npm — vulnerability landscape

Every CVE-affected package in the npm ecosystem, sorted by risk.

Last updated 6/5/2026, 4:49:27 AM

#	Package	CVEs	KEV	Max EPSS
1	electron	48	3	93.3%
2	n8n	67	1	65.8%
3	vite	20	1	89.8%
4	systeminformation	13	1	94.0%
5	jquery	8	1	34.7%
6	react-server-dom-webpack	7	1	82.0%
7	react-server-dom-turbopack	7	1	82.0%
8	react-server-dom-parcel	7	1	82.0%
9	mongo-express	4	1	94.4%
10	@tanstack/vue-router-ssr-query	1	1	17.1%
11	@tanstack/react-router	1	1	17.1%
12	@tanstack/router-generator	1	1	17.1%
13	@tanstack/react-start-server	1	1	17.1%
14	@tanstack/vue-start-server	1	1	17.1%
15	@tanstack/router-devtools	1	1	17.1%
16	@tanstack/solid-start	1	1	17.1%
17	@tanstack/eslint-plugin-start	1	1	17.1%
18	@tanstack/vue-start-client	1	1	17.1%
19	@tanstack/solid-start-server	1	1	17.1%
20	@tanstack/react-router-devtools	1	1	17.1%
21	eslint-plugin-prettier	1	1	14.7%
22	@tanstack/solid-router	1	1	17.1%
23	@tanstack/router-ssr-query-core	1	1	17.1%
24	@tanstack/valibot-adapter	1	1	17.1%
25	@tanstack/zod-adapter	1	1	17.1%
26	napi-postinstall	1	1	14.7%
27	synckit	1	1	14.7%
28	@tanstack/router-vite-plugin	1	1	17.1%
29	@tanstack/react-start-client	1	1	17.1%
30	@tanstack/solid-router-devtools	1	1	17.1%
31	@tanstack/router-utils	1	1	17.1%
32	@tanstack/start-static-server-functions	1	1	17.1%
33	eslint-config-prettier	1	1	14.7%
34	@tanstack/router-cli	1	1	17.1%
35	@tanstack/router-core	1	1	17.1%
36	@tanstack/vue-router-devtools	1	1	17.1%
37	@tanstack/router-plugin	1	1	17.1%
38	puppeteer	1	1	89.9%
39	@tanstack/start-storage-context	1	1	17.1%
40	@tanstack/history	1	1	17.1%
41	@tanstack/vue-router	1	1	17.1%
42	@tanstack/start-plugin-core	1	1	17.1%
43	@tanstack/react-start-rsc	1	1	17.1%
44	@tanstack/vue-start	1	1	17.1%
45	@pkgr/core	1	1	14.7%
46	@tanstack/arktype-adapter	1	1	17.1%
47	@tanstack/solid-router-ssr-query	1	1	17.1%
48	@react-native-community/cli-server-api	1	1	20.1%
49	@tanstack/nitro-v2-vite-plugin	1	1	17.1%
50	@tanstack/react-router-ssr-query	1	1	17.1%
51	@tanstack/start-fn-stubs	1	1	17.1%
52	@tanstack/solid-start-client	1	1	17.1%
53	@tanstack/react-start	1	1	17.1%
54	@tanstack/start-server-core	1	1	17.1%
55	@tanstack/eslint-plugin-router	1	1	17.1%
56	@tanstack/start-client-core	1	1	17.1%
57	got-fetch	1	1	14.7%
58	@react-native-community/cli	1	1	20.1%
59	@tanstack/router-devtools-core	1	1	17.1%
60	@tanstack/virtual-file-routes	1	1	17.1%
61	openclaw	404	—	1.0%
62	parse-server	108	—	75.6%
63	flowise	63	—	87.7%
64	directus	53	—	0.9%
65	next	47	—	92.8%
66	vm2	41	—	84.6%
67	nocodb	33	—	3.8%
68	axios	30	—	13.1%
69	hono	26	—	1.7%
70	@anthropic-ai/claude-code	24	—	0.5%
71	undici	22	—	0.6%
72	ghost	21	—	94.1%
73	@openzeppelin/contracts	19	—	0.9%
74	fuxa-server	19	—	65.5%
75	@openzeppelin/contracts-upgradeable	18	—	0.9%
76	astro	17	—	10.8%
77	@haxtheweb/haxcms-nodejs	16	—	4.0%
78	sequelize	15	—	3.5%
