npm - @openrewrite/recipes-nodejs - Versions diffs - 0.38.0-20260203-172000 → 0.38.0 - Mend

@openrewrite/recipes-nodejs 0.38.0-20260203-172000 → 0.38.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/dist/resources/advisories-npm.csv +120 -16
package/package.json +1 -1

package/dist/resources/advisories-npm.csv CHANGED Viewed

@@ -630,7 +630,7 @@ CVE-2018-11093,2018-05-23T20:37:46Z,"Cross-Site Scripting in @ckeditor/ckeditor5
 CVE-2018-11537,2022-05-14T03:05:44Z,"Auth0 angular-jwt misinterprets allowlist as regex",angular-jwt,0,0.1.10,,MODERATE,CWE-20,
 CVE-2018-11615,2018-08-31T06:22:50Z,"Mosca REDoS Vulnerability",mosca,0,2.8.2,,HIGH,CWE-185;CWE-20,
 CVE-2018-11647,2022-05-14T03:09:04Z,"oauth2orize-fprm XSS vulnerability",oauth2orize-fprm,0,0.2.1,,MODERATE,CWE-79,
-CVE-2018-12457,2022-05-13T01:49:36Z,"express-cart allows any user to create an admin user",express-cart,0,,,HIGH,CWE-732,
+CVE-2018-12457,2022-05-13T01:49:36Z,"express-cart allows any user to create an admin user",express-cart,0,1.1.6,,HIGH,CWE-732,
 CVE-2018-13339,2022-05-14T03:04:23Z,"Angular Redactor XSS Vulnerability",angular-redactor,0,,1.1.6,MODERATE,CWE-79,
 CVE-2018-13797,2018-09-06T23:24:21Z,"Command Injection in macaddress",macaddress,0,0.2.9,,CRITICAL,CWE-78,
 CVE-2018-13863,2018-09-17T20:44:58Z,"js-bson vulnerable to REDoS",bson,0.5.0,1.0.5,,HIGH,CWE-185;CWE-400,
@@ -1442,7 +1442,7 @@ CVE-2020-7795,2022-08-03T00:00:57Z,"get-npm-package-version Command Injection vu
 CVE-2020-8116,2020-07-29T20:56:59Z,"dot-prop Prototype Pollution vulnerability",dot-prop,0,4.2.1,,HIGH,CWE-1321;CWE-425;CWE-471,
 CVE-2020-8116,2020-07-29T20:56:59Z,"dot-prop Prototype Pollution vulnerability",dot-prop,5.0.0,5.1.1,,HIGH,CWE-1321;CWE-425;CWE-471,
 CVE-2020-8123,2021-12-10T17:22:01Z,"Uncontrolled Resource Consumption in strapi",strapi-admin,0,3.0.0-beta.18.4,,MODERATE,CWE-400,
-CVE-2020-8124,2022-01-06T20:30:34Z,"Improper Validation and Sanitization in url-parse",url-parse,0,1.4.5,,MODERATE,CWE-20,
+CVE-2020-8124,2022-01-06T20:30:34Z,"Improper Validation and Sanitization in url-parse",url-parse,0.1.0,1.4.5,,MODERATE,CWE-20,
 CVE-2020-8125,2021-04-13T15:41:24Z,"Improper Input Validation in klona",klona,0,1.1.1,,HIGH,CWE-20,
 CVE-2020-8127,2021-05-10T18:47:10Z,"Cross-site Scripting in reveal.js",reveal.js,0,3.9.2,,MODERATE,CWE-79,
 CVE-2020-8128,2021-04-13T15:25:24Z,"Server-Side Request Forgery and Inclusion of Functionality from Untrusted Control Sphere in jsreport",jsreport,0,2.6.0,,HIGH,CWE-829;CWE-918,
@@ -1729,7 +1729,7 @@ CVE-2021-27290,2021-03-19T21:24:36Z,"Regular Expression Denial of Service (ReDoS
 CVE-2021-27292,2021-05-06T16:11:13Z,"Regular Expression Denial of Service (ReDoS) in ua-parser-js",ua-parser-js,0.7.14,0.7.24,,HIGH,CWE-400,
 CVE-2021-27405,2021-03-01T20:44:44Z,"Regular expression Denial of Service in @progfay/scrapbox-parser",@progfay/scrapbox-parser,0,6.0.3,,MODERATE,CWE-400,
 CVE-2021-27405,2021-03-01T20:44:44Z,"Regular expression Denial of Service in @progfay/scrapbox-parser",@progfay/scrapbox-parser,7.0.0,7.0.2,,MODERATE,CWE-400,
-CVE-2021-27515,2021-05-06T16:10:51Z,"Path traversal in url-parse",url-parse,0,1.5.0,,MODERATE,CWE-23,
+CVE-2021-27515,2021-05-06T16:10:51Z,"Path traversal in url-parse",url-parse,0.1.0,1.5.0,,MODERATE,CWE-23,
 CVE-2021-27516,2021-03-01T20:03:53Z,"URIjs Hostname spoofing via backslashes in URL",urijs,0,1.19.6,,HIGH,CWE-20,
 CVE-2021-27524,2023-08-11T15:30:46Z,"Margox Braft-Editor Cross-site Scripting Vulnerability",braft-editor,0,,2.3.8,MODERATE,CWE-79,
 CVE-2021-27884,2021-03-26T16:49:26Z,"Weak JSON Web Token in yapi-vendor",yapi-vendor,0,1.9.3,,MODERATE,CWE-330,
@@ -1852,7 +1852,7 @@ CVE-2021-36383,2022-05-24T19:07:30Z,"Xen Orchestra Mishandles Authorization",xo-
 CVE-2021-36383,2022-05-24T19:07:30Z,"Xen Orchestra Mishandles Authorization",xo-web,0,,5.80.0,MODERATE,CWE-863,
 CVE-2021-3645,2021-09-13T20:16:54Z,"merge vulnerable to Prototype Pollution",@viking04/merge,0,1.0.2,,CRITICAL,CWE-1321;CWE-915,
 CVE-2021-3647,2021-07-19T21:22:36Z,"URIjs Vulnerable to Hostname spoofing via backslashes in URL ",urijs,0,1.19.7,,MODERATE,CWE-601,
-CVE-2021-3664,2021-08-10T16:07:08Z,"Open redirect in url-parse",url-parse,0,1.5.2,,MODERATE,CWE-601,
+CVE-2021-3664,2021-08-10T16:07:08Z,"Open redirect in url-parse",url-parse,0.1.0,1.5.2,,MODERATE,CWE-601,
 CVE-2021-3666,2021-09-14T20:25:35Z,"body-parser-xml vulnerable to Prototype Pollution",body-parser-xml,0,2.0.3,,HIGH,CWE-1321;CWE-915,
 CVE-2021-36686,2023-01-26T21:30:29Z,"Cross-site Scripting in yapi-vendor",yapi-vendor,0,,1.9.1,MODERATE,CWE-79,
 CVE-2021-36716,2021-12-10T17:25:21Z,"Improper Input Validation in is-email",is-email,0,1.0.1,,HIGH,CWE-20;CWE-400,
@@ -2036,7 +2036,7 @@ CVE-2022-0624,2022-06-29T00:00:57Z,"Authorization Bypass in parse-path",parse-pa
 CVE-2022-0639,2022-02-18T00:00:33Z,"url-parse Incorrectly parses URLs that include an '@'",url-parse,0,1.5.7,,MODERATE,CWE-639,
 CVE-2022-0654,2022-02-24T00:00:54Z,"Cookie exposure in requestretry",requestretry,0,7.0.0,,HIGH,CWE-200,
 CVE-2022-0686,2022-02-21T00:00:21Z,"Authorization Bypass Through User-Controlled Key in url-parse",url-parse,0,1.5.8,,CRITICAL,CWE-639,
-CVE-2022-0691,2022-02-22T00:00:30Z,"url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.",url-parse,0,1.5.9,,MODERATE,CWE-639,
+CVE-2022-0691,2022-02-22T00:00:30Z,"url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.",url-parse,0.1.0,1.5.9,,MODERATE,CWE-639,
 CVE-2022-0722,2022-06-28T00:01:01Z,"Hostname confusion in parse-url",parse-url,0,6.0.1,,HIGH,CWE-200,
 CVE-2022-0748,2022-03-18T00:01:11Z,"Arbitrary code execution in post-loader",post-loader,0.0.0,,,CRITICAL,CWE-79,
 CVE-2022-0764,2022-02-27T00:00:15Z,"Command injection in strapi",strapi,0,4.1.0,,MODERATE,CWE-77;CWE-78,
@@ -2234,7 +2234,7 @@ CVE-2022-25876,2022-07-02T00:00:19Z,"Server-Side Request Forgery in link-preview
 CVE-2022-25878,2022-05-28T00:00:20Z,"Prototype Pollution in protobufjs",protobufjs,6.10.0,6.10.3,,HIGH,CWE-1321,
 CVE-2022-25878,2022-05-28T00:00:20Z,"Prototype Pollution in protobufjs",protobufjs,6.11.0,6.11.3,,HIGH,CWE-1321,
 CVE-2022-25881,2023-01-31T06:30:26Z,"http-cache-semantics vulnerable to Regular Expression Denial of Service",http-cache-semantics,0,4.1.1,,HIGH,CWE-1333,
-CVE-2022-25883,2023-06-21T06:30:28Z,"semver vulnerable to Regular Expression Denial of Service",semver,0,5.7.2,,HIGH,CWE-1333,
