → 2026.2.21
GHSA-796m-2973-wc5q | medium | 2026-03-03
  OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation
  openclaw < 2026.2.23 → 2026.2.23
GHSA-7qf6-h84j-8fq4 | low | 2026-03-03
  OpenClaw: Microsoft Teams media fetch paths bypass shared SSRF guard model
  openclaw <= 2026.2.25 → 2026.2.26
CVE-2026-32025 | medium | CVSS: 7.5 | 2026-03-03
  OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
  openclaw <= 2026.2.24 → 2026.2.25
CVE-2026-32029 | medium | CVSS: 5.3 | 2026-03-03
  OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
  openclaw <= 2026.2.19-2 → 2026.2.21
CVE-2026-32056 | high | CVSS: 7.5 | 2026-03-03
  OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-27524 | low | 2026-03-03
  OpenClaw's runtime /debug override path accepted prototype-reserved keys
  openclaw < 2026.2.21 → 2026.2.21
GHSA-w9cg-v44m-4qv8 | high | 2026-03-03
  OpenClaw affected by BASH_ENV / ENV startup-file injection into spawned shell commands
  openclaw < 2026.2.21 → 2026.2.21
CVE-2026-32057 | medium | CVSS: 7.1 | 2026-03-03
  OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
  openclaw <= 2026.2.24 → 2026.2.25
GHSA-h97f-6pqj-q452 | medium | 2026-03-03
  OpenClaw has an IPv6 multicast SSRF classifier bypass
  openclaw <= 2026.2.24 → 2026.2.25
CVE-2026-32021 | medium | CVSS: 6.5 | 2026-03-03
  OpenClaw has a Feishu allowFrom authorization bypass via display-name collision
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-22179 | high | 2026-03-03
  OpenClaw has macOS `system.run` allowlist bypass via quoted command substitution
  openclaw < 2026.2.22 → 2026.2.22
GHSA-5h2c-8v84-qpvr | medium | CVSS: 5.3 | 2026-03-03
  OpenClaw shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths
  openclaw < 2026.2.22 → 2026.2.22
GHSA-ff98-w8hj-qrxf | medium | 2026-03-03
  OpenClaw plugin runtime command execution is part of trusted plugin boundary
  openclaw < 2026.2.19 → 2026.2.19
CVE-2026-32008 | medium | CVSS: 6.5 | 2026-03-03
  OpenClaw browser navigation guard allowed non-network URL schemes, enabling authenticated browser-tool users to access file:// local files
  openclaw < 2026.2.21 → 2026.2.21
CVE-2026-31994 | high | 2026-03-03
  OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
  openclaw < 2026.2.19 → 2026.2.19
CVE-2026-32896 | medium | CVSS: 4.8 | 2026-03-03
  OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)
  openclaw < 2026.2.21 → 2026.2.21
GHSA-2mc2-g238-722j | medium | 2026-03-03
  OpenClaw affected by iMessage remote attachment SCP hardening (strict host-key checks and remoteHost validation)
  openclaw <= 2026.2.17 → 2026.2.19
CVE-2026-32009 | high | CVSS: 5.7 | 2026-03-03
  OpenClaw: safeBins static default trusted dirs allow writable-dir binary hijack (`jq`)
  openclaw <= 2026.2.23 → 2026.2.24
CVE-2026-32028 | medium | CVSS: 3.7 | 2026-03-03
  OpenClaw: Discord DM reaction ingress missed dmPolicy/allowFrom checks in restricted setups
  openclaw <= 2026.2.24 → 2026.2.25
CVE-2026-29608 | medium | CVSS: 6.7 | 2026-03-03
  OpenClaw's Node system.run approval hardening wrapper semantic drift can execute unintended local scripts
  openclaw = 2026.3.1 → 2026.3.2
GHSA-2858-xg23-26fp | medium | CVSS: 5.5 | 2026-03-03
  OpenClaw: Node camera URL payload host-binding bypass allowed gateway fetch pivots
  openclaw >= 2026.2.13, <= 2026.3.1 → 2026.3.2
CVE-2026-28401 | medium | 2026-03-03
  NocoDB Vulnerable to Stored Cross-Site Scripting via Rich Text Cells
  nocodb <= 0.301.2 → 0.301.3
CVE-2026-28397 | medium | 2026-03-03
  NocoDB Vulnerable to Stored Cross-site Scripting via Comments
  nocodb <= 0.301.2 → 0.301.3
CVE-2026-28399 | medium | 2026-03-03
  NocoDB Vulnerable to SQL Injection via DATEADD Formula
  nocodb <= 0.301.2 → 0.301.3
CVE-2026-28398 | medium | 2026-03-03
  NocoDB Vulnerable to Stored Cross-Site Scripting via Comments and Rich Text Cells
  nocodb <= 0.301.2 → 0.301.3
CVE-2026-32030 | high | CVSS: 7.5 | 2026-03-03
  OpenClaw vulnerable to sensitive file disclosure via stageSandboxMedia
  openclaw < 2026.2.19 → 2026.2.19
CVE-2026-28460 | medium | 2026-03-03
  OpenClaw's system.run allowlist bypass via shell line-continuation command substitution
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-22177 | medium | CVSS: 8.8 | 2026-03-03
  OpenClaw's config env vars allowed startup env injection into service runtime
  openclaw < 2026.2.21 → 2026.2.21
CVE-2026-32032 | high | CVSS: 7.8 | 2026-03-03
  OpenClaw's shell env fallback trusts unvalidated SHELL path from host environment
  openclaw < 2026.2.22 → 2026.2.22
GHSA-qhrr-grqp-6x2g | medium | 2026-03-03
  OpenClaw's tools.exec.safeBins trusted PATH directories allowed binary shadowing in allowlist mode
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-32052 | medium | 2026-03-03
  OpenClaw's system.run shell-wrapper positional argv carriers could execute hidden commands under misleading approval text
  openclaw <= 2026.2.23 → 2026.2.24
CVE-2026-32043 | medium | 2026-03-03
  OpenClaw's system.run approval TOCTOU via mutable symlink cwd target on node host
  openclaw <= 2026.2.24 → 2026.2.25
CVE-2026-32064 | high | CVSS: 7.7 | 2026-03-03
  OpenClaw's sandbox browser noVNC observer lacked VNC authentication
  openclaw < 2026.2.21 → 2026.2.21
CVE-2026-32027 | high | CVSS: 6.5 | 2026-03-03
  OpenClaw DM pairing-store identities could satisfy group allowlist authorization
  openclaw <= 2026.2.25 → 2026.2.26
CVE-2026-32023 | medium | CVSS: 8.8 | 2026-03-03
  OpenClaw's dispatch-wrapper depth-cap mismatch can bypass shell-wrapper approval gating in system.run allowlist mode
  openclaw <= 2026.2.23 → 2026.2.24
CVE-2026-32022 | medium | CVSS: 6.5 | 2026-03-03
  OpenClaw safeBins grep -e File Read Bypass (stdin-only policy bypass)
  openclaw < 2026.2.21 → 2026.2.21
GHSA-h656-5vcf-cm23 | medium | 2026-03-03
  OpenClaw: Unauthorized Telegram Senders Trigger Media Download and Disk Write Before Access Check
  openclaw <= 2026.2.23 → 2026.2.24
GHSA-9f72-qcpw-2hxc | high | 2026-03-03
  OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs
  openclaw <= 2026.2.23 → 2026.2.24
CVE-2026-22169 | medium | CVSS: 6.4 | 2026-03-03
  OpenClaw's non-default safeBins sort configuration can bypass intended allowlist approval constraints
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-32036 | high | CVSS: 6.5 | 2026-03-03
  OpenClaw has gateway plugin auth bypass via encoded dot-segment traversal in protected /api/channels paths
  openclaw <= 2026.2.25 → 2026.2.26
CVE-2026-32045 | medium | 2026-03-03
  OpenClaw's gateway tokenless Tailscale auth applied to HTTP routes
  openclaw < 2026.2.21 → 2026.2.21
CVE-2026-32026 | medium | CVSS: 6.5 | 2026-03-03
  Temporary path handling could write outside OpenClaw temp boundary
  openclaw <= 2026.2.23 → 2026.2.24
CVE-2026-32046 | medium | 2026-03-03
  OpenClaw: Chrome --no-sandbox disabled OS-level browser sandbox in sandbox browser container
  openclaw < 2026.2.21 → 2026.2.21
CVE-2026-32037 | high | CVSS: 6 | 2026-03-03
  OpenClaw's MSTeams attachment redirect handling could bypass configured media host allowlists
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-32016 | medium | CVSS: 7.8 | 2026-03-03
  OpenClaw: macOS optional allowlist basename matching could bypass path-based policy
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-32003 | high | CVSS: 6.6 | 2026-03-03
  OpenClaw has system.run shell-wrapper env injection via SHELLOPTS/PS4 can bypass allowlist intent (RCE)
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-32014 | high | CVSS: 8 | 2026-03-03
  OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy
  openclaw <= 2026.2.25 → 2026.2.26
GHSA-5847-rm3g-23mw | medium | 2026-03-03
  OpenClaw has hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-27545 | high | 2026-03-02
  OpenClaw: Node system.run approval bypass via parent-symlink cwd rebind
  openclaw <= 2026.2.25 → 2026.2.26
CVE-2026-27522 | high | 2026-03-02
  OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset
  openclaw <= 2026.2.23 → 2026.2.24
CVE-2026-28466 | critical | CVSS: 9.9 | 2026-03-02
  OpenClaw Vulnerable to Remote Code Execution via Node Invoke Approval Bypass in Gateway
  openclaw < 2026.2.14 → 2026.2.14
CVE-2026-32058 | low | CVSS: 2.6 | 2026-03-02
  OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
  openclaw < 2026.2.26 → 2026.2.26
CVE-2026-32049 | high | 2026-03-02
  OpenClaw's inbound media downloads could exceed configured byte limits before rejection across multiple channels
  openclaw < 2026.2.22 → 2026.2.22
GHSA-jq4x-98m3-ggq6 | high | 2026-03-02
  OpenClaw Canvas Path Traversal Information Disclosure Vulnerability
  openclaw < 2026.2.21 → 2026.2.21
GHSA-6x2m-hqfw-hvpj | medium | 2026-03-02
  OpenClaw: Node exec approvals could be replayed across nodes
  openclaw < 2026.2.23 → 2026.2.23
CVE-2026-29607 | medium | CVSS: 6.4 | 2026-03-02
  OpenClaw's allow-always wrapper persistence could bypass future approvals and enable command execution
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-32020 | low | CVSS: 3.3 | 2026-03-02
  OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-31993 | low | 2026-03-02
  OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains
  openclaw < 2026.2.22 → 2026.2.22
CVE-2026-22168 | high | 2026-03-02
  OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments
  openclaw < 2026.2.21 → 2026.2.21
CVE-2026-31991 | low | CVSS: 3.7 | 2026-03-02
  OpenClaw has Signal group allowlist authorization bypass via DM pairing-store leakage
  openclaw < 2026.2.26 → 2026.2.26
CVE-2026-31997 | high | 2026-03-02
  OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind
  openclaw < 2026.3.1 → 2026.3.1
CVE-2026-31999 | critical | 2026-03-02
  OpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths
  openclaw >= 2026.2.26, < 2026.3.1 → 2026.3.1
GHSA-392f-ggf5-fp3c | medium | 2026-03-02
  OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists
  openclaw < 2026.3.1 → 2026.3.1
CVE-2026-28794 | critical | 2026-03-02
  `@orpc/client` has Prototype Pollution via `StandardRPCJsonSerializer` Deserialization
  @orpc/client <= 1.13.5 → 1.13.6
CVE-2026-28359 | medium | 2026-03-02
  NocoDB Vulnerable to Stored Cross-site Scripting via Rich Text Field
  nocodb <= 0.301.2 → 0.301.3
CVE-2026-2293 | high | 2026-03-02
  Nest has a Fastify URL Encoding Middleware Bypass
  @nestjs/platform-fastify <= 11.1.13 → 11.1.14
GHSA-5c6j-r48x-rmvq | high | CVSS: 8.1 | 2026-02-28
  Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()
  serialize-javascript <= 7.0.2 → 7.0.3
GHSA-38c7-23hj-2wgq | medium | CVSS: 4 | 2026-02-26
  n8n has Webhook Forgery on Zendesk Trigger Node
  n8n < 1.123.18 → 1.123.18
  n8n >= 2.0.0, < 2.6.2 → 2.6.2
GHSA-fvfv-ppw4-7h2w | medium | CVSS: 3.7 | 2026-02-26
  n8n has a Guardrail Node Bypass
  n8n < 2.10.0 → 2.10.0
GHSA-jh8h-6c9q-7gmw | medium | CVSS: 4.8 | 2026-02-26
  n8n has an Authentication Bypass in its Chat Trigger Node
  n8n < 1.123.22 → 1.123.22
  n8n >= 2.0.0, < 2.9.3 → 2.9.3
  n8n >= 2.10.0, < 2.10.1 → 2.10.1
CVE-2026-27903 | high | CVSS: 7.5 | 2026-02-26
  minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments
  minimatch >= 10.0.0, < 10.2.3 → 10.2.3
  minimatch >= 9.0.0, < 9.0.7 → 9.0.7
  minimatch >= 8.0.0, < 8.0.6 → 8.0.6
  minimatch >= 7.0.0, < 7.4.8 → 7.4.8
  minimatch >= 6.0.0, < 6.2.2 → 6.2.2
  minimatch >= 5.0.0, < 5.1.8 → 5.1.8
  minimatch >= 4.0.0, < 4.2.5 → 4.2.5
  minimatch < 3.1.3 → 3.1.3
CVE-2026-27904 | high | CVSS: 7.5 | 2026-02-26
  minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions
  minimatch >= 10.0.0, < 10.2.3 → 10.2.3
  minimatch >= 9.0.0, < 9.0.7 → 9.0.7
  minimatch >= 8.0.0, < 8.0.6 → 8.0.6
  minimatch >= 7.0.0, < 7.4.8 → 7.4.8
  minimatch >= 6.0.0, < 6.2.2 → 6.2.2
  minimatch >= 5.0.0, < 5.1.8 → 5.1.8
  minimatch >= 4.0.0, < 4.2.5 → 4.2.5
  minimatch < 3.1.4 → 3.1.4
CVE-2026-27837 | medium | CVSS: 6.3 | 2026-02-26
  dottie is vulnerable to Prototype Pollution bypass via non-first path segments in set() and transform()
  dottie >= 2.0.4, <= 2.0.6 → 2.0.7
GHSA-mqpr-49jj-32rc | medium | CVSS: 4 | 2026-02-26
  n8n: Webhook Forgery on Github Webhook Trigger
  n8n < 1.123.15 → 1.123.15
  n8n >= 2.0.0, < 2.5.0 → 2.5.0
GHSA-f3f2-mcxc-pwjx | medium | CVSS: 8.2 | 2026-02-26
  n8n: SQL Injection in MySQL, PostgreSQL, and Microsoft SQL nodes
  n8n < 2.4.0 → 2.4.0
CVE-2026-27795 | medium | CVSS: 4.1 | 2026-02-25
  LangChain Community: redirect chaining can lead to SSRF bypass via RecursiveUrlLoader
  @langchain/community <= 1.1.17 → 1.1.18
CVE-2026-27739 | critical | 2026-02-25
  Angular SSR is vulnerable to SSRF and Header Injection via request handling pipeline
  @angular/ssr >= 21.2.0-next.0, < 21.2.0-rc.0 → 21.2.0-rc.1
  @angular/ssr >= 21.0.0-next.0, < 21.1.5 → 21.1.5
  @angular/ssr >= 20.0.0-next.0, < 20.3.17 → 20.3.17
  @angular/ssr < 19.2.21 → 19.2.21
  @nguniversal/common <= 16.2.0
  @nguniversal/express-engine <= 16.2.0
CVE-2026-27738 | medium | 2026-02-25
  Angular SSR has an Open Redirect via X-Forwarded-Prefix
  @angular/ssr >= 21.2.0-next.0, < 21.2.0-rc.0 → 21.2.0-rc.1
  @angular/ssr >= 21.0.0-next.0, < 21.1.5 → 21.1.5
  @angular/ssr >= 20.0.0-next.0, < 20.3.17 → 20.3.17
  @angular/ssr >= 19.0.0-next.0, < 19.2.21 → 19.2.21
CVE-2026-27606 | high | 2026-02-25
  Rollup 4 has Arbitrary File Write via Path Traversal
  rollup < 2.80.0 → 2.80.0
  rollup >= 3.0.0, < 3.30.0 → 3.30.0
  rollup >= 4.0.0, < 4.59.0 → 4.59.0
CVE-2026-27729 | medium | CVSS: 5.9 | 2026-02-25
  Astro has memory exhaustion DoS due to missing request body size limit in Server Actions
  @astrojs/node >= 9.0.0, < 9.5.4 → 9.5.4
CVE-2026-27578 | high | CVSS: 5.4 | 2026-02-25
  n8n Vulnerable to Stored XSS via Various Nodes
  n8n < 1.123.22 → 1.123.22
  n8n >= 2.0.0, < 2.9.3 → 2.9.3
  n8n >= 2.10.0, < 2.10.1 → 2.10.1
CVE-2026-27498 | critical | CVSS: 8.5 | 2026-02-25
  n8n has Arbitrary Command Execution via File Write and Git Operations
  n8n < 1.123.8 → 1.123.8
  n8n >= 2.0.0, < 2.2.0 → 2.2.0
CVE-2026-27497 | critical | CVSS: 9.9 | 2026-02-25
  n8n has Potential Remote Code Execution via Merge Node
  n8n < 1.123.22 → 1.123.22
  n8n >= 2.0.0, < 2.9.3 → 2.9.3
  n8n >= 2.10.0, < 2.10.1 → 2.10.1
CVE-2026-27494 | high | CVSS: 9.9 | 2026-02-25
  n8n has Arbitrary File Read via Python Code Node Sandbox Escape
  n8n < 1.123.22 → 1.123.22
  n8n >= 2.0.0, < 2.9.3 → 2.9.3
  n8n >= 2.10.0, < 2.10.1 → 2.10.1
CVE-2026-27493 | critical | CVSS: 9 | 2026-02-25
  n8n has Unauthenticated Expression Evaluation via Form Node
  n8n < 1.123.22 → 1.123.22
  n8n >= 2.0.0, < 2.9.3 → 2.9.3
  n8n >= 2.10.0, < 2.10.1 → 2.10.1
CVE-2026-27702 | critical | CVSS: 9.9 | 2026-02-25
  Budibase: Remote Code Execution via Unsafe eval() in View Filter Map Function (Budibase Cloud)
  budibase < 3.30.4 → 3.30.4
CVE-2026-27829 | medium | CVSS: 6.5 | 2026-02-25
  Astro is vulnerable to SSRF due to missing allowlist enforcement in remote image inferSize
  @astrojs/node >= 9.0.0, < 9.5.4 → 9.5.4
CVE-2026-27728 | critical | CVSS: 9.9 | 2026-02-25
  OneUptime: OS Command Injection in Probe NetworkPathMonitor via unsanitized destination in traceroute exec()
  @oneuptime/common < 10.0.7 → 10.0.7
CVE-2026-27597 | critical | CVSS: 10 | 2026-02-25
  @enclave-vm/core is vulnerable to Sandbox Escape
  @enclave-vm/core <= 2.10.1 → 2.11.1
CVE-2026-27612 | medium | CVSS: 6.1 | 2026-02-25
  repostat: Reflected Cross-Site Scripting (XSS) via repo prop in RepoCard
  repostat < 1.0.1 → 1.0.1
CVE-2025-69985 | critical | CVSS: 9.8 | 2026-02-24
  FUXA has JWT Authentication Bypass via HTTP Referer header spoofing
  @frangoteam/fuxa <= 1.2.8
CVE-2026-27574 | critical | CVSS: 9.9 | 2026-02-24
  OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE
  @oneuptime/common < 10.0.0 → 10.0.0
CVE-2026-25545 | medium | CVSS: 8.6 | 2026-02-23
  Astro has Full-Read SSRF in error rendering via Host: header injection
  @astrojs/node < 9.5.4 → 9.5.4
CVE-2026-27576 | medium | 2026-02-20
  OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs
  openclaw <= 2026.2.17 → 2026.2.19
CVE-2026-27492 | medium | CVSS: 4.7 | 2026-02-20
  Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused
  lettermint < 1.5.1 → 1.5.1
CVE-2026-27485 | medium | 2026-02-20
  OpenClaw: Reject symlinks in local skill packaging script
  openclaw <= 2026.2.18 → 2026.2.19
CVE-2026-27484 | low | 2026-02-20
  OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows
  openclaw < 2026.2.18 → 2026.2.18
CVE-2026-27212 | critical | 2026-02-19
  Prototype pollution in swiper
  swiper >= 6.5.1, < 12.1.2 → 12.1.2
CVE-2026-28479 | high | CVSS: 5.4 | 2026-02-19
  OpenClaw replaced a deprecated sandbox hash algorithm
  openclaw <= 2026.2.14 → 2026.2.15
CVE-2026-28394 | medium | CVSS: 6.5 | 2026-02-19
  OpenClaw has a Web Fetch DoS via unbounded response parsing
  openclaw < 2026.2.15 → 2026.2.15
CVE-2026-27009 | medium | CVSS: 5.8 | 2026-02-18
  OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection
  openclaw < 2026.2.15 → 2026.2.15
CVE-2026-27007 | medium | 2026-02-18
  OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation
  openclaw < 2026.2.15 → 2026.2.15
CVE-2026-27004 | medium | 2026-02-18
  OpenClaw session tool visibility hardening and Telegram webhook secret fallback
  openclaw < 2026.2.15 → 2026.2.15
CVE-2026-27003 | medium | 2026-02-18
  OpenClaw: Telegram bot token exposure via logs
  openclaw < 2026.2.15 → 2026.2.15
CVE-2026-27002 | high | 2026-02-18
  OpenClaw: Docker container escape via unvalidated bind mount config injection
  openclaw < 2026.2.15 → 2026.2.15
CVE-2026-26318 | high | CVSS: 8.8 | 2026-02-18
  Command Injection via Unsanitized `locate` Output in `versions()` in systeminformation
  systeminformation <= 5.30.7 → 5.31.0
CVE-2026-26280 | high | CVSS: 8.4 | 2026-02-18
  Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path
  systeminformation < 5.30.8 → 5.30.8
CVE-2026-26974 | high | 2026-02-18
  Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde
@tygo-van-den-hurk/slyde
< 0.0.5→0.0.5CVE-2026-27486medium
2026-02-18OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup
openclaw
< 2026.2.14→2026.2.14Advertisement
CVE-2026-27487highCVSS: 7.6
2026-02-18OpenClaw: Prevent shell injection in macOS keychain credential write
openclaw
< 2026.2.14→2026.2.14CVE-2026-28456highCVSS: 7.2
2026-02-18OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway
openclaw
>= 2026.1.5, < 2026.2.14→2026.2.14CVE-2026-26960highCVSS: 7.1
2026-02-18Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction
tar
< 7.5.8→7.5.8CVE-2026-29610highCVSS: 8.8
2026-02-18OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)
openclaw
< 2026.2.14→2026.2.14CVE-2026-28476mediumCVSS: 8.3
2026-02-18OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication
openclaw
< 2026.2.14→2026.2.14Advertisement
CVE-2026-29606mediumCVSS: 6.5
2026-02-18OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled
openclaw
< 2026.2.14→2026.2.14CVE-2026-28469highCVSS: 9.8
2026-02-18OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting
