Npm
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-50875 | | High | 0.53 | 8.1 | 0.00 | | Jun 15, 2026 | Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request. |
| CVE-2026-45822 | | Important | 0.49 | 7.5 | — | | Jun 30, 2026 | decode-uri-component: Denial of Service via crafted input |
| CVE-2025-71330 | | High | 0.49 | 7.5 | 0.00 | | Jun 10, 2026 | image-size through 2.0.2 contains a denial of service vulnerability that allows remote attackers to permanently block the Node.js event loop by supplying a specially crafted ICNS image buffer. Attackers can craft an ICNS buffer containing valid magic bytes and a zero-valued… |
| CVE-2026-50892 | | Medium | 0.42 | 6.5 | 0.00 | | Jun 15, 2026 | Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request. |
| CVE-2026-12143 | | High | 0.42 | 7.5 | 0.00 | | Jun 12, 2026 | form-data is a library for creating readable multipart/form-data streams. In versions through 4.0.5, the `field` argument to `FormData#append` and the `filename` option are concatenated verbatim into the `Content-Disposition` header without escaping carriage return (CR), line… |
| CVE-2026-9678 | | Moderate | 0.38 | 5.9 | 0.00 | | Jun 17, 2026 | undici: Information disclosure due to improper cache-control header parsing |
| CVE-2026-11525 | | Low | 0.17 | 3.7 | 0.00 | | Jun 17, 2026 | undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header |
| CVE-2026-56876 | | | 0.00 | — | 0.00 | | Jun 27, 2026 | extract-zip does not validate symlink targets when extracting zip archives. When processing a malicious zip file containing a symlink with a relative path like '../../../../etc/passwd', extract-zip will extract the symlink without validation, allowing it to point outside the… |
| CVE-2026-56762 | | | 0.00 | — | 0.00 | | Jun 23, 2026 | Hono before 4.12.12 does not validate cookie names on the write path in the setCookie(), serialize(), and serializeSigned() functions, allowing invalid characters such as control characters (e.g. \r or \n) when an application passes a user-controlled cookie name. This can… |
| CVE-2026-12866 | | | 0.00 | — | 0.00 | | Jun 23, 2026 | All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction() API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function(). Because user-controlled expressions are… |
| CVE-2026-56294 | | | 0.00 | — | 0.00 | | Jun 20, 2026 | capacitor-native-biometric before 12.128.2 contains an authentication bypass vulnerability where the onAuthenticationSucceeded() method fails to validate CryptoObject parameters. Attackers can hook the onAuthenticationSucceeded() function using dynamic instrumentation to bypass… |
| CVE-2026-56276 | | | 0.00 | — | 0.00 | | Jun 20, 2026 | Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a… |
| CVE-2026-56267 | | | 0.00 | — | 0.00 | | Jun 20, 2026 | Flowise before 3.0.13 contains an information exposure vulnerability in the POST /api/v1/account/forgot-password endpoint that returns full user objects including PII to unauthenticated attackers. An attacker can enumerate valid email addresses and harvest sensitive user data… |
| CVE-2025-71331 | | | 0.00 | — | 0.00 | | Jun 20, 2026 | Flowise before 3.0.8 contains a cross-site scripting (XSS) vulnerability caused by insufficient input filtering in chat messages and custom agent functions. An attacker can inject malicious JavaScript by sending an iframe payload (e.g., <iframe… |
| CVE-2024-58351 | | | 0.00 | — | 0.01 | | Jun 20, 2026 | Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted… |
| CVE-2026-48716 | | | 0.00 | — | 0.00 | | Jun 18, 2026 | nanobot is a personal AI assistant. In versions 0.1.5.post3 and prior, the WhatsApp bridge in bridge/src/whatsapp.ts constructs a filesystem path using the fileName field from an incoming WhatsApp document message without sanitization. The WhatsApp bridge downloads media… |