79	tar	15	—	85.0%
80	jspdf	15	—	0.7%
81	liquidjs	15	—	0.3%
82	ckeditor4	15	—	65.5%
83	joplin	14	—	15.3%
84	tinymce	14	—	5.1%
85	nodebb	14	—	56.8%
86	flowise-components	14	—	1.2%
87	@nyariv/sandboxjs	14	—	1.5%
88	signalk-server	13	—	0.1%
89	dompurify	13	—	2.6%
90	jsrsasign	12	—	1.8%
91	angular	12	—	4.3%
92	matrix-js-sdk	12	—	0.9%
93	@directus/api	12	—	0.8%
94	protobufjs	12	—	1.7%
95	strapi	12	—	94.0%
96	pnpm	12	—	1.7%
97	svelte	12	—	0.7%
98	@evershop/evershop	12	—	1.3%
99	node-forge	12	—	2.1%
100	handlebars	12	—	24.8%
101	react-router	12	—	0.5%
102	sillytavern	11	—	2.6%
103	@strapi/strapi	11	—	17.9%
104	@oneuptime/common	11	—	0.4%
105	electerm	11	—	0.8%
106	apostrophe	11	—	0.4%
107	@lobehub/chat	11	—	73.3%
108	marked	11	—	1.1%
109	bootstrap	10	—	9.8%
110	shescape	10	—	1.1%
111	sanitize-html	10	—	1.8%
112	fast-xml-parser	10	—	0.9%
113	payload	10	—	1.0%
114	fastify	10	—	5.9%
115	lodash	10	—	14.8%
116	clawdbot	10	—	0.2%
117	@sveltejs/kit	10	—	0.3%
118	npm	9	—	3.2%
119	matrix-appservice-irc	9	—	0.8%
120	xmldom	9	—	1.3%
121	validator	9	—	0.6%
122	open-webui	9	—	2.7%
123	uptime-kuma	9	—	65.7%
124	next-auth	9	—	0.9%
125	mermaid	9	—	0.5%
126	lodash-es	8	—	14.8%
127	matrix-react-sdk	8	—	0.8%
128	steal	8	—	0.5%
129	@builder.io/qwik-city	8	—	0.2%
130	fast-jwt	8	—	2.1%
131	url-parse	8	—	1.7%
132	@xmldom/xmldom	8	—	1.2%
133	urijs	8	—	0.6%
134	elliptic	8	—	3.9%
135	editor.md	8	—	0.5%
136	@budibase/server	8	—	0.3%
137	locutus	8	—	1.7%
138	nuxt	8	—	2.1%
139	@astrojs/node	7	—	5.1%
140	studiocms	7	—	0.1%
141	jquery-ui	7	—	31.2%
142	mattermost-desktop	7	—	1.5%
143	@strapi/plugin-users-permissions	7	—	91.0%
144	snyk-broker	7	—	0.6%
145	simple-git	7	—	41.7%
146	hermes-engine	7	—	1.6%
147	mongoose	7	—	55.3%
148	qs	7	—	1.5%
149	@backstage/plugin-scaffolder-backend	7	—	9.1%
150	vega	7	—	0.5%
151	total.js	7	—	53.3%
152	tarteaucitronjs	7	—	0.5%
153	n8n-mcp	7	—	0.1%
154	@auth0/nextjs-auth0	7	—	0.6%
155	multer	7	—	0.2%
156	swagger-ui	6	—	80.4%
157	bootstrap-sass	6	—	9.8%
158	hapi	6	—	35.8%
159	rsshub	6	—	1.4%
160	@frangoteam/fuxa	6	—	93.4%
161	prismjs	6	—	1.8%
162	@fedify/fedify	6	—	0.4%
163	parse-url	6	—	0.4%
164	express	6	—	0.3%
165	openpgp	6	—	1.1%
166	@angular/ssr	6	—	0.1%
167	@tinacms/cli	6	—	6.5%
168	aaptjs	6	—	1.2%
169	koa	5	—	0.5%
170	@keystone-6/core	5	—	2.1%
171	keystone	5	—	9.8%
172	katex	5	—	0.5%
173	minimatch	5	—	0.5%
174	serve	5	—	0.7%
175	better-auth	5	—	0.3%
176	happy-dom	5	—	0.7%
177	h3	5	—	0.1%
178	safe-eval	5	—	8.1%
179	@steipete/summarize	5	—	0.1%
180	rendertron	5	—	0.4%
181	yarn	5	—	1.0%
182	seroval	5	—	0.3%
183	xlsx	5	—	8.8%
184	froala-editor	5	—	2.2%
185	ws	5	—	66.1%
186	@perfood/couch-auth	5	—	0.1%
187	vditor	5	—	0.3%
188	path-to-regexp	5	—	0.3%
189	oneuptime	5	—	0.5%
190	vega-functions	5	—	0.5%
191	auth0-js	5	—	0.3%
192	total4	5	—	56.9%
193	trix	5	—	0.6%
194	ua-parser-js	5	—	2.6%