openclaw
< 2026.2.14→2026.2.14clawdbot
<= 2026.1.24-3CVE-2026-26317highCVSS: 7.1
2026-02-18OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
openclaw
< 2026.2.14→2026.2.14clawdbot
<= 2026.1.24-3CVE-2026-28452mediumCVSS: 6.5
2026-02-18OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)
openclaw
< 2026.2.14→2026.2.14clawdbot
<= 2026.1.24-3CVE-2026-29609highCVSS: 7.5
2026-02-18OpenClaw affected by denial of service via unbounded URL-backed media fetch
openclaw
< 2026.2.14→2026.2.14Advertisement
CVE-2026-28392highCVSS: 4.8
2026-02-18OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands
openclaw
< 2026.2.14→2026.2.14CVE-2026-28463highCVSS: 5.7
2026-02-18OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion
openclaw
< 2026.2.14→2026.2.14CVE-2026-26329high
2026-02-18OpenClaw has a path traversal in browser upload allows local file read
openclaw
< 2026.2.14→2026.2.14CVE-2026-26325highCVSS: 7.2
2026-02-17OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals
openclaw
< 2026.2.14→2026.2.14CVE-2026-26324highCVSS: 7.5
2026-02-17OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)
openclaw
< 2026.2.14→2026.2.14Advertisement
CVE-2026-26322highCVSS: 7.6
2026-02-17OpenClaw Gateway tool allowed unrestricted gatewayUrl override
openclaw
< 2026.2.14→2026.2.14CVE-2026-26278highCVSS: 7.5
2026-02-17fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)
fast-xml-parser
>= 4.1.3, < 4.5.4→4.5.4fast-xml-parser
>= 5.0.0, < 5.3.6→5.3.6CVE-2026-29613highCVSS: 5.9
2026-02-17OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)
openclaw
< 2026.2.12→2026.2.12CVE-2026-28391highCVSS: 9.8
2026-02-17OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating
openclaw
< 2026.2.2→2026.2.2CVE-2026-0969highCVSS: 8.8
2026-02-12next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content
next-mdx-remote
>= 4.3.0, < 6.0.0→6.0.0Advertisement
GHSA-vx5f-vmr6-32wfmedium
2026-02-10cap-go/capacitor-native-biometric Authentication Bypass
@capgo/capacitor-native-biometric
< 8.3.6→8.3.6CVE-2026-25938critical
2026-02-10FUXA Unauthenticated Remote Code Execution in Node-RED Integration
fuxa-server
>= 1.2.8, < 1.2.11→1.2.11CVE-2026-25639highCVSS: 7.5
2026-02-09Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig
axios
>= 1.0.0, <= 1.13.4→1.13.5axios
<= 0.30.2→0.30.3CVE-2026-1615highCVSS: 9.8
2026-02-09jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions
jsonpath
<= 1.2.1→1.3.0CVE-2026-25762highCVSS: 7.5
2026-02-06AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection
@adonisjs/bodyparser
<= 10.1.2→10.1.3@adonisjs/bodyparser
>= 11.0.0-next.0, <= 11.0.0-next.8→11.0.0-next.9Advertisement
CVE-2026-25754highCVSS: 7.2
2026-02-06AdonisJS multipart body parsing has Prototype Pollution issue
@adonisjs/bodyparser
<= 10.1.2→10.1.3@adonisjs/bodyparser
>= 11.0.0-next.0, <= 11.0.0-next.8→11.0.0-next.9CVE-2026-25651mediumCVSS: 6.1
2026-02-06client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect
client-certificate-auth
>= 0.2.1, < 1.0.0→1.0.0CVE-2026-25586criticalCVSS: 10
2026-02-05@nyariv/sandboxjs has Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution
@nyariv/sandboxjs
<= 0.8.28→0.8.29CVE-2025-68458lowCVSS: 3.7
2026-02-05webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
webpack
>= 5.49.0, <= 5.104.0→5.104.1CVE-2025-68157lowCVSS: 3.7
2026-02-05webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
webpack
>= 5.49.0, < 5.104.0→5.104.0Advertisement
CVE-2026-25533medium
2026-02-05Sandbox escape via infinite recursion and error objects
enclave-vm
<= 2.7.0@enclave-vm/core
< 2.10.1→2.10.1CVE-2026-25631medium
2026-02-04n8n's domain allowlist bypass enables credential exfiltration
n8n
< 1.121.0→1.121.0CVE-2026-25115criticalCVSS: 9.9
2026-02-04n8n has a Python sandbox escape
n8n
< 2.4.8→2.4.8CVE-2026-25056critical
2026-02-04n8n Merge Node has Arbitrary File Write leading to RCE
n8n
< 1.118.0→1.118.0n8n
>= 2.0.0, < 2.4.0→2.4.0CVE-2026-25055high
2026-02-04n8n Vulnerable to Arbitrary File Write on Remote Systems via SSH Node
n8n
>= 2.0.0, < 2.4.0→2.4.0n8n
< 1.123.12→1.123.12Advertisement
CVE-2026-25053critical
2026-02-04n8n has OS Command Injection in Git Node
n8n
>= 2.0.0, < 2.5.0→2.5.0n8n
< 1.123.10→1.123.10CVE-2026-23897highCVSS: 7.5
2026-02-04Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`
apollo-server
>= 2.0.0, <= 3.13.0@apollo/server
>= 4.2.0, < 4.13.0→4.13.0@apollo/server
>= 5.0.0, < 5.4.0→5.4.0CVE-2025-61917highCVSS: 7.7
2026-02-04n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner
n8n
>= 1.65.0, < 1.114.3→1.114.3CVE-2026-25148medium
2026-02-03Qwik SSR XSS via Unsafe Virtual Node Serialization
@builder.io/qwik-city
< 1.19.0→1.19.0CVE-2026-25547high
2026-02-03@isaacs/brace-expansion has Uncontrolled Resource Consumption
@isaacs/brace-expansion
<= 5.0.0→5.0.1Advertisement
CVE-2026-24884highCVSS: 8.4
2026-02-03Compressing Vulnerable to Arbitrary File Write via Symlink Extraction
compressing
= 2.0.0→2.0.1compressing
<= 1.10.3→1.10.4CVE-2026-25224lowCVSS: 3.7
2026-02-02Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream
fastify
<= 5.7.2→5.7.3CVE-2026-25153highCVSS: 7.7
2026-02-02@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks
@backstage/plugin-techdocs-node
= 1.14.0→1.14.1@backstage/plugin-techdocs-node
< 1.13.11→1.13.11CVE-2026-24040medium
2026-02-02jsPDF has Shared State Race Condition in addJS Plugin
jspdf
<= 4.0.0→4.1.0CVE-2026-25152mediumCVSS: 5.3
2026-02-02@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator
@backstage/plugin-techdocs-node
= 1.14.0→1.14.1@backstage/plugin-techdocs-node
< 1.13.11→1.13.11Advertisement
CVE-2026-25128highCVSS: 7.5
2026-01-30fast-xml-parser has RangeError DoS Numeric Entities Bug
fast-xml-parser
>= 5.0.9, <= 5.3.3→5.3.4CVE-2026-25047critical
2026-01-29deepHas vulnerable to Prototype Pollution via constructor.prototype
deephas
< 1.0.8→1.0.8CVE-2026-23864highCVSS: 7.5
2026-01-29React Server Components have multiple Denial of Service Vulnerabilities
react-server-dom-parcel
>= 19.0.0, < 19.0.4→19.0.4react-server-dom-turbopack
>= 19.1.0-canary-7130d0c6-20241212, < 19.1.5→19.1.5react-server-dom-webpack
>= 19.2.0-canary-63779030-20250328, < 19.2.4→19.2.4react-server-dom-turbopack
>= 19.0.0, < 19.0.4→19.0.4react-server-dom-parcel
>= 19.1.0-canary-7130d0c6-20241212, < 19.1.5→19.1.5react-server-dom-parcel
>= 19.2.0-canary-63779030-20250328, < 19.2.4→19.2.4react-server-dom-webpack
>= 19.1.0-canary-7130d0c6-20241212, < 19.1.5→19.1.5react-server-dom-webpack
>= 19.0.0, < 19.0.4→19.0.4react-server-dom-turbopack
>= 19.2.0-canary-63779030-20250328, < 19.2.4→19.2.4CVE-2026-24766mediumCVSS: 4.9
2026-01-28NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS
nocodb
< 0.301.0→0.301.0CVE-2025-57283medium
2026-01-28BrowserStack Local vulnerable to Command Injection through logfile variable
browserstack-local
<= 1.5.8→1.5.9Advertisement
CVE-2026-24842highCVSS: 8.2
2026-01-28node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal
tar
< 7.5.7→7.5.7GHSA-h25m-26qc-wcjfhighCVSS: 7.5
2026-01-28Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components
next
>= 13.0.0, < 15.0.8→15.0.8next
>= 15.1.1-canary.0, < 15.1.12→15.1.12next
>= 15.2.0-canary.0, < 15.2.9→15.2.9next
>= 15.3.0-canary.0, < 15.3.9→15.3.9next
>= 15.4.0-canary.0, < 15.4.11→15.4.11next
>= 15.5.1-canary.0, < 15.5.10→15.5.10next
>= 15.6.0-canary.0, < 15.6.0-canary.61→15.6.0-canary.61next
>= 16.0.0-beta.0, < 16.0.11→16.0.11next
>= 16.1.0-canary.0, < 16.1.5→16.1.5CVE-2025-59472mediumCVSS: 5.9
2026-01-28Next.js has Unbounded Memory Consumption via PPR Resume Endpoint
next
>= 16.0.0-beta.0, < 16.1.5→16.1.5next
>= 15.6.0-canary.0, < 15.6.0-canary.61→15.6.0-canary.61next
>= 15.0.0-canary.0, <= 15.0.0-canary.205next
>= 15.0.1-canary.0, <= 15.0.1-canary.3next
>= 15.0.2-canary.0, <= 15.0.2-canary.11next
>= 15.0.3-canary.0, <= 15.0.3-canary.9next
>= 15.0.4-canary.0, <= 15.0.4-canary.52next
>= 15.1.1-canary.0, <= 15.1.1-canary.27next
>= 15.2.0-canary.0, <= 15.2.0-canary.77next
>= 15.2.1-canary.0, <= 15.2.1-canary.6next
>= 15.2.2-canary.0, <= 15.2.2-canary.7next
>= 15.3.0-canary.0, <= 15.3.0-canary.46next
>= 15.3.1-canary.0, <= 15.3.1-canary.15next
>= 15.4.0-canary.0, <= 15.4.0-canary.130next
>= 15.4.2-canary.0, <= 15.4.2-canary.56next
>= 15.5.1-canary.0, <= 15.5.1-canary.39CVE-2025-59471mediumCVSS: 5.9
2026-01-27Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration
next
>= 10.0.0, < 15.5.10→15.5.10next
>= 15.6.0-canary.0, < 16.1.5→16.1.5CVE-2026-24472mediumCVSS: 5.3
2026-01-27Hono cache middleware ignores "Cache-Control: private" leading to Web Cache Deception
hono
< 4.11.7→4.11.7Advertisement
CVE-2026-23888mediumCVSS: 6.5
2026-01-26pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
pnpm
< 10.28.1→10.28.1CVE-2026-22696critical
2026-01-26dcap-qvl has Missing Verification for QE Identity
dcap-qvl
< 0.3.9→0.3.9@phala/dcap-qvl
<= 0.3.0→0.3.9@phala/dcap-qvl-web
<= 0.3.3@phala/dcap-qvl-node
<= 0.3.3dcap-qvl
< 0.3.9→0.3.9CVE-2026-24046highCVSS: 7.1
2026-01-21Backstage has a Possible Symlink Path Traversal in Scaffolder Actions
@backstage/backend-defaults
< 0.12.2→0.12.2@backstage/backend-defaults
>= 0.13.0, < 0.13.2→0.13.2@backstage/backend-defaults
>= 0.14.0, < 0.14.1→0.14.1@backstage/plugin-scaffolder-backend
< 2.2.2→2.2.2@backstage/plugin-scaffolder-backend
>= 3.0.0, < 3.0.2→3.0.2@backstage/plugin-scaffolder-backend
>= 3.1.0, < 3.1.1→3.1.1@backstage/plugin-scaffolder-node
< 0.11.2→0.11.2@backstage/plugin-scaffolder-node
>= 0.12.0, < 0.12.3→0.12.3GHSA-h3hw-29fv-2x75high
2026-01-21@envelop/graphql-modules has a Race Condition vulnerability
@envelop/graphql-modules
< 9.1.0→9.1.0CVE-2026-23950highCVSS: 8.8
2026-01-21Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS
tar
<= 7.5.3→7.5.4Advertisement
CVE-2026-1245mediumCVSS: 6.5
2026-01-20binary-parser library has a code injection vulnerability
binary-parser
< 2.3.0→2.3.0CVE-2026-22037highCVSS: 8.4
2026-01-20@fastify/express vulnerable to Improper Handling of URL Encoding (Hex Encoding)
@fastify/express
<= 4.0.2→4.0.3CVE-2026-22031highCVSS: 8.4
2026-01-20Fastify Middie Middleware Path Bypass
@fastify/middie
<= 9.0.3→9.1.0CVE-2026-23745high
2026-01-16node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization
tar
<= 7.5.2→7.5.3CVE-2026-23527highCVSS: 8.9
2026-01-15h3 v1 has Request Smuggling (TE.TE) issue
h3
<= 1.15.4→1.15.5Advertisement
CVE-2025-67647high
2026-01-15SvelteKit is vulnerable to denial of service and possible SSRF when using prerendering
@sveltejs/kit
>= 2.19.0, <= 2.49.4→2.49.5@sveltejs/adapter-node
>= 5.4.1, <= 5.5.0→5.5.1CVE-2026-22036mediumCVSS: 5.9
2026-01-14Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
undici
>= 7.0.0, < 7.18.2→7.18.2undici
< 6.23.0→6.23.0CVE-2026-22686criticalCVSS: 10
2026-01-14enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain
enclave-vm
< 2.7.0→2.7.0CVE-2026-22814high
2026-01-13Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State
@adonisjs/lucid
<= 21.8.1→21.8.2@adonisjs/lucid
>= 22.0.0-next.0, < 22.0.0-next.6→22.0.0-next.6CVE-2025-68949mediumCVSS: 5.3
2026-01-13n8n: Webhook Node IP Whitelist Bypass via Partial String Matching
n8n
>= 1.36.0, < 2.2.0→2.2.0Advertisement
CVE-2026-22030mediumCVSS: 6.5
2026-01-08React Router has CSRF issue in Action/Server Action Request Processing
react-router
>= 7.0.0, <= 7.11.0→7.12.0@remix-run/server-runtime
<= 2.17.2→2.17.3CVE-2026-22029highCVSS: 8
2026-01-08React Router vulnerable to XSS via Open Redirects
react-router
>= 7.0.0, <= 7.11.0→7.12.0@remix-run/router
<= 1.23.1→1.23.2CVE-2026-21884highCVSS: 8.2
2026-01-08React Router SSR XSS in ScrollRestoration
react-router
>= 7.0.0, < 7.12.0→7.12.0@remix-run/react
< 2.17.3→2.17.3CVE-2025-68470mediumCVSS: 6.5
2026-01-08React Router has unexpected external redirect via untrusted paths
react-router
>= 6.0.0, < 6.30.2→6.30.2react-router
>= 7.0.0, < 7.9.6→7.9.6CVE-2025-61686criticalCVSS: 9.1
2026-01-08React Router has Path Traversal in File Session Storage
@react-router/node
>= 7.0.0, <= 7.9.3→7.9.4@remix-run/node
<= 2.17.1→2.17.2@remix-run/deno
<= 2.17.1→2.17.2Advertisement
CVE-2025-59057highCVSS: 7.6
2026-01-08React Router has XSS Vulnerability
react-router
>= 7.0.0, <= 7.8.2→7.9.0@remix-run/react
>= 1.15.0, <= 2.17.0→2.17.1CVE-2026-21894mediumCVSS: 6.5
2026-01-07n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
n8n
>= 0.150.0, < 2.2.2→2.2.2CVE-2025-69264highCVSS: 8.8
2026-01-07pnpm v10+ Bypass "Dependency lifecycle scripts execution disabled by default"
pnpm
>= 10.0.0, < 10.26.0→10.26.0CVE-2025-69262highCVSS: 7.5
2026-01-07pnpm vulnerable to Command Injection via environment variable substitution
pnpm
>= 6.25.0, < 10.27.0→10.27.0CVE-2026-21877criticalCVSS: 9.9
2026-01-06n8n Vulnerable to RCE via Arbitrary File Write
n8n
>= 0.123.0, < 1.121.3→1.121.3Advertisement
CVE-2025-68428critical
2026-01-05jsPDF has Local File Inclusion/Path Traversal vulnerability
jspdf
<= 3.0.4→4.0.0CVE-2026-21440critical
2026-01-02AdonisJS Path Traversal in Multipart File Handling
@adonisjs/bodyparser
< 10.1.2→10.1.2@adonisjs/bodyparser
>= 11.0.0-next.0, < 11.0.0-next.6→11.0.0-next.6CVE-2025-68619highCVSS: 7.2
2026-01-02Signal K Server Vulnerable to Remote Code Execution via Malicious npm Package
signalk-server
< 2.9.0→2.9.0CVE-2025-68272highCVSS: 7.5
2026-01-02Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding
signalk-server
< 2.19.0→2.19.0CVE-2025-69202medium
2025-12-30axios-cache-interceptor Vulnerable to Cache Poisoning via Ignored HTTP Vary Header
axios-cache-interceptor
< 1.11.1→1.11.1Advertisement
CVE-2025-69206mediumCVSS: 4.3
2025-12-29hemmelig allows SSRF Filter bypass via Secret Request functionality
hemmelig
< 7.3.3→7.3.3CVE-2025-68697highCVSS: 7.1
2025-12-26Self-hosted n8n has Legacy Code node that enables arbitrary file read/write
n8n
>= 1.2.1, < 2.0.0→2.0.0CVE-2025-68668criticalCVSS: 9.9
2025-12-26n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node
n8n
>= 1.0.0, < 2.0.0→2.0.0CVE-2025-61914highCVSS: 7.3
2025-12-26n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox
n8n
< 1.114.0→1.114.0CVE-2025-68475highCVSS: 7.5
2025-12-22Fedify has ReDoS Vulnerability in HTML Parsing Regex
@fedify/fedify
< 1.6.13→1.6.13@fedify/fedify
>= 1.7.0, < 1.7.14→1.7.14@fedify/fedify
>= 1.8.0, < 1.8.15→1.8.15@fedify/fedify
>= 1.9.0, < 1.9.2→1.9.2Advertisement
GHSA-24v3-254g-jv85low
2025-12-19Tuta Mail has DOM attribute and CSS injection in its Contact Viewer feature
@tutao/tutanota-utils
< 314.251111.0→314.251111.0CVE-2025-68154highCVSS: 8.1
2025-12-16systeminformation has a Command Injection vulnerability in fsSize() function on Windows
systeminformation
< 5.27.14→5.27.14CVE-2025-68155highCVSS: 7.5
2025-12-16@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint
@vitejs/plugin-rsc
< 0.5.8→0.5.8CVE-2025-68130high
2025-12-16tRPC has possible prototype pollution in `experimental_nextAppDirCaller`
@trpc/server
>= 10.27.0, < 10.45.3→10.45.3@trpc/server
>= 11.0.0, < 11.8.0→11.8.0GHSA-vr6p-vq2p-6j74criticalCVSS: 10
2025-12-15Withdrawn Advisory: LikeC4 has RCE through vulnerable React and Next.js versions
likec4
<= 1.46.1Advertisement
GHSA-5j59-xgg2-r9c4highCVSS: 7.5
2025-12-12Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up
next
>= 13.3.1-canary.0, < 14.2.35→14.2.35next
>= 15.0.6, < 15.0.7→15.0.7next
>= 15.1.10, < 15.1.11→15.1.11next
>= 15.2.7, < 15.2.8→15.2.8next
>= 15.3.7, < 15.3.8→15.3.8next
>= 15.4.9, < 15.4.10→15.4.10next
>= 15.5.8, < 15.5.9→15.5.9next
>= 15.6.0-canary.59, < 15.6.0-canary.60→15.6.0-canary.60next
>= 16.0.9, < 16.0.10→16.0.10next
>= 16.1.0-canary.17, < 16.1.0-canary.19→16.1.0-canary.19GHSA-c6m7-q6pr-c64rmediumCVSS: 5.3
2025-12-12Vite Plugin React has a Source Code Exposure Vulnerability in React Server Components
@vitejs/plugin-rsc
<= 0.5.6→0.5.7GHSA-cpqf-f22c-r95xhighCVSS: 7.5
2025-12-12Vite Plugin React has a Denial of Service Vulnerability in React Server Components
@vitejs/plugin-rsc
<= 0.5.6→0.5.7CVE-2025-67779highCVSS: 7.5
2025-12-12Denial of Service Vulnerability in React Server Components
react-server-dom-parcel
>= 19.0.2, < 19.0.3→19.0.3react-server-dom-parcel
>= 19.1.3, < 19.1.4→19.1.4react-server-dom-parcel
>= 19.2.2, < 19.2.3→19.2.3react-server-dom-turbopack
>= 19.0.2, < 19.0.3→19.0.3react-server-dom-turbopack
>= 19.1.3, < 19.1.4→19.1.4react-server-dom-turbopack
>= 19.2.2, < 19.2.3→19.2.3react-server-dom-webpack
>= 19.0.2, < 19.0.3→19.0.3react-server-dom-webpack
>= 19.1.3, < 19.1.4→19.1.4react-server-dom-webpack
>= 19.2.2, < 19.2.3→19.2.3GHSA-w37m-7fhw-fmv9mediumCVSS: 5.3
2025-12-11Next Server Actions Source Code Exposure
next
>= 15.0.0-canary.0, < 15.0.6→15.0.6next
>= 15.1.1-canary.0, < 15.1.10→15.1.10next
>= 15.2.0-canary.0, < 15.2.7→15.2.7next
>= 15.3.0-canary.0, < 15.3.7→15.3.7next
>= 15.4.0-canary.0, < 15.4.9→15.4.9next
>= 15.5.1-canary.0, < 15.5.8→15.5.8next
>= 15.6.0-canary.0, < 15.6.0-canary.59→15.6.0-canary.59next
>= 16.0.0-beta.0, < 16.0.9→16.0.9next
>= 16.1.0-canary.0, < 16.1.0-canary.17→16.1.0-canary.17Advertisement
GHSA-mwv6-3258-q52chighCVSS: 7.5
2025-12-11Next Vulnerable to Denial of Service with Server Components
next
>= 13.3.0, < 14.2.34→14.2.34next
>= 15.0.0-canary.0, < 15.0.6→15.0.6next
>= 15.1.1-canary.0, < 15.1.10→15.1.10next
>= 15.2.0-canary.0, < 15.2.7→15.2.7next
>= 15.3.0-canary.0, < 15.3.7→15.3.7next
>= 15.4.0-canary.0, < 15.4.9→15.4.9next
>= 15.5.1-canary.0, < 15.5.8→15.5.8next
>= 15.6.0-canary.0, < 15.6.0-canary.59→15.6.0-canary.59next
>= 16.0.0-beta.0, < 16.0.9→16.0.9next
>= 16.1.0-canary.0, < 16.1.0-canary.17→16.1.0-canary.17CVE-2025-55184highCVSS: 7.5
2025-12-11Denial of Service Vulnerability in React Server Components
react-server-dom-parcel
>= 19.0.0, < 19.0.2→19.0.2react-server-dom-turbopack
>= 19.0.0, < 19.0.2→19.0.2react-server-dom-webpack
>= 19.0.0, < 19.0.2→19.0.2react-server-dom-parcel
>= 19.1.0, < 19.1.3→19.1.3react-server-dom-parcel
>= 19.2.0, < 19.2.2→19.2.2react-server-dom-turbopack
>= 19.1.0, < 19.1.3→19.1.3react-server-dom-turbopack
>= 19.2.0, < 19.2.2→19.2.2react-server-dom-webpack
>= 19.1.0, < 19.1.3→19.1.3react-server-dom-webpack
>= 19.2.0, < 19.2.2→19.2.2CVE-2025-55183mediumCVSS: 5.3
2025-12-11Source Code Exposure Vulnerability in React Server Components
react-server-dom-parcel
>= 19.0.0, < 19.0.2→19.0.2react-server-dom-turbopack
>= 19.0.0, < 19.0.2→19.0.2react-server-dom-webpack
>= 19.0.0, < 19.0.2→19.0.2react-server-dom-parcel
>= 19.1.0, < 19.1.3→19.1.3react-server-dom-parcel
>= 19.2.0, < 19.2.2→19.2.2react-server-dom-turbopack
>= 19.1.0, < 19.1.3→19.1.3react-server-dom-turbopack
>= 19.2.0, < 19.2.2→19.2.2react-server-dom-webpack
>= 19.1.0, < 19.1.3→19.1.3react-server-dom-webpack
>= 19.2.0, < 19.2.2→19.2.2CVE-2025-67716lowCVSS: 3.7
2025-12-10Improper Validation of Query Parameters in Auth0 Next.js SDK
@auth0/nextjs-auth0
>= 4.9.0, < 4.13.0→4.13.0CVE-2025-67490mediumCVSS: 5.4
2025-12-10Improper Request Caching Lookup in the Auth0 Next.js SDK
@auth0/nextjs-auth0
>= 4.11.0, < 4.11.2→4.11.2@auth0/nextjs-auth0
>= 4.12.0, < 4.12.1→4.12.1Advertisement
CVE-2025-67489criticalCVSS: 9.8
2025-12-08@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server
