OsVault/npm/diff

npm2 critical

diff

28 known vulnerabilities · 2 critical · 2 high

CVE-2026-24001

jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch

Published Jan 14, 2026

GHSA-h6ch-v84p-w6p9

Regular Expression Denial of Service (ReDoS)

Published Jun 13, 2019

MAL-2022-1086

Malicious code in argocd-diff-action (npm)

Published Jun 20, 2022

CVE-2026-32065

OpenClaw: system.run approval identity mismatch could execute a different binary than displayed

Published Mar 2, 2026

MAL-2026-3793

Malicious code in simple-date-diff-utils (npm)

Published May 15, 2026

CVE-2022-41713MEDIUM

deep-object-diff vulnerable to Prototype Pollution

Published Nov 4, 2022

MAL-2026-4120

Malicious code in @antv/xflow-diff (npm)

Published May 19, 2026

CVE-2019-10776CRITICAL

OS command injection in git-diff-apply

Published Feb 14, 2020

MAL-2022-6802

Malicious code in updated-object-diff (npm)

Published Jun 20, 2022

MAL-2022-2467

Malicious code in diff-dom-2 (npm)

Published May 18, 2022

CVE-2016-10641HIGH

Downloads Resources over HTTP in node-bsdiff-android

Published Sep 18, 2018

GHSA-qhh4-458h-xwh2

@cyclonedx/cdxgen: Docker registry auth substring match forwards credentials to a different registry

Published May 8, 2026

CVE-2026-35039CRITICAL

Risk: 62.39/100

fast-jwt: Cache Confusion via cacheKeyBuilder Collisions Can Return Claims From a Different Token (Identity/Authorization Mixup)

Published Apr 3, 2026

MAL-2026-5040

Malicious code in @t-in-one/only_difference_payload (npm)

Published May 29, 2026

GHSA-mxmg-3p7m-2ghr

Duplicate Advisory: OpenClaw: system.run approval identity mismatch could execute a different binary than displayed

Published Mar 21, 2026

CVE-2017-1000452HIGH

Samlify vulnerable to Authentication Bypass by allowing tokens to be reused with different usernames

Published Jan 4, 2018

MAL-2022-2560

Malicious code in dom-diff-exporter (npm)

Published May 18, 2022

MAL-2025-7068

Malicious code in @amber-team/report-bundle-diff (npm)

Published Aug 14, 2025

GHSA-vmf3-w455-68vh

node-tar applies PAX size override to intermediary GNU long-name/long-link headers, causing tar parser interpretation differential (file smuggling)

Published Jun 15, 2026

GHSA-xrxm-cp7j-8xf6

@angular/platform-server: URL Parser Differential leading to SSRF Allowlist Bypass

Published Jun 15, 2026

MAL-2026-5844

Malicious code in numdifftools (npm)

Published Jun 15, 2026

CVE-2025-9910

jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin

Published Sep 11, 2025

GHSA-3xv9-89fm-7h4r

OpenClaw: diffs viewer misclassifies proxied remote requests as loopback when `allowRemoteViewer` is disabled

Published Apr 3, 2026

GHSA-9vc9-4jv3-rf86

@hulumi/policies has a HULUMI-H5 bypass via decoy sibling resources targeting a different bucket

Published Jun 10, 2026

MAL-2025-191416

Malicious code in rediff (npm)

Published Nov 24, 2025

MAL-2025-190655

Malicious code in @asyncapi/diff (npm)

Published Nov 24, 2025

GHSA-g2g4-47gv-p72v

CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS

Published May 26, 2026

MAL-2025-191417

Malicious code in rediff-viewer (npm)

Published Nov 24, 2025

Check your entire dependency tree at onceRun dependency scan →