npm CLI vulnerabilities

5 known vulnerabilities affecting npm/cli.

Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 2, MEDIUM 3

Vulnerabilities

CVE-2026-0775 | HIGH | CVSS 7.0 | v10.9.0 | 2026-01-23
CVE-2026-0775 [HIGH] CWE-732: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the
Sources: cvelistv5, nvd
CVE-2020-15095 | MEDIUM | CVSS 4.4 | fixed in 6.14.6 | 2020-07-07
CVE-2020-15095 [MEDIUM] CWE-532: Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like "://[[:]@][:][:][/]". The password value is not redacted and is printed to stdout and also to any generated log files.
Sources: cvelistv5, nvd
CVE-2019-16776 | HIGH | CVSS 8.1 | fixed in 6.13.3 | 2019-12-13
CVE-2019-16776 [HIGH] CWE-22: Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the
Sources: cvelistv5, nvd
CVE-2019-16775 | MEDIUM | CVSS 6.5 | fixed in 6.13.3 | 2019-12-13
CVE-2019-16775 [MEDIUM] CWE-61: Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of the node_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publisher to create a symlink pointing to arbitrary files
Sources: cvelistv5, nvd
CVE-2019-16777 | MEDIUM | CVSS 6.5 | fixed in 6.13.4 | 2019-12-13
CVE-2019-16777 [MEDIUM] CWE-22: Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries from being overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of packages that also create a serve binary would overwri
Sources: cvelistv5, nvd