+CVE-2022-25883,2023-06-21T06:30:28Z,"semver vulnerable to Regular Expression Denial of Service",semver,2.0.0-alpha,5.7.2,,HIGH,CWE-1333,
 CVE-2022-25883,2023-06-21T06:30:28Z,"semver vulnerable to Regular Expression Denial of Service",semver,6.0.0,6.3.1,,HIGH,CWE-1333,
 CVE-2022-25883,2023-06-21T06:30:28Z,"semver vulnerable to Regular Expression Denial of Service",semver,7.0.0,7.5.2,,HIGH,CWE-1333,
 CVE-2022-25885,2022-11-01T12:00:30Z,"muhammara and hummus vulnerable to null pointer dereference on bad response object",hummus,1.0.0,1.0.111,,HIGH,CWE-690,
@@ -3088,7 +3088,7 @@ CVE-2024-28181,2024-03-15T19:53:50Z,"TurboBoost Commands vulnerable to arbitrary
 CVE-2024-28181,2024-03-15T19:53:50Z,"TurboBoost Commands vulnerable to arbitrary method invocation",@turbo-boost/commands,0.2.0,0.2.2,,HIGH,CWE-74,
 CVE-2024-28238,2024-03-12T20:47:18Z,"Session Token in URL in directus",directus,0,10.10.0,,LOW,CWE-200;CWE-598,
 CVE-2024-28239,2024-03-12T20:50:48Z,"URL Redirection to Untrusted Site in OAuth2/OpenID in directus",directus,0,10.10.0,,MODERATE,CWE-601,
-CVE-2024-28243,2024-03-25T19:38:18Z,"KaTeX's maxExpand bypassed by `\edef`",katex,0.10.0-beta,0.16.10,,MODERATE,CWE-606;CWE-674,
+CVE-2024-28243,2024-03-25T19:38:18Z,"KaTeX's maxExpand bypassed by `\edef`",katex,0.12.0,0.16.10,,MODERATE,CWE-606;CWE-674,
 CVE-2024-28244,2024-03-25T19:38:29Z,"KaTeX's maxExpand bypassed by Unicode sub/superscripts",katex,0.15.4,0.16.10,,MODERATE,CWE-606;CWE-674,
 CVE-2024-28245,2024-03-25T19:38:34Z,"KaTeX's `\includegraphics` does not escape filename",katex,0.11.0,0.16.10,,MODERATE,CWE-116,
 CVE-2024-28246,2024-03-25T19:38:37Z,"KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols",katex,0.11.0,0.16.10,,MODERATE,CWE-184,
@@ -3538,7 +3538,8 @@ CVE-2024-53847,2024-12-09T20:38:42Z,"Trix editor subject to XSS vulnerabilities
 CVE-2024-53847,2024-12-09T20:38:42Z,"Trix editor subject to XSS vulnerabilities on copy & paste",trix,2.0.0,2.1.9,,MODERATE,CWE-79,
 CVE-2024-53866,2024-12-10T22:42:41Z,"pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion",pnpm,0,9.15.0,,MODERATE,CWE-346;CWE-426,
 CVE-2024-5389,2024-06-10T00:30:39Z,"lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management",lunary,0,1.4.9,,MODERATE,CWE-1220,
-CVE-2024-53900,2024-12-02T21:31:20Z,"Mongoose search injection vulnerability",mongoose,0,6.13.5,,HIGH,CWE-89,
+CVE-2024-53900,2024-12-02T21:31:20Z,"Mongoose search injection vulnerability",mongoose,3.6.0-rc0,5.13.23,,HIGH,CWE-89,
+CVE-2024-53900,2024-12-02T21:31:20Z,"Mongoose search injection vulnerability",mongoose,6.0.0-rc0,6.13.5,,HIGH,CWE-89,
 CVE-2024-53900,2024-12-02T21:31:20Z,"Mongoose search injection vulnerability",mongoose,7.0.0-rc0,7.8.3,,HIGH,CWE-89,
 CVE-2024-53900,2024-12-02T21:31:20Z,"Mongoose search injection vulnerability",mongoose,8.0.0-rc0,8.8.3,,HIGH,CWE-89,
 CVE-2024-53983,2024-12-02T21:36:21Z,"Backstage Scaffolder plugin vulnerable to Server-Side Request Forgery","@backstage/plugin-scaffolder-node",0,0.4.12,,MODERATE,CWE-918,
@@ -3654,11 +3655,12 @@ CVE-2025-1398,2025-03-17T15:31:50Z,"Mattermost Desktop App allows the bypass of
 CVE-2025-14284,2025-12-09T18:30:35Z,"@tiptap/extension-link vulnerable to Cross-site Scripting (XSS)",@tiptap/extension-link,0,2.10.4,,LOW,CWE-79,
 CVE-2025-14505,2026-01-08T21:30:34Z,"Elliptic Uses a Cryptographic Primitive with a Risky Implementation",elliptic,0,,6.6.1,LOW,CWE-1240,
 CVE-2025-1467,2025-02-23T18:30:24Z,"tarteaucitron Cross-site Scripting (XSS)",tarteaucitronjs,0,1.17.0,,LOW,CWE-79,
-CVE-2025-14874,2025-12-18T09:30:30Z,"Nodemailer is vulnerable to DoS through Uncontrolled Recursion",nodemailer,0,7.0.11,,MODERATE,CWE-674;CWE-703,
+CVE-2025-14874,2025-12-01T20:44:25Z,"Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls",nodemailer,0,7.0.11,,LOW,CWE-703,
 CVE-2025-15104,2026-01-16T15:31:25Z,"Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability",vnu-jar,0,,26.1.11,MODERATE,CWE-918,
 CVE-2025-1520,2025-04-23T18:30:58Z,"PostHog Plugin Server SQL Injection Vulnerability",@posthog/plugin-server,0,,1.10.7,HIGH,CWE-89,
 CVE-2025-15265,2026-01-15T20:13:33Z,"svelte vulnerable to Cross-site Scripting",svelte,5.46.0,5.46.4,,MODERATE,CWE-79,
 CVE-2025-15284,2025-12-30T21:02:54Z,"qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",qs,0,6.14.1,,HIGH,CWE-20,
+CVE-2025-15536,2026-01-18T09:30:27Z,"Open Chinese Convert has Out-of-bounds Write",opencc,0,1.2.0,,LOW,CWE-119;CWE-787,
 CVE-2025-1691,2025-02-27T15:31:51Z,"MongoDB Shell may be susceptible to Control Character Injection via autocomplete",mongosh,0,2.3.9,,HIGH,CWE-74,
 CVE-2025-1692,2025-02-27T15:31:51Z,"MongoDB Shell may be susceptible to control character injection via pasting",mongosh,0,2.3.9,,MODERATE,CWE-150,
 CVE-2025-1693,2025-02-27T15:31:51Z,"MongoDB Shell may be susceptible to control character Injection via shell output",mongosh,0,2.3.9,,LOW,CWE-150,
@@ -3937,7 +3939,7 @@ CVE-2025-49595,2025-07-03T14:06:01Z,"n8n Vulnerable to Denial of Service via Mal
 CVE-2025-49596,2025-06-13T22:15:26Z,"MCP Inspector proxy server lacks authentication between the Inspector client and proxy","@modelcontextprotocol/inspector",0,0.14.1,,CRITICAL,CWE-306,
 CVE-2025-49826,2025-07-03T21:14:48Z,"Next.JS vulnerability can lead to DoS via cache poisoning ",next,15.0.4-canary.51,15.1.8,,HIGH,CWE-444,
 CVE-2025-50183,2025-06-18T14:41:25Z,"OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer","@openlist-frontend/openlist-frontend",0,4.0.0-rc.4,,MODERATE,CWE-79,
-CVE-2025-50537,2026-01-26T18:31:29Z,"eslint has a Stack Overflow when serializing objects with circular references",eslint,0,9.26.0,,MODERATE,CWE-674,
+CVE-2025-50537,2026-01-26T18:31:29Z,"Withdrawn Advisory: eslint has a Stack Overflow when serializing objects with circular references",eslint,0,9.26.0,,MODERATE,CWE-674,
 CVE-2025-50538,2025-10-03T21:47:37Z,"Flowise is vulnerable to stored XSS via ""View Messages"" allows credential theft in FlowiseAI admin panel",flowise,0,3.0.8,,CRITICAL,CWE-79,
 CVE-2025-50864,2025-08-20T15:31:42Z,"elysia-cors Origin Validation Error",@elysiajs/cors,0,1.3.1,,MODERATE,CWE-178;CWE-346,
 CVE-2025-50979,2025-08-27T18:31:55Z,"NodeBB SQL Injection vulnerability",nodebb,0,,4.3.0,HIGH,CWE-89,
@@ -4215,7 +4217,21 @@ CVE-2025-59430,2025-09-22T21:09:27Z,"Mesh Connect JS SDK Vulnerable to Cross Sit
 CVE-2025-59433,2025-09-22T18:01:01Z,"@conventional-changelog/git-client has Argument Injection vulnerability","@conventional-changelog/git-client",0,2.0.0,,MODERATE,CWE-88,
