javascript-npm
javascript-npm
- CVE-2026-49866 - libp2p: CPU DoS via oversized IHAVE and IWANT control message arrays
- CVE-2026-55665 - Grist is spreadsheet software using Python as its formula language
- CVE-2026-56667 - ZITADEL is an open source identity management platform
- CVE-2026-57214 - RabbitMQ is a messaging and streaming broker
- CVE-2026-13461 - When coupled with the SSL bypass vulnerability, JavaScript can be injected into a WebView in the PayRange vers
- CVE-2026-14245 - The miniOrange OTP Login, Verification and SMS Notifications plugin for WordPress is vulnerable to Authenticat
- CVE-2026-55424 - Discourse is an open-source discussion platform
- CVE-2026-59833 - SiYuan is an open-source personal knowledge management system
- CVE-2026-59855 - SiYuan is an open-source personal knowledge management system
- CVE-2026-54527 - JupyterLab Git is a Git extension for JupyterLab
- CVE-2026-55575 - LiquidJS is a Shopify / GitHub Pages compatible template engine in pure JavaScript
- CVE-2026-55596 - Plate is a rich-text editor with AI and shadcn/ui
- CVE-2026-55849 - @cyclonedx/cyclonedx-npm creates CycloneDX Software Bill of Materials from npm projects
- CVE-2026-55878 - Symfony UX is a JavaScript ecosystem for Symfony
- CVE-2026-57256 - When the application opens a PDF and executes JavaScript, it performs abnormal operations on the list box fiel
- CVE-2026-57480 - Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js
- CVE-2026-59802 - PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in th
- CVE-2026-59869 - js-yaml is a JavaScript YAML parser and dumper
- CVE-2026-59873 - node-tar is a tar archive manipulation library for Node.js
- CVE-2026-59874 - node-tar is a tar archive manipulation library for Node.js
- CVE-2026-53512 - Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
- CVE-2026-53513 - @better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
- CVE-2026-53514 - Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin
- CVE-2026-53516 - Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
- CVE-2026-53517 - Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
- CVE-2026-53518 - @better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race t
- CVE-2026-56812 - Improper Check for Unusual or Exceptional Conditions vulnerability in phoenixframework phoenix (Presence JavaS
- CVE-2026-59800 - 9router: Missing Authorization and OS Command Injection
- CVE-2026-14181 - @fastify/middie versions 9.1.0 through 9.3.2 fail to guard the URL normalization step used by the standalone e
- CVE-2026-11589 - The WP Support Plus Responsive Ticket System WordPress plugin through 9.1.2 does not properly validate uploade
- CVE-2026-48795 - @adonisjs/bodyparser has an incomplete fix for CVE-2026-25754
- CVE-2026-49473 - @cedar-policy/authorization-for-expressjs has an authorization bypass via query string manipulation
- CVE-2026-56264 - Crawl4AI before 0.8.7 contains an arbitrary JavaScript execution vulnerability in the Docker API server's /exe
- CVE-2026-58138 - Orkes Conductor 3.21.21 before 3.30.2 contains an unauthenticated remote code execution vulnerability that all
- CVE-2026-10083 - The APCu Manager WordPress plugin before 4.5.0 does not escape APCu object-cache keys before rendering them in
- CVE-2026-56017 - JavaScript::Minifier::XS versions before 0.16 for Perl crash with a NULL pointer dereference when the first me
- CVE-2026-56018 - JavaScript::Minifier::XS versions before 0.16 for Perl leak memory on every call to minify(), allowing unbound
- CVE-2026-48615 - A flaw in Node.js proxy tunnel error handling could expose proxy credentials in ERR_PROXY_TUNNEL error messa
- CVE-2026-48619 - A flaw in Node.js HTTP/2 client allows a server to send an unlimited number of ORIGIN frames, which could lead
- CVE-2026-48801 - LinkifyIt#match scan loop has quadratic algorithmic complexity
- CVE-2026-48930 - A flaw in Node.js TLS hostname handling can cause Embedded-nul hostnames can lead to silent authority rebindin
- CVE-2026-48933 - A flaw in Node.js WebCrypto implementation can crash the process if the input of subtle.encrypt() is a multi
- CVE-2026-49252 - deepstream is vulnerable to prototype pollution
- CVE-2026-49293 - js-toml vulnerable to CPU exhaustion via O(n^2) BigInt construction on radix-prefixed integer literals
- CVE-2026-49357 - Streamable HTTP mode exposes LINE Desktop read/send tools without MCP authentication
