npm packages — vulnerability index
These pages aggregate every CVE that affects a given npm package, sourced from NVD's CPE matching.
About these pages
Each entry below links to the full CVE history for that npm package: severity, CVSS, KEV flag, summary, and the original NVD record. Counts update as new advisories land — typically within hours of publication. The catalog is curated and bounded to ~100 high-impact packages; expansion to PyPI / Maven / crates / Go-modules follows the same shape.
All packages (71)
| Package | CVEs | KEV | Highest CVSS | Latest disclosed |
|---|---|---|---|---|
| Next.js | 51 | 1 | 10.0 | 2026-05-13 |
| Electron | 46 | — | 9.8 | 2026-06-23 |
| axios | 34 | — | 9.9 | 2026-06-11 |
| Angular | 31 | — | 8.8 | 2026-06-22 |
| undici | 30 | — | 7.5 | 2026-06-17 |
| Nuxt | 22 | — | 9.8 | 2026-06-23 |
| Vite | 22 | 1 | 8.3 | 2026-06-22 |
| Sequelize | 14 | — | 10.0 | 2026-03-10 |
| node-tar | 14 | — | 8.8 | 2026-06-22 |
| jQuery | 11 | 1 | 7.5 | 2020-05-19 |
| marked | 11 | — | 7.5 | 2026-04-24 |
| Fastify | 10 | — | 7.5 | 2026-04-15 |
| Handlebars | 10 | — | 9.8 | 2026-03-27 |
| lodash | 10 | — | 9.1 | 2026-03-31 |
| NestJS | 9 | — | 9.8 | 2026-06-22 |
| multer | 9 | — | 7.5 | 2026-06-15 |
| Express | 7 | — | 7.5 | 2024-10-29 |
| Ember.js | 6 | — | 6.1 | 2022-06-30 |
| Mongoose | 6 | — | 9.8 | 2026-05-14 |
| React | 6 | 1 | 10.0 | 2026-01-26 |
| qs | 6 | — | 7.5 | 2026-05-17 |
| EJS | 5 | — | 9.8 | 2023-05-04 |
| Koa | 5 | — | 7.5 | 2026-02-26 |
| minimatch | 5 | — | 7.5 | 2026-02-26 |
| webpack-dev-server | 5 | — | 7.5 | 2026-06-15 |
| Socket.IO | 4 | — | 7.5 | 2026-03-20 |
| hapi | 4 | — | 7.5 | 2018-06-04 |
| jsonwebtoken | 4 | — | 9.8 | 2022-12-23 |
| moment | 4 | — | 7.5 | 2022-07-06 |
| webpack | 4 | — | 9.8 | 2026-02-05 |
| ws | 4 | — | 7.5 | 2026-06-17 |
| node-fetch | 3 | — | 6.1 | 2022-08-01 |
| tough-cookie | 3 | — | 7.5 | 2023-07-01 |
| Ajv | 2 | — | 5.6 | 2026-02-11 |
| Parcel | 2 | — | 7.5 | 2025-09-17 |
| Vue | 2 | — | 4.8 | 2024-10-15 |
| body-parser | 2 | — | 7.5 | 2025-11-24 |
| cookie | 2 | — | 7.5 | 2024-10-04 |
| debug | 2 | — | 3.5 | 2025-09-15 |
| formidable | 2 | — | 9.8 | 2025-04-26 |
| request | 2 | — | 6.1 | 2023-03-16 |
| send | 2 | — | 5.3 | 2024-09-10 |
| serve-static | 2 | — | 5.0 | 2024-09-10 |
| underscore | 2 | — | 5.9 | 2026-03-03 |
| uuid | 2 | — | 7.5 | 2026-04-24 |
| JSON5 | 1 | — | 7.1 | 2022-12-24 |
| Passport | 1 | — | 4.8 | 2022-07-01 |
| Pug | 1 | — | 6.8 | 2021-03-03 |
| async | 1 | — | 7.8 | 2022-04-06 |
| bcrypt | 1 | — | 5.9 | 2020-07-01 |
| got | 1 | — | 5.3 | 2022-06-18 |
| minimist | 1 | — | 5.6 | 2020-03-11 |
| morgan | 1 | — | 9.8 | 2019-03-21 |
| react-dom | 1 | — | 6.1 | 2018-12-31 |
| semver | 1 | — | 5.3 | 2023-06-21 |
| sharp | 1 | — | 6.5 | 2022-05-25 |
| Backbone.js | 0 | — | — | — |
| ESLint | 0 | — | — | — |
| Helmet | 0 | — | — | — |
| Jest | 0 | — | — | — |
| Knex.js | 0 | — | — | — |
| Mocha | 0 | — | — | — |
| Prettier | 0 | — | — | — |
| ShellJS | 0 | — | — | — |
| chalk | 0 | — | — | — |
| commander | 0 | — | — | — |
| cookie-parser | 0 | — | — | — |
| cors | 0 | — | — | — |
| dotenv | 0 | — | — | — |
| validator | 0 | — | — | — |
| yargs | 0 | — | — | — |