[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"repo-stars":3,"vuln-CVE-2019-16776":6},{"stargazers_count":4,"fetched_at":5},7,"2026-06-05T02:55:30.529Z",{"id":7,"descriptions":8,"cisa":9,"weaknesses":10,"exploits":40,"aliases":41,"duplicate_of":9,"upstream":43,"downstream":44,"duplicates":75,"related":76,"reserved_at":9,"published_at":102,"modified_at":103,"state":104,"summary":105,"references_raw":114,"kevs":183,"epss":184,"epss_history":187,"metrics":456,"affected":475},"CVE-2019-16776","Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain access to arbitrary files on a user's system when the package is installed. This behavior is still possible through install scripts. This vulnerability bypasses a user using the --ignore-scripts install option.",null,[11],{"_key":12,"id":12,"name":13,"description":14,"type":15,"status":16,"abstraction":17,"likelihood_of_exploit":18,"capec":19},"CWE-22","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.","weakness","Stable","Base","High",[20,24,28,32,36],{"id":21,"name":22,"techniques":23},"CAPEC-126","Path Traversal",[],{"id":25,"name":26,"techniques":27},"CAPEC-64","Using Slashes and URL Encoding Combined to Bypass Validation Logic",[],{"id":29,"name":30,"techniques":31},"CAPEC-76","Manipulating Web Input to File System Calls",[],{"id":33,"name":34,"techniques":35},"CAPEC-78","Using Escaped Slashes in Alternate Encoding",[],{"id":37,"name":38,"techniques":39},"CAPEC-79","Using Slashes in Alternate Encoding",[],[],[42],"GHSA-x8qc-rrcw-4r46",[],[45,47,49,51,53,55,57,59,61,63,65,67,69,71,73],{"_key":46},"SUSE-SU-2020:0043-1",{"_key":48},"SUSE-SU-2020:0063-1",{"_key":50},"SUSE-SU-2020:0104-1",{"_key":52},"SUSE-SU-2020:0247-1",{"_key":54},"SUSE-SU-2020:0429-1",{"_key":56},"OPENSUSE-SU-2020:0059-1",{"_key":58},"RHEA-2020:0330",{"_key":60},"RHSA-2020:0573",{"_key":62},"RHSA-2020:0579",{"_key":64},"RHSA-2020:0597",{"_key":66},"RHSA-2020:0602",{"_key":68},"RHSA-2020:2625",{"_key":70},"MGASA-2020-0372",{"_key":72},"DEBIAN-CVE-2019-16776",{"_key":74},"UBUNTU-CVE-2019-16776",[],[77,78,79,80,81,82,83,84,86,88,90,92,94,96,98,100],{"_key":46},{"_key":48},{"_key":50},{"_key":52},{"_key":54},{"_key":56},{"_key":70},{"_key":85},"CGA-4G2V-Q782-WXQ4",{"_key":87},"CGA-7R52-GVRC-C3PV",{"_key":89},"CGA-F83R-HF7Q-6C4P",{"_key":91},"CGA-HMQ4-GM5H-HPVW",{"_key":93},"CGA-J7G7-G38X-VWR4",{"_key":95},"CGA-M78G-5RXQ-8J78",{"_key":97},"CGA-V37G-XH3F-2MMR",{"_key":99},"CGA-XJXM-8PP6-CV4V",{"_key":101},"CGA-JFFG-QJR2-VV8R","2019-12-13T00:55:16.000Z","2024-08-05T01:24:48.040Z","Modified",{"cisa_kev":106,"cisa_ransomware":106,"cisa_vendor":9,"epss_severity":107,"epss_score":108,"severity":109,"severity_score":110,"severity_version":111,"severity_source":112,"severity_vector":113,"severity_status":104},false,"low",0.01227,"high",8.1,"v3.1","nvd","CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",[115,124,129,133,140,145,150,154,158,162,166,171,175,179],{"url":116,"sources":117,"tags":120},"https://blog.npmjs.org/post/189618601100/binary-planting-with-the-npm-cli",[118,112,119],"cve.org","osv_npm",[121,122,123],"X Refsource MISC","Third Party Advisory","WEB",{"url":125,"sources":126,"tags":127},"https://github.com/npm/cli/security/advisories/GHSA-x8qc-rrcw-4r46",[118,112,119],[128,122,123],"X Refsource CONFIRM",{"url":130,"sources":131,"tags":132},"https://www.oracle.com/security-alerts/cpujan2020.html",[118,112,119],[121,122,123],{"url":134,"sources":135,"tags":136},"http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00027.html",[118,112,119],[137,138,139,122,123],"Vendor