 CVE-2025-59471,2026-01-27T19:18:25Z,"Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration",next,10.0.0,15.5.10,,MODERATE,CWE-400;CWE-770,
 CVE-2025-59471,2026-01-27T19:18:25Z,"Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration",next,15.6.0-canary.0,16.1.5,,MODERATE,CWE-400;CWE-770,
-CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.0.0-canary.0,15.6.0-canary.61,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.0.0-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.0.1-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.0.2-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.0.3-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.0.4-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.1.1-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.2.0-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.2.1-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.2.2-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.3.0-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.3.1-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.4.0-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.4.2-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.5.1-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.6.0-canary.0,15.6.0-canary.61,,MODERATE,CWE-400;CWE-409;CWE-770,
 CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,16.0.0-beta.0,16.1.5,,MODERATE,CWE-400;CWE-409;CWE-770,
 CVE-2025-59526,2025-09-22T18:03:47Z,"Mailgen: HTML injection vulnerability in plaintext e-mails",mailgen,0,2.0.30,,MODERATE,CWE-79,
 CVE-2025-59527,2025-09-15T19:53:46Z,"FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability",flowise,3.0.5,3.0.6,,HIGH,CWE-918,
@@ -4239,6 +4255,7 @@ CVE-2025-59936,2025-09-26T14:27:01Z,"get-jwks: poisoned JWKS cache allows post-f
 CVE-2025-60542,2025-10-29T18:30:33Z,"TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update",typeorm,0,0.3.26,,HIGH,CWE-89,
 CVE-2025-60794,2025-11-20T15:30:24Z,"@perfood/couch-auth may expose session tokens, passwords",@perfood/couch-auth,0,,0.21.2,MODERATE,CWE-316,
 CVE-2025-6087,2025-06-16T19:37:16Z,"OpenNext for Cloudflare (opennextjs-cloudflare) has a SSRF vulnerability via /_next/image endpoint",@opennextjs/cloudflare,0,1.3.0,,HIGH,CWE-918,
+CVE-2025-61140,2026-01-28T18:30:47Z,"JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js",jsonpath,0,1.2.0,,MODERATE,CWE-1321,
 CVE-2025-61668,2025-10-01T15:53:43Z," @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user ",@plone/volto,0,16.34.1,,HIGH,CWE-476;CWE-754,
 CVE-2025-61668,2025-10-01T15:53:43Z," @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user ",@plone/volto,17.0.0,17.22.2,,HIGH,CWE-476;CWE-754,
 CVE-2025-61668,2025-10-01T15:53:43Z," @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user ",@plone/volto,18.0.0,18.27.2,,HIGH,CWE-476;CWE-754,
@@ -4252,6 +4269,7 @@ CVE-2025-61913,2025-10-09T15:21:39Z,"Flowise is vulnerable to arbitrary file wri
 CVE-2025-61913,2025-10-09T15:21:39Z,"Flowise is vulnerable to arbitrary file write through its WriteFileTool ",flowise,0,3.0.8,,CRITICAL,CWE-22,
 CVE-2025-61913,2025-10-09T15:21:39Z,"Flowise is vulnerable to arbitrary file write through its WriteFileTool ",flowise-components,0,3.0.8,,CRITICAL,CWE-22,
 CVE-2025-61914,2025-12-26T17:30:19Z,"n8n's Possible Stored XSS in ""Respond to Webhook"" Node May Execute Outside iframe Sandbox",n8n,0,1.114.0,,HIGH,CWE-79,
+CVE-2025-61917,2026-02-04T17:48:11Z,"n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner",n8n,1.65.0,1.114.3,,HIGH,CWE-200;CWE-668,
 CVE-2025-61925,2025-10-10T23:41:29Z,"Astro's `X-Forwarded-Host` is reflected without validation",astro,0,5.14.3,,MODERATE,CWE-20;CWE-470,
 CVE-2025-61927,2025-10-10T23:46:42Z,"Happy DOM: VM Context Escape can lead to Remote Code Execution",happy-dom,0,20.0.0,,CRITICAL,CWE-94,
 CVE-2025-61928,2025-10-09T15:40:50Z,"Better Auth: Unauthenticated API key creation through api-key plugin",better-auth,0,1.3.26,,HIGH,CWE-285;CWE-306,
@@ -4406,6 +4424,7 @@ CVE-2025-68150,2025-12-16T22:35:40Z,"Parse Server is vulnerable to Server-Side R
 CVE-2025-68150,2025-12-16T22:35:40Z,"Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter",parse-server,9.0.0,9.1.1-alpha.1,,HIGH,CWE-918,
 CVE-2025-68154,2025-12-16T22:37:23Z,"systeminformation has a Command Injection vulnerability in fsSize() function on Windows",systeminformation,0,5.27.14,,HIGH,CWE-78,
 CVE-2025-68155,2025-12-16T22:32:26Z,"@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint",@vitejs/plugin-rsc,0,0.5.8,,HIGH,CWE-22;CWE-73,
+CVE-2025-68157,2026-02-05T18:35:28Z,"webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence",webpack,5.49.0,5.104.0,,LOW,CWE-918,
 CVE-2025-68272,2026-01-02T15:20:05Z,"Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding",signalk-server,0,2.19.0,,HIGH,CWE-400;CWE-770,
 CVE-2025-68273,2026-01-02T15:22:11Z,"Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints",signalk-server,0,2.19.0,,MODERATE,CWE-200,
 CVE-2025-68278,2025-12-18T18:45:41Z,"tinacms is vulnerable to arbitrary code execution",@tinacms/cli,0,2.0.4,,HIGH,CWE-94,
@@ -4417,6 +4436,7 @@ CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environ
 CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,8.0.0,8.6.15,,HIGH,CWE-200;CWE-538;CWE-541,
 CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,9.0.0,9.1.17,,HIGH,CWE-200;CWE-538;CWE-541,
 CVE-2025-68457,2025-12-19T19:17:26Z,"Orejime has executable code in HTML attributes",orejime,0,2.3.2,,LOW,CWE-79,
+CVE-2025-68458,2026-02-05T18:38:10Z,"webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior",webpack,5.49.0,5.104.1,,LOW,CWE-918,
 CVE-2025-68470,2026-01-08T20:48:21Z,"React Router has unexpected external redirect via untrusted paths",react-router,6.0.0,6.30.2,,MODERATE,CWE-601,
 CVE-2025-68470,2026-01-08T20:48:21Z,"React Router has unexpected external redirect via untrusted paths",react-router,7.0.0,7.9.6,,MODERATE,CWE-601,
 CVE-2025-68475,2025-12-22T21:36:55Z,"Fedify has ReDoS Vulnerability in HTML Parsing Regex",@fedify/fedify,0,1.6.13,,HIGH,CWE-1333,
@@ -4442,6 +4462,10 @@ CVE-2025-69256,2025-12-31T22:05:32Z,"serverless MCP Server vulnerable to Command
 CVE-2025-69262,2026-01-07T18:51:07Z,"pnpm vulnerable to Command Injection via environment variable substitution",pnpm,6.25.0,10.27.0,,HIGH,CWE-78;CWE-94,