@vitejs/plugin-rsc
<= 0.5.5→0.5.6CVE-2025-65964critical
2025-12-08n8n vulnerable to Remote Code Execution via Git Node Custom Pre-Commit Hook
n8n
>= 0.123.1, < 1.119.2→1.119.2CVE-2025-65959highCVSS: 8.7
2025-12-04Open WebUI Vulnerable to Stored DOM XSS via Note 'Download PDF'
open-webui
<= 0.6.36→0.6.37CVE-2025-65945highCVSS: 7.5
2025-12-04auth0/node-jws Improperly Verifies HMAC Signature
jws
< 3.2.3→3.2.3jws
= 4.0.0→4.0.1CVE-2025-66404mediumCVSS: 6.4
2025-12-03mcp-server-kubernetes has potential security issue in exec_in_pod tool
mcp-server-kubernetes
<= 2.9.7→2.9.8Advertisement
GHSA-fmh4-wr37-44fpcriticalCVSS: 10
2025-12-03React Server Components are Vulnerable to RCE
@vitejs/plugin-rsc
<= 0.5.2→0.5.3CVE-2025-55182criticalCVSS: 10
2025-12-03React Server Components are Vulnerable to RCE
react-server-dom-webpack
>= 19.1.0, < 19.1.2→19.1.2react-server-dom-webpack
= 19.2.0→19.2.1react-server-dom-turbopack
>= 19.1.0, < 19.1.2→19.1.2react-server-dom-turbopack
= 19.2.0→19.2.1react-server-dom-parcel
>= 19.1.0, < 19.1.2→19.1.2react-server-dom-parcel
= 19.2.0→19.2.1react-server-dom-turbopack
= 19.0.0→19.0.1react-server-dom-parcel
= 19.0.0→19.0.1react-server-dom-webpack
= 19.0.0→19.0.1GHSA-9qr9-h5gf-34mpcriticalCVSS: 10
2025-12-03Next.js is vulnerable to RCE in React flight protocol
next
>= 14.3.0-canary.77, < 15.0.5→15.0.5next
>= 15.2.0-canary.0, < 15.2.6→15.2.6next
>= 15.3.0-canary.0, < 15.3.6→15.3.6next
>= 15.4.0-canary.0, < 15.4.8→15.4.8next
>= 16.0.0-canary.0, < 16.0.7→16.0.7next
>= 15.1.0-canary.0, < 15.1.9→15.1.9next
>= 15.5.0-canary.0, < 15.5.7→15.5.7CVE-2025-14874highCVSS: 7.5
2025-12-01Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls
nodemailer
<= 7.0.10→7.0.11CVE-2025-66031high
2025-11-26node-forge has ASN.1 Unbounded Recursion
node-forge
< 1.3.2→1.3.2Advertisement
CVE-2025-66030medium
2025-11-26node-forge is vulnerable to ASN.1 OID Integer Truncation
node-forge
< 1.3.2→1.3.2CVE-2025-12816highCVSS: 8.6
2025-11-26node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization
node-forge
< 1.3.2→1.3.2CVE-2025-66020highCVSS: 7.5
2025-11-26Valibot has a ReDoS vulnerability in `EMOJI_REGEX`
valibot
>= 0.31.0, < 1.2.0→1.2.0CVE-2025-65944medium
2025-11-24Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`
@sentry/node
>= 10.11.0, < 10.27.0→10.27.0@sentry/astro
>= 10.11.0, < 10.27.0→10.27.0@sentry/aws-serverless
>= 10.11.0, < 10.27.0→10.27.0@sentry/bun
>= 10.11.0, < 10.27.0→10.27.0@sentry/google-cloud-serverless
>= 10.11.0, < 10.27.0→10.27.0@sentry/nestjs
>= 10.11.0, < 10.27.0→10.27.0@sentry/nextjs
>= 10.11.0, < 10.27.0→10.27.0@sentry/node-core
>= 10.11.0, < 10.27.0→10.27.0@sentry/nuxt
>= 10.11.0, < 10.27.0→10.27.0@sentry/remix
>= 10.11.0, < 10.27.0→10.27.0@sentry/solidstart
>= 10.11.0, < 10.27.0→10.27.0@sentry/sveltekit
>= 10.11.0, < 10.27.0→10.27.0CVE-2025-64762high
2025-11-20authkit-nextjs may let session cookies be cached in CDNs
@workos-inc/authkit-nextjs
<= 2.11.0→2.11.1Advertisement
CVE-2025-65019mediumCVSS: 5.4
2025-11-19Astro Cloudflare adapter has Stored Cross-site Scripting vulnerability in /_image endpoint
astro
< 5.15.9→5.15.9CVE-2025-64765medium
2025-11-19Astro's middleware authentication checks based on url.pathname can be bypassed via url encoded values
astro
< 5.15.8→5.15.8CVE-2025-64757lowCVSS: 3.5
2025-11-19Astro Development Server has Arbitrary Local File Read
astro
< 5.14.3→5.14.3CVE-2025-64756highCVSS: 7.5
2025-11-17glob CLI: Command injection via -c/--cmd executes matches with shell:true
glob
>= 11.0.0, < 11.1.0→11.1.0glob
>= 10.2.0, < 10.5.0→10.5.0CVE-2025-64718mediumCVSS: 5.3
2025-11-14js-yaml has prototype pollution in merge (<<)
js-yaml
>= 4.0.0, < 4.1.1→4.1.1js-yaml
< 3.14.2→3.14.2Advertisement
CVE-2025-64525mediumCVSS: 6.5
2025-11-13Astro vulnerable to URL manipulation via headers, leading to middleware and CVE-2025-61925 bypass
astro
>= 2.16.0, < 5.15.5→5.15.5CVE-2025-12613highCVSS: 8.6
2025-11-10Cloudinary Node SDK is vulnerable to Arbitrary Argument Injection through parameters that include an ampersand
cloudinary
< 2.7.0→2.7.0CVE-2025-64496highCVSS: 7.3
2025-11-07Open WebUI Affected by an External Model Server (Direct Connections) Code Injection via SSE Events
open-webui
<= 0.6.34→0.6.35open-webui
<= 0.6.34→0.6.35CVE-2025-11953criticalCVSS: 9.8
2025-11-03@react-native-community/cli has arbitrary OS command injection
@react-native-community/cli
>= 20.0.0-alpha.0, < 20.0.0→20.0.0@react-native-community/cli
>= 19.0.0-alpha.0, < 19.1.2→19.1.2@react-native-community/cli
>= 18.0.0, < 18.0.1→18.0.1@react-native-community/cli-server-api
>= 20.0.0-alpha.0, < 20.0.0→20.0.0@react-native-community/cli-server-api
>= 19.0.0-alpha.0, < 19.1.2→19.1.2@react-native-community/cli-server-api
>= 18.0.0, < 18.0.1→18.0.1CVE-2025-64118medium
2025-10-30node-tar has a race condition leading to uninitialized memory exposure
tar
= 7.5.1→7.5.2Advertisement
CVE-2025-62726highCVSS: 8.8
2025-10-30n8n Vulnerable to Remote Code Execution via Git Node Pre-Commit Hook
n8n
< 1.113.0→1.113.0CVE-2025-60542highCVSS: 6.5
2025-10-29TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update
typeorm
< 0.3.26→0.3.26GHSA-5jpx-9hw9-2fx4medium
2025-10-29NextAuthjs Email misdelivery Vulnerability
next-auth
< 4.24.12→4.24.12next-auth
>= 5.0.0-beta.0, < 5.0.0-beta.30→5.0.0-beta.30CVE-2025-62713high
2025-10-23Kottster app reinitialization can be re-triggered allowing command injection in development mode
@kottster/server
>= 3.2.0, < 3.3.2→3.3.2GHSA-xvp7-8vm8-xfxxmediumCVSS: 4.2
2025-10-20Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers
@actual-app/sync-server
<= 25.10.0→25.11.0Advertisement
CVE-2025-62427high
2025-10-16Angular SSR has a Server-Side Request Forgery (SSRF) flaw
@angular/ssr
>= 19.0.0-next.0, < 19.2.18→19.2.18@angular/ssr
>= 20.0.0-next.0, < 20.3.6→20.3.6@angular/ssr
>= 21.0.0-next.0, < 21.0.0-next.8→21.0.0-next.8CVE-2025-62410critical
2025-10-15happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
happy-dom
>= 19.0.0, < 20.0.2→20.0.2CVE-2025-34267high
2025-10-14Flowise: Authenticated Command Execution and Sandbox Bypass via Puppeteer and Playwright Packages
flowise
>= 3.0.1, < 3.0.8→3.0.8CVE-2025-61927critical
2025-10-10Happy DOM: VM Context Escape can lead to Remote Code Execution
happy-dom
< 20.0.0→20.0.0CVE-2025-61925mediumCVSS: 6.5
2025-10-10Astro's `X-Forwarded-Host` is reflected without validation
astro
< 5.14.3→5.14.3Advertisement
GHSA-j44m-5v8f-gc9chighCVSS: 7.7
2025-10-10Flowise is vulnerable to arbitrary file exposure through its ReadFileTool
flowise
< 3.0.8→3.0.8flowise-components
< 3.0.8→3.0.8GHSA-365g-vjw2-grx8highCVSS: 8.8
2025-10-09n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host
n8n-nodes-base
<= 1.113.0n8n
<= 1.114.4CVE-2025-61913criticalCVSS: 9.9
2025-10-09Flowise is vulnerable to arbitrary file write through its WriteFileTool
flowise
< 3.0.8→3.0.8flowise-components
< 3.0.8→3.0.8Flowise
<= 3.0.5→3.0.8CVE-2025-61687highCVSS: 8.3
2025-10-08FlowiseAI/Flosise has File Upload vulnerability
flowise
= 3.0.7→3.0.8CVE-2025-55346criticalCVSS: 9.8
2025-10-06Flowise vulnerable to RCE via Dynamic function constructor injection
flowise
<= 2.2.7-patch.1Advertisement
GHSA-4fr9-3x69-36wvmedium
2025-10-03Flowise vulnerable to XSS
flowise
< 3.0.8→3.0.8CVE-2025-11149highCVSS: 7.5
2025-09-30@nubosoftware/node-static failure to catch exception can result in server crash
@nubosoftware/node-static
<= 0.7.11CVE-2025-59364medium
2025-09-26express-xss-sanitizer has an unbounded recursion depth
express-xss-sanitizer
< 2.0.1→2.0.1CVE-2025-59936criticalCVSS: 9.4
2025-09-26get-jwks: poisoned JWKS cache allows post-fetch issuer validation bypass
get-jwks
<= 11.0.1→11.0.2CVE-2025-57348low
2025-09-24node-cube vulnerable to prototype pollution
node-cube
<= 5.0.0-beta.19Advertisement
CVE-2025-59834criticalCVSS: 9.8
2025-09-24Command Injection in adb-mcp MCP Server
adb-mcp
<= 0.1.0CVE-2025-57354mediumCVSS: 6.5
2025-09-24counterpart vulnerable to prototype pollution
counterpart
<= 0.18.6CVE-2025-57353mediumCVSS: 5.3
2025-09-24messageformat prototype pollution vulnerability
@messageformat/runtime
= 3.0.1→3.0.2CVE-2025-59831highCVSS: 8.8
2025-09-22`git-comiters` Command Injection vulnerability
git-commiters
< 0.1.2→0.1.2CVE-2025-59417medium
2025-09-18Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages
@lobehub/chat
<= 1.129.3→1.129.4Advertisement
CVE-2025-10619mediumCVSS: 6.3
2025-09-17@sequa-ai/sequa-mcp has Command Injection vulnerability
@sequa-ai/sequa-mcp
< 1.0.14→1.0.14CVE-2025-59333highCVSS: 8.1
2025-09-16@executeautomation/database-server does not properly restrict access, bypassing a "read-only" mode
@executeautomation/database-server
<= 1.1.0CVE-2025-59331high
2025-09-15is-arrayish@0.3.3 contains malware after npm account takeover
is-arrayish
= 0.3.3→0.3.4CVE-2025-59330high
2025-09-15error-ex@1.3.3 contains malware after npm account takeover
error-ex
= 1.3.3→1.3.4CVE-2025-59162high
2025-09-15color-convert@3.1.1 contains malware after npm account takeover
color-convert
= 3.1.1→3.1.2Advertisement
CVE-2025-59145high
2025-09-15color-name@2.0.1 contains malware after npm account takeover
color-name
= 2.0.1→2.0.2CVE-2025-59144high
2025-09-15debug@4.4.2 contains malware after npm account takeover
debug
= 4.4.2→4.4.3CVE-2025-59143high
2025-09-15color@5.0.1 contains malware after npm account takeover
color
= 5.0.1→5.0.2CVE-2025-59142high
2025-09-15color-string@2.1.1 contains malware after npm account takeover
color-string
= 2.1.1→2.1.2CVE-2025-59141high
2025-09-15simple-swizzle@0.2.3 contains malware after npm account takeover
simple-swizzle
= 0.2.3→0.2.4Advertisement
CVE-2025-59140high
2025-09-15backslash@0.2.1 contains malware after npm account takeover
backslash
= 0.2.1→0.2.2GHSA-6933-jpx5-q87qhigh
2025-09-15Flowise has unsandboxed remote code execution via Custom MCP
flowise
>= 2.2.7-patch.1, < 3.0.6→3.0.6CVE-2025-59528criticalCVSS: 10
2025-09-15Flowise has Remote Code Execution vulnerability
flowise
= 3.0.5→3.0.6CVE-2025-57164criticalCVSS: 9.1
2025-09-15FlowiseAI Pre-Auth Arbitrary Code Execution
flowise
= 3.0.5→3.0.6CVE-2025-58177mediumCVSS: 4.1
2025-09-15Stored XSS in n8n LangChain Chat Trigger Node via initialMessages Parameter
n8n
>= 1.24.0, < 1.107.0→1.107.0Advertisement
GHSA-qj3p-xc97-xw74medium
2025-09-15MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency
@metamask/sdk
>= 0.16.0, <= 0.33.0→0.33.1@metamask/sdk-react
>= 0.16.0, <= 0.33.0→0.33.1@metamask/sdk-communication-layer
>= 0.16.0, <= 0.33.0→0.33.1GHSA-qhwp-454g-2gv4medium
2025-09-15Duplicate Advisory: express-xss-sanitizer has an unbounded recursion depth
express-xss-sanitizer
<= 2.0.0CVE-2025-58754highCVSS: 7.5
2025-09-11Axios is vulnerable to DoS attack through lack of data size check
axios
>= 1.0.0, < 1.12.0→1.12.0axios
>= 0.28.0, < 0.30.2→0.30.2CVE-2025-59052high
2025-09-10Angular SSR: Global Platform Injector Race Condition Leads to Cross-Request Data Leakage
@angular/platform-server
>= 16.0.0-next.0, < 18.2.14→18.2.14@angular/platform-server
>= 20.0.0-next.0, < 20.3.0→20.3.0@angular/platform-server
>= 19.0.0-next.0, < 19.2.15→19.2.15@angular/platform-server
>= 21.0.0-next.0, < 21.0.0-next.3→21.0.0-next.3@angular/ssr
>= 17.0.0-next.0, < 18.2.21→18.2.21@angular/ssr
>= 19.0.0-next.0, < 19.2.16→19.2.16@angular/ssr
>= 20.0.0-next.0, < 20.3.0→20.3.0@angular/ssr
>= 21.0.0-next.0, < 21.0.0-next.3→21.0.0-next.3@nguniversal/common
>= 16.0.0-next.0, <= 16.2.0CVE-2025-59046criticalCVSS: 9.8
2025-09-10interactive-git-checkout has a Command Injection vulnerability
interactive-git-checkout
<= 1.1.4Advertisement
CVE-2025-58751low
2025-09-09Vite middleware may serve files starting with the same name with the public directory
vite
>= 7.1.0, <= 7.1.4→7.1.5vite
>= 7.0.0, <= 7.0.6→7.0.7vite
>= 6.0.0, <= 6.3.5→6.3.6vite
<= 5.4.19→5.4.20CVE-2025-58752low
2025-09-09Vite's `server.fs` settings were not applied to HTML files
vite
>= 7.1.0, <= 7.1.4→7.1.5vite
>= 7.0.0, <= 7.0.6→7.0.7vite
>= 6.0.0, <= 6.3.5→6.3.6vite
<= 5.4.19→5.4.20CVE-2025-59037high
2025-09-09DuckDB NPM packages 1.3.3 and 1.29.2 briefly compromised with malware
duckdb
= 1.3.3→1.3.4@duckdb/node-api
= 1.3.3→1.3.4-alpha.27@duckdb/node-bindings
= 1.3.3→1.3.4-alpha.27@duckdb/duckdb-wasm
= 1.29.2→1.30.0CVE-2025-54994critical
2025-09-08@akoskm/create-mcp-server-stdio is vulnerable to MCP Server Command Injection through `exec` API
@akoskm/create-mcp-server-stdio
< 0.0.13→0.0.13CVE-2025-58358highCVSS: 7.5
2025-09-02mcp-markdownify-server vulnerable to command injection in pptx-to-markdown tool
mcp-markdownify-server
<= 0.0.1→0.0.2Advertisement
CVE-2025-57752mediumCVSS: 6.2
2025-08-29Next.js Affected by Cache Key Confusion for Image Optimization API Routes
next
>= 15.0.0, <= 15.4.4→15.4.5next
>= 0.9.9, < 14.2.31→14.2.31CVE-2025-55173mediumCVSS: 4.3
2025-08-29Next.js Content Injection Vulnerability for Image Optimization
next
>= 15.0.0, <= 15.4.4→15.4.5next
>= 0.9.9, < 14.2.31→14.2.31CVE-2025-57822mediumCVSS: 6.5
2025-08-29Next.js Improper Middleware Redirect Handling Leads to SSRF
next
>= 15.0.0-canary.0, < 15.4.7→15.4.7next
>= 0.9.9, < 14.2.32→14.2.32CVE-2025-4643medium
2025-08-29Payload does not invalidate JWTs after log out
payload
< 3.44.0→3.44.0@payloadcms/next
< 3.44.0→3.44.0@payloadcms/graphql
< 3.44.0→3.44.0CVE-2025-4644medium
2025-08-29Payload's SQLite adapter Session Fixation vulnerability
payload
< 3.44.0→3.44.0@payloadcms/next
< 3.44.0→3.44.0@payloadcms/graphql
< 3.44.0→3.44.0Advertisement
CVE-2025-10894critical
2025-08-27Malicious versions of Nx were published
nx
= 21.5.0@nx/key
= 3.2.0@nx/enterprise-cloud
= 3.2.0@nx/devkit
= 21.5.0@nx/js
= 21.5.0@nx/workspace
= 21.5.0@nx/eslint
= 21.5.0@nx/node
= 21.5.0nx
= 20.9.0nx
= 20.10.0nx
= 21.6.0nx
= 20.11.0nx
= 21.7.0nx
= 21.8.0nx
= 20.12.0@nx/node
= 20.9.0@nx/devkit
= 20.9.0@nx/js
= 20.9.0@nx/workspace
= 20.9.0GHSA-224p-v68g-5g8fmediumCVSS: 5.3
2025-08-26GraphQL Armor Max-Depth Plugin Bypass via fragment caching
@escape.tech/graphql-armor-max-depth
<= 2.4.1→2.4.2GHSA-hmfr-rx46-4jx2mediumCVSS: 5.3
2025-08-26GraphQL Armor Max-Depth Plugin Bypass via Introspection Query Obfuscation
@escape.tech/graphql-armor-max-depth
<= 2.4.1→2.4.2CVE-2025-9287criticalCVSS: 9.1
2025-08-21cipher-base is missing type checks, leading to hash rewind and passing on crafted data
cipher-base
<= 1.0.4→1.0.5GHSA-3j63-5h8p-gf7chigh
2025-08-20x402 SDK vulnerable in outdated versions in resource servers for builders
x402
< 0.5.2→0.5.2x402-next
< 0.5.2→0.5.2x402-express
< 0.5.2→0.5.2x402-hono
< 0.5.2→0.5.2Advertisement
CVE-2025-57749mediumCVSS: 6.5
2025-08-20n8n symlink traversal vulnerability in "Read/Write File" node allows access to restricted files
n8n
< 1.106.0→1.106.0CVE-2025-54881medium
2025-08-19Mermaid improperly sanitizes sequence diagram labels leading to XSS
mermaid
>= 11.0.0-alpha.1, < 11.10.0→11.10.0mermaid
>= 10.9.0-rc.1, < 10.9.4→10.9.4CVE-2025-54880medium
2025-08-19Mermaid does not properly sanitize architecture diagram iconText leading to XSS
mermaid
>= 11.1.0, < 11.10.0→11.10.0CVE-2025-55303mediumCVSS: 6.1
2025-08-19Astro allows unauthorized third-party images in _image endpoint
@astrojs/node
<= 9.1.0→9.1.1astro
<= 4.16.18→4.16.19astro
>= 5.0.0-alpha.0, < 5.13.2→5.13.2CVE-2025-52478highCVSS: 8.7
2025-08-19Stored XSS in n8n Form Trigger allows Account Takeover via injected iframe and video/source
n8n
>= 1.77.0, < 1.98.2→1.98.2Advertisement
CVE-2025-55207medium
2025-08-15@astrojs/node's trailing slash handling causes open redirect issue
@astrojs/node
<= 9.4.0→9.4.1CVE-2025-55164high
2025-08-12content-security-policy-parser Prototype Pollution Vulnerability May Lead to RCE
content-security-policy-parser
< 0.6.0→0.6.0CVE-2025-55008highCVSS: 7.1
2025-08-08The AuthKit React Router Library rendered sensitive auth data in HTML
@workos-inc/authkit-react-router
< 0.7.0→0.7.0CVE-2025-54793medium
2025-08-07Astros's duplicate trailing slash feature leads to an open redirection security issue
astro
>= 5.2.0, < 5.12.8→5.12.8CVE-2025-54798lowCVSS: 2.5
2025-08-06tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
tmp
<= 0.2.3→0.2.4Advertisement
CVE-2025-54387medium
2025-08-04IPX Allows Path Traversal via Prefix Matching Bypass
ipx
< 1.3.2→1.3.2ipx
>= 2.0.0-0, < 2.1.1→2.1.1ipx
>= 3.0.0, < 3.1.1→3.1.1CVE-2025-54782critical
2025-08-01@nestjs/devtools-integration: CSRF to Sandbox Escape Allows for RCE against JS Developers
@nestjs/devtools-integration
<= 0.2.0→0.2.1CVE-2025-54419criticalCVSS: 10
2025-07-28Node-SAML SAML Signature Verification Vulnerability
@node-saml/node-saml
<= 5.0.1→5.1.0passport-saml
<= 3.2.4@node-saml/passport-saml
<= 5.0.1→5.1.0CVE-2025-54369critical
2025-07-25Node-SAML SAML Authentication Bypass
node-saml
<= 3.1.2@node-saml/node-saml
<= 5.0.1→5.1.0CVE-2025-7783critical
2025-07-21form-data uses unsafe random function in form-data for choosing boundary
form-data
< 2.5.4→2.5.4form-data
>= 3.0.0, < 3.0.4→3.0.4form-data
>= 4.0.0, < 4.0.4→4.0.4Advertisement
CVE-2025-54313highCVSS: 7.5
2025-07-19eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall have embedded malicious code
eslint-config-prettier
= 8.10.1→8.10.2eslint-config-prettier
= 9.1.1→9.1.2eslint-config-prettier
>= 10.1.6, <= 10.1.7→10.1.8eslint-plugin-prettier
>= 4.2.2, <= 4.2.3→4.2.4synckit
= 0.11.9→0.11.10@pkgr/core
= 0.2.8→0.2.9napi-postinstall
= 0.3.1→0.3.2got-fetch
>= 5.1.11, <= 5.1.12→6.0.0GHSA-xffm-g5w8-qvg7low
2025-07-18@eslint/plugin-kit is vulnerable to Regular Expression Denial of Service attacks through ConfigCommentParser
@eslint/plugin-kit
< 0.3.4→0.3.4CVE-2025-53892medium
2025-07-16vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes
vue-i18n
>= 9.0.0, < 9.14.5→9.14.5vue-i18n
>= 10.0.0, < 10.0.8→10.0.8vue-i18n
>= 11.0.0, < 11.1.10→11.1.10@intlify/core
>= 9.0.0, < 9.14.5→9.14.5@intlify/core
>= 10.0.0, < 10.0.8→10.0.8@intlify/core
>= 11.0.0, < 11.1.10→11.1.10@intlify/core-base
>= 9.0.0, < 9.14.5→9.14.5@intlify/core-base
>= 10.0.0, < 10.0.8→10.0.8@intlify/core-base
>= 11.0.0, < 11.1.10→11.1.10@intlify/vue-i18n-core
>= 9.2.0, < 9.14.5→9.14.5@intlify/vue-i18n-core
>= 10.0.0, < 10.0.8→10.0.8@intlify/vue-i18n-core
>= 11.0.0, < 11.1.10→11.1.10petite-vue-i18n
>= 10.0.0, < 10.0.8→10.0.8petite-vue-i18n
>= 11.0.0, < 11.1.10→11.1.10CVE-2025-53818high
2025-07-15GitHub Kanban MCP Server vulnerable to Command Injection
@sunwood-ai-labs/github-kanban-mcp-server
<= 0.3.0CVE-2025-53620critical
2025-07-09Qwik's unhandled exception vulnerabilty can cause server crashes from malicious requests
@builder.io/qwik-city
< 1.13.0→1.13.0Advertisement
CVE-2025-53548highCVSS: 7.5
2025-07-09@clerk/backend Performs Insufficient Verification of Data Authenticity
@clerk/backend
>= 2.0.0, < 2.4.0→2.4.0@clerk/astro
>= 2.9.0, < 2.10.2→2.10.2@clerk/express
>= 1.6.0, < 1.7.4→1.7.4@clerk/fastify
>= 2.3.0, < 2.4.4→2.4.4@clerk/nextjs
>= 6.2.10, < 6.23.3→6.23.3@clerk/nuxt
>= 1.7.0, < 1.7.5→1.7.5@clerk/react-router
>= 1.5.0, < 1.6.4→1.6.4@clerk/remix
>= 4.8.0, < 4.8.5→4.8.5@clerk/tanstack-react-start
>= 0.16.0, < 0.18.3→0.18.3CVE-2025-59427medium