- CVE-2026-50016 - pnpm: Transitive dependency alias path traversal allows project path override via symlink replacement
- CVE-2026-48995 - pnpm is a package manager. Prior to 10.33.4 and 11.0.7, a malicious codeload.github.com server can serve whate
- CVE-2026-9086 - A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manag
- CVE-2026-11998 - A flaw in AngularJS' Strict Contextual Escaping (SCE) logic allows bypassing certain SCE policies for resource
- CVE-2026-44726 - Deno is a JavaScript, TypeScript, and WebAssembly runtime
- CVE-2026-49401 - Deno is a JavaScript, TypeScript, and WebAssembly runtime
- CVE-2026-49402 - Deno is a JavaScript, TypeScript, and WebAssembly runtime
- CVE-2026-49241 - The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates
- CVE-2026-50168 - Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript
- CVE-2026-50170 - Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript
- CVE-2026-50178 - The Angular Language Service VS Code Extension provides a rich editing experience for Angular templates
- CVE-2026-54268 - Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript
- CVE-2026-55602 - http-proxy-middleware is node.js http-proxy middleware
- CVE-2026-12048 - Stored cross-site scripting in pgAdmin 4's error-rendering and plan-node-rendering paths
- CVE-2026-58399 - @acastellon/auth: Authentication bypass via spoofable headers in validateToken()
- CVE-2026-48779 - ws is an open source WebSocket client and server for Node.js
- CVE-2026-44486 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44487 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44488 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44492 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44494 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44495 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-44496 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-46625 - JavaScript Cookie is a JavaScript API for handling cookies, client-side
- CVE-2025-71319 - image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanentl
- CVE-2026-42570 - Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficien
- CVE-2026-47684 - Sync-in Server: SSRF protection bypass via IPv4-mapped IPv6 addresses in regExpPrivateIP
- CVE-2024-52011 - launch-editor allows users to open files with line numbers in editor from Node.js
- CVE-2026-44724 - systeminformation is a System and OS information library for node.js
- CVE-2026-45357 - LiquidJS has a memory and render limit bypass via unbounded width padding in date filter (strftime)
- CVE-2026-45617 - LiquidJS Vulnerable to ReDoS via Quadratic Backtracking in strip_html Filter Regex
- CVE-2026-42089 - yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
- CVE-2026-9277 - shell-quote's quote() function did not validate object-token inputs against the operator model used by pars
- CVE-2026-38728 - smtp-server's command parser memory exhaustion denial-of-service
- CVE-2026-46477 - FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
- CVE-2026-46478 - FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
- CVE-2026-46479 - FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
- CVE-2026-43997 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-43998 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-43999 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-44001 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-44004 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-44005 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-44006 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-44008 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-44009 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-44289 - protobufjs compiles protobuf definitions into JavaScript (JS) functions
- CVE-2026-44293 - protobufjs compiles protobuf definitions into JavaScript (JS) functions
- CVE-2026-44578 - Next.js is a React framework for building full-stack web applications
- CVE-2026-45411 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-8389 - JIT miscompilation in the JavaScript Engine: JIT component
- CVE-2026-8390 - Use-after-free in the JavaScript: WebAssembly component
- CVE-2026-42264 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-41139 - Math.js is an extensive math library for JavaScript and Node.js
- CVE-2026-41672 - xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module