Advisory","X Refsource SUSE","Mailing List",{"url":141,"sources":142,"tags":143},"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP/",[118,112],[137,144],"X Refsource FEDORA",{"url":146,"sources":147,"tags":148},"https://access.redhat.com/errata/RHEA-2020:0330",[118,112,119],[137,149,122,123],"X Refsource REDHAT",{"url":151,"sources":152,"tags":153},"https://access.redhat.com/errata/RHSA-2020:0573",[118,112,119],[137,149,122,123],{"url":155,"sources":156,"tags":157},"https://access.redhat.com/errata/RHSA-2020:0579",[118,112,119],[137,149,122,123],{"url":159,"sources":160,"tags":161},"https://access.redhat.com/errata/RHSA-2020:0597",[118,112,119],[137,149,122,123],{"url":163,"sources":164,"tags":165},"https://access.redhat.com/errata/RHSA-2020:0602",[118,112,119],[137,149,122,123],{"url":167,"sources":168,"tags":169},"https://nvd.nist.gov/vuln/detail/CVE-2019-16776",[119],[170],"Advisory",{"url":172,"sources":173,"tags":174},"https://github.com/advisories/GHSA-x8qc-rrcw-4r46",[119],[170],{"url":176,"sources":177,"tags":178},"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Z36UKPO5F3PQ3Q2POMF5LEKXWAH5RUFP",[119],[123],{"url":180,"sources":181,"tags":182},"https://www.npmjs.com/advisories/1436",[119],[123],[],{"date":185,"score":108,"percentile":186},"2026-06-04",0.7948,[188,192,195,197,200,203,206,209,212,215,217,220,223,226,228,232,235,238,241,244,247,250,253,256,258,261,264,267,271,274,277,280,283,285,288,290,293,296,299,302,305,307,310,313,316,319,322,325,328,331,334,337,340,343,346,349,352,355,358,361,364,367,370,372,375,378,381,384,387,390,393,396,399,402,405,409,412,415,418,421,424,427,431,434,437,440,443,446,449,452],{"date":189,"score":190,"percentile":191},"2025-11-04",0.00353,0.56996,{"date":193,"score":190,"percentile":194},"2025-11-05",0.56975,{"date":196,"score":190,"percentile":194},"2025-11-06",{"date":198,"score":190,"percentile":199},"2025-11-07",0.56989,{"date":201,"score":190,"percentile":202},"2025-11-08",0.56993,{"date":204,"score":190,"percentile":205},"2025-11-09",0.5698,{"date":207,"score":190,"percentile":208},"2025-11-10",0.56955,{"date":210,"score":190,"percentile":211},"2025-11-11",0.56967,{"date":213,"score":190,"percentile":214},"2025-11-12",0.56991,{"date":216,"score":190,"percentile":191},"2025-11-13",{"date":218,"score":190,"percentile":219},"2025-11-14",0.56999,{"date":221,"score":190,"percentile":222},"2025-11-15",0.5699,{"date":224,"score":190,"percentile":225},"2025-11-16",0.56973,{"date":227,"score":190,"percentile":211},"2025-11-17",{"date":229,"score":230,"percentile":231},"2025-11-18",0.02687,0.84545,{"date":233,"score":230,"percentile":234},"2025-11-19",0.84546,{"date":236,"score":230,"percentile":237},"2025-11-20",0.84553,{"date":239,"score":190,"percentile":240},"2025-11-21",0.56982,{"date":242,"score":190,"percentile":243},"2025-11-22",0.56978,{"date":245,"score":190,"percentile":246},"2025-11-23",0.56952,{"date":248,"score":190,"percentile":249},"2025-11-24",0.56945,{"date":251,"score":190,"percentile":252},"2025-11-25",0.56948,{"date":254,"score":190,"percentile":255},"2025-11-26",0.56951,{"date":257,"score":190,"percentile":255},"2025-11-27",{"date":259,"score":190,"percentile":260},"2025-11-28",0.56926,{"date":262,"score":190,"percentile":263},"2025-11-29",0.56915,{"date":265,"score":190,"percentile":266},"2025-11-30",0.56908,{"date":268,"score":269,"percentile":270},"2025-12-01",0.00184,0.40429,{"date":272,"score":269,"percentile":273},"2025-12-02",0.40438,{"date