OsVault/npm/content
npm

content

99 known vulnerabilities · 0 critical · 7 high

CVE-2017-16111HIGH

Regular Expression Denial of Service in content

Published Jul 24, 2018
GHSA-pcw7-5633-82vv

Strapi Upload Plugin MIME Validation Bypass via Content API

Published May 14, 2026
CVE-2017-1000042MEDIUM

Content Injection via TileJSON attribute in mapbox.js

Published Nov 9, 2018
CVE-2026-25151

Qwik City has a CSRF Protection Bypass via Content-Type Header Validation

Published Feb 3, 2026
CVE-2024-48913

Hono allows bypass of CSRF Middleware by a request without Content-Type header.

Published Oct 15, 2024
CVE-2026-26980

Ghost has a SQL injection in Content API

Published Feb 18, 2026
CVE-2014-10065MEDIUM

Content Injection in remarkable

Published Aug 31, 2020
CVE-2026-3419

Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation

Published Mar 5, 2026
MAL-2025-190666

Malicious code in @ensdomains/content-hash (npm)

Published Nov 24, 2025
CVE-2026-32630

file-type: ZIP Decompression Bomb DoS via [Content_Types].xml entry

Published Mar 13, 2026
CVE-2024-29181LOW

@strapi/plugin-content-manager leaks data via relations via the Admin Panel

Published Jun 12, 2024
CVE-2024-43787MEDIUM

Hono CSRF middleware can be bypassed using crafted Content-Type header

Published Aug 22, 2024
MAL-2022-4634

Malicious code in mitui-view-content (npm)

Published Jun 20, 2022
CVE-2025-64166

Mercurius: Incorrect Content-Type parsing can lead to CSRF attack

Published Mar 5, 2026
CVE-2022-41919MEDIUM

Fastify: Incorrect Content-Type parsing can lead to CSRF attack

Published Nov 21, 2022
GHSA-c4qm-58hj-j6pj

OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation

Published Apr 17, 2026
MAL-2022-2170

Malicious code in content-tep (npm)

Published Aug 19, 2022
CVE-2026-32728

Parse Server has a stored XSS filter bypass via Content-Type MIME parameter and missing XML extension blocklist entries

Published Mar 16, 2026
MAL-2024-7917

Malicious code in @nc-tools/namp-cms-content-provider (npm)

Published Aug 7, 2024
CVE-2023-40028MEDIUM

Ghost vulnerable to arbitrary file read via symlinks in content import

Published Aug 15, 2023
MAL-2022-6722

Malicious code in ual-content-page (npm)

Published May 16, 2022
GHSA-247c-9743-5963

Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type Header

Published Apr 15, 2026
MAL-2022-6638

Malicious code in treeing-cur-content (npm)

Published Jul 26, 2022
GHSA-3mjm-x6gw-2x42

@grackle-ai/server has Missing Content-Security-Policy and X-Frame-Options Headers

Published Mar 25, 2026
CVE-2022-39288HIGH

fastify vulnerable to denial of service via malicious Content-Type

Published Oct 11, 2022
CVE-2025-2699

GetmeUK ContentTools Cross-Site Scripting (XSS)

Published Mar 24, 2025
CVE-2015-1370MEDIUM

VBScript Content Injection in marked

Published Oct 24, 2017
CVE-2025-46653

Formidable relies on hexoid to prevent guessing of filenames for untrusted executable content

Published Apr 26, 2025
CVE-2021-41164HIGH

Advanced Content Filter (ACF) vulnerability allowing to execute JavaScript code using malformed HTML

Published Nov 17, 2021
CVE-2023-34093MEDIUM

Making all attributes on a content-type public without noticing it

Published Jul 25, 2023
MAL-2024-12131

Malicious code in contentsdk-node (npm)

