npm

Top products

The 15 most recently published vulnerabilities affecting npm.

• CVE-2026-32728Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries7.6Mar 18, 2026
• CVE-2026-32723SandboxJS timers have an execution-quota bypass (cross-sandbox currentTicks race)4.7Mar 18, 2026
• CVE-2026-32638StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens2.7Mar 18, 2026
• CVE-2026-29112@dicebear/converter vulnerable to ncontrolled memory allocation via crafted SVG dimensions7.5Mar 18, 2026
• CVE-2026-27978Next.js: null origin can bypass Server Actions CSRF checks4.3Mar 17, 2026
• CVE-2026-27977Next.js: null origin can bypass dev HMR websocket CSRF checks5.4Mar 17, 2026
• CVE-2026-32635Angular has XSS in i18n attribute bindings9.0Mar 13, 2026
• CVE-2026-32630file-type affected by ZIP Decompression Bomb DoS via [Content_Types].xml entry5.3Mar 13, 2026
• CVE-2026-32621Apollo Federation has prototype pollution via incomplete key sanitization9.9Mar 13, 2026
• CVE-2026-32594Parse Server GraphQL WebSocket endpoint bypasses security middleware7.3Mar 13, 2026
• CVE-2026-31882Dagu SSE Authentication Bypass in Basic Auth Mode7.5Mar 13, 2026
• CVE-2026-26954SandboxJS has a Sandbox Escape10.0Mar 13, 2026
• CVE-2026-4092Arbitrary File Write via Path Traversal in Google clasp leading to RCE8.8Mar 13, 2026
• CVE-2026-32598OneUptime: Password Reset Token Logged at INFO Level6.5Mar 12, 2026
• CVE-2026-32308OneUptime: Stored XSS via Mermaid Diagram Rendering (securityLevel: "loose")7.6Mar 12, 2026