- CVE-2026-41673 - xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module
- CVE-2026-41674 - xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module
- CVE-2026-41675 - xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module
- CVE-2026-24118 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-24120 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-24781 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-26332 - vm2 is an open source vm/sandbox for Node.js
- CVE-2026-26956 - vm2 is an open source vm/sandbox for Node.js
- CVE-2025-14576 - Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loadi
- CVE-2026-40897 - Math.js is an extensive math library for JavaScript and Node.js
- CVE-2026-42033 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-42039 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-42043 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-6754 - Use-after-free in the JavaScript Engine component
- CVE-2026-28291 - simple-git enables running native Git commands from JavaScript
- CVE-2026-5483 - A flaw was found in odh-dashboard in Red Hat Openshift AI
- CVE-2025-62718 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-39983 - basic-ftp is an FTP client for Node.js. Prior to 5.2.1, basic-ftp allows FTP command injection via CRLF sequen
- CVE-2026-39363 - Vite is a frontend tooling framework for JavaScript
- CVE-2026-39364 - Vite is a frontend tooling framework for JavaScript
- CVE-2026-34986 - Go JOSE provides an implementation of the Javascript Object Signing and Encryption set of standards in Go, inc
- CVE-2026-34769 - Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS
- CVE-2026-34771 - Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS
- CVE-2026-34774 - Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS
- CVE-2026-34780 - Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS
- CVE-2026-34601 - xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) DOMParser and XMLSerializer module
- CVE-2026-21710 - A flaw in Node.js HTTP request handling causes an uncaught TypeError when a request is received with a heade
- CVE-2026-33891 - Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript
- CVE-2026-33894 - Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript
- CVE-2026-33895 - Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript
- CVE-2026-33896 - Forge (also called node-forge) is a native implementation of Transport Layer Security in JavaScript
- CVE-2026-33937 - Handlebars provides the power necessary to let users build semantic templates
- CVE-2026-33938 - Handlebars provides the power necessary to let users build semantic templates
- CVE-2026-33939 - Handlebars provides the power necessary to let users build semantic templates
- CVE-2026-33940 - Handlebars provides the power necessary to let users build semantic templates
- CVE-2026-33941 - Handlebars provides the power necessary to let users build semantic templates
- CVE-2026-33943 - Happy DOM is a JavaScript implementation of a web browser without its graphical user interface
- CVE-2026-34226 - Happy DOM is a JavaScript implementation of a web browser without its graphical user interface
- CVE-2026-35633 - OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
- CVE-2026-4698 - JIT miscompilation in the JavaScript Engine: JIT component
- CVE-2026-33228 - flatted is a circular JSON parser. Prior to version 3.4.2, the parse() function in flatted can use attacker-co
- CVE-2026-31898 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2026-31938 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2026-32304 - Locutus brings stdlibs of other programming languages to JavaScript for educational purposes
- CVE-2026-1526 - The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption durin
- CVE-2026-2229 - ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of th
- CVE-2026-32141 - flatted is a circular JSON parser. Prior to 3.4.0, flatted's parse() function uses a recursive revive() phase
- CVE-2026-28292 - simple-git, an interface for running git commands in any node.js application, has an issue in versions 3.15
- CVE-2026-30951 - Sequelize is a Node.js ORM tool. Prior to 6.37.8, there is SQL injection via unescaped cast type in JSON/JSONB
- CVE-2026-29074 - SVGO, short for SVG Optimizer, is a Node.js library and command-line application for optimizing SVG files
- CVE-2026-29091 - Locutus brings stdlibs of other programming languages to JavaScript for educational purposes