Published Dec 26, 2024
CVE-2016-10524HIGH

Denial of Service and Content Injection in i18n-node-angular

Published Feb 18, 2019
CVE-2014-6393MEDIUM

No Charset in Content-Type Header in express

Published Oct 23, 2018
MAL-2026-1663

Malicious code in braze-content-card-island (npm)

Published Mar 18, 2026
CVE-2022-35948MEDIUM

Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type

Published Aug 18, 2022
CVE-2026-25223

Fastify's Content-Type header tab character allows body validation bypass

Published Feb 2, 2026
CVE-2026-22036

Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

Published Jan 14, 2026
CVE-2023-23623HIGH

Electron's Content-Secrity-Policy disabling eval not applied consistently in renderers with sandbox disabled

Published Sep 6, 2023
CVE-2018-1000534MEDIUM

Joplin Vulnerable to Cross-site Scripting in Note Content

Published May 14, 2022
CVE-2023-45818MEDIUM

TinyMCE mXSS vulnerability in undo/redo, getContent API, resetContent API, and Autosave plugin

Published Oct 19, 2023
MAL-2026-2455

Malicious code in strapi-plugin-content-sync (npm)

Published Apr 3, 2026
CVE-2026-25155

Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)

Published Feb 3, 2026
GHSA-3xcq-8mjw-h6mx

Strapi Vulnerable to SQL Injection in Content Type Builder

Published May 13, 2026
MAL-2026-287

Malicious code in idel2-content (npm)

Published Jan 16, 2026
CVE-2017-1000043MEDIUM

Content Injection via TileJSON Name in mapbox.js

Published Nov 9, 2018
MAL-2025-3090

Malicious code in adult-content-detection-aws (npm)

Published Apr 3, 2025
MAL-2026-5199

Malicious code in @ethlete/contentful (npm)

Published Jun 5, 2026
MAL-2022-2171

Malicious code in contentsource-connector (npm)

Published Jun 20, 2022
GHSA-g485-8j3v-p6x8

@tdurieux/anonymous_github Vulnerable to XSS via Unsanitized GitHub Repository Content Rendering in Anonymous GitHub Origin

Published May 5, 2026
MAL-2023-485

Malicious code in grouped-content (npm)

Published Mar 31, 2023
MAL-2024-1355

Malicious code in @content-platform/shared (npm)

Published May 9, 2024
MAL-2025-6181

Malicious code in mydealer-content-service (npm)

Published Jul 22, 2025
CVE-2021-21320LOW

User content sandbox can be confused into opening arbitrary documents

Published Mar 3, 2021
CVE-2026-30830

defuddle vulnerable to XSS via unescaped string interpolation in _findContentBySchemaText image tag

Published Mar 6, 2026
CVE-2026-27901

Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent`

Published Feb 26, 2026
GHSA-vf2m-468p-8v99

Axios: HTTP adapter streamed responses bypass maxContentLength

Published May 5, 2026
CVE-2026-0969

next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content

Published Feb 12, 2026
MAL-2026-279

Malicious code in dibels8-content (npm)

Published Jan 16, 2026
MAL-2025-1623

Malicious code in react-content-loader-fork (npm)

Published Feb 28, 2025
MAL-2025-1053

Malicious code in typespublishercontenthash (npm)

Published Feb 3, 2025
MAL-2025-7072

Malicious code in @amber-team/social-content-ai-widget (npm)

Published Aug 14, 2025
CVE-2025-55173

Next.js Content Injection Vulnerability for Image Optimization

Published Aug 29, 2025
CVE-2020-28455HIGH

markdown-it-toc Cross-site Scripting due to title of generated toc and contents of header not being escaped

Published Jul 26, 2022
MAL-2023-337

Malicious code in fc-content (npm)

Published Jun 6, 2023
MAL-2022-292

Malicious code in @goatapp/web-content-components (npm)

Published Jun 20, 2022
MAL-2022-461

Malicious code in @nexthink/content-sharing (npm)

Published Oct 19, 2022
MAL-2026-4378

Malicious code in @databus-service-ui/scroll-up-content (npm)