2025-07-08Cloudflare Vite plugin exposes secrets over the built-in dev server
@cloudflare/vite-plugin
< 1.6.0→1.6.0CVE-2025-53372highCVSS: 7.5
2025-07-08Node.js Sandbox MCP Server vulnerability can lead to Sandbox Escape via Command Injection
node-code-sandbox-mcp
<= 1.2.0→1.3.0CVE-2025-49826highCVSS: 7.5
2025-07-03Next.JS vulnerability can lead to DoS via cache poisoning
next
>= 15.0.4-canary.51, < 15.1.8→15.1.8CVE-2025-49005lowCVSS: 3.7
2025-07-03Next.js has a Cache poisoning vulnerability due to omission of the Vary header
next
>= 15.3.0, < 15.3.3→15.3.3Advertisement
CVE-2025-52554mediumCVSS: 4.3
2025-07-03n8n is vulnerable to Improper Authorization through its `/stop` endpoint
n8n
< 1.99.1→1.99.1CVE-2024-49365high
2025-06-30tiny-secp256k1 allows for verify() bypass when running in bundled environment
tiny-secp256k1
<= 1.1.6→1.1.7CVE-2024-49364high
2025-06-30tiny-secp256k1 vulnerable to private key extraction when signing a malicious JSON-stringifyable message in bundled environment
tiny-secp256k1
<= 1.1.6→1.1.7CVE-2025-52573mediumCVSS: 6
2025-06-26iOS Simulator MCP Command Injection allowed via exec API
ios-simulator-mcp
< 1.3.3→1.3.3CVE-2025-6547critical
2025-06-23pbkdf2 silently disregards Uint8Array input, returning static keys
pbkdf2
>= 1.0.0, <= 3.1.2→3.1.3Advertisement
CVE-2025-6545critical
2025-06-23pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos
pbkdf2
>= 3.0.10, <= 3.1.2→3.1.3CVE-2025-6087high
2025-06-16OpenNext for Cloudflare (opennextjs-cloudflare) has a SSRF vulnerability via /_next/image endpoint
@opennextjs/cloudflare
< 1.3.0→1.3.0CVE-2025-5897mediumCVSS: 4.3
2025-06-09@vue/cli-plugin-pwa Regular Expression Denial of Service vulnerability
@vue/cli-plugin-pwa
<= 5.0.8CVE-2025-5896mediumCVSS: 4.3
2025-06-09taro-css-to-react-native Regular Expression Denial of Service vulnerability
taro-css-to-react-native
< 4.1.2→4.1.2CVE-2025-45001highCVSS: 7.5
2025-06-09react-native-keys insecurely stores encryption cipher and Base64 chunks
react-native-keys
<= 0.7.11Advertisement
CVE-2025-48947high
2025-06-04NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies
@auth0/nextjs-auth0
>= 4.0.1, <= 4.6.0→4.6.1CVE-2025-48068low
2025-05-28Information exposure in Next.js dev server due to lack of origin verification
next
>= 15.0.0, < 15.2.2→15.2.2next
>= 13.0, < 14.2.30→14.2.30CVE-2024-52588mediumCVSS: 4.9
2025-05-27Strapi allows Server-Side Request Forgery in Webhook function
@strapi/admin
< 4.25.2→4.25.2CVE-2025-47935highCVSS: 7.5
2025-05-19Multer vulnerable to Denial of Service via memory leaks from unclosed streams
multer
< 2.0.0→2.0.0CVE-2025-32421lowCVSS: 3.7
2025-05-15Next.js Race Condition to Cache Poisoning
next
>= 15.0.0, < 15.1.6→15.1.6next
>= 0.9.9, < 14.2.24→14.2.24Advertisement
CVE-2025-46653lowCVSS: 3.1
2025-04-26Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content
formidable
>= 3.1.1-canary.20211030, < 3.5.3→3.5.3formidable
>= 2.1.0, < 2.1.3→2.1.3GHSA-733v-p3h5-qpq7mediumCVSS: 5.3
2025-04-25GraphQL Armor Cost-Limit Plugin Bypass via Introspection Query Obfuscation
@escape.tech/graphql-armor-cost-limit
< 2.4.2→2.4.2CVE-2025-43865highCVSS: 8.2
2025-04-24React Router allows pre-render data spoofing on React-Router framework mode
react-router
>= 7.0.0-pre.0, <= 7.5.1→7.5.2CVE-2025-43864highCVSS: 7.5
2025-04-24React Router allows a DoS via cache poisoning by forcing SPA mode
react-router
>= 7.2.0, <= 7.5.1→7.5.2CVE-2025-43855high
2025-04-24tRPC 11 WebSocket DoS Vulnerability
@trpc/server
>= 11.0.0, < 11.1.1→11.1.1Advertisement
CVE-2025-32388mediumCVSS: 5.4
2025-04-14@sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params
@sveltejs/kit
>= 2.0.0, < 2.20.6→2.20.6CVE-2025-32395medium
2025-04-11Vite has an `server.fs.deny` bypass with an invalid `request-target`
vite
>= 6.2.0, < 6.2.6→6.2.6vite
>= 6.1.0, < 6.1.5→6.1.5vite
>= 6.0.0, < 6.0.15→6.0.15vite
>= 5.0.0, < 5.4.18→5.4.18vite
< 4.5.13→4.5.13CVE-2025-28269high
2025-04-07js-object-utilities Vulnerable to Prototype Pollution
js-object-utilities
< 2.2.1→2.2.1CVE-2025-31486mediumCVSS: 5.3
2025-04-04Vite allows server.fs.deny to be bypassed with .svg or relative paths
vite
>= 6.2.0, < 6.2.5→6.2.5vite
>= 6.1.0, < 6.1.4→6.1.4vite
>= 6.0.0, < 6.0.14→6.0.14vite
>= 5.0.0, < 5.4.17→5.4.17vite
< 4.5.12→4.5.12CVE-2025-3191lowCVSS: 6.1
2025-04-04React Draft Wysiwyg Cross-Site Scripting (XSS) via the Embedded Button
react-draft-wysiwyg
<= 1.15.0Advertisement
CVE-2025-30218low
2025-04-02Next.js may leak x-middleware-subrequest-id to external hosts
next
= 12.3.5→12.3.6next
= 13.5.9→13.5.10next
= 14.2.25→14.2.26next
= 15.2.3→15.2.4CVE-2025-71319highCVSS: 7.5
2025-04-02image-size Denial of Service via Infinite Loop during Image Processing
image-size
>= 1.1.0, < 1.2.1→1.2.1image-size
>= 2.0.0, < 2.0.2→2.0.2CVE-2025-31137highCVSS: 7.5
2025-04-01Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
@react-router/express
>= 7.0.0, < 7.4.1→7.4.1@remix-run/express
>= 2.11.1, < 2.16.3→2.16.3CVE-2025-26042medium
2025-03-31Uptime Kuma's Regular Expression in pushdeeer and whapi file Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
uptime-kuma
>= 1.15.0, <= 1.23.16uptime-kuma
>= 2.0.0-beta.0, < 2.0.0-beta.2→2.0.0-beta.2CVE-2025-30350mediumCVSS: 5.3
2025-03-26Directus's S3 assets become unavailable after a burst of HEAD requests
@directus/storage-driver-s3
>= 9.22.0, < 12.0.1→12.0.1directus
>= 9.22, < 11.5.0→11.5.0Advertisement
CVE-2025-30225mediumCVSS: 5.3
2025-03-26Directus's S3 assets become unavailable after a burst of malformed transformations
@directus/storage-driver-s3
>= 9.22.0, < 12.0.1→12.0.1directus
>= 9.22.0, < 11.5.0→11.5.0CVE-2025-30222low
2025-03-26Shescape has potential environment variable exposure on Windows with CMD
shescape
>= 1.7.2, < 2.1.2→2.1.2CVE-2025-29927criticalCVSS: 9.1
2025-03-21Authorization Bypass in Next.js Middleware
next
>= 13.0.0, < 13.5.9→13.5.9next
>= 14.0.0, < 14.2.25→14.2.25next
>= 15.0.0, < 15.2.3→15.2.3next
>= 12.0.0, < 12.3.5→12.3.5CVE-2025-27415highCVSS: 7.5
2025-03-19Nuxt allows DOS via cache poisoning with payload rendering response
nuxt
>= 3.0.0, < 3.16.0→3.16.0CVE-2025-30144mediumCVSS: 6.5
2025-03-19Fast-JWT Improperly Validates iss Claims
fast-jwt
< 5.0.6→5.0.6Advertisement
CVE-2025-29775critical
2025-03-14xml-crypto Vulnerable to XML Signature Verification Bypass via DigestValue Comment
xml-crypto
>= 4.0.0, < 6.0.1→6.0.1xml-crypto
>= 3.0.0, < 3.2.1→3.2.1xml-crypto
< 2.1.6→2.1.6CVE-2025-29774critical
2025-03-14xml-crypto Vulnerable to XML Signature Verification Bypass via Multiple SignedInfo References
xml-crypto
>= 4.0.0, < 6.0.1→6.0.1xml-crypto
>= 3.0.0, < 3.2.1→3.2.1xml-crypto
< 2.1.6→2.1.6GHSA-h42x-xx2q-6v6gcritical
2025-03-13Flowise Pre-auth Arbitrary File Upload
flowise
<= 2.2.7CVE-2025-27789mediumCVSS: 6.2
2025-03-11Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
@babel/helpers
< 7.26.10→7.26.10@babel/runtime
< 7.26.10→7.26.10@babel/runtime-corejs2
< 7.26.10→7.26.10@babel/runtime-corejs3
< 7.26.10→7.26.10@babel/helpers
>= 8.0.0-alpha.0, < 8.0.0-alpha.16→8.0.0-alpha.17@babel/runtime
>= 8.0.0-alpha.0, < 8.0.0-alpha.16→8.0.0-alpha.17@babel/runtime-corejs2
>= 8.0.0-alpha.0, < 8.0.0-alpha.16→8.0.0-alpha.17@babel/runtime-corejs3
>= 8.0.0-alpha.0, < 8.0.0-alpha.16→8.0.0-alpha.17CVE-2025-27597high
2025-03-07Vue I18n Allows Prototype Pollution in `handleFlatJson`
@intlify/message-resolver
>= 9.1.0, < 9.1.11→9.1.11@intlify/vue-i18n-core
>= 9.2.0, < 9.14.3→9.14.3petite-vue-i18n
>= 10.0.0, < 10.0.6→10.0.6vue-i18n
>= 9.1.0, < 9.14.3→9.14.3@intlify/core-base
>= 9.1.0, < 9.1.11→9.1.11@intlify/core
>= 9.1.0, < 9.1.11→9.1.11@intlify/vue-i18n-core
>= 10.0.0-alpha.1, < 10.0.6→11.1.2@intlify/vue-i18n-core
>= 11.0.0-beta.0, < 11.1.2→11.1.2petite-vue-i18n
>= 11.0.0-beta.0, < 11.1.2→11.1.2vue-i18n
>= 10.0.0-alpha.1, < 10.0.6→10.0.6vue-i18n
>= 11.0.0-beta.0, < 11.1.2→11.1.2Advertisement
CVE-2025-27152high
2025-03-07axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
axios
>= 1.0.0, < 1.8.2→1.8.2axios
< 0.30.0→0.30.0CVE-2025-25290mediumCVSS: 5.3
2025-02-14@octokit/request has a Regular Expression in fetchWrapper that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
@octokit/request
>= 9.0.0-beta.1, < 9.2.1→9.2.1@octokit/request
>= 1.0.0, < 8.4.1→8.4.1CVE-2025-25289mediumCVSS: 5.3
2025-02-14@octokit/request-error has a Regular Expression in index that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
@octokit/request-error
>= 1.0.0, < 5.1.1→5.1.1@octokit/request-error
>= 6.0.0, < 6.1.7→6.1.7CVE-2025-25288mediumCVSS: 5.3
2025-02-14@octokit/plugin-paginate-rest has a Regular Expression in iterator Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
@octokit/plugin-paginate-rest
>= 9.3.0-beta.1, < 11.4.1→11.4.1@octokit/plugin-paginate-rest
>= 1.0.0, < 9.2.2→9.2.2CVE-2025-25285mediumCVSS: 5.3
2025-02-14@octokit/endpoint has a Regular Expression in parse that Leads to ReDoS Vulnerability Due to Catastrophic Backtracking
@octokit/endpoint
>= 9.0.5, < 9.0.6→9.0.6@octokit/endpoint
>= 10.0.0, < 10.1.3→10.1.3Advertisement
CVE-2025-25283highCVSS: 7.5
2025-02-12parse-duration has a Regex Denial of Service that results in event loop delay and out of memory
parse-duration
< 2.1.3→2.1.3CVE-2025-24876highCVSS: 8.1
2025-02-11Authentication bypass in @sap/approuter
@sap/approuter
>= 2.6.1, < 16.7.2→16.7.2CVE-2024-57086highCVSS: 8.2
2025-02-06node-opcua-alarm-condition prototype pollution vulnerability
node-opcua-alarm-condition
< 2.137.0→2.137.0CVE-2024-57075highCVSS: 7.5
2025-02-06eazy-logger prototype pollution
eazy-logger
<= 4.0.1→4.1.0CVE-2025-24963mediumCVSS: 5.9
2025-02-04Vitest browser mode serves arbitrary files
@vitest/browser
>= 2.0.4, < 2.1.9→2.1.9@vitest/browser
>= 3.0.0, < 3.0.4→3.0.4Advertisement
GHSA-r5w7-f542-q2j4lowCVSS: 3.7
2025-01-28Potential DoS when using ContextLines integration
@sentry/node
>= 8.10.0, < 8.49.0→8.49.0@sentry/astro
>= 8.10.0, < 8.49.0→8.49.0@sentry/aws-serverless
>= 8.10.0, < 8.49.0→8.49.0@sentry/bun
>= 8.10.0, < 8.49.0→8.49.0@sentry/google-cloud-serverless
>= 8.10.0, < 8.49.0→8.49.0@sentry/nestjs
>= 8.10.0, < 8.49.0→8.49.0@sentry/nextjs
>= 8.10.0, < 8.49.0→8.49.0@sentry/nuxt
>= 8.10.0, < 8.49.0→8.49.0@sentry/remix
>= 8.10.0, < 8.49.0→8.49.0@sentry/solidstart
>= 8.10.0, < 8.49.0→8.49.0@sentry/sveltekit
>= 8.10.0, < 8.49.0→8.49.0CVE-2025-24360mediumCVSS: 5.3
2025-01-27Opening a malicious website while running a Nuxt dev server could allow read-only access to code
@nuxt/vite-builder
>= 3.8.1, < 3.15.3→3.15.3CVE-2025-23221mediumCVSS: 5.4
2025-01-21Infinite loop and Blind SSRF found inside the Webfinger mechanism in @fedify/fedify
@fedify/fedify
= 1.0.13→1.0.14@fedify/fedify
= 1.1.10→1.1.11@fedify/fedify
= 1.2.10→1.2.11@fedify/fedify
= 1.3.3→1.3.4CVE-2025-24010mediumCVSS: 6.5
2025-01-21Websites were able to send any requests to the development server and read the response in vite
vite
>= 6.0.0, <= 6.0.8→6.0.9vite
>= 5.0.0, <= 5.4.11→5.4.12vite
<= 4.5.5→4.5.6CVE-2025-23206low
2025-01-17AWS Cloud Development Kit (AWS CDK) IAM OIDC custom resource allows connection to unauthorized OIDC provider
aws-cdk-lib
< 2.177.0→2.177.0Advertisement
GHSA-m9c9-mc2h-9wjwlow
2025-01-14Lodestar snappy checksum issue
@lodestar/reqresp
< 1.25.0→1.25.0CVE-2024-56332mediumCVSS: 5.3
2025-01-03Next.js Allows a Denial of Service (DoS) with Server Actions
next
>= 13.0.0, < 13.5.8→13.5.8next
>= 14.0.0, < 14.2.21→14.2.21next
>= 15.0.0, < 15.1.2→15.1.2CVE-2024-56140mediumCVSS: 5.9
2024-12-18Atro CSRF Middleware Bypass (security.checkOrigin)
astro
< 4.16.17→4.16.17CVE-2024-51479highCVSS: 7.5
2024-12-17Next.js authorization bypass vulnerability
next
>= 9.5.5, < 14.2.15→14.2.15CVE-2024-55565mediumCVSS: 4.3
2024-12-09Predictable results in nanoid generation when given non-integer values
nanoid
>= 4.0.0, < 5.0.9→5.0.9nanoid
< 3.3.8→3.3.8Advertisement
CVE-2024-53983mediumCVSS: 5.4
2024-12-02Backstage Scaffolder plugin vulnerable to Server-Side Request Forgery
@backstage/plugin-scaffolder-node
< 0.4.12→0.4.12@backstage/plugin-scaffolder-node
= 0.5.0→0.5.1@backstage/plugin-scaffolder-node
= 0.6.0→0.6.1CVE-2024-52810medium
2024-12-02@intlify/shared Prototype Pollution vulnerability
@intlify/shared
>= 9.7.0, < 9.14.2→9.14.2@intlify/vue-i18n-core
>= 9.7.0, < 9.14.2→9.14.2vue-i18n
>= 9.7.0, < 9.14.2→9.14.2petite-vue-i18n
>= 10.0.0, < 10.0.5→10.0.5@intlify/shared
>= 10.0.0, < 10.0.5→10.0.5@intlify/vue-i18n-core
>= 10.0.0, < 10.0.5→10.0.5vue-i18n
>= 10.0.0, < 10.0.5→10.0.5CVE-2024-52809medium
2024-12-02vue-i18n has cross-site scripting vulnerability with prototype pollution
@intlify/core-base
>= 9.3.0, < 9.14.2→9.14.2vue-i18n
>= 9.3.0, < 9.14.2→9.14.2@intlify/core
>= 9.3.0, < 9.14.2→9.14.2@intlify/vue-i18n-core
>= 9.3.0, < 9.14.2→9.14.2petite-vue-i18n
>= 10.0.0, < 10.0.5→10.0.5@intlify/core-base
>= 10.0.0, < 10.0.5→10.0.5vue-i18n
>= 10.0.0, < 10.0.5→10.0.5@intlify/core
>= 10.0.0, < 10.0.5→10.0.5@intlify/vue-i18n-core
>= 10.0.0, < 10.0.5→10.0.5CVE-2024-21539lowCVSS: 3.5
2024-11-15Regular Expression Denial of Service (ReDoS) in @eslint/plugin-kit
@eslint/plugin-kit
< 0.2.3→0.2.3CVE-2024-49362highCVSS: 7.7
2024-11-14Remote Code Execution on click of <a> Link in markdown preview
joplin
= 3.0.0→3.1.0Advertisement
CVE-2024-49770highCVSS: 7.5
2024-11-01Path traversal in oak allows transfer of hidden files within the served root directory
@oakserver/oak
<= 14.1.0CVE-2020-26311mediumCVSS: 7.5
2024-10-26useragent Regular Expression Denial of Service vulnerability
useragent
<= 2.3.0CVE-2024-48930high
2024-10-21secp256k1-node allows private key extraction over ECDH
secp256k1
= 5.0.0→5.0.1secp256k1
>= 4.0.0, < 4.0.4→4.0.4secp256k1
<= 3.8.0→3.8.1CVE-2024-21536highCVSS: 7.5
2024-10-19Denial of service in http-proxy-middleware
http-proxy-middleware
< 2.0.7→2.0.7http-proxy-middleware
>= 3.0.0, < 3.0.3→3.0.3CVE-2024-9506lowCVSS: 3.7
2024-10-15ReDoS vulnerability in vue package that is exploitable through inefficient regex evaluation in the parseHTML function
vue
>= 2.0.0-alpha.1, < 3.0.0-alpha.0→3.0.0-alpha.0Advertisement
CVE-2024-47824high
2024-10-15Malicious homeservers can steal message keys when the matrix-react-sdk user invites another user to a room
matrix-react-sdk
>= 3.18.0, < 3.102.0→3.102.0CVE-2024-48914criticalCVSS: 9.1
2024-10-15Vendure asset server plugin has local file read vulnerability with AssetServerPlugin & LocalAssetStorageStrategy
@vendure/asset-server-plugin
< 2.3.3→2.3.3@vendure/asset-server-plugin
>= 3.0.0, < 3.0.5→3.0.5CVE-2024-48948lowCVSS: 4.8
2024-10-15Valid ECDSA signatures erroneously rejected in Elliptic
elliptic
< 6.6.0→6.6.0CVE-2024-47831mediumCVSS: 5.9
2024-10-14Denial of Service condition in Next.js image optimization
next
>= 10.0.0, < 14.2.7→14.2.7CVE-2024-21534criticalCVSS: 9.8
2024-10-11JSONPath Plus Remote Code Execution (RCE) Vulnerability
org.webjars.npm:jsonpath-plus
<= 6.0.1jsonpath-plus
< 10.2.0→10.2.0Advertisement
CVE-2024-48949lowCVSS: 5.3
2024-10-10Elliptic's verify function omits uniqueness validation
elliptic
< 6.5.6→6.5.6CVE-2024-21532mediumCVSS: 7.3
2024-10-08ggit is vulnerable to Command Injection via the fetchTags(branch) API
ggit
<= 2.4.12CVE-2024-45277mediumCVSS: 4.3
2024-10-08SAP HANA Node.js client package vulnerable to Prototype Pollution
@sap/hana-client
>= 2.0.0, < 2.21.31→2.21.31GHSA-pf56-h9qf-rxq4mediumCVSS: 6.1
2024-10-07Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page
@saltcorn/server
< 1.0.0-beta.16→1.0.0-beta.16CVE-2024-47066mediumCVSS: 9
2024-09-23lobe-chat implemented an insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964)
@lobehub/chat
<= 1.19.12→1.19.13Advertisement
CVE-2024-47061highCVSS: 8.3
2024-09-20Plate allows arbitrary DOM attributes in element.attributes and leaf.attributes
@udecode/plate-core
>= 37.0.0, < 38.0.6→38.0.6@udecode/plate-core
>= 22.0.0, < 36.5.9→36.5.9@udecode/plate-core
< 21.5.1→21.5.1CVE-2024-46982highCVSS: 7.5
2024-09-17Next.js Cache Poisoning
next
>= 13.5.1, < 13.5.7→13.5.7next
>= 14.0.0, < 14.2.10→14.2.10CVE-2024-45812mediumCVSS: 6.4
2024-09-17Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS
vite
>= 4.0.0, < 4.5.4→4.5.4vite
>= 5.4.0, < 5.4.6→5.4.6vite
>= 5.3.0, < 5.3.6→5.3.6vite
>= 5.2.0, < 5.2.14→5.2.14vite
< 3.2.11→3.2.11vite
>= 5.0.0, < 5.1.8→5.1.8CVE-2024-21528highCVSS: 5.9
2024-09-10node-gettext vulnerable to Prototype Pollution
node-gettext
<= 3.0.0CVE-2024-43373mediumCVSS: 7.7
2024-08-14webcrack has an Arbitrary File Write Vulnerability on Windows when Parsing and Saving a Malicious Bundle
webcrack
<= 2.14.0→2.14.1Advertisement
CVE-2024-42347mediumCVSS: 4.1
2024-08-06Matrix SDK for React's URL preview setting for a room is controllable by the homeserver
matrix-react-sdk
< 3.105.1→3.105.1CVE-2023-49785criticalCVSS: 9.1
2024-08-05NextChat has full-read SSRF and XSS vulnerability in /api/cors endpoint
nextchat
<= 2.11.2CVE-2024-34344criticalCVSS: 8.8
2024-08-05Nuxt vulnerable to remote code execution via the browser when running the test locally
nuxt
>= 3.4.0, < 3.12.4→3.12.4CVE-2024-34343mediumCVSS: 6.3
2024-08-05nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR
nuxt
< 3.12.4→3.12.4CVE-2024-23657highCVSS: 8.8
2024-08-05Nuxt Devtools has a Path Traversal: '../filedir'
@nuxt/devtools
< 1.3.9→1.3.9Advertisement
CVE-2024-42461lowCVSS: 5.3
2024-08-02Elliptic allows BER-encoded signatures
elliptic
>= 5.2.1, <= 6.5.6→6.5.7CVE-2024-42460lowCVSS: 5.3
2024-08-02Elliptic's ECDSA missing check for whether leading bit of r and s is zero
elliptic
>= 2.0.0, <= 6.5.6→6.5.7CVE-2024-42459lowCVSS: 5.3
2024-08-02Elliptic's EDDSA missing signature length check
elliptic
>= 4.0.0, <= 6.5.6→6.5.7CVE-2024-41945lowCVSS: 3.1
2024-07-30The fuels-ts typescript SDK has no awareness of to-be-spent transactions
@fuel-ts/account
< 0.93.0→0.93.0CVE-2024-6783mediumCVSS: 4.2
2024-07-23vue-template-compiler vulnerable to client-side Cross-Site Scripting (XSS)
vue-template-compiler
>= 2.0.0, < 3.0.0Advertisement
CVE-2024-41655highCVSS: 7.5
2024-07-23(ReDoS) Regular Expression Denial of Service in tf2-item-format
tf2-item-format
>= 4.2.6, <= 5.9.13→5.9.14CVE-2024-39693highCVSS: 7.5
2024-07-10Next.js Denial of Service (DoS) condition
next
>= 13.3.1, < 13.5.0→13.5.0CVE-2024-21525highCVSS: 8.3
2024-07-10node-twain vulnerable to Improper Check or Handling of Exceptional Conditions
node-twain
<= 0.0.16CVE-2024-21524highCVSS: 8.2
2024-07-10node-stringbuilder vulnerable to Out-of-bounds Read
node-stringbuilder
<= 2.2.7CVE-2024-38372lowCVSS: 2
2024-07-09Undici vulnerable to data leak when using response.arrayBuffer()
undici
>= 6.14.0, < 6.19.2→6.19.2Advertisement
CVE-2024-39687mediumCVSS: 7.2
2024-07-05Server Side Request Forgery (SSRF) attack in Fedify
@fedify/fedify
< 0.9.2→0.9.2@fedify/fedify
>= 0.10.0, < 0.10.2→0.10.2@fedify/fedify
>= 0.11.0, < 0.11.2→0.11.2CVE-2024-39943highCVSS: 9.9
2024-07-05rejetto HFS vulnerable to OS Command Execution by remote authenticated users
hfs
< 0.52.10→0.52.10CVE-2024-38993criticalCVSS: 9.8
2024-07-01  jsonic was discovered to contain a prototype pollution via the function empty.
  jsonic  <= 2.12.1

