Vulnerabilities

ID
Packages
Summary
Published
Attributes
MAL-2026-3409
  • npm/mw-filesystem-events-nodream
Malicious code in mw-filesystem-events-nodream (npm) 2 hours ago
  • No fix available
MAL-2026-3404
  • npm/@matjp/dvi-decode
Malicious code in @matjp/dvi-decode (npm) 9 hours ago
  • No fix available
GHSA-qp7p-654g-cw7p
  • npm/hono
Hono has CSS Declaration Injection via Style Object Values in JSX SSR yesterday
  • Fix available
  • Severity - 4.3 (Medium)
GHSA-hm8q-7f3q-5f36
  • npm/hono
Hono has improper validation of NumericDate claims (exp, nbf, iat) in JWT verify() yesterday
  • Fix available
  • Severity - 3.8 (Low)
GHSA-v6wj-c83f-v46x
  • npm/@profullstack/mcp-server
@profullstack/mcp-server vulnerable to OS Command Injection in domain_lookup Module yesterday
  • No fix available
  • Severity - 9.8 (Critical)
GHSA-j658-c2gf-x6pq
  • npm/velocityjs
Velocity.js has a Prototype Pollution vulnerability through #set path assignment yesterday
  • No fix available
  • Severity - 8.3 (High)
GHSA-p77w-8qqv-26rm
  • npm/hono
Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage yesterday
  • Fix available
  • Severity - 5.3 (Medium)
GHSA-8jr5-6gvj-rfpf
  • npm/@yoda.digital/gitlab-mcp-server
@yoda.digital/gitlab-mcp-server's SSE transport has no authentication and wildcard CORS, exposing all 86 GitLab tools yesterday
  • Fix available
  • Severity - 8.8 (High)
GHSA-m9g3-3g99-mhpx
  • npm/eventsource-encoder
eventsource-encoder vulnerable to SSE event injection via unsanitized `event` and `id` fields yesterday
  • Fix available
  • Severity - 5.8 (Medium)
GHSA-5c57-rqjx-35g2
  • npm/cline
Cline Kanban Server has a Cross-Origin WebSocket Hijacking Vulnerability yesterday
  • No fix available
  • Severity - 9.6 (Critical)
GHSA-fv7c-fp4j-7gwp
  • npm/@babel/plugin-transform-modules-systemjs
@babel/plugin-transform-modules-systemjs generates arbitrary code when compiling malicious input yesterday
  • Fix available
  • Severity - 8.2 (High)
GHSA-qhh4-458h-xwh2
  • npm/@cyclonedx/cdxgen
@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry yesterday
  • Fix available
  • Severity - 6.9 (Medium)
MAL-2026-3400
  • npm/typo-crypto
Malicious code in typo-crypto (npm) yesterday
  • No fix available
GHSA-cfw5-68c4-ffqp
  • npm/@mikro-orm/knex
  • npm/@mikro-orm/sql
MikroORM has SQL injection via runtime-controlled identifiers and JSON-path keys yesterday
  • Fix available
  • Severity - 7.6 (High)
GHSA-v39h-62p7-jpjc
  • npm/fast-uri
fast-uri vulnerable to host confusion via percent-encoded authority delimiters yesterday
  • Fix available
  • Severity - 7.5 (High)
GHSA-gf5m-wcrh-7928
  • PyPI/open-webui
  • npm/open-webui
open-webui Vulnerable to Stored XSS via Model Description yesterday
  • Fix available
  • Severity - 7.3 (High)