 CVE-2025-69263,2026-01-07T19:06:59Z,"pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies",pnpm,0,10.26.0,,HIGH,CWE-494,
 CVE-2025-69264,2026-01-07T19:07:43Z,"pnpm v10+ Bypass ""Dependency lifecycle scripts execution disabled by default""",pnpm,10.0.0,10.26.0,,HIGH,CWE-693,
+CVE-2025-69970,2026-02-03T18:30:47Z,"FUXA contains an insecure default configuration vulnerability",fuxa-server,0,,1.2.7,HIGH,CWE-306,
+CVE-2025-69971,2026-02-03T18:30:47Z,"FUXA contains a hard-coded credential vulnerability",fuxa-server,0,,1.2.7,HIGH,CWE-798,
+CVE-2025-69981,2026-02-03T18:30:47Z,"FUXA contains an Unrestricted File Upload vulnerability",fuxa-server,0,,1.2.7,HIGH,CWE-306,
+CVE-2025-69983,2026-02-03T18:30:47Z,"FUXA allows Remote Code Execution (RCE) via the project import functionality.",fuxa-server,0,,1.2.7,HIGH,CWE-78,
 CVE-2025-7338,2025-07-17T21:01:54Z,"Multer vulnerable to Denial of Service via unhandled exception from malformed request",multer,1.4.4-lts.1,2.0.2,,HIGH,CWE-248,
 CVE-2025-7339,2025-07-17T21:17:19Z,"on-headers is vulnerable to http response header manipulation",on-headers,0,1.1.0,,LOW,CWE-241,
 CVE-2025-7783,2025-07-21T19:04:54Z,"form-data uses unsafe random function in form-data for choosing boundary",form-data,0,2.5.4,,CRITICAL,CWE-330,
@@ -4467,6 +4491,7 @@ CVE-2025-9862,2025-09-15T20:31:14Z,"Ghost vulnerable to Server Side Request Forg
 CVE-2025-9862,2025-09-15T20:31:14Z,"Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark",ghost,6.0.0,6.0.9,,MODERATE,CWE-918,
 CVE-2025-9910,2025-09-11T06:30:23Z,"jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin",jsondiffpatch,0,0.7.2,,MODERATE,CWE-79,
 CVE-2026-0621,2026-01-05T21:30:33Z,"Anthropic's MCP TypeScript SDK has a ReDoS vulnerability","@modelcontextprotocol/sdk",0,1.25.2,,HIGH,CWE-1333,
+CVE-2026-0775,2026-01-23T06:31:24Z,"Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability",npm,0,,11.8.0,HIGH,CWE-732,
 CVE-2026-0824,2026-01-10T15:31:22Z,"QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting",@questdb/web-console,0,1.1.10,,LOW,CWE-79,
 CVE-2026-0933,2026-01-21T23:00:35Z,"Wrangler affected by OS Command Injection in `wrangler pages deploy`",wrangler,2.0.15,3.114.17,,HIGH,CWE-78,
 CVE-2026-0933,2026-01-21T23:00:35Z,"Wrangler affected by OS Command Injection in `wrangler pages deploy`",wrangler,4.0.0,4.59.1,,HIGH,CWE-78,
@@ -4475,6 +4500,7 @@ CVE-2026-1470,2026-01-27T15:30:32Z,"n8n Unsafe Workflow Expression Evaluation Al
 CVE-2026-1470,2026-01-27T15:30:32Z,"n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution",n8n,2.0.0,2.4.5,,CRITICAL,CWE-95,
 CVE-2026-1470,2026-01-27T15:30:32Z,"n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution",n8n,2.5.0,2.5.1,,CRITICAL,CWE-95,
 CVE-2026-1513,2026-01-28T03:30:30Z,"billboard.js is vulnerable to XSS during chart option binding",billboard.js,0,3.18.0,,HIGH,CWE-79,
+CVE-2026-1664,2026-02-03T18:42:01Z,"Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing",agents,0,0.3.7,,MODERATE,CWE-639,
 CVE-2026-21440,2026-01-02T18:58:32Z,"AdonisJS Path Traversal in Multipart File Handling",@adonisjs/bodyparser,0,10.1.2,,CRITICAL,CWE-22,
 CVE-2026-21440,2026-01-02T18:58:32Z,"AdonisJS Path Traversal in Multipart File Handling",@adonisjs/bodyparser,11.0.0-next.0,11.0.0-next.6,,CRITICAL,CWE-22,
 CVE-2026-21852,2026-01-21T01:00:31Z,"Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation","@anthropic-ai/claude-code",0,2.0.65,,MODERATE,CWE-522,
@@ -4482,6 +4508,7 @@ CVE-2026-21858,2026-01-07T19:20:19Z,"n8n Vulnerable to Unauthenticated File Acce
 CVE-2026-21877,2026-01-06T17:48:24Z,"n8n Vulnerable to RCE via Arbitrary File Write",n8n,0.123.0,1.121.3,,CRITICAL,CWE-434,
 CVE-2026-21884,2026-01-08T20:50:05Z,"React Router SSR XSS in ScrollRestoration",@remix-run/react,0,2.17.3,,HIGH,CWE-79,
 CVE-2026-21884,2026-01-08T20:50:05Z,"React Router SSR XSS in ScrollRestoration",react-router,7.0.0,7.12.0,,HIGH,CWE-79,
+CVE-2026-21893,2026-02-04T17:49:38Z,"n8n Vulnerable to Command Injection in Community Package Installation",n8n,0.187.0,1.120.3,,CRITICAL,CWE-20;CWE-78,
 CVE-2026-21894,2026-01-07T19:22:54Z,"n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks",n8n,0.150.0,2.2.2,,MODERATE,CWE-290,
 CVE-2026-22028,2026-01-07T19:28:15Z,"Preact has JSON VNode Injection issue",preact,10.26.5,10.26.10,,HIGH,CWE-843,
 CVE-2026-22028,2026-01-07T19:28:15Z,"Preact has JSON VNode Injection issue",preact,10.27.0,10.27.3,,HIGH,CWE-843,
@@ -4534,10 +4561,11 @@ CVE-2026-22817,2026-01-13T21:51:44Z,"Hono JWT Middleware's JWT Algorithm Confusi
 CVE-2026-22818,2026-01-13T21:52:03Z,"Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks ""alg"" (untrusted header.alg fallback)",hono,0,4.11.4,,HIGH,CWE-347,
 CVE-2026-22819,2026-01-13T21:53:30Z,"Outray has a Race Condition in the cli's webapp",outray,0,0.1.5,,MODERATE,CWE-366,
 CVE-2026-22820,2026-01-13T21:53:44Z,"Outray cli is vulnerable to race conditions in tunnels creation",outray,0,0.1.5,,MODERATE,CWE-367,
+CVE-2026-23515,2026-02-02T18:10:32Z,"Signal K set-system-time plugin vulnerable to RCE - Command Injection",@signalk/set-system-time,0,1.5.0,,CRITICAL,CWE-78,
 CVE-2026-23522,2026-01-20T17:14:39Z,"Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion",@lobehub/chat,0,,1.143.2,LOW,CWE-284,
 CVE-2026-23527,2026-01-15T20:10:51Z,"h3 v1 has Request Smuggling (TE.TE) issue",h3,0,1.15.5,,HIGH,CWE-444,
 CVE-2026-23634,2026-01-15T20:14:31Z,"Pepr Has Overly Permissive RBAC ClusterRole in Admin Mode",pepr,0,1.0.5,,LOW,CWE-272;CWE-276,
-CVE-2026-23733,2026-01-20T17:54:49Z,"Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)",@lobehub/chat,0,,1.143.2,MODERATE,CWE-94,
+CVE-2026-23733,2026-01-20T17:54:49Z,"Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)",@lobehub/chat,0,,1.143.2,CRITICAL,CWE-94,
 CVE-2026-23735,2026-01-16T21:09:08Z,"GraphQL Modules has a Race Condition issue",graphql-modules,2.2.1,2.4.1,,HIGH,CWE-362,
 CVE-2026-23735,2026-01-16T21:09:08Z,"GraphQL Modules has a Race Condition issue",graphql-modules,3.0.0,3.1.1,,HIGH,CWE-362,
 CVE-2026-23736,2026-01-21T15:41:14Z,"seroval Affected by Prototype Pollution via JSON Deserialization",seroval,0,1.4.1,,HIGH,CWE-1321,
@@ -4558,6 +4586,9 @@ CVE-2026-23864,2026-01-29T15:00:30Z,"React Server Components have multiple Denia
 CVE-2026-23888,2026-01-26T21:02:49Z,"pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)",pnpm,0,10.28.1,,MODERATE,CWE-22;CWE-23;CWE-426,
