BETA Shoulder ist in der Beta — Befunde können manchmal falsch sein. Dein Feedback bestimmt, was wir als Nächstes beheben. Feedback teilen

Bedrohungszentrum

Ist diese Schwachstelle real, ausgenutzt oder nur Rauschen?

Fügen Sie ein Paket, CVE oder Sicherheitsbedenken ein. Wir beweisen es, erklären es und zeigen die Lösung.

Versuchen Sie zu suchen nach

log4j CVE-2021-44228 express CWE-79 (XSS) jsonwebtoken SQL injection

Akzeptiert: Paketnamen, Paket@Version, CVE-IDs, CWE-IDs, npm/PyPI-URLs

Live-Sicherheitswarnungen

Alle anzeigen →

npm/@mastra/auth-auth0 CRITICAL

Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed

3 versions flagged · Latest 0.10.0

3 alerts View briefing →

npm/@mastra/[email protected] CRITICAL

OIDC trusted-publisher / SLSA provenance attestation lost vs prior version — publishing pipeline bypassed (account takeover or stolen token signature)

View briefing →

npm/@mastra/[email protected] CRITICAL

OIDC trusted-publisher / SLSA provenance attestation lost vs prior version — publishing pipeline bypassed (account takeover or stolen token signature)

View briefing →

npm/@mastra/[email protected] CRITICAL

OIDC trusted-publisher / SLSA provenance attestation lost vs prior version — publishing pipeline bypassed (account takeover or stolen token signature)

View briefing →

npm/@mastra/[email protected] HIGH

Publisher email transitioned to a known anonymous-by-design / burner provider — account-takeover signal

View briefing →

Bemerkenswerte Schwachstellen

Updated 1h ago

CVE-2025-68613 CRITICAL (10)

n8n Vulnerable to Remote Code Execution via Expression Injection

KEV EPSS 76.497% CWE-913

CVE-2026-39987 CRITICAL (9.8)

Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass

KEV EPSS 55.208999999999996% CWE-306

CVE-2026-33017 CRITICAL (9.8)

Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint

KEV EPSS 41.243% CWE-94 CWE-95 CWE-306

CVE-2026-27483 HIGH (8.8)

MindsDB: Path Traversal in /api/files Leading to Remote Code Execution

1 exploit EPSS 18.791% CWE-22

CVE-2026-27966 CRITICAL (9.8)

Langflow has Remote Code Execution in CSV Agent

EPSS 35.107% CWE-94

Bedrohungen erkunden

OWASP Top 10

Das Standard-Referenzdokument für Webanwendungssicherheit

CWE-Index

Common Weakness Enumeration

Erkennungsregeln

Finden Sie Regeln für Ihren Tech-Stack

Häufigste erkannte Schwächen

Alle anzeigen →

CWE-200 14 rules

Exposure of Sensitive Information to an Unauthorized Actor

CWE-20 13 rules

Improper Input Validation

CWE-798 11 rules

Use of Hard-coded Credentials

CWE-94 10 rules

Improper Control of Generation of Code ('Code Injection')

CWE-250 10 rules

Execution with Unnecessary Privileges

CWE-942 9 rules

Permissive Cross-domain Policy with Untrusted Domains

CWE-400 8 rules

Uncontrolled Resource Consumption

CWE-639 8 rules

Authorization Bypass Through User-Controlled Key

Paket-Sicherheitsstatus

No known vulnerabilities

No known vulnerabilities

No known vulnerabilities

No known vulnerabilities

No known vulnerabilities

jsonwebtoken npm

No known vulnerabilities

Scannen Sie von Ihrem Terminal

Führen Sie Shoulder lokal aus, um Pakete vor der Installation zu analysieren, oder scannen Sie Ihr gesamtes Projekt auf Schwachstellen.

npx @shoulderdev/cli check <package>

npx @shoulderdev/cli trust .