Is this vulnerability real, exploited, or noise?
Paste a package, CVE, or security concern. We prove it, explain it, and show the fix.
Accepts: package names, package@version, CVE IDs, CWE IDs, npm/PyPI/crates.io URLs, or prefix syntax (pypi:requests)
Live Security Alerts
Newly-introduced runtime execution surface (eval / shell / network) on a package published inside a coordinated burst of uninspectable ballooned bundles by the same maintainer account - stage-1 dropper precursor, failing closed
Burst publisher with new account
A dist-tag (e.g. latest) was moved to this version while it was less than 1 hour old — publish-side compromise indicator
Burst publisher with new account
Bulk env-var sweep + shell exec at runtime — credential-stealer
Notable Vulnerabilities
Updated 37m ago
n8n Vulnerable to Remote Code Execution via Expression Injection
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Unauthenticated Remote Code Execution in Langflow via Public Flow Build Endpoint
MindsDB: Path Traversal in /api/files Leading to Remote Code Execution
Langflow has Remote Code Execution in CSV Agent
Weaknesses You Should Know About
Exposure of Sensitive Information to an Unauthorized Actor
Improper Input Validation
Use of Hard-coded Credentials
Improper Control of Generation of Code ('Code Injection')
Execution with Unnecessary Privileges
Permissive Cross-domain Policy with Untrusted Domains
Uncontrolled Resource Consumption
Authorization Bypass Through User-Controlled Key
Package Security Status
Scan from your terminal
Run Shoulder locally to analyze packages before installing them, or scan your entire project for vulnerabilities.
npx @shoulderdev/cli check <package>
npx @shoulderdev/cli trust .