 CVE-2026-23889,2026-01-26T21:02:44Z,"pnpm has Windows-specific tarball Path Traversal",pnpm,0,10.28.1,,MODERATE,CWE-22,
 CVE-2026-23890,2026-01-26T21:02:39Z,"pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin",pnpm,0,10.28.1,,MODERATE,CWE-23,
+CVE-2026-23897,2026-02-04T18:02:26Z,"Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`",@apollo/server,4.2.0,4.13.0,,HIGH,CWE-1333,
+CVE-2026-23897,2026-02-04T18:02:26Z,"Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`",@apollo/server,5.0.0,5.4.0,,HIGH,CWE-1333,
+CVE-2026-23897,2026-02-04T18:02:26Z,"Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`",apollo-server,2.0.0,,3.13.0,HIGH,CWE-1333,
 CVE-2026-23947,2026-01-21T01:01:13Z,"Orval has a code injection via unsanitized x-enum-descriptions in enum generation",@orval/core,0,7.19.0,,CRITICAL,CWE-77,
 CVE-2026-23947,2026-01-21T01:01:13Z,"Orval has a code injection via unsanitized x-enum-descriptions in enum generation",@orval/core,8.0.0-rc.0,8.0.2,,CRITICAL,CWE-77,
 CVE-2026-23950,2026-01-21T01:05:49Z,"Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS",tar,0,7.5.4,,HIGH,CWE-176,
@@ -4571,6 +4602,8 @@ CVE-2026-24001,2026-01-14T21:34:12Z,"jsdiff has a Denial of Service vulnerabilit
 CVE-2026-24001,2026-01-14T21:34:12Z,"jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",diff,5.0.0,5.2.2,,LOW,CWE-1333;CWE-400,
 CVE-2026-24001,2026-01-14T21:34:12Z,"jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",diff,6.0.0,8.0.3,,LOW,CWE-1333;CWE-400,
 CVE-2026-24006,2026-01-22T18:02:22Z,"Seroval affected by Denial of Service via Deeply Nested Objects",seroval,0,1.4.1,,HIGH,CWE-770,
+CVE-2026-24040,2026-02-02T18:20:02Z,"jsPDF has Shared State Race Condition in addJS Plugin",jspdf,0,4.1.0,,MODERATE,CWE-200;CWE-362,
+CVE-2026-24043,2026-02-02T18:28:29Z,"jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)",jspdf,0,4.1.0,,MODERATE,CWE-20;CWE-74,
 CVE-2026-24046,2026-01-21T22:36:36Z,"Backstage has a Possible Symlink Path Traversal in Scaffolder Actions","@backstage/backend-defaults",0,0.12.2,,HIGH,CWE-22;CWE-59,
 CVE-2026-24046,2026-01-21T22:36:36Z,"Backstage has a Possible Symlink Path Traversal in Scaffolder Actions","@backstage/backend-defaults",0.13.0,0.13.2,,HIGH,CWE-22;CWE-59,
 CVE-2026-24046,2026-01-21T22:36:36Z,"Backstage has a Possible Symlink Path Traversal in Scaffolder Actions","@backstage/backend-defaults",0.14.0,0.14.1,,HIGH,CWE-22;CWE-59,
@@ -4583,14 +4616,19 @@ CVE-2026-24047,2026-01-21T22:40:51Z,"@backstage/cli-common has a possible `resol
 CVE-2026-24048,2026-01-21T22:49:37Z,"Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`","@backstage/backend-defaults",0,0.12.2,,LOW,CWE-918,
 CVE-2026-24048,2026-01-21T22:49:37Z,"Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`","@backstage/backend-defaults",0.13.0,0.13.2,,LOW,CWE-918,
 CVE-2026-24048,2026-01-21T22:49:37Z,"Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`","@backstage/backend-defaults",0.14.0,0.14.1,,LOW,CWE-918,
+CVE-2026-24052,2026-02-03T19:15:59Z,"Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains","@anthropic-ai/claude-code",0,1.0.111,,HIGH,CWE-601,
+CVE-2026-24053,2026-02-03T19:32:01Z,"Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes","@anthropic-ai/claude-code",0,2.0.74,,HIGH,CWE-22;CWE-78,
 CVE-2026-24056,2026-01-26T21:02:33Z,"pnpm has symlink traversal in file:/git dependencies",pnpm,0,10.28.2,,MODERATE,CWE-22;CWE-59,
 CVE-2026-24131,2026-01-26T21:29:58Z,"pnpm has Path Traversal via arbitrary file permission modification ",pnpm,0,10.28.2,,MODERATE,CWE-22;CWE-732,
 CVE-2026-24132,2026-01-22T18:09:13Z,"Orval Mock Generation Code Injection via const",@orval/mock,0,7.20.0,,HIGH,CWE-77,
 CVE-2026-24132,2026-01-22T18:09:13Z,"Orval Mock Generation Code Injection via const",@orval/mock,8.0.0-rc.0,8.0.3,,HIGH,CWE-77,
+CVE-2026-24133,2026-02-02T18:29:13Z,"jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder",jspdf,0,4.1.0,,HIGH,CWE-20;CWE-400;CWE-770,
 CVE-2026-24134,2026-01-27T22:13:52Z,"StudioCMS has Authorization Bypass Through User-Controlled Key",studiocms,0,0.2.0,,MODERATE,CWE-639;CWE-862,
 CVE-2026-24398,2026-01-27T19:01:43Z,"Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing",hono,0,4.11.7,,MODERATE,CWE-185,
 CVE-2026-24472,2026-01-27T19:04:17Z,"Hono cache middleware ignores ""Cache-Control: private"" leading to Web Cache Deception",hono,0,4.11.7,,MODERATE,CWE-524;CWE-613,
 CVE-2026-24473,2026-01-27T19:09:01Z,"Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)",hono,0,4.11.7,,MODERATE,CWE-200;CWE-284;CWE-668,
+CVE-2026-24737,2026-02-02T18:29:49Z,"jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution",jspdf,0,4.1.0,,HIGH,CWE-116,
+CVE-2026-24763,2026-02-02T23:39:47Z,"OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable",clawdbot,0,2026.1.29,,HIGH,CWE-78,
 CVE-2026-24766,2026-01-28T21:41:26Z,"NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS",nocodb,0,0.301.0,,MODERATE,CWE-1321,
 CVE-2026-24767,2026-01-28T21:41:18Z,"NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality",nocodb,0,0.301.0,,MODERATE,CWE-918,
 CVE-2026-24768,2026-01-28T21:41:10Z,"NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter",nocodb,0,0.301.0,,MODERATE,CWE-601,
@@ -4601,13 +4639,75 @@ CVE-2026-24778,2026-01-28T16:11:59Z,"Ghost vulnerable to XSS via malicious Porta
 CVE-2026-24778,2026-01-28T16:11:59Z,"Ghost vulnerable to XSS via malicious Portal preview links",ghost,5.43.0,5.121.0,,HIGH,CWE-79,
 CVE-2026-24778,2026-01-28T16:11:59Z,"Ghost vulnerable to XSS via malicious Portal preview links",ghost,6.0.0,6.15.0,,HIGH,CWE-79,
 CVE-2026-24842,2026-01-28T16:35:31Z,"node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",tar,0,7.5.7,,HIGH,CWE-22;CWE-59,
+CVE-2026-24884,2026-02-03T17:42:18Z,"Compressing Vulnerable to Arbitrary File Write via Symlink Extraction",compressing,0,1.10.4,,HIGH,CWE-59,
+CVE-2026-24884,2026-02-03T17:42:18Z,"Compressing Vulnerable to Arbitrary File Write via Symlink Extraction",compressing,2.0.0,2.0.1,,HIGH,CWE-59,
+CVE-2026-24887,2026-02-03T19:33:32Z,"Claude Code has a Command Injection in find Command Bypasses User Approval Prompt","@anthropic-ai/claude-code",0,2.0.72,,HIGH,CWE-78;CWE-94,
 CVE-2026-24888,2026-01-29T15:18:33Z,"Maker.js has Unsafe Property Copying in makerjs.extendObject",makerjs,0,0.19.2,,MODERATE,CWE-1321,
 CVE-2026-24909,2026-01-28T00:31:42Z,"vlt Mishandles Path Sanitization for tar",@vltpkg/tar,0,1.0.0-rc.10,,MODERATE,CWE-23,