195	ejs	5	—	93.5%
196	dojo	5	—	43.2%
197	@tinacms/graphql	5	—	0.2%
198	mysql2	5	—	68.3%
199	devalue	5	—	0.2%
200	convict	5	—	1.7%
201	mathjs	5	—	1.7%
202	lodash-amd	5	—	14.8%
203	budibase	5	—	0.1%
204	kysely	4	—	0.1%
205	brace-expansion	4	—	0.5%
206	langsmith	4	—	0.0%
207	jquery-validation	4	—	1.1%
208	jsonwebtoken	4	—	37.5%
209	@strapi/admin	4	—	0.3%
210	@intlify/vue-i18n-core	4	—	0.5%
211	hummus	4	—	2.6%
212	socket.io-parser	4	—	0.8%
213	snyk	4	—	4.7%
214	@hono/node-server	4	—	0.5%
215	@apollo/gateway	4	—	0.6%
216	serialize-javascript	4	—	2.9%
217	basic-ftp	4	—	2.0%
218	remarkable	4	—	0.4%
219	@saltcorn/server	4	—	0.2%
220	yui	4	—	0.3%
221	follow-redirects	4	—	1.3%
222	xdlocalstorage	4	—	0.4%
223	postcss	4	—	0.3%
224	@finos/git-proxy	4	—	0.2%
225	vue-i18n	4	—	0.5%
226	webpack	4	—	1.6%
227	@feathersjs/authentication-oauth	4	—	0.1%
228	webpack-dev-server	4	—	0.2%
229	petite-vue-i18n	4	—	0.5%
230	wrangler	4	—	0.2%
231	valine	4	—	1.6%
232	passport-wsfed-saml2	4	—	0.4%
233	@fastify/middie	4	—	0.1%
234	parse-dashboard	4	—	0.0%
235	express-cart	4	—	0.9%
236	@actual-app/sync-server	4	—	0.2%
237	elysia	4	—	0.2%
238	engine.io	4	—	4.1%
239	nodemailer	4	—	0.5%
240	@node-saml/node-saml	4	—	4.6%
241	aws-iot-device-sdk-v2	4	—	0.3%
242	tar-fs	4	—	1.0%
243	erxes	4	—	84.5%
244	auth0-lock	4	—	0.8%
245	moment	4	—	3.1%
246	mongosh	4	—	0.4%
247	meshcentral	4	—	1.4%
248	mcp-server-kubernetes	4	—	0.3%
249	mercurius	4	—	0.4%
250	muhammara	4	—	2.6%
251	convert-svg-core	4	—	2.0%
252	angular-expressions	4	—	30.3%
253	code-server	4	—	0.4%
254	@angular/core	4	—	1.2%
255	materialize-css	4	—	0.3%
256	@builder.io/qwik	4	—	26.2%
257	@budibase/backend-core	4	—	0.1%
258	@clerk/nextjs	4	—	0.3%
259	libxmljs	4	—	4.1%
260	@uppy/companion	4	—	0.5%
261	yapi-vendor	4	—	0.4%
262	browserify-shim	3	—	0.6%
263	@langchain/community	3	—	0.1%
264	keycloak-connect	3	—	1.7%
265	json-pointer	3	—	1.0%
266	@strapi/utils	3	—	3.2%
267	jose-node-cjs-runtime	3	—	0.6%
268	@strapi/core	3	—	0.0%
269	jose	3	—	0.6%
270	jose-node-esm-runtime	3	—	0.6%
271	@strapi/plugin-content-manager	3	—	0.4%
272	jointjs	3	—	1.5%
273	@jmondi/url-to-png	3	—	0.4%
274	layui	3	—	1.7%
275	@janhq/core	3	—	73.6%
276	stimulsoft-dashboards-js	3	—	30.5%
277	@intlify/core-base	3	—	0.5%
278	blamer	3	—	4.7%
279	immer	3	—	0.5%
280	@intlify/core	3	—	0.5%
281	socket.io	3	—	0.4%
282	snowflake-sdk	3	—	0.6%
283	http-proxy-middleware	3	—	0.4%
284	@adonisjs/bodyparser	3	—	0.1%
285	i18next-http-middleware	3	—	0.1%
286	slpjs	3	—	0.4%
287	simplehttpserver	3	—	0.4%
288	simple-markdown	3	—	0.5%
289	slp-validate	3	—	0.4%
290	set-in	3	—	3.9%
291	sm-crypto	3	—	0.0%
292	send	3	—	4.8%
293	samlify	3	—	0.2%
294	@sequelize/core	3	—	0.4%
295	grunt	3	—	2.4%
296	@samanhappy/mcphub	3	—	0.6%
297	glance	3	—	0.7%
298	safer-eval	3	—	10.8%
299	sails	3	—	0.5%
300	@backstage/plugin-techdocs-node	3	—	0.0%