4,026 CVEs

11 in CISA KEV

npm Vulnerabilities

CVE security advisories and vulnerability history for npm.

4,026

Total CVEs

Published

11

In CISA KEV

Exploited in the wild

1,062

Public exploits

With known exploit

7.0

Avg CVSS

2009–2026

Overview

npm has 4,026 published CVE records since 2009, of which 11 are in CISA's Known Exploited Vulnerabilities catalog and 1,062 have a known public exploit. The average CVSS base score across scored CVEs is 7.0.

This page aggregates every publicly disclosed vulnerability (CVE) affecting npm products, with severity breakdowns, the most-affected products, the most common weakness types, and the latest disclosures.

Severity and exploitation

How the CVSS severity of npm's CVEs breaks down, plus how many are exploited in the wild or have public exploit code.

Critical388

High1,165

Medium1,140

Low130

1,203 additional CVEs have no CVSS severity score.

In CISA’s Known Exploited Vulnerabilities catalog

11

11 of npm's CVEs are confirmed exploited in the wild.

Public exploits

1,062

1,062 of npm's CVEs have a known public exploit available.

Most affected products

The npm products with the most published CVEs.

openclaw405 CVEs
parse-server106 CVEs
parse92 CVEs
n8n62 CVEs
debian linux58 CVEs
directus53 CVEs
fedora52 CVEs
next.js51 CVEs

Common weakness types

The CWE weakness categories most often found in npm CVEs. Follow any weakness for its full explanation.

CNAs that assign these CVEs

The CVE Numbering Authorities that publish npm CVE records.

Disclosure activity by year

How many npm CVEs were published each year.

2019

149

2020

351

2021

376

2022

418

2023

289

2024

282

2025

396

2026

1,123

Latest npm CVEs

The most recently disclosed vulnerabilities affecting npm.

CryptPad: Sanitizer Bypass in Diffmarked.js Allows Arbitrary HTML Injection and Potential XSS
CWE-79
Medium · CVSS 6.1
EPSS 0.0%2026-05-20
TeleJSON < 6.0.0 DOM-based XSS via parse() Function
CWE-79
Medium · CVSS 6.1
EPSS 0.0%2026-05-20
Medium vulnerability · 2026-05-19
CWE-409
Medium · CVSS 6.9
EPSS 0.1%2026-05-19
High vulnerability · 2026-05-19
CWE-1284
High · CVSS 8.7
EPSS 0.1%2026-05-19
High vulnerability · 2026-05-18
CWE-77
High · CVSS 8.8
EPSS 0.3%2026-05-18
qs.stringify crashes on null/undefined entries in comma-format arrays under encodeValuesOnly
CWE-476
Medium · CVSS 6.3
EPSS 0.0%2026-05-16
Open WebUI: Stored XSS in Banner Component via Improper Sanitization Order
CWE-79
High · CVSS 8.1
EPSS 0.0%2026-05-15
Open WebUI: Stored Cross-Site Scripting in SVG Renderer
CWE-80
Medium · CVSS 5.1
EPSS 0.0%2026-05-15
Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
CWE-862
High · CVSS 7.2
EPSS 0.1%2026-05-15
Open WebUI: Stored XSS via Model Description
CWE-79
High · CVSS 7.3
EPSS 0.0%2026-05-15
Turborepo: Login callback CSRF/session fixation
CWE-352
Medium · CVSS 5.1
EPSS 0.0%2026-05-15
Turborepo: Unexpected local code execution during Yarn Berry detection
CWE-426
Unscored
EPSS 0.1%2026-05-15

Track new npm CVEs as they are disclosed and get AI-written analysis and remediation guidance.

Monitor npm CVEs

Other vendors

Browse vulnerabilities for other tracked vendors.

composer5,054 CVEs Oracle Corporation4,928 CVEs pip4,735 CVEs canonical4,309 CVEs mozilla3,612 CVEs opensuse3,298 CVEs Siemens3,230 CVEs apache2,972 CVEs

Browse all vendors

Frequently asked questions

Common questions about npm vulnerabilities.

How many CVEs does npm have?

npm has 4,026 published CVE records since 2009, including 1,519 in the last two years.

How many npm CVEs are in CISA KEV?

Yes — 11 of npm's CVEs are listed in CISA's Known Exploited Vulnerabilities catalog, confirmed exploited in the wild and carrying a CISA remediation deadline.

Which npm products have the most CVEs?

The npm products with the most published CVEs are openclaw, parse-server, parse, n8n, debian linux.

What are the most common weakness types in npm CVEs?

npm's CVEs most often map to these CWE weakness types: CWE-79 (Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')), CWE-22 (Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')), CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')), CWE-311 (Missing Encryption of Sensitive Data).

Are there public exploits for npm vulnerabilities?

Yes — 1,062 of npm's CVEs have a known public exploit.

How many critical npm vulnerabilities are there?

npm has 388 critical and 1,165 high-severity CVEs.

What is the average severity of npm CVEs?

The average CVSS base score across npm's scored CVEs is 7.0.

References

Vulnerability data is sourced from the CVE Program; severity, KEV, and exploit signals are aggregated by RadicalNotion.AI.

Track npm vulnerabilities

Monitor new npm vulnerabilities as they are disclosed, with AI-written analysis and remediation guidance.

Start free See pricing