The leading open source vulnerability database

Instantly mitigate vulnerabilities in WordPress websites with Patchstack.

Total49,172
Mitigations15,846
Stats
CVSS0
10
Affected software | Vulnerability
RiskDisclosed
@better-auth/scim>= 1.5.0, < 1.7.0-beta.4
NPM: @better-auth/scim: Account/provider takeover via missing owner binding on non-org SCIM providers
8.3
1 hour ago
better-auth>= 0.3.4, < 1.6.11
NPM: Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows
3.8
1 hour ago
@better-auth/scim>= 1.6.0, < 1.6.11
NPM: Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows
3.8
1 hour ago
better-auth< 1.6.11
NPM: @better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
8.1
1 hour ago
@better-auth/oauth-provider>= 1.6.0, < 1.6.11
NPM: @better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
8.1
1 hour ago
@better-auth/sso>= 0.1.0, < 1.6.11
NPM: @better-auth/sso provider registration has server-side request forgery via unvalidated OIDC endpoints
9.6
1 hour ago
better-auth>= 1.4.8-beta.7, < 1.6.0
NPM: Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
8.1
1 hour ago
@better-auth/oauth-provider>= 1.6.0, < 1.6.11
NPM: Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
8.1
1 hour ago
better-auth< 1.6.11
NPM: Better Auth has insecure cryptographic defaults in oidcProvider: alg=none advertised and plain PKCE accepted by default
8.7
1 hour ago
better-auth< 1.6.13
NPM: Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp
7.7
1 hour ago
better-auth< 1.6.11
NPM: Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
8.3
1 hour ago
better-auth< 1.6.11
NPM: Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin
7.7
1 hour ago
@better-auth/oauth-provider>= 1.4.8, < 1.7.0-beta.4
NPM: @better-auth/oauth-provider may provide access tokens for unauthorized audiences via unbound resource indicators
6.4
1 hour ago
better-auth< 1.6.11
NPM: Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
9.1
2 hours ago
@aborruso/ckan-mcp-server< 0.4.106
NPM: @aborruso/ckan-mcp-server: SSRF via base_url allows access to internal networks (Potential fix bypass of CVE-2026-33060)
5.7
3 hours ago
9router<= 0.4.71
NPM: 9router: Login brute-force protection bypass via spoofed X-Forwarded-For header
7.3
1 day ago
9router<= 0.4.71
NPM: 9routers has Exposure of Sensitive Information and Unprotected Database Import/Export, Allowing Complete Credential Theft and Database Takeover
9.9
1 day ago
9router<= 0.4.41
NPM: 9router has unauthenticated CRUD on /api/providers and Full API Key Leak via /api/usage/stats
10
1 day ago
decompress<= 4.2.1
NPM: Decompress: Archive extraction can create files and links outside of the target directory
9.1
1 day ago
@xhmikosr/decompress< 10.2.1
NPM: Decompress: Archive extraction can create files and links outside of the target directory
9.1
1 day ago