 CVE-2026-25047,2026-01-29T22:21:32Z,"deepHas vulnerable to Prototype Pollution via constructor.prototype",deephas,0,1.0.8,,CRITICAL,CWE-1321,
+CVE-2026-25049,2026-02-04T18:03:09Z,"n8n Has Expression Escape Vulnerability Leading to RCE",n8n,0,1.123.17,,CRITICAL,CWE-913,
+CVE-2026-25049,2026-02-04T18:03:09Z,"n8n Has Expression Escape Vulnerability Leading to RCE",n8n,2.0.0,2.5.2,,CRITICAL,CWE-913,
 CVE-2026-25050,2026-01-30T19:35:40Z,"Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy",@vendure/core,0,3.5.3,,LOW,CWE-202,
+CVE-2026-25051,2026-02-04T18:15:51Z,"n8n's Improper CSP Enforcement in Webhook Responses May Allow Stored XSS",n8n,0,1.122.5,,HIGH,CWE-79,
+CVE-2026-25051,2026-02-04T18:15:51Z,"n8n's Improper CSP Enforcement in Webhook Responses May Allow Stored XSS",n8n,1.123.0,1.123.2,,HIGH,CWE-79,
+CVE-2026-25052,2026-02-04T18:25:29Z,"n8n's Improper File Access Controls Allow Arbitrary File Read by Authenticated Users",n8n,0,1.123.18,,CRITICAL,CWE-367,
+CVE-2026-25052,2026-02-04T18:25:29Z,"n8n's Improper File Access Controls Allow Arbitrary File Read by Authenticated Users",n8n,2.0.0,2.5.0,,CRITICAL,CWE-367,
+CVE-2026-25053,2026-02-04T18:38:13Z,"n8n has OS Command Injection in Git Node",n8n,0,1.123.10,,CRITICAL,CWE-78,
+CVE-2026-25053,2026-02-04T18:38:13Z,"n8n has OS Command Injection in Git Node",n8n,2.0.0,2.5.0,,CRITICAL,CWE-78,
+CVE-2026-25054,2026-02-04T19:35:20Z,"n8n Has Stored Cross-site Scripting via Markdown Rendering in Workflow UI",n8n,0,1.123.9,,HIGH,CWE-79,
+CVE-2026-25054,2026-02-04T19:35:20Z,"n8n Has Stored Cross-site Scripting via Markdown Rendering in Workflow UI",n8n,2.0.0,2.2.1,,HIGH,CWE-79,
+CVE-2026-25055,2026-02-04T19:36:29Z,"n8n Vulnerable to Arbitrary File Write on Remote Systems via SSH Node",n8n,0,1.123.12,,HIGH,CWE-22,
+CVE-2026-25055,2026-02-04T19:36:29Z,"n8n Vulnerable to Arbitrary File Write on Remote Systems via SSH Node",n8n,2.0.0,2.4.0,,HIGH,CWE-22,
+CVE-2026-25056,2026-02-04T19:39:41Z,"n8n Merge Node has Arbitrary File Write leading to RCE",n8n,0,1.118.0,,CRITICAL,CWE-434;CWE-693,
+CVE-2026-25056,2026-02-04T19:39:41Z,"n8n Merge Node has Arbitrary File Write leading to RCE",n8n,2.0.0,2.4.0,,CRITICAL,CWE-434;CWE-693,
+CVE-2026-25115,2026-02-04T19:42:03Z,"n8n has a Python sandbox escape",n8n,0,2.4.8,,CRITICAL,CWE-693,
 CVE-2026-25128,2026-01-30T20:10:14Z,"fast-xml-parser has RangeError DoS Numeric Entities Bug",fast-xml-parser,4.3.6,5.3.4,,HIGH,CWE-248,
 CVE-2026-25141,2026-01-30T21:17:25Z,"Orval has Code Injection via unsanitized x-enum-descriptions using JS comments",@orval/core,7.19.0,7.21.0,,CRITICAL,CWE-84;CWE-94,
 CVE-2026-25141,2026-01-30T21:17:25Z,"Orval has Code Injection via unsanitized x-enum-descriptions using JS comments",@orval/core,8.0.0,8.2.0,,CRITICAL,CWE-84;CWE-94,
+CVE-2026-25142,2026-02-02T20:17:39Z,"SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE",@nyariv/sandboxjs,0,0.8.27,,CRITICAL,CWE-94,
+CVE-2026-25148,2026-02-03T20:47:55Z,"Qwik SSR XSS via Unsafe Virtual Node Serialization",@builder.io/qwik-city,0,1.19.0,,MODERATE,CWE-79,
+CVE-2026-25149,2026-02-03T20:58:25Z,"Qwik City Open Redirect via fixTrailingSlash",@builder.io/qwik-city,0,1.19.0,,LOW,CWE-601,
+CVE-2026-25150,2026-02-03T20:49:22Z,"Prototype Pollution via FormData Processing in Qwik City",@builder.io/qwik-city,0,1.19.0,,CRITICAL,CWE-1321,
+CVE-2026-25151,2026-02-03T20:49:58Z,"Qwik City has a CSRF Protection Bypass via Content-Type Header Validation",@builder.io/qwik-city,0,1.19.0,,MODERATE,CWE-352,
+CVE-2026-25152,2026-02-02T14:36:39Z,"@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator","@backstage/plugin-techdocs-node",0,1.13.11,,MODERATE,CWE-22,
+CVE-2026-25152,2026-02-02T14:36:39Z,"@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator","@backstage/plugin-techdocs-node",1.14.0,1.14.1,,MODERATE,CWE-22,
+CVE-2026-25153,2026-02-02T20:19:58Z,"@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks","@backstage/plugin-techdocs-node",0,1.13.11,,HIGH,CWE-94,
+CVE-2026-25153,2026-02-02T20:19:58Z,"@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks","@backstage/plugin-techdocs-node",1.14.0,1.14.1,,HIGH,CWE-94,
+CVE-2026-25155,2026-02-03T20:59:18Z,"Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)",@builder.io/qwik-city,0,1.12.0,,MODERATE,CWE-352,
+CVE-2026-25157,2026-02-02T23:41:35Z,"OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand",clawdbot,0,2026.1.29,,HIGH,CWE-78,
+CVE-2026-25223,2026-02-02T22:23:29Z,"Fastify's Content-Type header tab character allows body validation bypass",fastify,0,5.7.2,,HIGH,CWE-436,
+CVE-2026-25224,2026-02-02T22:25:05Z,"Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream",fastify,0,5.7.3,,LOW,CWE-770,
+CVE-2026-25228,2026-02-02T22:26:31Z,"SignalK Server has Path Traversal leading to information disclosure",signalk-server,0,2.20.3,,MODERATE,CWE-22,
+CVE-2026-25253,2026-02-02T23:41:05Z,"OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl",clawdbot,0,2026.1.29,,HIGH,CWE-668,
+CVE-2026-25475,2026-02-04T19:02:51Z,"OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction",openclaw,0,2026.1.30,,MODERATE,CWE-200;CWE-22,
+CVE-2026-25520,2026-02-05T20:41:28Z,"@nyariv/sandboxjs has a Sandbox Escape issue",@nyariv/sandboxjs,0,0.8.29,,CRITICAL,CWE-74,
+CVE-2026-25521,2026-02-02T22:21:54Z,"locutus is vulnerable to Prototype Pollution",locutus,2.0.12,2.0.39,,CRITICAL,CWE-1321,
+CVE-2026-25533,2026-02-05T17:49:35Z,"Sandbox escape via infinite recursion and error objects",@enclave-vm/core,0,2.10.1,,MODERATE,CWE-835,
+CVE-2026-25533,2026-02-05T17:49:35Z,"Sandbox escape via infinite recursion and error objects",enclave-vm,0,,2.7.0,MODERATE,CWE-835,
+CVE-2026-25536,2026-02-04T20:04:16Z,"@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse","@modelcontextprotocol/sdk",1.10.0,1.26.0,,HIGH,CWE-362,
+CVE-2026-25544,2026-02-05T20:51:38Z,"@payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters",@payloadcms/drizzle,0,3.73.0,,CRITICAL,CWE-89,
+CVE-2026-25546,2026-02-04T20:02:32Z,"godot-mcp has Command Injection via unsanitized projectPath",@coding-solo/godot-mcp,0,0.1.1,,HIGH,CWE-78,
+CVE-2026-25547,2026-02-03T19:41:15Z,"@isaacs/brace-expansion has Uncontrolled Resource Consumption",@isaacs/brace-expansion,0,5.0.1,,HIGH,CWE-1333,
+CVE-2026-25574,2026-02-05T21:02:20Z,"payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)",payload,0,3.74.0,,MODERATE,CWE-639,