":275,"score":269,"percentile":276},"2025-12-03",0.40439,{"date":278,"score":190,"percentile":279},"2025-12-04",0.56909,{"date":281,"score":190,"percentile":282},"2025-12-05",0.56925,{"date":284,"score":190,"percentile":282},"2025-12-06",{"date":286,"score":190,"percentile":287},"2025-12-07",0.56922,{"date":289,"score":190,"percentile":260},"2025-12-08",{"date":291,"score":190,"percentile":292},"2025-12-09",0.56949,{"date":294,"score":190,"percentile":295},"2025-12-10",0.57005,{"date":297,"score":190,"percentile":298},"2025-12-11",0.57029,{"date":300,"score":190,"percentile":301},"2025-12-12",0.57054,{"date":303,"score":190,"percentile":304},"2025-12-13",0.57049,{"date":306,"score":190,"percentile":304},"2025-12-14",{"date":308,"score":190,"percentile":309},"2025-12-15",0.57033,{"date":311,"score":190,"percentile":312},"2025-12-16",0.57044,{"date":314,"score":190,"percentile":315},"2025-12-17",0.57061,{"date":317,"score":190,"percentile":318},"2025-12-18",0.57099,{"date":320,"score":190,"percentile":321},"2025-12-19",0.57107,{"date":323,"score":190,"percentile":324},"2025-12-20",0.57104,{"date":326,"score":190,"percentile":327},"2025-12-21",0.57084,{"date":329,"score":190,"percentile":330},"2025-12-22",0.57066,{"date":332,"score":190,"percentile":333},"2025-12-23",0.57073,{"date":335,"score":190,"percentile":336},"2025-12-24",0.57083,{"date":338,"score":190,"percentile":339},"2025-12-25",0.57127,{"date":341,"score":190,"percentile":342},"2025-12-26",0.57123,{"date":344,"score":190,"percentile":345},"2025-12-27",0.57182,{"date":347,"score":190,"percentile":348},"2025-12-28",0.57095,{"date":350,"score":190,"percentile":351},"2025-12-29",0.57088,{"date":353,"score":190,"percentile":354},"2025-12-30",0.57085,{"date":356,"score":190,"percentile":357},"2025-12-31",0.57122,{"date":359,"score":269,"percentile":360},"2026-01-01",0.40582,{"date":362,"score":269,"percentile":363},"2026-01-02",0.40561,{"date":365,"score":269,"percentile":366},"2026-01-03",0.40554,{"date":368,"score":190,"percentile":369},"2026-01-04",0.57097,{"date":371,"score":190,"percentile":336},"2026-01-05",{"date":373,"score":190,"percentile":374},"2026-01-06",0.57092,{"date":376,"score":190,"percentile":377},"2026-01-07",0.57118,{"date":379,"score":190,"percentile":380},"2026-01-08",0.57138,{"date":382,"score":190,"percentile":383},"2026-01-09",0.57141,{"date":385,"score":190,"percentile":386},"2026-01-10",0.57139,{"date":388,"score":190,"percentile":389},"2026-01-11",0.5712,{"date":391,"score":190,"percentile":392},"2026-01-12",0.57087,{"date":394,"score":190,"percentile":395},"2026-01-13",0.57057,{"date":397,"score":190,"percentile":398},"2026-01-14",0.571,{"date":400,"score":190,"percentile":401},"2026-01-15",0.57105,{"date":403,"score":190,"percentile":404},"2026-01-16",0.57132,{"date":406,"score":407,"percentile":408},"2026-01-17",0.00461,0.63581,{"date":410,"score":407,"percentile":411},"2026-01-18",0.63572,{"date":413,"score":407,"percentile":414},"2026-01-19",0.6356,{"date":416,"score":407,"percentile":417},"2026-01-20",0.63574,{"date":419,"score":407,"percentile":420},"2026-01-21",0.63578,{"date":422,"score":407,"percentile":423},"2026-01-22",0.63585,{"date":425,"score":407,"percentile":426},"2026-01-23",0.63616,{"date":428,"score":429,"percentile":430},"2026-01-24",0.00825,0.73993,{"date":432,"score":429,"percentile":433},"2026-01-25",0.73977,{"date":435,"score":429,"percentile":436},"2026-01-26",0.73974,{"date":438,"score":429,"percentile":439},"2026-01-27",0.73979,{"date":441,"score":429,"