CVE-2024-38527 | medium | CVSS: 5.4
2024-06-26  Cross-site Scripting in ZenUML
  @zenuml/core  < 3.23.25 → 3.23.25

CVE-2024-38355 | medium | CVSS: 7.3
2024-06-19  socket.io has an unhandled 'error' event
  socket.io  < 2.5.0 → 2.5.1
  socket.io  >= 3.0.0, < 4.6.2 → 4.6.2

CVE-2024-34065 | high | CVSS: 7.1
2024-06-12  @strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass
  @strapi/plugin-users-permissions  < 4.24.2 → 4.24.2

CVE-2024-31217 | medium | CVSS: 5.3
2024-06-12  @strapi/plugin-upload has a Denial-of-Service via Improper Exception Handling
  @strapi/plugin-upload  < 4.22.0 → 4.22.0

CVE-2024-35255 | medium | CVSS: 5.5
2024-06-11  Azure Identity Libraries and Microsoft Authentication Library Elevation of Privilege Vulnerability
  azure-identity  < 1.16.1 → 1.16.1
  @azure/identity  < 4.2.1 → 4.2.1
  com.azure:azure-identity  < 1.12.2 → 1.12.2
  Azure.Identity  < 1.11.4 → 1.11.4
  @azure/msal-node  >= 2.7.0, < 2.9.2 → 2.9.2
  com.microsoft.azure:msal4j  >= 1.14.4-beta, < 1.15.1 → 1.15.1
  Microsoft.Identity.Client  >= 4.49.1, < 4.60.4 → 4.60.4
  Microsoft.Identity.Client  >= 4.61.0, < 4.61.3 → 4.61.3
  github.com/Azure/azure-sdk-for-go/sdk/azidentity  < 1.6.0-beta.4.0.20240610221955-50774cd97099 → 1.6.0-beta.4.0.20240610221955-50774cd97099

CVE-2024-29415 | high | CVSS: 8.1
2024-06-02  ip SSRF improper categorization in isPublic
  ip  <= 2.0.1

CVE-2023-49781 | high | CVSS: 7.3
2024-05-13  NocoDB Vulnerable to Stored Cross-Site Scripting in Formula.vue
  nocodb  <= 0.202.8 → 0.202.9

CVE-2024-34708 | medium | CVSS: 4.9
2024-05-13  Directus allows redacted data extraction on the API through "alias"
  directus  < 10.11.0 → 10.11.0

CVE-2024-34351 | high | CVSS: 7.5
2024-05-09  Next.js Server-Side Request Forgery in Server Actions
  next  >= 13.4.0, < 14.1.1 → 14.1.1

CVE-2024-34350 | high | CVSS: 7.5
2024-05-09  Next.js Vulnerable to HTTP Request Smuggling
  next  >= 13.4.0, < 13.5.1 → 13.5.1

CVE-2024-34342 | high | CVSS: 7.1
2024-05-07  react-pdf vulnerable to arbitrary JavaScript execution upon opening a malicious PDF with PDF.js
  react-pdf  < 7.7.3 → 7.7.3
  react-pdf  >= 8.0.0, < 8.0.2 → 8.0.2

CVE-2024-34393 | critical | CVSS: 8.1
2024-05-02  libxmljs2 type confusion vulnerability when parsing specially crafted XML
  libxmljs2  <= 0.33.0

CVE-2024-34394 | critical | CVSS: 8.1
2024-05-02  libxmljs2 vulnerable to type confusion when parsing specially crafted XML
  libxmljs2  <= 0.35.0

CVE-2024-34392 | critical | CVSS: 8.1
2024-05-02  libxmljs vulnerable to type confusion when parsing specially crafted XML
  libxmljs  <= 1.0.11

CVE-2024-34391 | critical | CVSS: 8.1
2024-05-02  libxmljs vulnerable to type confusion when parsing specially crafted XML
  libxmljs  <= 1.0.11

CVE-2024-32962 | critical | CVSS: 10
2024-05-01  xml-crypto vulnerable to XML signature verification bypass due to improper verification of signature / signature spoofing
  xml-crypto  >= 4.0.0, < 6.0.0 → 6.0.0

CVE-2023-36821 | high | CVSS: 8.8
2024-05-01  Uptime Kuma vulnerable to authenticated remote code execution via malicious plugin installation
  uptime-kuma  <= 1.22.0 → 1.22.1

CVE-2024-33883 | medium | CVSS: 4
2024-04-28  ejs lacks certain pollution protection
  ejs  < 3.1.10 → 3.1.10

CVE-2024-21511 | critical | CVSS: 9.8
2024-04-23  MySQL2 for Node Arbitrary Code Injection
  mysql2  < 3.9.7 → 3.9.7

CVE-2024-34347 | high | CVSS: 8.3
2024-04-22  @hoppscotch/cli affected by Sandbox Escape in @hoppscotch/js-sandbox leads to RCE
  @hoppscotch/cli  >= 0.5.0, < 0.8.0 → 0.8.0

CVE-2024-32652 | high | CVSS: 7.5
2024-04-19  @hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed
  @hono/node-server  >= 1.3.0, < 1.10.1 → 1.10.1

GHSA-82jv-9wjw-pqh6 | low
2024-04-17  Prototype pollution in emit function
  derby  <= 2.3.1 → 2.3.2
  derby  >= 3.0.0, <= 3.0.1 → 3.0.2
  derby  >= 4.0.0-beta1, <= 4.0.0-beta.10 → 4.0.0-beta.11
CVE-2021-4438 | medium | CVSS: 5.3
2024-04-07  React Native Sms User Consent Intent Redirection Vulnerability
  @kyivstarteam/react-native-sms-user-consent  < 1.1.5 → 1.1.5

CVE-2024-29900 | high | CVSS: 7.5
2024-03-29  @electron/packager's build process memory potentially leaked into final executable
  @electron/packager  = 18.3.0 → 18.3.1

CVE-2024-29041 | medium | CVSS: 6.1
2024-03-25  Express.js Open Redirect in malformed URLs
  express  < 4.19.2 → 4.19.2
  express  >= 5.0.0-alpha.1, < 5.0.0-beta.3 → 5.0.0-beta.3

CVE-2024-28863 | medium | CVSS: 6.5
2024-03-22  Denial of service while parsing a tar file due to lack of folders count validation
  node-tar  < 6.2.1 → 6.2.1
  tar  < 6.2.1 → 6.2.1

CVE-2024-28176 | medium | CVSS: 5.3
2024-03-07  jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
  jose  >= 3.0.0, <= 4.15.4 → 4.15.5
  jose-node-cjs-runtime  <= 4.15.4 → 4.15.5
  jose-node-esm-runtime  <= 4.15.4 → 4.15.5
  jose  < 2.0.7 → 2.0.7

CVE-2024-27922 | critical | CVSS: 9.8
2024-03-05  HTTP Handling Vulnerability in the Bare server
  @tomphttp/bare-server-node  < 2.0.2 → 2.0.2

GHSA-68c2-4mpx-qh95 | low
2024-03-01  Potential leakage of Sentry auth tokens by React Native SDK with Expo plugin
  @sentry/react-native  >= 5.16.0, <= 5.19.0 → 5.19.1

CVE-2024-26135 | high | CVSS: 8.3
2024-02-21  MeshCentral cross-site websocket hijacking (CSWSH) vulnerability
  meshcentral  < 1.1.21 → 1.1.21

GHSA-w4hv-vmv9-hgcr | high | CVSS: 8.3
2024-02-16  GitHub Security Lab (GHSL) Vulnerability Report, scrypted: `GHSL-2023-218`, `GHSL-2023-219`
  @scrypted/server  <= 0.56.0
  @scrypted/core  <= 0.1.142

CVE-2024-25466 | high | CVSS: 7.3
2024-02-16  React Native Document Picker Directory Traversal vulnerability
  react-native-document-picker  >= 9.0.0, < 9.1.1 → 9.1.1
  react-native-document-picker  < 8.2.2 → 8.2.2

CVE-2024-24828 | medium | CVSS: 6.6
2024-02-09  Pkg Local Privilege Escalation
  pkg  <= 5.8.1

CVE-2024-24556 | high | CVSS: 7.2
2024-01-30  @urql/next Cross-site Scripting vulnerability
  @urql/next  < 1.1.1 → 1.1.1

CVE-2024-24558 | high | CVSS: 8.2
2024-01-30  react-query-streamed-hydration Cross-site Scripting vulnerability
  @tanstack/react-query-next-experimental  >= 5.0.0, < 5.18.0 → 5.18.0

CVE-2024-23641 | high | CVSS: 7.5
2024-01-24  Sending a GET or HEAD request with a body crashes SvelteKit
  @sveltejs/kit  >= 2.0.0, < 2.4.3 → 2.4.3
  @sveltejs/adapter-node  >= 2.0.0, < 2.1.2 → 2.1.2
  @sveltejs/adapter-node  >= 3.0.0, < 3.0.3 → 3.0.3
  @sveltejs/adapter-node  = 4.0.0 → 4.0.1

CVE-2024-23340 | medium | CVSS: 5.3
2024-01-23  @hono/node-server cannot handle "double dots" in URL
  @hono/node-server  >= 1.3.0, < 1.4.1 → 1.4.1

GHSA-wg2x-rv86-mmpx | high
2024-01-19  SPV Merkle proof malleability allows the maintainer to prove invalid transactions
  @keep-network/tbtc-v2  <= 1.5.1 → 1.5.2

CVE-2024-23331 | high | CVSS: 7.5
2024-01-19  Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem
  vite  >= 2.7.0, <= 2.9.16 → 2.9.17
  vite  >= 3.0.0, <= 3.2.7 → 3.2.8
  vite  >= 4.0.0, <= 4.5.1 → 4.5.2
  vite  >= 5.0.0, <= 5.0.11 → 5.0.12

CVE-2024-22206 | critical | CVSS: 9
2024-01-12  @clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
  @clerk/nextjs  >= 4.7.0, < 4.29.3 → 4.29.3

CVE-2024-21668 | medium | CVSS: 4.4
2024-01-09  react-native-mmkv Insertion of Sensitive Information into Log File vulnerability
  react-native-mmkv  < 2.11.0 → 2.11.0

GHSA-cfxh-frx4-9gjg | critical
2023-12-15  Cross-site Scripting in @spscommerce/ds-react
  @spscommerce/ds-react  >= 4.12.2, < 7.17.4 → 7.17.4

CVE-2023-50710 | medium | CVSS: 4.2
2023-12-15  Named path parameters can be overridden in TrieRouter
  hono  < 3.11.7 → 3.11.7

CVE-2023-49583 | critical | CVSS: 9.1
2023-12-12  Escalation of privileges in @sap/xssec
  @sap/xssec  < 3.6.0 → 3.6.0

