SecAlerts

npm

Security Risk Profile

Security Risk Score: 54/100 (medium)

Comprehensive risk assessment based on 58 vulnerabilities, EPSS scores, exploitation status, and remediation availability.

📅 Data spans from March 8, 2021 to present

Total CVEs: 58
Critical+High: 14
Exploited: 5
Unpatched: 6

Threat Assessment

Avg CVSS (base severity): 7.2
Avg EPSS (exploit probability): 0%
Unpatched (Critical/High): 6
Risk Level: 54/100 (medium)
⚠️ 5 Active Exploits

Severity Distribution

Critical: 1
High: 13
Medium: 4
Low: 2

Exploit Likelihood

>50% chance: 0
20-50%: 0
5-20%: 0
<5%: 0

Common Weaknesses (CWE)

1. SSRF: 2
2. XSS: 2
3. Command Injection: 1
4. Input Validation: 1

Most Affected Products

1. npm package: 6
2. npm registry: 4
3. npm eslint-config-prettier: 4
4. npm/cli: 3
5. npm cli: 3

Recent Vulnerabilities

CVE-2026-0775
CVSS 7.8 (high)

(0Day) npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

1/23/2026 🔧 No Patch

ZDI-26-043
CVSS 7.8 (high)

(0Day) npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

1/12/2026 🔧 No Patch

ZDI-CAN-25430
CVSS 7.8 (high)

ZDI-26-043: (0Day) npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

1/12/2026 🔧 No Patch

https://www.theregister.com/2025/12/22/whatsapp_npm_package_message_steal/
unknown

Poisoned WhatsApp API package steals messages and accounts

12/22/2025 🔧 No Patch

https://www.bleepingcomputer.com/news/security/shai-hulud-20-npm-malware-attack-exposed-up-to-400-000-dev-secrets/
unknown

Shai-Hulud 2.0 NPM malware attack exposed up to 400,000 dev secrets

12/2/2025 🔧 No Patch

CVE-2025-13466
CVSS 5.5 (medium)

body-parser vulnerable to denial of service when url encoding is used

11/24/2025

https://www.bleepingcomputer.com/news/security/shai-hulud-malware-infects-500-npm-packages-leaks-secrets-on-github/
unknown

Shai-Hulud malware infects 500 npm packages, leaks secrets on GitHub

11/24/2025 🔧 No Patch

https://www.theregister.com/2025/11/24/shai_hulud_npm_worm/
unknown

Shai-Hulud worm returns, belches secrets to 25K GitHub repos

11/24/2025 🔧 No Patch

https://www.bleepingcomputer.com/news/security/malicious-npm-packages-abuse-adspect-redirects-to-evade-security/
unknown

Malicious NPM packages abuse Adspect redirects to evade security

11/17/2025 🔧 No Patch

https://www.theregister.com/2025/11/14/selfreplicating_supplychain_attack_poisons_150k/
unknown

Crims poison 150K+ npm packages with token-farming malware

11/14/2025 🔧 No Patch