percentile":442},"2026-01-28",0.73991,{"date":444,"score":429,"percentile":445},"2026-01-29",0.73992,{"date":447,"score":429,"percentile":448},"2026-01-30",0.73996,{"date":450,"score":429,"percentile":451},"2026-01-31",0.74002,{"date":453,"score":454,"percentile":455},"2026-02-01",0.00414,0.61228,[457,464,473],{"source":118,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":458,"cvss_v4_0":9},{"baseScore":459,"baseSeverity":460,"vectorString":461,"impactScore":462,"exploitabilityScore":463},7.7,"HIGH","CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",9.7,3.3,{"source":112,"cvss_v2_0":465,"cvss_v3_0":9,"cvss_v3_1":470,"cvss_v4_0":9},{"baseScore":466,"baseSeverity":9,"vectorString":467,"impactScore":468,"exploitabilityScore":469},5.5,"AV:N/AC:L/Au:S/C:P/I:P/A:N",4.9,8,{"baseScore":110,"baseSeverity":460,"vectorString":113,"impactScore":471,"exploitabilityScore":472},8.7,7.2,{"source":119,"cvss_v2_0":9,"cvss_v3_0":9,"cvss_v3_1":474,"cvss_v4_0":9},{"baseScore":459,"baseSeverity":9,"vectorString":461,"impactScore":462,"exploitabilityScore":463},[476,484,496,502,507,513,519,526],{"ecosystem":9,"name":477,"vendor":478,"product":477,"cpe_part":479,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":480},"fedora","fedoraproject","o",[481],{"version":482,"is_range":106,"range_type":483,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"31","cpe",{"ecosystem":9,"name":485,"vendor":486,"product":485,"cpe_part":487,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":488},"cli","npm","a",[489],{"version":490,"is_range":491,"range_type":118,"version_start":492,"version_start_type":493,"version_end":494,"version_end_type":495,"fixed_in":9},">= \u003C 6.13.3, \u003C 6.13.3",true,"\u003C 6.13.3","including","6.13.3","excluding",{"ecosystem":497,"name":486,"vendor":497,"product":486,"cpe_part":9,"purl_type":486,"purl_namespace":9,"purl_name":486,"source":9,"versions":498},"Npm",[499],{"version":500,"is_range":491,"range_type":501,"version_start":9,"version_start_type":9,"version_end":494,"version_end_type":495,"fixed_in":9},"lt6_13_3","semver",{"ecosystem":9,"name":486,"vendor":503,"product":486,"cpe_part":487,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":504},"npmjs",[505],{"version":506,"is_range":491,"range_type":483,"version_start":9,"version_start_type":9,"version_end":494,"version_end_type":495,"fixed_in":9},"lt6.13.3",{"ecosystem":9,"name":508,"vendor":509,"product":508,"cpe_part":479,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":510},"leap","opensuse",[511],{"version":512,"is_range":106,"range_type":483,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"15.1",{"ecosystem":9,"name":514,"vendor":515,"product":514,"cpe_part":487,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":516},"graalvm","oracle",[517],{"version":518,"is_range":106,"range_type":483,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"19.3.0.2",{"ecosystem":9,"name":520,"vendor":521,"product":522,"cpe_part":479,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":523},"enterprise linux","redhat","enterprise_linux",[524],{"version":525,"is_range":106,"range_type":483,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"8.0",{"ecosystem":9,"name":527,"vendor":521,"product":528,"cpe_part":479,"purl_type":9,"purl_namespace":9,"purl_name":9,"source":9,"versions":529},"enterprise linux eus","enterprise_linux_eus",[530],{"version":531,"is_range":106,"range_type":483,"version_start":9,"version_start_type":9,"version_end":9,"version_end_type":9,"fixed_in":9},"8.1"]