jQuery MiniColors is a color picker built on jQuery. Prior to version 2.3.6, jQuery MiniColors is prone to cross-site scripting when handling untrusted color names. This issue is patched in version...
6.1CVSS
5.7AI Score
0.001EPSS
Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log...
4.4CVSS
5.7AI Score
0.0005EPSS
@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected...
8.2CVSS
6.3AI Score
0.001EPSS
@npmcli/arborist, the library that calculates dependency trees and manages the node_modules folder hierarchy for the npm command line interface, aims to guarantee that package dependency contracts will be met, and the extraction of package contents will always be performed into the expected...
8.2CVSS
6.5AI Score
0.001EPSS
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of.....
7.7CVSS
6.6AI Score
0.002EPSS
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or...
8.1CVSS
7.8AI Score
0.001EPSS
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package...
7.7CVSS
6.8AI Score
0.002EPSS
The npm-dependency-versions package through 0.3.0 for Node.js allows command injection if an attacker is able to call dependencyVersions with a JSON object in which pkgs is a key, and there are shell metacharacters in a...
9.8CVSS
9.7AI Score
0.002EPSS
All versions of @fastify/oauth2 used a statically generated state parameter at startup time and were used across all requests for all users. The purpose of the Oauth2 state parameter is to prevent Cross-Site-Request-Forgery attacks. As such, it should be unique per user and should be connected to.....
8.8CVSS
8.6AI Score
0.001EPSS
Erxes, an experience operating system (XOS) with a set of plugins, is vulnerable to cross-site scripting in versions 0.22.3 and prior. This results in client-side code execution. The victim must follow a malicious link or be redirected there from malicious web site. There are no known...
9.6CVSS
8.8AI Score
0.041EPSS
textAngular is a text editor for Angular.js. Version 1.5.16 and prior are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. There are no known...
6.1CVSS
6AI Score
0.001EPSS
Vditor is a browser-side Markdown editor. Versions prior to 3.8.7 are vulnerable to copy-paste cross-site scripting (XSS). For this particular type of XSS, the victim needs to be fooled into copying a malicious payload into the text editor. Version 3.8.7 contains a patch for this...
6.1CVSS
5.9AI Score
0.001EPSS
iziModal is a modal plugin with jQuery. Versions prior to 1.6.1 are vulnerable to cross-site scripting (XSS) when handling untrusted modal titles. An attacker who is able to influence the field title when creating a iziModal instance is able to supply arbitrary html or javascript code that will be....
6.1CVSS
5.9AI Score
0.001EPSS
Mind-elixir is a free, open source mind map core. Prior to version 0.18.1, mind-elixir is prone to cross-site scripting when handling untrusted menus. This issue is patched in version...
6.1CVSS
5.8AI Score
0.001EPSS
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part,...
8.6CVSS
7.4AI Score
0.001EPSS
A prototype pollution attack in cached-path-relative versions <=1.0.1 allows an attacker to inject properties on Object.prototype which are then inherited by all the JS objects through the prototype chain causing a DoS...
7.5CVSS
7.3AI Score
0.001EPSS
The npm package "tar" (aka node-tar) before versions 4.4.16, 5.0.8, and 6.1.7 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part,...
8.6CVSS
7.3AI Score
0.001EPSS
npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. --workspaces, --workspace=<name>). Anyone who has run npm pack or npm publish inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and ha...
7.5CVSS
8.3AI Score
0.002EPSS
The package get-npm-package-version before 1.0.7 are vulnerable to Command Injection via main function in...
9.8CVSS
9.6AI Score
0.002EPSS
This affects all versions of package npm-help. The injection point is located in line 13 in index.js file in export.latestVersion()...
9.8CVSS
9.6AI Score
0.002EPSS
9.8CVSS
9.7AI Score
0.003EPSS
The npm package "tar" (aka node-tar) before versions 4.4.18, 5.0.10, and 6.1.9 has an arbitrary file creation/overwrite and arbitrary code execution vulnerability. node-tar aims to guarantee that any file whose location would be outside of the extraction target directory is not extracted. This is,....
8.6CVSS
7.1AI Score
0.001EPSS
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when...
8.2CVSS
7.4AI Score
0.007EPSS
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. node-tar aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is,...
8.2CVSS
7.3AI Score
0.007EPSS
npm-programmatic through 0.0.12 is vulnerable to Command Injection.The packages and option properties are concatenated together without any validation and are used by the 'exec' function...
9.8CVSS
9.4AI Score
0.008EPSS
XSS in buttle npm package version 0.2.0 causes execution of attacker-provided code in the victim's browser when an attacker creates an arbitrary file on the...
6.1CVSS
6.1AI Score
0.001EPSS
Path traversal vulnerability in http-live-simulator npm package version 1.0.5 allows arbitrary path to be accessed on the file system by a remote...
7.5CVSS
7.4AI Score
0.01EPSS
Directory traversal vulnerability in cordova-plugin-ionic-webview versions prior to 2.2.0 (not including 2.0.0-beta.0, 2.0.0-beta.1, 2.0.0-beta.2, and 2.1.0-0) allows remote attackers to access arbitrary files via unspecified...
8.6CVSS
8.3AI Score
0.003EPSS
A stored xss in tianma-static module versions <=1.0.4 allows an attacker to execute arbitrary...
6.1CVSS
6.3AI Score
0.001EPSS
A Path Traversal in Knightjs versions <= 0.0.1 allows an attacker to read content of arbitrary files on a remote...
7.5CVSS
7.3AI Score
0.009EPSS
A path traversal in takeapeek module versions <=0.2.2 allows an attacker to list directory and...
5.3CVSS
5.1AI Score
0.001EPSS
This vulnerability allows remote attackers to deny service on vulnerable installations of npm mosca 2.8.1. Authentication is not required to exploit this vulnerability. The specific flaw exists within the processing of topics. A crafted regular expression can cause the broker to crash. An attacker....
7.5CVSS
7.4AI Score
0.965EPSS
simple-npm-registry is a local npm package cache. simple-npm-registry is vulnerable to a directory traversal issue, giving an attacker access to the filesystem by placing "../" in the...
7.5CVSS
7.3AI Score
0.004EPSS
The module npm-script-demo opened a connection to a command and control server. It has been removed from the npm...
9.8CVSS
8.6AI Score
0.002EPSS