CVE-2023-49799 | high | CVSS: 7.5
2023-12-12  SSRF & Credentials Leak
  nuxt-api-party  < 0.22.0 → 0.22.0

CVE-2023-49800 | high | CVSS: 7.5
2023-12-11  DoS by abusing `fetchOptions.retry`
  nuxt-api-party  < 0.22.1 → 0.22.1

CVE-2023-49293 | medium | CVSS: 6.1
2023-12-05  Vite XSS vulnerability in `server.transformIndexHtml` via URL payload
  vite  >= 4.4.0, < 4.4.12 → 4.4.12
  vite  = 4.5.0 → 4.5.1
  vite  >= 5.0.0, < 5.0.5 → 5.0.5
CVE-2023-48711 | low | CVSS: 3.7
2023-11-27  google-translate-api-browser Server-Side Request Forgery (SSRF) Vulnerability
  google-translate-api-browser  < 4.1.0 → 4.1.0

CVE-2023-49210 | critical | CVSS: 9.8
2023-11-23  openssl npm package vulnerable to command execution
  openssl  <= 2.0.0

CVE-2023-48309 | medium | CVSS: 5.3
2023-11-20  Possible user mocking that bypasses basic authentication
  next-auth  < 4.24.5 → 4.24.5

CVE-2023-48223 | medium | CVSS: 5.9
2023-11-20  JWT Algorithm Confusion
  fast-jwt  < 3.3.2 → 3.3.2

CVE-2023-48238 | high | CVSS: 7.5
2023-11-17  json-web-token library is vulnerable to a JWT algorithm confusion attack
  json-web-token  <= 3.1.1 → 4.0.0

CVE-2023-46729 | medium | CVSS: 6.1
2023-11-09  Sentry Next.js vulnerable to SSRF via Next.js SDK tunnel endpoint
  @sentry/nextjs  >= 7.26.0, < 7.77.0 → 7.77.0

CVE-2023-45827 | high | CVSS: 7.3
2023-11-03  Prototype Pollution (PP) vulnerability in setByPath
  @clickbar/dot-diver  < 1.0.2 → 1.0.2

CVE-2023-39345 | high | CVSS: 7.6
2023-11-03  Unauthorized Access to Private Fields in User Registration API
  @strapi/plugin-users-permissions  >= 4.0.0, < 4.13.1 → 4.13.1
  @strapi/strapi  >= 4.0.0, < 4.13.1 → 4.13.1

CVE-2023-39619 | high | CVSS: 7.5
2023-10-25  Inefficient Regular Expression Complexity in node-email-check
  node-email-check  <= 1.0.4

CVE-2023-46298 | low
2023-10-22  Next.js missing cache-control header may lead to CDN caching empty reply
  next  >= 0.9.9, < 13.4.20-canary.13 → 13.4.20-canary.13

CVE-2023-46115 | high | CVSS: 8.4
2023-10-20  Tauri's Updater Private Keys Possibly Leaked via Vite Environment Variables
  tauri-cli  >= 2.0.0-alpha.0, < 2.0.0-alpha.16 → 2.0.0-alpha.16
  @tauri-apps/cli  >= 2.0.0-alpha.0, < 2.0.0-alpha.16 → 2.0.0-alpha.16
  @tauri-apps/cli  >= 1.0.0, < 1.5.6 → 1.5.6
  tauri-cli  >= 1.0.0, < 1.5.6 → 1.5.6

CVE-2023-45820 | high | CVSS: 7.5
2023-10-19  Directus crashes on invalid WebSocket message
  directus  >= 10.4.0, < 10.6.2 → 10.6.2

CVE-2023-45818 | medium | CVSS: 6.1
2023-10-19  TinyMCE mXSS vulnerability in undo/redo, getContent API, resetContent API, and Autosave plugin
  tinymce  >= 6.0.0, < 6.7.1 → 6.7.1
  TinyMCE  >= 6.0.0, < 6.7.1 → 6.7.1
  tinymce/tinymce  >= 6.0.0, < 6.7.1 → 6.7.1
  tinymce  < 5.10.8 → 5.10.8
  TinyMCE  < 5.10.8 → 5.10.8
  tinymce/tinymce  < 5.10.8 → 5.10.8

CVE-2023-5654 | medium | CVSS: 6.5
2023-10-19  React Developer Tools extension Improper Authorization vulnerability
  react-devtools-core  < 4.28.4 → 4.28.4

CVE-2023-45811 | high | CVSS: 7.8
2023-10-18  Synchrony deobfuscator prototype pollution vulnerability leading to arbitrary code execution
  deobfuscator  >= 2.0.1, < 2.4.4 → 2.4.4

CVE-2023-26155 | high | CVSS: 7.3
2023-10-14  node-qpdf vulnerable to command injection
  node-qpdf  <= 1.0.3

CVE-2023-38507 | high | CVSS: 7.3
2023-09-13  Strapi Improper Rate Limiting vulnerability
  @strapi/admin  < 4.12.1 → 4.12.1
  @strapi/plugin-users-permissions  < 4.12.1 → 4.12.1

GHSA-j5g3-5c8r-7qfx | low
2023-08-30  Prevent logging invalid header values
  @apollo/server  < 4.9.3 → 4.9.3
  apollo-server-core  >= 3.0.0, < 3.12.1 → 3.12.1
  apollo-server-core  < 2.26.1 → 2.26.1

CVE-2021-32050 | medium | CVSS: 4.2
2023-08-29  MongoDB Driver may publish events containing authentication-related data
  mongodb/mongodb  >= 1.0.0, < 1.9.2 → 1.9.2
  mongodb  >= 3.6.0, < 3.6.10 → 3.6.10
  mongodb  >= 4.0.0, < 4.17.0 → 4.17.0
  mongodb  >= 5.0.0, < 5.8.0 → 5.8.0
  github.com/mongodb/mongo-swift-driver  >= 1.0.0, < 1.1.1 → 1.1.1

CVE-2023-41167 | medium | CVSS: 4.8
2023-08-24  @webiny/react-rich-text-renderer vulnerable to insecure rendering of rich text content
  @webiny/react-rich-text-renderer  <= 5.37.1 → 5.37.2

CVE-2023-40185 | high | CVSS: 8.6
2023-08-22  Shescape on Windows escaping may be bypassed in threaded context
  shescape  < 1.7.4 → 1.7.4

CVE-2023-40178 | medium | CVSS: 5.3
2023-08-21  @node-saml/node-saml's validatePostRequestAsync does not include checkTimestampsValidityError
  @node-saml/node-saml  < 4.0.5 → 4.0.5

CVE-2023-26140 | medium | CVSS: 6.1
2023-08-16  @excalidraw/excalidraw Cross-site Scripting vulnerability
  @excalidraw/excalidraw  < 0.15.3 → 0.15.3

CVE-2021-29057 | medium | CVSS: 6.5
2023-08-11  SUCHMOKUO node-worker-threads-pool denial of service vulnerability
  node-worker-threads-pool  <= 1.4.3

CVE-2023-39532 | critical | CVSS: 9.8
2023-08-09  SES's dynamic import and spread operator provides possible path to arbitrary exfiltration and execution
  ses  >= 0.13.0, < 0.13.5 → 0.13.5
  ses  >= 0.14.0, < 0.14.5 → 0.14.5
  ses  >= 0.15.0, < 0.15.24 → 0.15.24
  ses  = 0.16.0 → 0.16.1
  ses  = 0.17.0 → 0.17.1
  ses  >= 0.18.0, < 0.18.7 → 0.18.7
CVE-2023-37478 | high | CVSS: 7.5
2023-08-01  pnpm incorrectly parses tar archives relative to specification
  pnpm  < 7.33.4 → 7.33.4
  @pnpm/exe  < 7.33.4 → 7.33.4
  @pnpm/linux-arm64  < 7.33.4 → 7.33.4
  @pnpm/linux-x64  < 7.33.4 → 7.33.4
  @pnpm/linuxstatic-arm64  < 7.33.4 → 7.33.4
  @pnpm/macos-arm64  < 7.33.4 → 7.33.4
  @pnpm/macos-x64  < 7.33.4 → 7.33.4
  @pnpm/win-x64  < 7.33.4 → 7.33.4
  @pnpm/cafs  < 7.0.5 → 7.0.5
  pnpm  >= 8.0.0, < 8.6.8 → 8.6.8
  @pnpm/exe  >= 8.0.0, < 8.6.8 → 8.6.8
  @pnpm/linux-arm64  >= 8.0.0, < 8.6.8 → 8.6.8
  @pnpm/linux-x64  >= 8.0.0, < 8.6.8 → 8.6.8
  @pnpm/linuxstatic-arm64  >= 8.0.0, < 8.6.8 → 8.6.8
  @pnpm/macos-arm64  >= 8.0.0, < 8.6.8 → 8.6.8
  @pnpm/macos-x64  >= 8.0.0, < 8.6.8 → 8.6.8
  @pnpm/win-x64  >= 8.0.0, < 8.6.8 → 8.6.8

CVE-2023-38504 | high | CVSS: 7.5
2023-07-27  DoS vulnerability for apps with sockets enabled
  sails  < 1.5.7 → 1.5.7

CVE-2023-37259 | medium | CVSS: 6.1
2023-07-18  matrix-react-sdk vulnerable to XSS in Export Chat feature
  matrix-react-sdk  >= 3.32.0, < 3.76.0 → 3.76.0

CVE-2023-37903 | critical | CVSS: 9.8
2023-07-13  vm2 Sandbox Escape vulnerability
  vm2  <= 3.9.19

CVE-2023-30589 | high | CVSS: 7.5
2023-07-01  llhttp vulnerable to HTTP request smuggling
  llhttp  < 8.1.1 → 8.1.1

CVE-2023-35931 | low | CVSS: 3.1
2023-06-22  Shescape potential environment variable exposure on Windows with CMD
  shescape  < 1.7.1 → 1.7.1

CVE-2023-34459 | medium | CVSS: 5.3
2023-06-19  OpenZeppelin Contracts using MerkleProof multiproofs may allow proving arbitrary leaves for specific trees
  @openzeppelin/contracts  >= 4.7.0, < 4.9.2 → 4.9.2
  @openzeppelin/contracts-upgradeable  >= 4.7.0, < 4.9.2 → 4.9.2

CVE-2020-36732 | medium | CVSS: 5.3
2023-06-12  crypto-js uses insecure random numbers
  crypto-js  = 3.2.0 → 3.2.1

CVE-2023-34232 | high | CVSS: 7.3
2023-06-09  Snowflake NodeJS Driver vulnerable to Command Injection
  snowflake-sdk  < 1.6.21 → 1.6.21

CVE-2023-34092 | high | CVSS: 7.5
2023-06-06  Vite Server Options (server.fs.deny) can be bypassed using double forward-slash (//)
  vite  < 2.9.16 → 2.9.16
  vite  >= 3.0.2, < 3.2.7 → 3.2.7
  vite  >= 4.0.0, < 4.0.5 → 4.0.5
  vite  >= 4.1.0, < 4.1.5 → 4.1.5
  vite  >= 4.2.0, < 4.2.3 → 4.2.3
  vite  >= 4.3.0, < 4.3.9 → 4.3.9

CVE-2023-26127 | high | CVSS: 7.8
2023-05-27  n158 vulnerable to Command Injection due to improper input sanitization in the 'module.exports' function
  n158  <= 1.4.1

CVE-2023-26128 | high | CVSS: 8.4
2023-05-27  keep-module-latest vulnerable to Command Injection due to missing input sanitization
  keep-module-latest  <= 1.0.1

CVE-2023-26129 | high | CVSS: 7.8
2023-05-27  bwm-ng vulnerable to command injection
  bwm-ng  <= 0.1.1

GHSA-7cgc-fjv4-52x6 | critical
2023-05-24  Malware in pre-build binaries of bignum
  bignum  >= 0.12.2, < 0.13.1 → 0.13.1

CVE-2023-32695 | medium | CVSS: 7.3
2023-05-23  Insufficient validation when decoding a Socket.IO packet
  socket.io-parser  >= 3.4.0, < 3.4.3 → 3.4.3
  socket.io-parser  >= 4.0.4, < 4.2.3 → 4.2.3
  socket.io-parser  < 3.3.4 → 3.3.4

CVE-2023-32313 | medium | CVSS: 5.3
2023-05-17  vm2 vulnerable to Inspect Manipulation
  vm2  < 3.9.18 → 3.9.18

CVE-2023-27562 | medium | CVSS: 6.5
2023-05-10  n8n Directory Traversal vulnerability
  n8n  < 0.216.1 → 0.216.1

CVE-2023-27564 | high | CVSS: 7.5
2023-05-10  n8n Information Disclosure vulnerability
  n8n  < 0.216.1 → 0.216.1

CVE-2023-27563 | high | CVSS: 8.8
2023-05-10  n8n Privilege Escalation vulnerability
  n8n  < 0.216.1 → 0.216.1

CVE-2023-31125 | medium | CVSS: 6.5
2023-05-03  engine.io Uncaught Exception vulnerability
  engine.io  >= 5.1.0, < 6.4.2 → 6.4.2

CVE-2023-30846 | critical | CVSS: 9.1
2023-04-27  Potential leak of authentication data to 3rd parties
  typed-rest-client  < 1.8.0 → 1.8.0

CVE-2023-30609 | high | CVSS: 8.2
2023-04-25  HTML injection in search results via plaintext message highlighting
  matrix-react-sdk  < 3.71.0 → 3.71.0

CVE-2023-29566 | critical | CVSS: 9.8
2023-04-24  Remote code execution in dawnsparks-node-tesseract
  dawnsparks-node-tesseract  < 0.4.1 → 0.4.1

CVE-2023-30543 | medium | CVSS: 5.2
2023-04-18  `chainId` may be outdated if user changes chains as part of connection in @web3-react
  @web3-react/coinbase-wallet  >= 6.0.0, < 8.0.35-beta.0 → 8.0.35-beta.0
  @web3-react/eip1193  >= 6.0.0, < 8.0.27-beta.0 → 8.0.27-beta
  @web3-react/metamask  >= 6.0.0, < 8.0.30-beta.0 → 8.0.30-beta.0
  @web3-react/walletconnect  >= 6.0.0, < 8.0.37-beta.0 → 8.0.37-beta.0

CVE-2023-29017 | critical | CVSS: 9.8
2023-04-07  vm2 vulnerable to sandbox escape
  vm2  < 3.9.15 → 3.9.15
CVE-2023-29003 | high | CVSS: 8.8
2023-04-04  SvelteKit vulnerable to Cross-Site Request Forgery
  @sveltejs/kit  < 1.15.1 → 1.15.1

CVE-2023-28427 | high | CVSS: 8.2
2023-03-30  Prototype pollution in matrix-js-sdk (part 2)
  matrix-js-sdk  < 24.0.0 → 24.0.0

CVE-2023-28103 | high | CVSS: 8.2
2023-03-29  Prototype pollution in matrix-react-sdk
  matrix-react-sdk  < 3.69.0 → 3.69.0

CVE-2022-36060 | high | CVSS: 7.2
2023-03-28  matrix-react-sdk Prototype pollution vulnerability
  matrix-react-sdk  < 3.53.0 → 3.53.0

GHSA-2w9p-xf5h-qwj3 | high
2023-03-27  Duplicate Advisory: pullit Command Injection vulnerability
  pullit  < 1.4.0

CVE-2023-28444 | critical | CVSS: 9.9
2023-03-24  angular-server-side-configuration information disclosure vulnerability in monorepo with node.js backend
  angular-server-side-configuration  >= 15.0.0, < 15.1.0 → 15.1.0

CVE-2023-26113 | high | CVSS: 7.5
2023-03-18  Collection.js vulnerable to Prototype Pollution
  collection.js  < 6.8.1 → 6.8.1

CVE-2023-28155 | medium | CVSS: 6.1
2023-03-16  Server-Side Request Forgery in Request
  request  <= 2.88.2
  @cypress/request  <= 2.88.12 → 3.0.0

CVE-2023-27490 | high | CVSS: 8.1
2023-03-13  Missing proper state, nonce and PKCE checks for OAuth authentication
  next-auth  < 4.20.1 → 4.20.1

CVE-2022-43441 | high | CVSS: 8.1
2023-03-13  sqlite vulnerable to code execution due to Object coercion
  sqlite3  >= 5.0.0, < 5.1.5 → 5.1.5

CVE-2023-26109 | critical | CVSS: 9.8
2023-03-09  node-bluetooth-serial-port is vulnerable to Buffer Overflow via the findSerialPortChannel
  node-bluetooth-serial-port  <= 2.2.7

CVE-2023-26110 | critical | CVSS: 9.8
2023-03-09  node-bluetooth is vulnerable to Buffer Overflow via the findSerialPortChannel method due to improper user input length validation
  node-bluetooth  <= 1.2.6

CVE-2023-1283 | critical | CVSS: 9.8
2023-03-09  builderio/qwik is vulnerable to code injection
  @builder.io/qwik  < 0.21.0 → 0.21.0

CVE-2023-26111 | high | CVSS: 7.5
2023-03-06  node-static and @nubosoftware/node-static vulnerable to Directory Traversal
  node-static  <= 0.7.11
  @nubosoftware/node-static  <= 0.7.11

CVE-2022-2237 | medium | CVSS: 6.1
2023-03-02  keycloak-connect contains Open redirect vulnerability in the Node.js adapter
  keycloak-connect  < 21.0.1 → 21.0.1

CVE-2023-25653 | high | CVSS: 7.5
2023-02-16  Improper calculations in ECC implementation can trigger a Denial-of-Service (DoS)
  node-jose  < 2.2.0 → 2.2.0

CVE-2023-25572 | medium | CVSS: 5.4
2023-02-14  Cross-Site-Scripting attack on `<RichTextField>`
  react-admin  < 3.19.12 → 3.19.12
  react-admin  >= 4.0.0, < 4.7.6 → 4.7.6
  ra-ui-materialui  >= 4.0.0, < 4.7.6 → 4.7.6
  ra-ui-materialui  < 3.19.12 → 3.19.12

CVE-2020-36651 | high | CVSS: 7.5
2023-01-18  Path Traversal in web-node-server
  web-node-server  < 0.0.11 → 0.0.11

CVE-2020-36650 | high | CVSS: 8
2023-01-11  gry vulnerable to Command Injection
  gry  < 6.0.0 → 6.0.0

CVE-2023-0163 | high | CVSS: 8.4
2023-01-10  convict vulnerable to Prototype Pollution
  convict  < 6.2.4 → 6.2.4

CVE-2017-20165 | high | CVSS: 7.5
2023-01-09  debug Inefficient Regular Expression Complexity vulnerability
  debug  < 2.6.9 → 2.6.9
  debug  >= 3.0.0, < 3.1.0 → 3.1.0

CVE-2018-25053 | medium | CVSS: 6.1
2022-12-28  Json2html vulnerable to cross-site scripting
  node-json2html  < 1.2.0 → 1.2.0

CVE-2022-23541 | medium | CVSS: 5
2022-12-22  jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC
  jsonwebtoken  <= 8.5.1 → 9.0.0

CVE-2022-23529 | high | CVSS: 7.6
2022-12-22  jsonwebtoken has insecure input validation in jwt.verify function
  jsonwebtoken  <= 8.5.1 → 9.0.0

CVE-2020-36618 | critical | CVSS: 9.8
2022-12-19  FurqanSoftware/node-whois vulnerable to Prototype Pollution
  whois  < 2.13.6 → 2.13.6

CVE-2022-24999 | high | CVSS: 7.5
2022-11-27  qs vulnerable to Prototype Pollution
  qs  >= 6.10.0, < 6.10.3 → 6.10.3
  qs  >= 6.9.0, < 6.9.7 → 6.9.7
  qs  >= 6.8.0, < 6.8.3 → 6.8.3
  qs  >= 6.7.0, < 6.7.3 → 6.7.3
  qs  >= 6.6.0, < 6.6.1 → 6.6.1
  qs  >= 6.5.0, < 6.5.3 → 6.5.3
  qs  >= 6.4.0, < 6.4.1 → 6.4.1
  qs  >= 6.3.0, < 6.3.3 → 6.3.3
  qs  < 6.2.4 → 6.2.4

CVE-2022-41940 | medium | CVSS: 6.5
2022-11-21  Uncaught exception in engine.io
  engine.io  < 3.6.1 → 3.6.1
  engine.io  >= 4.0.0, < 6.2.1 → 6.2.1

CVE-2022-39353 | critical | CVSS: 9.8
2022-11-01  xmldom allows multiple root nodes in a DOM
  xmldom  <= 0.6.0
  @xmldom/xmldom  < 0.7.7 → 0.7.7
  @xmldom/xmldom  >= 0.8.0, < 0.8.4 → 0.8.4
  @xmldom/xmldom  >= 0.9.0-beta.1, < 0.9.0-beta.4 → 0.9.0-beta.4

CVE-2022-3783 | medium | CVSS: 6.1
2022-11-01  node-red-dashboard vulnerable to Cross-site Scripting
  node-red-dashboard  < 3.2.0 → 3.2.0

CVE-2022-39300 | high | CVSS: 8.1
2022-10-12  Signature bypass via multiple root elements
  node-saml  < 4.0.0-beta.5 → 4.0.0-beta.5
CVE-2022-39299 | high | CVSS: 8.1
2022-10-12  Signature bypass via multiple root elements
  passport-saml  < 3.2.2 → 3.2.2
  node-saml  < 4.0.0-beta.5 → 4.0.0-beta.5
  @node-saml/node-saml  < 4.0.0-beta.5 → 4.0.0-beta.5
  @node-saml/passport-saml  < 4.0.0-beta.3 → 4.0.0-beta.3

GHSA-2p3c-p3qw-69r4 | medium
2022-10-12  The graphql-upload library included in Apollo Server 2 is vulnerable to CSRF mutations
  apollo-server  >= 2.0.0, < 2.25.4 → 2.25.4

CVE-2022-37616 | critical | CVSS: 9.8
2022-10-11  Withdrawn: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in @xmldom/xmldom and xmldom
  xmldom  <= 0.6.0
  @xmldom/xmldom  = 0.9.0-beta.1 → 0.9.0-beta.2
  @xmldom/xmldom  >= 0.8.0, < 0.8.3 → 0.8.3
  @xmldom/xmldom  < 0.7.6 → 0.7.6

CVE-2022-24373 | high | CVSS: 7.5
2022-10-01  react-native-reanimated vulnerable to ReDoS
  react-native-reanimated  < 2.10.0 → 2.10.0

CVE-2022-39263 | medium | CVSS: 6.8
2022-09-30  Upstash Adapter missing token verification
  @next-auth/upstash-redis-adapter  < 3.0.2 → 3.0.2