- CVE-2026-3520 - Multer is a node.js middleware for handling multipart/form-data
- CVE-2026-2359 - Multer is a node.js middleware for handling multipart/form-data
- CVE-2026-3304 - Multer is a node.js middleware for handling multipart/form-data
- CVE-2026-27959 - Koa is middleware for Node.js using ES2017 async functions
- CVE-2026-2758 - Use-after-free in the JavaScript: GC component
- CVE-2026-2762 - Integer overflow in the JavaScript: Standard Library component
- CVE-2026-2763 - Use-after-free in the JavaScript Engine component
- CVE-2026-2764 - JIT miscompilation, use-after-free in the JavaScript Engine: JIT component
- CVE-2026-2765 - Use-after-free in the JavaScript Engine component
- CVE-2026-2766 - Use-after-free in the JavaScript Engine: JIT component
- CVE-2026-2767 - Use-after-free in the JavaScript: WebAssembly component
- CVE-2026-2795 - Use-after-free in the JavaScript: GC component
- CVE-2026-2796 - JIT miscompilation in the JavaScript: WebAssembly component
- CVE-2026-2797 - Use-after-free in the JavaScript: GC component
- CVE-2026-2472 - Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (
- CVE-2026-25535 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2026-25755 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2026-25940 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2026-26280 - systeminformation is a System and OS information library for node.js
- CVE-2026-26318 - systeminformation is a System and OS information library for node.js
- CVE-2026-1615 - Versions of the package jsonpath before 1.3.0 are vulnerable to Arbitrary Code Injection via unsafe evaluation
- CVE-2026-25639 - Axios is a promise based HTTP client for the browser and Node.js
- CVE-2026-25640 - Pydantic AI is a Python agent framework for building applications and workflows with Generative AI
- CVE-2026-25521 - Locutus brings stdlibs of other programming languages to JavaScript for educational purposes
- CVE-2026-25223 - Fastify is a fast and low overhead web framework, for Node.js
- CVE-2026-24737 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2026-25153 - Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides co
- CVE-2025-57283 - The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability
- CVE-2026-24842 - node-tar,a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for h
- CVE-2026-0775 - npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability
- CVE-2026-24001 - jsdiff is a JavaScript text differencing implementation
- CVE-2025-55130 - A flaw in Node.js’s Permissions model allows attackers to bypass --allow-fs-read and --allow-fs-write rest
- CVE-2025-55131 - A flaw in Node.js's buffer allocation logic can expose uninitialized memory when allocations are interrupted,
- CVE-2025-59465 - A malformed HTTP/2 HEADERS frame with oversized, invalid HPACK data can cause Node.js to crash by triggeri
- CVE-2026-23950 - node-tar,a Tar for Node.js, has a race condition vulnerability in versions up to and including 7.5.3
- CVE-2021-47839 - Marky 0.0.1 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious
- CVE-2026-22774 - Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficien
- CVE-2026-22775 - Svelte devalue is a JavaScript library that serializes values into strings when JSON.stringify isn't sufficien
- CVE-2025-59057 - React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0
- CVE-2026-21884 - React Router is a router for React. In @remix-run/react version prior to 2.17.3
- CVE-2026-22029 - React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 throug
- CVE-2025-69263 - pnpm is a package manager. Versions 10.26.2 and below store HTTP tarball dependencies (and git-hosted tarballs
- CVE-2025-69264 - pnpm is a package manager. Versions 10.0.0 through 10.25 allow git-hosted dependencies to execute arbitrary co
- CVE-2025-68428 - jsPDF is a library to generate PDFs in JavaScript
- CVE-2025-67288 - An arbitrary file upload vulnerability in Umbraco CMS v16.3.3 allows attackers to execute arbitrary code by up
- CVE-2025-7443 - The BerqWP – Automated All-In-One Page Speed Optimization for Core Web Vitals, Cache, CDN, Images, CSS, and Ja
- CVE-2025-8101 - Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
- CVE-2024-55591 - An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] affecting FortiOS version
- CVE-2024-21490 - This affects versions of the package angular from 1.3.0; versions of the package angularjs from 1.3.0