npm
npm
- CVE-2026-6734 - Impact When using Socks5ProxyAgent security control bypass
- GHSA-72R4-9C5J-MJ57 - pnpm security control bypass
- GHSA-FR4H-3CPH-29XV - pnpm security control bypass
- GHSA-QRV3-253H-G69C - pnpm path traversal
- GHSA-qrv3-253h-g69c - pnpm configDependencies symlink traversal
- CVE-2025-71336 - Flowise Custom MCP auth bypass RCE
- CVE-2026-11417 - aws-cdk-lib NodejsFunction bundling command injection
- CVE-2026-53633 - Vitest Browser Mode CDP API RCE
- CVE-2026-54257 - Electron Buffer heap under/overflow
- CVE-2026-54271 - protobufjs-cli JSON descriptor code injection
- CVE-2026-54281 - Nest Fastify trailing-slash middleware bypass
- CVE-2026-48054 - OpenZeppelin Wizard generated test code injection
- CVE-2026-48063 - Baileys protocolMessage spoofing and state corruption
- CVE-2026-48068 - grpc-js malformed request server crash
- CVE-2026-48069 - grpc-js malformed compressed message crash
- CVE-2026-48146 - Budibase OAuth2 validation SSRF
- CVE-2026-48150 - Budibase workspace builder to global admin escalation
- CVE-2026-48151 - Budibase webhook schema auth bypass
- CVE-2026-48152 - Budibase REST datasource auth exfiltration
- GHSA-gv7w-rqvm-qjhr - esbuild Deno binary integrity RCE
- CVE-2025-11953 - React Native CLI Metro command injection
- CVE-2025-12735 - expr-eval context function RCE
- CVE-2025-49596 - MCP Inspector proxy unauthenticated RCE
- CVE-2025-53967 - Framelink Figma MCP curl command injection
- CVE-2025-55182 - React Server Components RCE
- CVE-2025-6514 - mcp-remote OAuth command injection
- CVE-2026-44990 - sanitize-html xmp raw-text XSS
- CVE-2026-34841 - @usebruno/cli axios supply-chain RAT
- CVE-2026-44895 - GitLab MCP Server SSE auth bypass
- GHSA-jpvj-wpmj-h7rv - @cap-js/openapi package compromise
- CVE-2026-26329 - OpenClaw browser upload file read
- CVE-2026-27494 - n8n Python Code node sandbox escape
- CVE-2026-34077 - React Router Single Fetch serialization DoS
- CVE-2026-40181 - React Router protocol-relative open redirect
- CVE-2026-44974 - @hapi/content parameter smuggling upload-filter bypass
- CVE-2026-6321 - fast-uri encoded path traversal
- CVE-2026-23869 - React Server Components DoS
- CVE-2026-27606 - Rollup path traversal arbitrary write
- CVE-2026-33245 - React Router RSC redirect XSS
- CVE-2026-33696 - n8n GSuiteAdmin prototype pollution RCE
- CVE-2026-41680 - marked tokenizer OOM denial of service
- CVE-2026-45321 - TanStack npm supply-chain compromise
- CVE-2026-47668 - DbGate JSON script runner unauthenticated RCE
- CVE-2026-47669 - DbGate archive unzip arbitrary write RCE
- CVE-2026-47670 - DbGate loadReader dynamic import RCE
- CVE-2026-47759 - TinyMCE data-mce attribute XSS
- CVE-2026-47760 - TinyMCE nested SVG sanitizer XSS
- CVE-2026-47761 - TinyMCE media data-mce-object XSS
- CVE-2026-47762 - TinyMCE mce:protected comment XSS
- CVE-2026-49143 - browserstack-runner log handler RCE
- GHSA-63gr-g7jc-v8rg - AgenticMail MCP HTTP auth bypass
- CVE-2026-25049 - n8n expression escape RCE
- CVE-2026-41242 - protobufjs generated-code RCE
- CVE-2026-42211 - React Router Framework Mode deserialization RCE
- CVE-2026-42342 - React Router __manifest path-expansion DoS
- CVE-2026-47423 - DOMPurify selectedcontent re-clone XSS
- CVE-2026-47428 - Vitest browser otelCarrier token RCE
- CVE-2026-47429 - Vitest UI API file read and RCE
- CVE-2026-48017 - DbGate loadReader functionName RCE
- GHSA-m99r-2hxc-cp3q - Flowise MCP security bypass RCE
- CVE-2026-25244 - WebdriverIO BrowserStack branch command injection
- CVE-2026-43898 - SandboxJS Function.caller sandbox escape
- GHSA-v6wj-c83f-v46x - profullstack MCP server command injection
- CVE-2026-45033 - GitHub Copilot CLI nested bare repo RCE
- CVE-2026-44007 - vm2 NodeVM nesting sandbox escape
- CVE-2026-45109 - Next.js segment-prefetch middleware bypass
- GHSA-54pg-9963-v8vg - Intercom client package compromise
- CVE-2026-41428 - Budibase public endpoint auth bypass
- GHSA-xmxx/GHSA-mr34/GHSA-2gvc - OpenClaw gateway boundary hardening
- CVE-2026-40933 - Flowise MCP adapter command execution
- CVE-2026-42349 - Clerk combined authorization bypass
- CVE-2026-41265 - Flowise Airtable Agent code injection RCE
- CVE-2026-41478 - Saltcorn mobile-sync SQL injection
- CVE-2026-41507 - math-codegen string literal RCE
- CVE-2026-42231 - n8n XML webhook prototype pollution RCE
- CVE-2026-42232 - n8n XML node prototype pollution RCE
- CVE-2026-42449 - n8n-mcp IPv4-mapped IPv6 SSRF
- GHSA-3xx2/GHSA-47wq - Paperclip agent key tenant-boundary bypass
- GHSA-vr7g-88fq-vhq3 - Paperclip workspace cleanup command injection
- GHSA-xh72/GHSA-xmxx - OpenClaw agent-surface fail-closed bypasses