CVE-2022-41340 | high | CVSS: 7.5
2022-09-25  secp256k1-js implements ECDSA without required r and s validation, leading to signature forgery
  @lionello/secp256k1-js  < 1.1.0 → 1.1.0

CVE-2022-36083 | medium | CVSS: 5.3
2022-09-16  JOSE vulnerable to resource exhaustion via specifically crafted JWE
  jose  >= 1.0.0, <= 1.28.1 → 1.28.2
  jose-browser-runtime  >= 3.0.0, <= 3.20.3 → 3.20.4
  jose-node-cjs-runtime  >= 3.0.0, <= 3.20.3 → 3.20.4
  jose-node-esm-runtime  >= 3.0.0, <= 3.20.3 → 3.20.4
  jose  >= 2.0.0, <= 2.0.5 → 2.0.6
  jose  >= 3.0.0, <= 3.20.3 → 3.20.4
  jose  >= 4.0.0, <= 4.9.1 → 4.9.2
  jose-browser-runtime  >= 4.0.0, <= 4.9.1 → 4.9.2
  jose-node-cjs-runtime  >= 4.0.0, <= 4.9.1 → 4.9.2
  jose-node-esm-runtime  >= 4.0.0, <= 4.9.1 → 4.9.2

CVE-2022-39202 | medium | CVSS: 4.3
2022-09-15  matrix-appservice-irc vulnerable to IRC mode parameter confusion
  matrix-appservice-irc  < 0.35.0 → 0.35.0

CVE-2022-39203 | high | CVSS: 8.8
2022-09-15  Parsing issue in matrix-org/node-irc leading to room takeovers
  matrix-appservice-irc  < 0.35.0 → 0.35.0

CVE-2022-36046 | medium | CVSS: 5.3
2022-08-30  Unexpected server crash in Next.js
  next  = 12.2.3 → 12.2.4

GHSA-56x4-j7p9-fcf9 | low
2022-08-30  Command Injection in moment-timezone
  moment-timezone  >= 0.1.0, < 0.5.35 → 0.5.35

CVE-2020-26938 | high | CVSS: 7.2
2022-08-30  oauth2-server through 3.1.1 vulnerable to Open Redirect
  oauth2-server  <= 3.1.1

CVE-2022-24375 | high | CVSS: 7.5
2022-08-25  node-opcua DoS when bypassing limitations for excessive memory consumption
  node-opcua  < 2.74.0 → 2.74.0

CVE-2022-25231 | high | CVSS: 7.5
2022-08-24  node-opcua DoS vulnerability via message with memory allocation that exceeds v8's memory limit
  node-opcua  < 2.74.0 → 2.74.0

CVE-2022-21208 | high | CVSS: 7.5
2022-08-24  Uncontrolled Resource Consumption in node-opcua
  node-opcua  < 2.74.0 → 2.74.0

CVE-2022-36010 | critical | CVSS: 10
2022-08-18  React Editable Json Tree vulnerable to arbitrary code execution via function parsing
  react-editable-json-tree  < 2.2.2 → 2.2.2

CVE-2022-35948 | medium | CVSS: 5.3
2022-08-18  Nodejs 'undici' vulnerable to CRLF Injection via Content-Type
  undici  <= 5.8.1 → 5.8.2

CVE-2022-35949 | medium | CVSS: 5.3
2022-08-18  `undici.request` vulnerable to SSRF using absolute URL on `pathname`
  undici  <= 5.8.1 → 5.8.2

CVE-2022-31186 | low | CVSS: 3.3
2022-08-06  next-auth before v4.10.2 and v3.29.9 leaks excessive information into log
  next-auth  < 3.29.9 → 3.29.9
  next-auth  >= 4.0.0, < 4.10.2 → 4.10.2

CVE-2020-28433 | critical | CVSS: 9.8
2022-08-03  node-latex-pdf is susceptible to command injection
  node-latex-pdf  <= 0.0.2

CVE-2022-35924 | critical | CVSS: 9.1
2022-08-02  NextAuth.js before 4.10.3 and 3.29.10 sending verification requests (magic link) to unwanted emails
  next-auth  >= 4.0.0, < 4.10.3 → 4.10.3
  next-auth  < 3.29.10 → 3.29.10

CVE-2022-2596 | medium | CVSS: 5.9
2022-08-02  node-fetch Inefficient Regular Expression Complexity
  node-fetch  >= 3.0.0, < 3.2.10 → 3.2.10

CVE-2020-7678 | critical | CVSS: 9.8
2022-07-26  node-import `params` argument can be controlled by users without any sanitization
  node-import  <= 0.9.2

CVE-2022-35131 | critical | CVSS: 9
2022-07-26  Joplin is vulnerable to arbitrary code execution
  joplin  < 2.9.1 → 2.9.1

CVE-2022-36313 | high | CVSS: 7.5
2022-07-22  file-type vulnerable to Infinite Loop via malformed MKV file
  file-type  >= 17.0.0, < 17.1.3 → 17.1.3
  file-type  >= 13.0.0, < 16.5.4 → 16.5.4
CVE-2022-31151 | low | CVSS: 3.7
2022-07-21  undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect
  undici  < 5.8.0 → 5.8.0

CVE-2022-31150 | medium | CVSS: 5.3
2022-07-21  undici before v5.8.0 vulnerable to CRLF injection in request headers
  undici  < 5.8.0 → 5.8.0

CVE-2022-31180 | critical | CVSS: 9.8
2022-07-15  Shescape vulnerable to insufficient escaping of whitespace
  shescape  >= 1.4.0, < 1.5.8 → 1.5.8

CVE-2022-31179 | high | CVSS: 8.1
2022-07-15  Shescape prior to 1.5.8 vulnerable to insufficient escaping of line feeds for CMD
  shescape  < 1.5.8 → 1.5.8

CVE-2022-32214 | critical | CVSS: 9.1
2022-07-15  llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields
  llhttp  < 6.0.7 → 6.0.7

CVE-2022-32213 | critical | CVSS: 9.1
2022-07-15  llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding
  llhttp  < 6.0.7 → 6.0.7

CVE-2022-31127 | high | CVSS: 7.1
2022-07-06  Improper handling of email input
  next-auth  < 3.29.8 → 3.29.8
  next-auth  >= 4.0.0, < 4.9.0 → 4.9.0

CVE-2022-31103 | high | CVSS: 7.5
2022-06-23  Improper handling of CSS at-rules in lettersanitizer
  lettersanitizer  < 1.0.2 → 1.0.2

CVE-2022-31093 | high | CVSS: 7.5
2022-06-21  Improper Handling of `callbackUrl` parameter in next-auth
  next-auth  < 3.29.5 → 3.29.5
  next-auth  >= 4.0.0, < 4.5.0 → 4.5.0

CVE-2022-33987 | medium | CVSS: 5.3
2022-06-19  Got allows a redirect to a UNIX socket
  got  >= 12.0.0, < 12.1.0 → 12.1.0
  got  < 11.8.5 → 11.8.5

GHSA-4jqc-jvh2-pxg9 | medium
2022-06-17  Path traversal for local publishers in TechDocs backend
  @backstage/plugin-techdocs-node  < 1.1.2 → 1.1.2
  @backstage/techdocs-common  < 0.11.16 → 0.11.16

CVE-2022-32210 | high | CVSS: 7.7
2022-06-17  ProxyAgent vulnerable to MITM
  undici  >= 4.8.2, <= 5.5.0 → 5.5.1

CVE-2022-29247 | low | CVSS: 2.2
2022-06-16  Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled
  electron  < 15.5.5 → 15.5.5
  electron  >= 16.0.0, < 16.2.6 → 16.2.6
  electron  >= 17.0.0, < 17.2.0 → 17.2.0
  electron  >= 18.0.0-beta.1, <= 18.0.0-beta.5 → 18.0.0-beta.6

CVE-2022-25863 | high | CVSS: 8.1
2022-06-03  Unsanitized JavaScript code injection possible in gatsby-plugin-mdx
  gatsby-plugin-mdx  < 2.14.1 → 2.14.1
  gatsby-plugin-mdx  >= 3.0.0, < 3.15.2 → 3.15.2

CVE-2021-34084 | high
2022-06-03  OS Command Injection in s3-uploader
  s3-uploader  <= 2.0.3

CVE-2021-34082 | high
2022-06-03  OS Command Injection in proctree
  proctree  <= 0.1.1

CVE-2021-34083 | high | CVSS: 8.1
2022-06-03  Command injection in google-it
  google-it  <= 1.6.2

CVE-2021-34080 | high
2022-06-03  OS Command injection in ssl-utils
  ssl-utils  <= 1.0.0

CVE-2022-29244 | high | CVSS: 7.5
2022-06-02  Packing does not respect root-level ignore files in workspaces
  npm  >= 7.9.0, < 8.11.0 → 8.11.0

CVE-2021-4231 | medium | CVSS: 5.4
2022-05-27  Angular vulnerable to Cross-site Scripting
  @angular/core  >= 11.1.0-next.0, <= 11.1.0-next.2 → 11.1.0-next.3
  @angular/core  >= 11.0.0, < 11.0.5 → 11.0.5
  @angular/core  < 10.2.5 → 10.2.5

CVE-2022-29229 | medium | CVSS: 6.3
2022-05-25  Missing Cryptographic Step in cassproject
  cassproject  < 1.5.8 → 1.5.8

CVE-2021-26073 | high | CVSS: 7.7
2022-05-24  Broken Authentication in Atlassian Connect Express
  atlassian-connect-express  >= 3.0.2, < 6.6.0 → 6.6.0

CVE-2022-29214 | medium | CVSS: 6.1
2022-05-24  URL Redirection to Untrusted Site ('Open Redirect') in next-auth
  next-auth  < 3.29.3 → 3.29.3
  next-auth  >= 4.0.0, < 4.3.3 → 4.3.3

CVE-2019-19729 | high | CVSS: 7.5
2022-05-24  bson-objectid contains Improper input validation
  bson-objectid  <= 1.3.0

CVE-2021-42740 | critical | CVSS: 9.8
2022-05-24  Improper Neutralization of Special Elements used in a Command in Shell-quote
  shell-quote  >= 1.6.3, <= 1.7.2 → 1.7.3

CVE-2021-24037 | critical | CVSS: 9.8
2022-05-24  Use After Free in Hermes
  hermes-engine  <= 0.7.2 → 0.8.0

CVE-2020-1915 | high | CVSS: 7.5
2022-05-24  Out-of-bounds Read in Facebook Hermes
  hermes-engine  <= 0.7.1 → 0.7.2

CVE-2020-1914 | critical | CVSS: 9.8
2022-05-24  Always-Incorrect Control Flow Implementation in Facebook Hermes
  hermes-engine  <= 0.7.1 → 0.7.2

CVE-2020-1913 | high | CVSS: 8.1
2022-05-24  Signed to Unsigned Conversion Error in Facebook Hermes
  hermes-engine  <= 0.4.3 → 0.5.2

CVE-2020-1912 | high | CVSS: 8.1
2022-05-24  Out-of-bounds Read and Out-of-bounds Write in Facebook Hermes
  hermes-engine  <= 0.4.3 → 0.5.2
CVE-2020-1911 | critical | CVSS: 9.8
2022-05-24  Access of Resource Using Incompatible Type in Facebook Hermes
  hermes-engine  <= 0.4.3 → 0.5.2

CVE-2018-21268 | critical | CVSS: 9.8
2022-05-24  Node-Traceroute RCE Vulnerability
  traceroute  <= 1.0.0

GHSA-f478-xwv9-p93q | high | CVSS: 7.8
2022-05-24  Duplicate Advisory: Kerberos for NodeJS allows DLL Injection
  kerberos  < 1.0.0 → 1.0.0

CVE-2020-11883 | medium | CVSS: 5.3
2022-05-24  Diavante vue-storefront-api and storefront-api disclose stack trace
  storefront-api  < 1.0.0-rc3 → 1.0.0-rc3
  vue-storefront-api  < 1.12.0 → 1.12.0

CVE-2019-15598 | critical | CVSS: 9.8
2022-05-24  Treekill Enables OS Command Injection
  tree-kill  < 1.2.2 → 1.2.2

GHSA-mxq6-vrrr-ppmg | critical | CVSS: 9.8
2022-05-24  Duplicate Advisory: tree-kill vulnerable to remote code execution
  tree-kill  <= 1.2.1

CVE-2016-1000021 | low | CVSS: 3.5
2022-05-24  Duplicate Advisory: Node CLI Allows Arbitrary File Overwrite
  cli  >= 0.1.0, <= 0.11.3 → 1.0.0

CVE-2019-17606 | medium | CVSS: 6.1
2022-05-24  hexo-admin plugin for Node.js XSS Vulnerability
  hexo-admin  <= 2.3.0

CVE-2019-17625 | critical | CVSS: 9
2022-05-24  Rambox RCE Vulnerability
  Rambox  <= 0.6.9

CVE-2019-14939 | medium | CVSS: 5.5
2022-05-24  MySQL for Node.js Unsafe Options
  mysql  = 2.17.1 → 2.18.0

CVE-2022-29166 | high | CVSS: 8
2022-05-23  Improper handling of multiline messages in node-irc affects matrix-appservice-irc
  matrix-appservice-irc  <= 0.33.1 → 0.33.2

CVE-2022-24434 | high | CVSS: 7.5
2022-05-21  Crash in HeaderParser in dicer
  dicer  <= 0.3.1
  org.webjars.npm:dicer  <= 0.3.0

CVE-2017-12581 | high | CVSS: 8.1
2022-05-17  Electron vulnerable to remote command execution
  electron  < 1.6.8 → 1.6.8

CVE-2017-1000491 | medium | CVSS: 6.1
2022-05-14  Shiba vulnerable to XSS leading to code execution
  shiba  < 1.1.1 → 1.1.1

CVE-2018-3749 | critical | CVSS: 9.8
2022-05-14  Improper Input Validation in Deap
  deap  < 1.0.1 → 1.0.1

CVE-2022-21190 | critical | CVSS: 9.8
2022-05-14  Prototype Pollution in convict
  convict  < 6.2.3 → 6.2.3

CVE-2018-7408 | high | CVSS: 7.8
2022-05-13  Incorrect Permission Assignment for Critical Resource in NPM
  npm  < 5.7.1 → 5.7.1

CVE-2018-6835 | critical | CVSS: 9.8
2022-05-13  Etherpad Lite Access Restriction Bypass
  ep_etherpad-lite  < 1.6.3 → 1.6.3

CVE-2018-0114 | high | CVSS: 7.5
2022-05-13  Cisco node-jose improper validation of JWT signature
  node-jose  < 0.11.0 → 0.11.0

CVE-2018-7160 | high | CVSS: 8.8
2022-05-13  Withdrawn Advisory: Node.js Inspector RCE via DNS Rebinding
  node-inspector  >= 6.0

CVE-2022-25324 | high | CVSS: 7.5
2022-05-07  Uncaught Exception in bignum
  bignum  <= 0.13.1

GHSA-52rh-5rpj-c3w6 | high | CVSS: 8
2022-05-05  Improper handling of multiline messages in node-irc
  matrix-org-irc  <= 1.2.0 → 1.2.1

CVE-2013-7371 | medium | CVSS: 6.1
2022-05-05  Node Connect Reflected Cross-Site Scripting in Sencha Labs Connect middleware
  connect  < 2.8.2 → 2.8.2

CVE-2022-30241 | medium | CVSS: 6.1
2022-05-05  Cross-site Scripting in jquery.json-viewer
  jquery.json-viewer  < 1.5.0 → 1.5.0

CVE-2022-29078 | critical | CVSS: 9.8
2022-04-26  ejs template injection vulnerability
  ejs  < 3.1.7 → 3.1.7

CVE-2022-24858 | medium | CVSS: 6.1
2022-04-22  NextAuth.js default redirect callback vulnerable to open redirects
  next-auth  < 3.29.2 → 3.29.2
  next-auth  >= 4.0.0, < 4.3.2 → 4.3.2

CVE-2022-29080 | critical | CVSS: 9.8
2022-04-13  Command injection in npm-dependency-versions
  npm-dependency-versions  <= 0.3.0

CVE-2022-24066 | high | CVSS: 8.1
2022-04-02  Command injection in simple-git
  simple-git  < 3.5.0 → 3.5.0

CVE-2022-24773 | medium | CVSS: 5.3
2022-03-18  Improper Verification of Cryptographic Signature in `node-forge`
  node-forge  < 1.3.0 → 1.3.0

CVE-2022-24772 | high | CVSS: 7.5
2022-03-18  Improper Verification of Cryptographic Signature in node-forge
  node-forge  < 1.3.0 → 1.3.0
CVE-2022-24771 | high | CVSS: 7.5
2022-03-18  Improper Verification of Cryptographic Signature in node-forge
  node-forge  < 1.3.0 → 1.3.0

CVE-2022-21164 | high | CVSS: 7.5
2022-03-17  Unhandled case in node-lmdb
  node-lmdb  < 0.9.7 → 0.9.7

GHSA-3mpp-xfvh-qh37 | low
2022-03-16  node-ipc behavior change
  node-ipc  >= 11.0.0, < 12.0.0 → 12.0.0

GHSA-8gr3-2gjw-jj7g | low
2022-03-16  Hidden functionality in node-ipc
  node-ipc  = 9.2.2

CVE-2022-23812 | critical | CVSS: 9.8
2022-03-16  Embedded Malicious Code in node-ipc
  node-ipc  >= 10.1.1, < 10.1.3 → 10.1.3

CVE-2022-24740 | medium | CVSS: 5
2022-03-14  Sudden swap of user auth tokens in Volto
  @plone/volto  >= 14.0.0-alpha.6, <= 14.10.0 → 15.0.0-alpha.0

CVE-2021-46708 | medium | CVSS: 6.1
2022-03-12  Spoofing attack in swagger-ui-dist
  swagger-ui-dist  < 4.1.3 → 4.1.3

CVE-2022-24760 | critical | CVSS: 10
2022-03-11  Command injection in Parse Server through prototype pollution
  parse-server  < 4.10.7 → 4.10.7

CVE-2022-24719 | low | CVSS: 2.6
2022-03-01  Forwarding of confidential headers to third parties in fluture-node
  fluture-node  >= 4.0.0, < 4.0.2 → 4.0.2
  pyquest  <= 0.0.1

CVE-2022-24709 | high | CVSS: 8.8
2022-02-25  Cross site scripting in @awsui/components-react
  @awsui/components-react  < 3.0.367 → 3.0.367

CVE-2022-0654 | high | CVSS: 7.5
2022-02-24  Cookie exposure in requestretry
  requestretry  < 7.0.0 → 7.0.0

CVE-2022-23646 | medium | CVSS: 5.9
2022-02-17  Improper CSP in Image Optimization API for Next.js versions between 10.0.0 and 12.1.0
  next  >= 10.0.0, < 12.1.0 → 12.1.0

CVE-2021-23555 | critical | CVSS: 9.8
2022-02-12  Sandbox bypass in vm2
  vm2  < 3.9.6 → 3.9.6

CVE-2021-28860 | critical | CVSS: 9.1
2022-02-10  Prototype Pollution in mixme
  mixme  < 0.5.1 → 0.5.1

CVE-2021-32622 | medium | CVSS: 4.2
2022-02-10  Improper file handling in matrix-react-sdk
  matrix-react-sdk  < 3.21.0 → 3.21.0

CVE-2020-7627 | critical | CVSS: 9.8
2022-02-10  OS Command Injection in node-key-sender
  node-key-sender  <= 1.0.11

CVE-2021-29369 | critical | CVSS: 9.8
2022-02-10  Code injection in @rkesters/gnuplot
  @rkesters/gnuplot  < 0.1.1 → 0.1.1

CVE-2017-18869 | low | CVSS: 2.5
2022-02-10  Time-of-check Time-of-use (TOCTOU) Race Condition in chownr
  chownr  < 1.1.0 → 1.1.0

GHSA-h87q-g2wp-47pj | medium
2022-02-09  Signatures are mistakenly recognized to be valid in jsrsasign
  jsrsasign  < 10.2.0 → 10.2.0

CVE-2020-24025 | medium | CVSS: 5.3
2022-02-09  Improper Certificate Validation in node-sass
  node-sass  >= 2.0.0, < 7.0.0 → 7.0.0

CVE-2021-23460 | high | CVSS: 7.5
2022-02-01  Prototype pollution in min-dash
  min-dash  < 3.8.1 → 3.8.1
  org.webjars.npm:min-dash  < 3.8.1 → 3.8.1

CVE-2022-21721 | medium | CVSS: 5.9
2022-01-28  Denial of Service Vulnerability in next.js
  next  >= 12.0.0, < 12.0.9 → 12.0.9

CVE-2022-0235 | high | CVSS: 8.8
2022-01-21  node-fetch forwards secure headers to untrusted sites
  node-fetch  >= 3.0.0, < 3.1.1 → 3.1.1
  node-fetch  < 2.6.7 → 2.6.7

CVE-2022-0122 | medium | CVSS: 6.1
2022-01-21  Open Redirect in node-forge
  node-forge  < 1.0.0 → 1.0.0

CVE-2022-21704 | medium | CVSS: 5.5
2022-01-21  Incorrect Default Permissions in log4js
  log4js  < 6.4.0 → 6.4.0

CVE-2022-21676 | high | CVSS: 7.5
2022-01-13  Uncaught Exception in engine.io
  engine.io  >= 4.0.0, < 4.1.2 → 4.1.2
  engine.io  >= 5.0.0, < 5.2.1 → 5.2.1
  engine.io  >= 6.0.0, < 6.1.1 → 6.1.1

CVE-2022-0087 | high | CVSS: 7.1
2022-01-12  Reflected cross-site scripting (XSS) vulnerability
  @keystone-6/auth  < 1.0.2 → 1.0.2
  @keystone-next/auth  <= 37.0.0

GHSA-5rqg-jm4f-cqx7 | high
2022-01-10  Infinite loop causing Denial of Service in colors
  Colors  >= 1.4.1, <= 1.4.2
  Colors  = 1.4.44-liberty-2

GHSA-5rrq-pxf6-6jx5 | low
2022-01-08  Prototype Pollution in node-forge debug API
  node-forge  < 1.0.0 → 1.0.0