+CVE-2026-25581,2026-02-06T18:34:30Z,"SCEditor has DOM XSS via emoticon URL/HTML injection",sceditor,0,3.2.1,,MODERATE,CWE-79,
+CVE-2026-25586,2026-02-05T21:04:58Z,"@nyariv/sandboxjs has Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution",@nyariv/sandboxjs,0,0.8.29,,CRITICAL,CWE-74,
+CVE-2026-25587,2026-02-05T21:05:59Z,"@nyariv/sandboxjs has a Sandbox Escape vulnerability",@nyariv/sandboxjs,0,0.8.29,,CRITICAL,CWE-74;CWE-94,
+CVE-2026-25593,2026-02-04T20:06:46Z,"OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply",openclaw,0,2026.1.20,,HIGH,CWE-20;CWE-306;CWE-78,
+CVE-2026-25630,2026-02-04T20:07:34Z,"survey-pdf Upgraded jsPDF Version Due to Security Vulnerability",survey-pdf,0,1.12.59,,CRITICAL,CWE-35;CWE-73,
+CVE-2026-25630,2026-02-04T20:07:34Z,"survey-pdf Upgraded jsPDF Version Due to Security Vulnerability",survey-pdf,2.0.0,2.5.5,,CRITICAL,CWE-35;CWE-73,
+CVE-2026-25631,2026-02-04T20:33:27Z,"n8n's domain allowlist bypass enables credential exfiltration",n8n,0,1.121.0,,MODERATE,CWE-20,
+CVE-2026-25641,2026-02-05T21:33:04Z,"@nyariv/sandboxjs vulnerable to sandbox escape via TOCTOU bug on keys in property accesses",@nyariv/sandboxjs,0,0.8.29,,CRITICAL,CWE-367;CWE-74,
+CVE-2026-25651,2026-02-06T18:54:33Z,"client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect",client-certificate-auth,0.2.1,1.0.0,,MODERATE,CWE-601,
+CVE-2026-25722,2026-02-06T19:02:41Z,"Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection","@anthropic-ai/claude-code",0,2.0.57,,HIGH,CWE-20;CWE-78,
+CVE-2026-25723,2026-02-06T19:04:51Z,"Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions","@anthropic-ai/claude-code",0,2.0.55,,HIGH,CWE-20;CWE-78,
+CVE-2026-25724,2026-02-06T19:08:04Z,"Claude Code has Permission Deny Bypass Through Symbolic Links","@anthropic-ai/claude-code",0,2.1.7,,LOW,CWE-285;CWE-61,
+CVE-2026-25725,2026-02-06T19:14:33Z,"Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json","@anthropic-ai/claude-code",0,2.1.2,,HIGH,CWE-501;CWE-668,
+CVE-2026-25751,2026-02-05T00:33:44Z,"FUXA Unauthenticated Exposure of Plaintext Database Credentials",fuxa-server,0,1.2.10,,CRITICAL,CWE-306;CWE-312,
+CVE-2026-25752,2026-02-05T00:38:25Z,"FUXA Unauthenticated Remote Arbitrary Device Tag Write",fuxa-server,0,1.2.10,,CRITICAL,CWE-862,
+CVE-2026-25754,2026-02-06T19:27:30Z,"AdonisJS multipart body parsing has Prototype Pollution issue",@adonisjs/bodyparser,0,10.1.3,,HIGH,CWE-1321,
+CVE-2026-25754,2026-02-06T19:27:30Z,"AdonisJS multipart body parsing has Prototype Pollution issue",@adonisjs/bodyparser,11.0.0-next.0,11.0.0-next.9,,HIGH,CWE-1321,
+CVE-2026-25762,2026-02-06T19:53:55Z,"AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection",@adonisjs/bodyparser,0,10.1.3,,HIGH,CWE-400;CWE-770,
+CVE-2026-25762,2026-02-06T19:53:55Z,"AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection",@adonisjs/bodyparser,11.0.0-next.0,11.0.0-next.9,,HIGH,CWE-400;CWE-770,
 GHSA-224h-p7p5-rh85,2020-09-01T17:32:26Z,"Directory Traversal in wenluhong1",wenluhong1,0.0.0,,,HIGH,CWE-22,
 GHSA-224p-v68g-5g8f,2025-08-26T18:45:55Z,"GraphQL Armor Max-Depth Plugin Bypass via fragment caching","@escape.tech/graphql-armor-max-depth",0,2.4.2,,MODERATE,CWE-400,
 GHSA-226w-6hhj-69hp,2020-09-03T19:06:52Z,"Malicious Package in cal_rd",cal_rd,0.0.0,,,CRITICAL,CWE-506,
@@ -4658,6 +4758,7 @@ GHSA-2w9p-xf5h-qwj3,2023-03-27T03:30:16Z,"Duplicate Advisory: pullit Command Inj
 GHSA-2xv3-h762-ccxv,2019-05-29T19:18:02Z,"Out-of-bounds Read in concat-with-sourcemaps",concat-with-sourcemaps,1.0.0,1.0.6,,MODERATE,CWE-125,
 GHSA-2xw5-3767-qxvm,2020-09-11T21:21:20Z,"Malicious Package in ng-ui-library",ng-ui-library,1.0.987,1.0.990,,CRITICAL,CWE-506,
 GHSA-3233-rgx3-c2wh,2018-10-09T00:38:09Z,"Moderate severity vulnerability that affects mustache",mustache,0,2.2.1,,MODERATE,,
+GHSA-32cc-x95p-fxcg,2026-02-05T00:36:30Z,"FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration",fuxa-server,0,1.2.10,,CRITICAL,CWE-1188;CWE-321,
 GHSA-32vw-r77c-gm67,2020-08-03T17:57:05Z,"Withdrawn Advisory: marked cross-site scripting vulnerability",marked,0,0.3.3,,MODERATE,,
 GHSA-33gc-f8v9-v8hm,2020-09-01T20:41:40Z,"Malicious Package in ladder-text-js",ladder-text-js,0,,,CRITICAL,CWE-506,
 GHSA-353r-3v84-9pjj,2020-09-01T20:40:36Z,"Malicious Package in nothing-js",nothing-js,0,,,CRITICAL,CWE-506,
@@ -4679,7 +4780,7 @@ GHSA-3cpj-mj3q-82wr,2020-09-04T16:49:43Z,"Malicious Package in bs58chek",bs58che
 GHSA-3f44-xw83-3pmg,2026-01-13T20:29:12Z,"Renovate vulnerable to arbitrary command injection via helmv3 manager and malicious Chart.yaml file",renovate,31.51.0,40.33.0,,MODERATE,CWE-77,
 GHSA-3f95-w5h5-fq86,2020-09-11T21:22:24Z,"Prototype Pollution in mergify",mergify,0,,,MODERATE,CWE-1321,
 GHSA-3f97-rj68-2pjf,2020-09-03T21:48:35Z,"Malicious Package in buffe2-xor",buffe2-xor,0.0.0,,,CRITICAL,CWE-506,
-GHSA-3fc5-9x9m-vqc4,2019-06-03T17:31:32Z,"Privilege Escalation in express-cart",express-cart,0,1.1.6,,CRITICAL,,
+GHSA-3fc5-9x9m-vqc4,2019-06-03T17:31:32Z,"Duplicate Advisory: Privilege Escalation in express-cart",express-cart,0,1.1.6,,CRITICAL,,
 GHSA-3g4j-r53p-22wx,2025-10-17T18:31:09Z,"Duplicate Advisory: FlowiseAI Pre-Auth Arbitrary Code Execution",flowise,3.0.5,3.0.6,,CRITICAL,CWE-94,
 GHSA-3gpc-w23c-w59w,2020-09-04T15:02:06Z,"Sandbox Breakout / Arbitrary Code Execution in pitboss-ng",pitboss-ng,0,2.0.0,,CRITICAL,,
 GHSA-3h99-v4qw-p2h5,2020-09-03T19:41:56Z,"Malicious Package in coinpayment",coinpayment,0.0.0,,,CRITICAL,CWE-506,
@@ -4703,6 +4804,7 @@ GHSA-44vf-8ffm-v2qh,2020-09-02T15:42:47Z,"Sensitive Data Exposure in rails-sessi
 GHSA-457r-cqc8-9vj9,2022-11-23T15:39:50Z,"sweetalert2 v10.16.10 and above contains hidden functionality",sweetalert2,10.16.10,11.22.4,,LOW,CWE-912,
 GHSA-4627-w373-375v,2020-09-11T21:22:24Z,"Malicious Package in grunt-radical",grunt-radical,0.0.14,0.0.13,,CRITICAL,,
 GHSA-46fh-8fc5-xcwx,2020-09-03T18:09:16Z,"Prototype Pollution in lodash.defaultsdeep",lodash.defaultsdeep,0,4.6.1,,HIGH,CWE-1321,
+GHSA-46j5-6fg5-4gv3,2025-12-18T09:30:30Z,"Duplicate Advisory: Nodemailer is vulnerable to DoS through Uncontrolled Recursion",nodemailer,0,7.0.11,,MODERATE,CWE-674;CWE-703,
 GHSA-4859-gpc7-4j66,2019-06-05T21:24:29Z,"Command Injection in dot",dot,0,,1.1.2,MODERATE,CWE-77,
 GHSA-48gc-5j93-5cfq,2020-09-11T21:15:54Z,"Path Traversal in serve",serve,0,10.1.2,,HIGH,CWE-22,
 GHSA-4964-cjrr-jg97,2020-09-02T21:38:43Z,"Malicious Package in jqeury",jqeury,0,,,CRITICAL,CWE-506,
