Npm

This hub aggregates every CVE we track for Npm, a product in the oss libraries space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 12 most recently published vulnerabilities affecting Npm.

• CVE-2026-0775npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability7.0Jan 23, 2026
• CVE-2022-29244npm packing does not respect root-level ignore files in workspaces7.5Jun 13, 2022
• CVE-2021-43616The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with t...9.0Nov 13, 2021
• CVE-2021-35225Netpath Horizontal Privilege Escalation Vulnerability: NPM 2020.2.55.0Oct 21, 2021
• CVE-2021-26700Visual Studio Code npm-script Extension Remote Code Execution Vulnerability7.8Feb 25, 2021
• CVE-2020-15095Sensitive information exposure through logs in npm cli4.4Jul 7, 2020
• CVE-2019-16777Arbitrary File Overwrite in npm CLI7.7Dec 13, 2019
• CVE-2019-16776Unauthorized File Access in npm CLI before before version 6.13.37.7Dec 13, 2019
• CVE-2019-16775Unauthorized File Access in npm CLI before before version 6.13.37.7Dec 13, 2019
• CVE-2018-7408An issue was discovered in an npm 5.7.0 2018-02-21 pre-release (marked as "next: 5.7.0" and therefore automatically installed by an "npm upgrade -g npm" command, and also announced in the vendor's ...7.8Feb 22, 2018
• CVE-2016-3956The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before 4.4.2, and 5 before 5.10.0, includes bearer tokens with arbitrary requests, ...7.5Jul 2, 2016
• CVE-2013-4116lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking...3.3Apr 22, 2014