npm Inc.
Security Scorecard
Score: 100 A
Total CVEs: 7
Patch Rate: 100% (7 patched)
Avg Response: - days to patch
Critical Gaps: 0 (exploitable, no detection)
Severity Breakdown
Critical: 1
High: 6
Medium: 0
Low: 0
Patch Status
Patched: 7 (100%)
Partial/Workaround: 0 (0%)
Unpatched: 0 (0%)
CVEs (8)
| CVE ID | Title | Severity | Score | Days | Patch |
|---|---|---|---|---|---|
| CVE-2026-0775 | npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability | High | 7.0 | - | Patched |
| CVE-2021-47837 | Markdownify XSS | High | 7.2 | - | Patched |
| CVE-2025-61686 | React Router Vulnerability | Critical | 9.1 | - | Patched |
| CVE-2025-14874 | Nodemailer DoS Vulnerability | High | 7.5 | - | Patched |
| CVE-2025-65512 | MCP Server Vulnerability | High | 7.5 | - | Patched |
| CVE-2025-65513 | Fetch-MCP SSRF | High | 7.5 | - | Patched |
| CVE-2025-58754 | Axios DoS via data: URL decode | High | 7.5 | - | Patched |
| CVE-2025-68154 | - | N/A | - | 2d | Unpatched |