OsVault/npm/public

npm2 critical

public

53 known vulnerabilities · 2 critical · 2 high

CVE-2018-3731HIGH

Path Traversal in public

Published Jul 18, 2018

CVE-2018-16480MEDIUM

Tnantoka/public XSS Vulnerability

Published Feb 7, 2019

CVE-2018-3747MEDIUM

Cross-Site Scripting in public

Published Oct 10, 2018

GHSA-4jpm-cgx2-8h37

Flowise: Sensitive Data Leak in public-chatbotConfig

Published Apr 16, 2026

GHSA-6vp2-6r7m-2jvx

Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour

Published May 19, 2026

GHSA-6f7g-v4pp-r667

Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow in Flowise

Published Apr 16, 2026

GHSA-8783-3wgf-jggf

Budibase: Authentication Bypass via Unanchored Regex in Public Endpoint Matcher — Unauthenticated Access to Protected Endpoints

Published Apr 16, 2026

GHSA-c276-fj82-f2pq

ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions

Published Apr 16, 2026

CVE-2024-56159

Astro's server source code is exposed to the public if sourcemaps are enabled

Published Dec 19, 2024

CVE-2026-28395

OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback

Published Feb 17, 2026

CVE-2023-42282CRITICAL

NPM IP package incorrectly identifies some private IP addresses as public

Published Feb 8, 2024

CVE-2026-30854

Parse Server: GraphQL `__type` introspection bypass via inline fragments when public introspection is disabled

Published Mar 9, 2026

CVE-2024-36423MEDIUM

Flowise Cross-site Scripting in /api/v1/public-chatflows/id

Published Aug 5, 2024

CVE-2023-40027LOW

When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible

Published Aug 15, 2023

MAL-2022-6721

Malicious code in ua-publication-manager (npm)

Published Jul 21, 2022

CVE-2024-43788MEDIUM

Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS

Published Aug 27, 2024

MAL-2022-705

Malicious code in @visiology-public-utilities/language-utils (npm)

Published Jun 1, 2022

GHSA-w47f-j8rh-wx87

Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs

Published Apr 17, 2026

CVE-2023-34093MEDIUM

Making all attributes on a content-type public without noticing it

Published Jul 25, 2023

CVE-2025-58751

Vite middleware may serve files starting with the same name with the public directory

Published Sep 9, 2025

MAL-2022-5013

Malicious code in octavius-public (npm)

Published Jun 20, 2022

MAL-2022-5514

Malicious code in public-method-library (npm)

Published Jun 20, 2022

MAL-2022-5516

Malicious code in publicrepoui (npm)

Published Jun 20, 2022

MAL-2024-1565

Malicious code in aws-public (npm)

Published Jun 11, 2024

CVE-2026-34950CRITICAL

Risk: 62.39/100

fast-jwt: Incomplete fix for CVE-2023-48223: JWT Algorithm Confusion via Whitespace-Prefixed RSA Public Key

Published Apr 2, 2026

GHSA-756q-gq9h-fp22

n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure

Published Apr 29, 2026

CVE-2016-1000223

Forgeable Public/Private Tokens in jws

Published Sep 1, 2020

MAL-2025-6000

Malicious code in public-tools-and-demos (npm)

Published Jul 15, 2025

GHSA-xhq9-58fw-859p

ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API

Published Apr 16, 2026

CVE-2026-4600

jsrsasign: DSA signatures or X.509 certificates can be forged via DSA domain-parameter validation in KJUR.crypto.DSA.setPublic

Published Mar 23, 2026

MAL-2022-7174

Malicious code in wix-public (npm)

Published Jun 20, 2022

MAL-2025-7985

Malicious code in @ginger-team/public-ui (npm)

Published Aug 14, 2025

CVE-2016-10555MEDIUM

Forgeable Public/Private Tokens in jwt-simple

Published Nov 6, 2018

MAL-2026-4289

Malicious code in @stockrepublic/republic-components (npm)

Published May 24, 2026

MAL-2026-2077

Malicious code in @emilgroup/public-api-sdk-node (npm)

Published Mar 22, 2026

MAL-2023-619

Malicious code in network_security_private_communication_in_a_public_world_solution_manual_pdfzip_best__0sm (npm)

Published May 9, 2023

MAL-2023-8026

Malicious code in docs-public-api (npm)

Published Aug 21, 2023

MAL-2026-482

Malicious code in public-site-boostmoney-ui (npm)

Published Jan 23, 2026

MAL-2026-483

Malicious code in public-site-cms-ui (npm)

Published Jan 23, 2026

GHSA-3644-q5cj-c5c7

LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust boundary warning

Published May 13, 2026

CVE-2024-29415HIGH

ip SSRF improper categorization in isPublic

Published Jun 2, 2024

GHSA-4w6r-5c2j-qf5f

NocoDB: Hidden Column Exposure in Public Shared View Endpoints

Published Jun 5, 2026

GHSA-9wgh-m22w-9xj8

NocoDB: Hidden LTAR Column Exposure in Public Shared-View Relation Endpoints

Published Jun 5, 2026

MAL-2026-2274

Malicious code in autoshipment-public-front (npm)

Published Mar 28, 2026

GHSA-h3jj-5f3v-3685

n8n: Public API Execution Retry Authorization Bypass

Published Jun 16, 2026

MAL-2026-2058

Malicious code in @emilgroup/public-api-sdk (npm)

Published Mar 22, 2026

CVE-2026-4258

sjcl is missing point-on-curve validation in sjcl.ecc.basicKey.publicKey

Published Mar 17, 2026

MAL-2026-1938

Malicious code in @metaplex-foundations/umi-public-keys (npm)

Published Mar 20, 2026

MAL-2026-5971

Malicious code in @public-for-cdao/hooks (npm)

Published Jun 17, 2026

MAL-2026-4014

Malicious code in @antv/gi-public-data (npm)

Published May 19, 2026

GHSA-2vff-hj5x-8gq7

n8n: Prototype Pollution enables confused-deputy execution via public webhooks

Published Jun 16, 2026

GHSA-6xp4-cf37-ppjh

Budibase: Workspace-scoped builder escalates to global admin via /api/public/v1/roles/assign

Published Jun 12, 2026

MAL-2022-5515

Malicious code in public-portal-ui (npm)

Published Jun 20, 2022

Check your entire dependency tree at onceRun dependency scan →