VYPR

Vendor: Npm
Products: 14
CVEs: 16
Across products: 16
Status: Private


Recent CVEs (16)
  • CVE-2026-50875 (High) Jun 15, 2026
    risk 0.53 | cvss 8.1 | epss 0.00

    Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request.

  • CVE-2026-45822 (Important) Jun 30, 2026
    risk 0.49 | cvss 7.5 | epss

    decode-uri-component: Denial of Service via crafted input

  • CVE-2025-71330 (High) Jun 10, 2026
    risk 0.49 | cvss 7.5 | epss 0.00

    image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued…

  • CVE-2026-50892 (Medium) Jun 15, 2026
    risk 0.42 | cvss 6.5 | epss 0.00

    Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.

  • CVE-2026-12143 (High) Jun 12, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line…

  • CVE-2026-9678 (Moderate) Jun 17, 2026
    risk 0.38 | cvss 5.9 | epss 0.00

    undici: Information disclosure due to improper cache-control header parsing

  • CVE-2026-11525 (Low) Jun 17, 2026
    risk 0.17 | cvss 3.7 | epss 0.00

    undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

  • CVE-2026-56876 Jun 27, 2026
    risk 0.00 | cvss | epss 0.00

    extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the…

  • CVE-2026-56762 Jun 23, 2026
    risk 0.00 | cvss | epss 0.00

    Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can…

  • CVE-2026-12866 Jun 23, 2026
    risk 0.00 | cvss | epss 0.00

    All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are…

  • CVE-2026-56294 Jun 20, 2026
    risk 0.00 | cvss | epss 0.00

    capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass…

  • CVE-2026-56276 Jun 20, 2026
    risk 0.00 | cvss | epss 0.00

    Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a…

  • CVE-2026-56267 Jun 20, 2026
    risk 0.00 | cvss | epss 0.00

    Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data…

  • CVE-2025-71331 Jun 20, 2026
    risk 0.00 | cvss | epss 0.00

    Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., <iframe…

  • CVE-2024-58351 Jun 20, 2026
    risk 0.00 | cvss | epss 0.01

    Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted…

  • CVE-2026-48716 Jun 18, 2026
    risk 0.00 | cvss | epss 0.00

    nanobot is a personal AI assistant. In versions 0.1.5.post3 and prior, the WhatsApp bridge in bridge/src/whatsapp.ts constructs a filesystem path using the fileName field from an incoming WhatsApp document message without sanitization. The WhatsApp bridge downloads media…