@@ -4746,7 +4848,7 @@ GHSA-4x7c-cx64-49w8,2020-08-19T22:06:03Z,"Regular Expression Denial of Service i
 GHSA-4x7c-cx64-49w8,2020-08-19T22:06:03Z,"Regular Expression Denial of Service in is-my-json-valid",is-my-json-valid,2.0.0,2.17.2,,LOW,,
 GHSA-4x7w-frcq-v4m3,2020-09-03T20:38:47Z,"Path Traversal in @wturyn/swagger-injector",@wturyn/swagger-injector,0.0.0,,,CRITICAL,CWE-22,
 GHSA-4xcv-9jjx-gfj3,2019-07-05T21:07:58Z,"Denial of Service in mem",mem,0,4.0.0,,MODERATE,CWE-400,
-GHSA-4xf9-pgvv-xx67,2020-09-03T20:27:46Z,"Regular Expression Denial of Service in simple-markdown",simple-markdown,0,0.5.2,,MODERATE,CWE-400,
+GHSA-4xf9-pgvv-xx67,2020-09-03T20:27:46Z,"Duplicate Advisory: Regular Expression Denial of Service in simple-markdown",simple-markdown,0,0.5.2,,MODERATE,CWE-400,
 GHSA-4xg9-g7qj-jhg4,2020-09-03T20:46:36Z,"Malicious Package in comander",comander,0.0.0,,,CRITICAL,CWE-506,
 GHSA-4xgp-xrg3-c73w,2020-09-11T21:10:29Z,"Malicious Package in commqnder",commqnder,0,,,CRITICAL,CWE-506,
 GHSA-52c9-458g-whrf,2020-09-03T22:58:17Z,"Malicious Package in js-3ha3",js-3ha3,0.0.0,,,CRITICAL,CWE-506,
@@ -4949,6 +5051,7 @@ GHSA-87qp-7cw8-8q9c,2024-03-25T06:30:24Z,"Duplicate Advisory: web3-utils Prototy
 GHSA-87qw-7v97-w34r,2020-09-02T18:33:18Z,"Malicious Package in asinc",asinc,0,,,CRITICAL,CWE-506,
 GHSA-886v-mm6p-4m66,2019-06-05T09:48:02Z,"High severity vulnerability that affects gun",gun,0,0.2019.416,,HIGH,CWE-22,
 GHSA-88h9-fc6v-jcw7,2020-09-03T20:28:51Z,"Unintended Require in larvitbase-www",larvitbase-www,0.0.0,,,MODERATE,,
+GHSA-88qh-cphv-996c,2026-02-05T00:37:30Z,"FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API",fuxa-server,0,1.2.10,,CRITICAL,CWE-22;CWE-306,
 GHSA-88xx-23mf-rcj2,2020-09-03T22:51:52Z,"Malicious Package in bs-sha3",bs-sha3,0.0.0,,,CRITICAL,CWE-506,
 GHSA-8948-ffc6-jg52,2019-06-06T15:32:21Z,"Insecure Default Configuration in redbird",redbird,0,,0.9.0,MODERATE,CWE-20,
 GHSA-8c8c-4vfj-rrpc,2020-09-01T19:05:11Z,"Reflected Cross-Site Scripting in redis-commander",redis-commander,0.0.0,0.5.0,,LOW,CWE-79,
@@ -5165,7 +5268,7 @@ GHSA-g8jc-mm3c-cwhj,2020-09-02T20:31:06Z,"Malicious Package in reques",reques,0,
 GHSA-g8m7-qhv7-9h5x,2019-07-05T21:07:14Z,"Path Traversal in serve-here.js",serve-here,0,,3.2.0,HIGH,CWE-22,
 GHSA-g8q2-24jh-5hpc,2018-07-27T14:47:52Z,"High severity vulnerability that affects jquery-ui",jquery-ui,0,1.12.0,,HIGH,,
 GHSA-g8vp-6hv4-m67c,2020-09-11T21:23:29Z,"Command Injection in entitlements",entitlements,0,1.3.0,,HIGH,CWE-77,
-GHSA-g95f-p29q-9xw4,2019-06-06T15:30:30Z,"Regular Expression Denial of Service in braces",braces,0,2.3.1,,LOW,CWE-185;CWE-400,
+GHSA-g95f-p29q-9xw4,2019-06-06T15:30:30Z,"Duplicate Advisory: Regular Expression Denial of Service in braces",braces,0,2.3.1,,LOW,CWE-185;CWE-400,
 GHSA-g9cg-h3jm-cwrc,2020-09-03T15:47:23Z,"Prototype Pollution in @hapi/subtext",@hapi/pez,0,5.0.1,,HIGH,CWE-1321,
 GHSA-g9jg-w8vm-g96v,2025-12-31T22:07:25Z,"Trix has a stored XSS vulnerability through its attachment attribute",trix,0,2.1.16,,MODERATE,CWE-79,
 GHSA-g9r4-xpmj-mj65,2020-09-04T15:06:32Z,"Prototype Pollution in handlebars",handlebars,0,3.0.8,,HIGH,CWE-1321,
@@ -5464,6 +5567,7 @@ GHSA-qv2g-99x4-45x6,2021-01-29T18:12:07Z,"Malicious npm package: discord-fix",di
 GHSA-qv78-398w-cxp7,2020-09-11T21:08:19Z,"Malicious Package in shrugging-logging",shrugging-logging,0,,,CRITICAL,CWE-506,
 GHSA-qx4v-6gc5-f2vv,2019-06-20T14:32:56Z,"Regular Expression Denial of Service",esm,0,3.1.0,,MODERATE,CWE-400,
 GHSA-qxrj-x7rm-2h49,2020-09-03T17:05:59Z,"Malicious Package in dhkey",dhkey,0.0.0,,,CRITICAL,CWE-506,
+GHSA-r2c6-8jc8-g32w,2026-02-02T00:30:23Z,"Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl",clawdbot,0,2026.1.29,,HIGH,CWE-669,
 GHSA-r2gr-fhmr-66c5,2021-05-10T18:38:11Z,"Duplicate Advisory: ""Arbitrary code execution in socket.io-file""",socket.io-file,0,,2.0.31,HIGH,CWE-20,
 GHSA-r2rg-683g-ff96,2020-09-03T19:40:12Z,"Malicious Package in axios-http",axios-http,0.0.0,,,CRITICAL,CWE-506,
 GHSA-r2vw-jgq9-jqx2,2020-09-03T15:54:11Z,"Improper Authorization in @sap-cloud-sdk/core",@sap-cloud-sdk/core,1.19.0,1.21.2,,HIGH,CWE-285,
@@ -5498,7 +5602,6 @@ GHSA-r9cj-xj33-4q42,2020-09-03T22:21:54Z,"Malicious Package in buffgr-xor",buffg
 GHSA-r9q4-w3fm-wrm2,2020-09-02T21:21:43Z,"Cross-Site Scripting in google-closure-library",google-closure-library,0,20190301.0.0,,MODERATE,CWE-79,
 GHSA-rc4v-99cr-pjcm,2023-10-17T14:21:16Z,"Prototype Pollution in ali-security/mongoose","@seal-security/mongoose-fixed",5.3.3,5.3.4,,CRITICAL,CWE-1321,
 GHSA-rch7-f4h5-x9rj,2019-08-23T00:04:52Z,"Identity Spoofing in libp2p-secio",libp2p-secio,0,0.9.0,,CRITICAL,CWE-290,
-GHSA-rcmh-qjqh-p98v,2025-12-01T20:44:25Z,"Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls",nodemailer,0,7.0.11,,LOW,CWE-703,
 GHSA-rcv7-4w2m-gj9v,2020-09-03T23:24:26Z,"Malicious Package in sj-tw-test-security",sj-tw-test-security,0.0.0,,,CRITICAL,CWE-506,
 GHSA-rffp-mc78-wjf7,2020-09-02T18:26:48Z,"Command Injection in cocos-utils",cocos-utils,0,,,HIGH,CWE-77,
 GHSA-rggq-f2wf-m6cp,2020-09-02T18:31:08Z,"Malicious Package in jajajejejiji",jajajejejiji,0,,,CRITICAL,CWE-506,
@@ -5559,6 +5662,7 @@ GHSA-vv52-3mrp-455m,2020-09-03T15:53:36Z,"Malicious Package in m-backdoor",m-bac
 GHSA-vv7g-pjw9-4qj9,2020-09-03T17:03:56Z,"Malicious Package in scrytsy",scrytsy,0.0.0,,,CRITICAL,CWE-506,
 GHSA-vvfh-mvjv-w38q,2020-09-04T15:28:19Z,"Malicious Package in babel-loadre",babel-loadre,0.0.0,,,CRITICAL,CWE-506,
 GHSA-vw7g-jq9m-3q9v,2020-09-02T18:23:35Z,"Unauthorized File Access in glance",glance,0,3.0.7,,MODERATE,,
+GHSA-vwcg-c828-9822,2026-02-05T00:27:53Z,"FUXA Unauthenticated Remote Code Execution via Admin JWT Minting",fuxa-server,0,1.2.10,,CRITICAL,CWE-285;CWE-287,
 GHSA-vx5w-cxch-wwc9,2020-09-03T19:02:27Z,"Path Traversal in f-serv",f-serv,0.0.0,,,CRITICAL,CWE-22,
 GHSA-vxfp-qmpq-6826,2020-09-03T17:38:09Z,"Malicious Package in hpmm",hpmm,0.0.0,,,CRITICAL,CWE-506,
 GHSA-vxp4-25qp-86qh,2017-10-24T18:33:36Z,"Moderate severity vulnerability that affects ember",ember,1.12.0,1.12.2,,MODERATE,,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@openrewrite/recipes-nodejs",
-  "version": "0.38.0-20260203-172000",
+  "version": "0.38.0",
   "license": "Moderne Source Available License",
   "description": "OpenRewrite recipes for Node.js library migrations.",
   "homepage": "https://github.com/moderneinc/rewrite-node",