Published May 25, 2026
MAL-2022-460

Malicious code in @nexthink/content-admin-list (npm)

Published Oct 19, 2022
MAL-2026-4524

Malicious code in claude-content-writer (npm)

Published May 21, 2026
MAL-2024-1354

Malicious code in @content-platform/fadam-module (npm)

Published May 9, 2024
MAL-2022-176

Malicious code in @codacontent/fetlife-assets (npm)

Published Jun 20, 2022
GHSA-gvmj-g25r-r7wr

DOMPurify: SAFE_FOR_TEMPLATES bypass - template expressions survive sanitization inside <template> content when using DOM output modes

Published Jun 15, 2026
MAL-2025-1621

Malicious code in pp-react-content-loader (npm)

Published Feb 28, 2025
GHSA-rp9w-3fw7-7cwq

DOMPurify IN_PLACE Sanitization Bypass via Attached Shadow Root Inside <template>.content

Published Jun 15, 2026
MAL-2025-192564

Malicious code in sdbao-content-report (npm)

Published Dec 12, 2025
MAL-2025-192565

Malicious code in sdbao-content-sems (npm)

Published Dec 12, 2025
CVE-2023-41167MEDIUM

@webiny/react-rich-text-renderer vulnerable to insecure rendering of rich text content

Published Aug 24, 2023
CVE-2014-3743MEDIUM

Multiple Content Injection Vulnerabilities in marked

Published Aug 31, 2020
GHSA-v228-72c7-fx8j

open-websearch has SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`

Published May 5, 2026
MAL-2025-3724

Malicious code in client-aem-content-engine (npm)

Published May 11, 2025
GHSA-c3h8-g69v-pjrg

i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header

Published Apr 22, 2026
GHSA-87xg-pxx2-7hvx

DOMPurify XSS via selectedcontent re-clone

Published Jun 1, 2026
MAL-2026-1980

Malicious code in svg-content-validation (npm)

Published Mar 20, 2026
GHSA-36hh-x5p5-jgc8

@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters

Published May 27, 2026
MAL-2026-5465

Malicious code in getd-content-management (npm)

Published Jun 9, 2026
MAL-2026-1856

Malicious code in static-content-cannabis (npm)

Published Mar 18, 2026
GHSA-rv63-4mwf-qqc2

hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`

Published Jun 16, 2026
CVE-2023-36472MEDIUM

Strapi may leak sensitive user information, user reset password, tokens via content-manager views

Published Sep 13, 2023
MAL-2022-4620

Malicious code in mitui-comp-content (npm)

Published Jun 20, 2022
CVE-2026-35213
Risk: 44.38/100

@hapi/content: Regular Expression Denial of Service (ReDoS) in HTTP header parsing

Published Apr 4, 2026
MAL-2026-141

Malicious code in rt-long-form-content (npm)

Published Jan 7, 2026
CVE-2026-35200MEDIUM
Risk: 30.18/100

Parse Server: File upload Content-Type override via extension mismatch

Published Apr 4, 2026
GHSA-m3q2-p4fw-w38m

Cross-site scripting via <NoScript> slot content in Nuxt's head components

Published Jun 16, 2026
MAL-2022-6966

Malicious code in volpino-italiano-content (npm)

Published Jul 26, 2022
GHSA-fvhg-p4hf-79x3

@cyntler/react-doc-viewer's TXTRenderer fails to sanitize file content and explicitly casts raw data as a ReactNode

Published May 20, 2026
CVE-2025-53624

docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token

Published Jul 9, 2025
MAL-2026-6168

Malicious code in macos-contentprovider-optimizingassets (npm)

Published Jun 17, 2026
CVE-2026-34771HIGH
Risk: 37.51/100

Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks

Published Apr 3, 2026
MAL-2022-3591

Malicious code in helix-contentsource-connector (npm)

Published Jun 20, 2022
Check your entire dependency tree at onceRun dependency scan →