PatchSiren

npm CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH npm CVE published 2026-05-26

CVE-2026-9496

CVE-2026-9496 documents a Denial of Service (DoS) vulnerability in the pacote npm package, affecting versions from 11.2.7 onward. The flaw resides in the addGitSha function, where a maliciously crafted spec.rawSpec value can trigger inefficient regex replacement and string-manipulation logic, leading to excessive CPU consumption and potential process stalling or crash. The vulnerability was published to t [truncated]

HIGH npm CVE published 2026-01-23

CVE-2026-0775

CVE-2026-0775 is a HIGH severity vulnerability in npm cli that allows local attackers to escalate privileges. The vulnerability exists within the handling of modules, where the application loads modules from an unsecured location. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The vulnerability was reported by Zerodayin [truncated]