VulnerableCode Package Details - pkg:npm/npm@6.14.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-e2wc-na6c-c3cr Aliases: CVE-2020-15095 GHSA-93f3-23rq-pjfp	npm CLI exposing sensitive information through logs Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted and is printed to stdout and also to any generated log files.	6.14.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-qyqn-hwvx-k7gs Aliases: CVE-2026-0775 GHSA-3966-f6p6-2qr9	Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ### Duplicate Advisory This advisory has been withdrawn because describes a dependency bump and therefore, per [CVE CNA rule 4.1.12](https://www.cve.org/ResourcesSupport/AllResources/CNARules/#section_4-1_Vulnerability_Determination), is a duplicate of GHSA-34x7-hfp2-rc4v/CVE-2026-24842. Additionally, per https://github.com/npm/cli/issues/8939#issuecomment-3862719883, npm cli should not be listed as an affected product. This link is maintained to preserve external references. ### Original Description npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-e2wc-na6c-c3cr
Aliases:
CVE-2020-15095
GHSA-93f3-23rq-pjfp

npm CLI exposing sensitive information through logs Versions of the npm CLI prior to 6.14.6 are vulnerable to an information exposure vulnerability through log files. The CLI supports URLs like `<protocol>://[<user>[:<password>]@]<hostname>[:<port>][:][/]<path>`. The password value is not redacted and is printed to stdout and also to any generated log files.

6.14.6
Affected by 1 other vulnerability.

VCID-qyqn-hwvx-k7gs
Aliases:
CVE-2026-0775
GHSA-3966-f6p6-2qr9

Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability ### Duplicate Advisory This advisory has been withdrawn because describes a dependency bump and therefore, per [CVE CNA rule 4.1.12](https://www.cve.org/ResourcesSupport/AllResources/CNARules/#section_4-1_Vulnerability_Determination), is a duplicate of GHSA-34x7-hfp2-rc4v/CVE-2026-24842. Additionally, per https://github.com/npm/cli/issues/8939#issuecomment-3862719883, npm cli should not be listed as an affected product. This link is maintained to preserve external references. ### Original Description npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of npm cli. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the handling of modules. The application loads modules from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-17T00:11:58.324935+00:00	GitLab Importer	Affected by	VCID-qyqn-hwvx-k7gs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/npm/CVE-2026-0775.yml	38.4.0
2026-04-16T21:05:22.883316+00:00	GitLab Importer	Affected by	VCID-e2wc-na6c-c3cr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/npm/CVE-2020-15095.yml	38.4.0
2026-04-12T01:35:45.713047+00:00	GitLab Importer	Affected by	VCID-qyqn-hwvx-k7gs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/npm/CVE-2026-0775.yml	38.3.0
2026-04-11T22:16:50.314713+00:00	GitLab Importer	Affected by	VCID-e2wc-na6c-c3cr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/npm/CVE-2020-15095.yml	38.3.0
2026-04-03T01:44:46.473581+00:00	GitLab Importer	Affected by	VCID-qyqn-hwvx-k7gs	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/npm/CVE-2026-0775.yml	38.1.0
2026-04-02T22:28:58.476453+00:00	GitLab Importer	Affected by	VCID-e2wc-na6c-c3cr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/npm/CVE-2020-15095.yml	38.1.0
2026-04-01T16:46:59.755688+00:00	GitLab Importer	Affected by	VCID-e2wc-na6c-c3cr	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/npm/CVE-2020-15095.yml	38.0.0