GHSA-wxgw-qj99-44c2 | low
2022-01-08  Prototype Pollution in node-forge util.setPath API
  node-forge  < 0.10.0 → 0.10.0
GHSA-gf8q-jrpm-jvxqlow
2022-01-08URL parsing in node-forge could lead to undesired behavior.
node-forge
< 1.0.0→1.0.0CVE-2020-7632criticalCVSS: 9.8
2022-01-07OS Command Injection in node-mpv
node-mpv
<= 1.4.3GHSA-qpw2-xchm-655qmediumCVSS: 6.5
2022-01-06Out-of-Bounds read in stringstream
stringstream
< 0.0.6→0.0.6CVE-2021-45459criticalCVSS: 9.8
2022-01-05Command Injection in node-windows
node-windows
<= 1.0.0-beta.5→1.0.0-beta.6CVE-2021-23797highCVSS: 7.5
2022-01-05Path Traversal in http-server-node
http-server-node
<= 1.0.2Advertisement
CVE-2020-7609criticalCVSS: 9.8
2021-12-10Code Injection in node-rules
node-rules
>= 3.0.0, < 5.0.0→5.0.0CVE-2021-23398mediumCVSS: 6.1
2021-12-10Cross-site scripting in react-bootstrap-table
react-bootstrap-table
<= 4.3.1CVE-2021-36716highCVSS: 7.5
2021-12-10Improper Input Validation in is-email
is-email
< 1.0.1→1.0.1GHSA-qrmm-w75w-3wpxmedium
2021-12-09Server side request forgery in SwaggerUI
swagger-ui
< 4.1.3→4.1.3swagger-ui-dist
< 4.1.3→4.1.3swagger-ui-react
< 4.1.3→4.1.3Swashbuckle.AspNetCore.SwaggerUI
< 6.3.0→6.3.0CVE-2021-43803highCVSS: 7.5
2021-12-07Unexpected server crash in Next.js.
next
>= 12.0.0, < 12.0.5→12.0.5next
>= 0.9.9, < 11.1.3→11.1.3Advertisement
CVE-2021-40830highCVSS: 6.3
2021-11-24Improper certificate management in AWS IoT Device SDK v2
software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk
< 1.5.0→1.5.0aws-iot-device-sdk-v2
< 1.5.3→1.5.3awsiotsdk
< 1.6.1→1.6.1CVE-2021-40829highCVSS: 6.3
2021-11-24Improper certificate management in AWS IoT Device SDK v2
software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk
< 1.4.2→1.4.2aws-iot-device-sdk-v2
< 1.5.3→1.5.3awsiotsdk
< 1.6.1→1.6.1CVE-2021-40828mediumCVSS: 6.3
2021-11-24Improper certificate management in AWS IoT Device SDK v2
software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk
< 1.3.3→1.3.3aws-iot-device-sdk-v2
< 1.5.1→1.5.1awsiotsdk
< 1.5.18→1.5.18CVE-2021-40831highCVSS: 6.3
2021-11-24Improper certificate management in AWS IoT Device SDK v2
software.amazon.awssdk.iotdevicesdk:aws-iot-device-sdk
< 1.5.0→1.5.0aws-iot-device-sdk-v2
< 1.6.0→1.6.0awsiotsdk
< 1.7.0→1.7.0CVE-2021-43571criticalCVSS: 9.8
2021-11-10Improper Verification of Cryptographic Signature in starkbank-ecdsa
starkbank-ecdsa
< 1.1.3→1.1.3Advertisement
CVE-2021-41249highCVSS: 7.1
2021-11-08XSS vulnerability in GraphQL Playground from untrusted schemas
graphql-playground-react
< 1.7.28→1.7.28CVE-2021-41248highCVSS: 7.1
2021-11-08GraphiQL introspection schema template injection attack
graphiql
>= 0.5.0, < 1.4.7→1.4.7CVE-2021-23807mediumCVSS: 5.6
2021-11-08Prototype Pollution in node-jsonpointer
jsonpointer
< 5.0.0→5.0.0org.webjars.npm:json-pointer
< 5.0.0→5.0.0CVE-2020-36378criticalCVSS: 9.8
2021-11-02Vulnerability in packageCmd function leads to arbitrary code execution via filePath parameters
aaptjs
<= 1.3.1CVE-2020-36379criticalCVSS: 9.8
2021-11-02Vulnerability in remove function leads to arbitrary code execution via filePath parameters
aaptjs
<= 1.3.1Advertisement
CVE-2020-36377criticalCVSS: 9.8
2021-11-02Vulnerability in dump function leads to arbitrary code execution via filePath parameters
aaptjs
<= 1.3.1CVE-2020-36376criticalCVSS: 9.8
2021-11-02Vulnerability in list function leads to arbitrary code execution via filePath parameters
aaptjs
<= 1.3.1CVE-2020-36381criticalCVSS: 9.8
2021-11-01Vulnerability in singleCrunch function leads to arbitrary code execution via filePath parameters
aaptjs
<= 1.3.1CVE-2020-36380criticalCVSS: 9.8
2021-11-01Vulnerability in crunch function leads to arbitrary code execution via filePath parameters
aaptjs
<= 1.3.1CVE-2019-10061criticalCVSS: 9.8
2021-10-12OS Command Injection in node-opencv
opencv
< 6.1.0→6.1.0Advertisement
CVE-2021-41117highCVSS: 8.7
2021-10-11Insecure random number generation in keypair
keypair
< 1.0.4→1.0.4CVE-2021-41580mediumCVSS: 5.3
2021-09-29Improper Access Control in passport-oauth2
passport-oauth2
< 1.6.1→1.6.1CVE-2021-23443mediumCVSS: 5.4
2021-09-22Cross-site Scripting in edge.js
edge.js
< 5.3.2→5.3.2GHSA-8r4g-cg4m-x23cmedium
2021-09-22Denial of Service in node-static
node-static
<= 0.7.11CVE-2020-26301highCVSS: 7.5
2021-09-21OS Command Injection in ssh2
ssh2
< 1.4.0→1.4.0Advertisement
CVE-2021-3794highCVSS: 7.5
2021-09-20Inefficient Regular Expression Complexity in vuelidate
@vuelidate/validators
<= 2.0.0-alpha.21→2.0.0-alpha.22CVE-2021-23406highCVSS: 8.1
2021-09-02Code Injection in pac-resolver
pac-resolver
< 5.0.0→5.0.0degenerator
< 3.0.1→3.0.1CVE-2021-39187highCVSS: 7.5
2021-09-02Parse Server crashes with query parameter
parse-server
< 4.10.3→4.10.3CVE-2021-39176highCVSS: 7.5
2021-09-01Missing Release of Memory after Effective Lifetime in detect-character-encoding
detect-character-encoding
< 0.3.1→0.3.1CVE-2021-39178highCVSS: 7.5
2021-09-01XSS in Image Optimization API for Next.js
next
>= 10.0.0, < 11.1.1→11.1.1Advertisement
CVE-2021-32831highCVSS: 7.5
2021-09-01Code Injection in total.js
total.js
< 3.4.9→3.4.9CVE-2021-37701highCVSS: 8.2
2021-08-31Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
tar
>= 5.0.0, < 5.0.8→5.0.8tar
>= 6.0.0, < 6.1.7→6.1.7tar
>= 3.0.0, < 4.4.16→4.4.16CVE-2021-37712highCVSS: 8.2
2021-08-31Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning using symbolic links
tar
>= 5.0.0, < 5.0.10→5.0.10tar
>= 6.0.0, < 6.1.9→6.1.9tar
>= 3.0.0, < 4.4.18→4.4.18CVE-2021-37713highCVSS: 8.2
2021-08-31Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
tar
< 4.4.18→4.4.18tar
>= 5.0.0, < 5.0.10→5.0.10tar
>= 6.0.0, < 6.1.9→6.1.9CVE-2021-39134highCVSS: 8.2
2021-08-31@npmcli/arborist vulnerable to UNIX Symbolic Link (Symlink) Following
@npmcli/arborist
< 2.8.2→2.8.2Advertisement
CVE-2020-22403highCVSS: 8.8
2021-08-30Cross-Site Request Forgery in express-cart
express-cart
< 1.1.17→1.1.17CVE-2021-39171mediumCVSS: 5.3
2021-08-30Unlimited transforms allowed for signed nodes
passport-saml
< 3.1.0→3.1.0CVE-2021-39157highCVSS: 7.5
2021-08-25Improper Handling of Exceptional Conditions in detect-character-encoding
detect-character-encoding
< 0.7.0→0.7.0CVE-2021-39131highCVSS: 7.5
2021-08-23Improper Handling of Unexpected Data Type in ced
ced
< 1.0.0→1.0.0CVE-2021-37699mediumCVSS: 6.9
2021-08-12Open Redirect in Next.js
next
>= 0.9.9, < 11.1.0→11.1.0Advertisement
CVE-2018-3718mediumCVSS: 5.3
2021-08-09vercel/serve allows access to restricted files if filename is URL encoded.
serve
< 6.5.2→6.5.2GHSA-xh2p-7p87-fhghlowCVSS: 3.1
2021-08-05Incorrect TCR calculation in batchLiquidateTroves() during Recovery Mode
@liquity/contracts
<= 1.0.0CVE-2021-32804highCVSS: 8.2
2021-08-03Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization
tar
< 3.2.2→3.2.2tar
>= 4.0.0, < 4.4.14→4.4.14tar
>= 5.0.0, < 5.0.6→5.0.6tar
>= 6.0.0, < 6.1.1→6.1.1CVE-2021-32803highCVSS: 8.2
2021-08-03Arbitrary File Creation/Overwrite via insufficient symlink protection due to directory cache poisoning
tar
>= 4.0.0, < 4.4.15→4.4.15tar
>= 5.0.0, < 5.0.7→5.0.7tar
>= 6.0.0, < 6.1.2→6.1.2tar
>= 3.0.0, < 3.2.3→3.2.3CVE-2020-1920highCVSS: 7.5
2021-07-20Regular expression denial of service in react-native
react-native
>= 0.59.0, < 0.62.3→0.62.3react-native
>= 0.63.0, < 0.64.1→0.64.1Advertisement
CVE-2021-3647mediumCVSS: 5.3
2021-07-19URIjs Vulnerable to Hostname spoofing via backslashes in URL
urijs
< 1.19.7→1.19.7GHSA-5w25-hxp5-h8c9criticalCVSS: 9.8
2021-06-21Duplicate Advisory: Improper Verification of Cryptographic Signature
tenvoy
< 7.0.3→7.0.3CVE-2021-33502highCVSS: 7.5
2021-06-08ReDoS in normalize-url
normalize-url
>= 5.0.0, < 5.3.1→5.3.1normalize-url
>= 6.0.0, < 6.0.1→6.0.1normalize-url
>= 4.3.0, < 4.5.1→4.5.1CVE-2021-33587highCVSS: 7.5
2021-06-07Denial of service in css-what
css-what
>= 4.0.0, <= 5.0.0→5.0.1CVE-2021-33623highCVSS: 7.5
2021-06-07Uncontrolled Resource Consumption in trim-newlines
trim-newlines
< 3.0.1→3.0.1trim-newlines
= 4.0.0→4.0.1Advertisement
CVE-2021-26707criticalCVSS: 9.8
2021-06-07Prototype pollution in Merge-deep
merge-deep
< 3.0.3→3.0.3GHSA-h45p-w933-jxh3medium
2021-06-01Improper Verification of Cryptographic Signature in aws-encryption-sdk-javascript
@aws-crypto/client-browser
< 1.9.0→1.9.0@aws-crypto/client-browser
>= 2.0.0, < 2.2.0→2.2.0@aws-crypto/client-node
< 1.9.0→1.9.0@aws-crypto/client-node
>= 2.0.0, < 2.2.0→2.2.0GHSA-5vm8-hhgr-jcjpmedium
2021-05-28Cross-site scripting vulnerability in TinyMCE
tinymce
< 5.7.1→5.7.1CVE-2021-31597criticalCVSS: 9.4
2021-05-24Improper Certificate Validation in xmlhttprequest-ssl
xmlhttprequest-ssl
< 1.6.1→1.6.1CVE-2020-7696mediumCVSS: 5.3
2021-05-18Credential leak in react-native-fast-image
react-native-fast-image
< 8.3.0→8.3.0Advertisement
CVE-2020-7673criticalCVSS: 9.8
2021-05-17Code Injection in node-extend
node-extend
<= 0.2.0GHSA-8796-gc9j-63rvmediumCVSS: 4.2
2021-05-17File upload local preview can run embedded scripts after user interaction
matrix-react-sdk
< 3.21.0→3.21.0CVE-2020-7740highCVSS: 8.2
2021-05-10Server-Side Request Forgery in node-pdf-generator
node-pdf-generator
<= 0.0.6GHSA-r2gr-fhmr-66c5highCVSS: 7.8
2021-05-10Duplicate Advisory: "Arbitrary code execution in socket.io-file"
socket.io-file
<= 2.0.31CVE-2020-7602criticalCVSS: 9.8
2021-05-07OS Command Injection in node-prompt-here
node-prompt-here
<= 1.0.1Advertisement
CVE-2020-7721criticalCVSS: 9.8
2021-05-06Prototype Pollution in node-oojs
node-oojs
<= 1.4.0CVE-2021-23371highCVSS: 7.5
2021-05-06Denial of service in chrono-node
chrono-node
< 2.2.4→2.2.4CVE-2021-31712mediumCVSS: 5.4
2021-05-06Cross-site Scripting in React Draft Wysiwyg
react-draft-wysiwyg
< 1.14.6→1.14.6CVE-2021-29491highCVSS: 7.1
2021-05-06Use of Potentially Dangerous Function in mixme
mixme
< 0.5.1→0.5.1CVE-2021-29469highCVSS: 7.5
2021-04-27Node-Redis potential exponential regex in monitor mode
redis
>= 2.6.0, < 3.1.1→3.1.1Advertisement
CVE-2017-18924highCVSS: 7.5
2021-04-22Code Injection in oauth2-server
oauth2-server
<= 3.1.1CVE-2021-29446mediumCVSS: 5.9
2021-04-19Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-cjs-runtime
jose-node-cjs-runtime
< 3.11.4→3.11.4CVE-2021-29445mediumCVSS: 5.9
2021-04-19Padding Oracle Attack due to Observable Timing Discrepancy in jose-node-esm-runtime
jose-node-esm-runtime
< 3.11.4→3.11.4CVE-2021-26276mediumCVSS: 5.3
2021-04-13Improper Control of Dynamically-Managed Code Resources in config-shield
config-shield
< 0.2.3→0.2.3CVE-2021-25864highCVSS: 7.5
2021-04-13Path Traversal in node-red-contrib-huemagic
node-red-contrib-huemagic
<= 3.0.0Advertisement
CVE-2020-7693mediumCVSS: 5.3
2021-04-13Improper Input Validation in SocksJS-Node
sockjs
< 0.3.20→0.3.20CVE-2020-8823mediumCVSS: 6.1
2021-04-13Cross-site scripting in SocksJS-node
sockjs
< 0.3.0→0.3.0CVE-2020-7787highCVSS: 8.2
2021-04-13Improper Authentication in react-adal
react-adal
< 0.5.1→0.5.1CVE-2021-26275criticalCVSS: 9.8
2021-04-13Command injection in eslint-fixer
eslint-fixer
<= 0.1.5CVE-2021-27191highCVSS: 7.5
2021-04-13Denial of Service in get-ip-range
get-ip-range
< 4.0.0→4.0.0Advertisement
CVE-2020-27543highCVSS: 7.5
2021-04-12Denial of Service (DoS) in restify-paginate
restify-paginate
<= 0.0.5CVE-2021-20327mediumCVSS: 6.8
2021-04-12mongodb-client-encryption vulnerable to Improper Certificate Validation
mongodb-client-encryption
= 1.2.0→1.2.1GHSA-prmc-5v5w-c465critical
2021-04-06Client TLS credentials sent raw to server in npm package nats
nats
>= 2.0.0-201, <= 2.0.0-208→2.0.0-209CVE-2021-21421highCVSS: 8.1
2021-04-06ApiKey secret could be revelated on network issue
node-etsy-client
<= 0.2.0→0.3.0CVE-2021-29418mediumCVSS: 5.3
2021-03-29netmask npm package mishandles octal input data
netmask
< 2.0.1→2.0.1Advertisement
CVE-2021-27884mediumCVSS: 5.1
2021-03-26Weak JSON Web Token in yapi-vendor
yapi-vendor
<= 1.9.2→1.9.3CVE-2020-8298criticalCVSS: 9.8
2021-03-25Command injection in fs-path
fs-path
< 0.0.25→0.0.25CVE-2021-23344criticalCVSS: 9.8
2021-03-19total.js Remote Code Execution Vulnerability
total.js
< 3.4.7→3.4.8CVE-2021-28092highCVSS: 7.5
2021-03-19Regular Expression Denial of Service (ReDoS)
is-svg
>= 2.1.0, < 4.2.2→4.2.2CVE-2020-7785criticalCVSS: 9.8
2021-03-19Command injection in node-ps
node-ps
<= 0.0.2Advertisement
GHSA-hfwx-c7q6-g54chigh
2021-03-12Vulnerability allowing for reading internal HTTP resources
highcharts-export-server
<= 2.0.30→2.1.0CVE-2021-24033mediumCVSS: 5.6
2021-03-11react-dev-utils OS Command Injection in function `getProcessForPort`
react-dev-utils
>= 0.4.0, < 11.0.4→11.0.4CVE-2021-21320lowCVSS: 2.6
2021-03-03User content sandbox can be confused into opening arbitrary documents
matrix-react-sdk
< 3.15.0→3.15.0CVE-2021-21353mediumCVSS: 6.8
2021-03-03Remote code execution via the `pretty` option.
pug
< 3.0.1→3.0.1pug-code-gen
< 2.0.3→2.0.3pug-code-gen
>= 3.0.0, < 3.0.2→3.0.2CVE-2021-27405mediumCVSS: 4.3
2021-03-01Regular expression Denial of Service in @progfay/scrapbox-parser
@progfay/scrapbox-parser
< 6.0.3→6.0.3@progfay/scrapbox-parser
>= 7.0.0, < 7.0.2→7.0.2Advertisement
CVE-2021-27516highCVSS: 7.5
2021-03-01URIjs Hostname spoofing via backslashes in URL
urijs
< 1.19.6→1.19.6CVE-2021-21298low
2021-02-26Path traversal in Node-Red
@node-red/runtime
< 1.2.8→1.2.8CVE-2021-21297highCVSS: 7.7
2021-02-26Prototype Pollution in Node-Red
@node-red/runtime
< 1.2.8→1.2.8GHSA-f6gj-7592-5jxmhigh
2021-02-23Directory Traversal
node-simple-router
< 0.10.1→0.10.1CVE-2021-21310low
2021-02-11Token verification bug in next-auth
next-auth
< 3.3.0→3.3.0Advertisement
CVE-2021-27185criticalCVSS: 9.8
2021-02-11Command injection in samba-client
samba-client
< 4.0.0→4.0.0CVE-2021-3190criticalCVSS: 9.8
2021-01-29OS Command Injection in async-git
async-git
< 1.13.2→1.13.2CVE-2021-3223high
2021-01-29Path traversal in Node-RED-Dashboard
node-red-dashboard
< 2.26.2→2.26.2CVE-2024-21911medium
2021-01-06Cross-site scripting vulnerability in TinyMCE
tinymce
< 5.6.0→5.6.0TinyMCE
< 5.6.0→5.6.0tinymce/tinymce
< 5.6.0→5.6.0CVE-2020-26291mediumCVSS: 6.5
2020-12-30Hostname spoofing via backslashes in URL
urijs
< 1.19.4→1.19.4Advertisement
CVE-2020-26288lowCVSS: 7.7
2020-12-28Parse Server stores password in plain text
parse-server
< 4.5.0→4.5.0CVE-2020-7789mediumCVSS: 5.6
2020-12-21OS Command Injection in node-notifier
node-notifier
< 8.0.1→8.0.1CVE-2020-7788highCVSS: 7.3
2020-12-10ini before 1.3.6 vulnerable to Prototype Pollution via ini.parse
ini
< 1.3.6→1.3.6CVE-2020-15242mediumCVSS: 4.7
2020-10-08Open Redirect in Next.js versions
next
>= 9.5.0, < 9.5.4→9.5.4CVE-2020-6506mediumCVSS: 6.5
2020-10-02Android WebView Universal Cross-site Scripting
react-native-webview
<= 10.10.2→11.0.0Advertisement
CVE-2020-7720highCVSS: 8.8
2020-09-14Prototype Pollution in node-forge
node-forge
< 0.10.0→0.10.0GHSA-4wcx-c9c4-89p2criticalCVSS: 9.8
2020-09-11Malicious Package in react-datepicker-plus
react-datepicker-plus
>= 2.4.2, <= 2.4.3→2.4.6GHSA-5g6j-8hv4-vfgjhigh
2020-09-11Cross-Site Scripting in node-red
node-red
< 0.18.6→0.18.6GHSA-9v62-24cr-58cxmediumCVSS: 5.9
2020-09-11Denial of Service in node-sass
node-sass
>= 3.3.0, < 4.13.1→4.13.1GHSA-mvch-rh6h-2m47criticalCVSS: 9.8
2020-09-11Malicious Package in equest
equest
>= 0Advertisement
GHSA-r863-p739-275ccriticalCVSS: 9.8
2020-09-11Malicious Package in reuest
reuest
>= 0GHSA-8qx4-r7fx-xc4vcriticalCVSS: 9.8
2020-09-11Malicious Package in requst
requst
>= 0CVE-2020-15168lowCVSS: 2.6
2020-09-10The `size` option isn't honored after following a redirect in node-fetch
node-fetch
>= 3.0.0-beta.1, <= 3.0.0-beta.8→3.0.0-beta.9node-fetch
>= 2.0.0, < 2.6.1→2.6.1CVE-2020-24660mediumCVSS: 6.5
2020-09-09Lack of URL normalization may lead to authorization bypass when URL access rules are used
lemonldap-ng-handler
< 0.5.2→0.5.2GHSA-5vj8-3v2h-h38vhigh
2020-09-04Remote Code Execution in next
next
>= 0.9.9, < 5.1.0→5.1.0Advertisement
GHSA-whv6-rj84-2vh2high
2020-09-04Cross-Site Scripting in nextcloud-vue-collections
nextcloud-vue-collections
< 0.4.2→0.4.2GHSA-hrpp-f84w-xhfgmediumCVSS: 5.3
2020-09-04Outdated Static Dependency in vue-moment
vue-moment
< 4.1.0→4.1.0CVE-2013-7035mediumCVSS: 6.5
2020-09-04Cross-Site Scripting in react
react
>= 0.4.0, < 0.4.2→0.4.2react
>= 0.5.0, < 0.5.2→0.5.2GHSA-hg79-j56m-fxgvhigh
2020-09-04Cross-Site Scripting in react
react
>= 0.0.1, < 0.14.0→0.14.0Advertisement