Live data from GitHub and npm, updated daily.
Data last fetched: 2026-06-29
4 active CVEs reported via OSV.dev
webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence
Webpack's AutoPublicPathRuntimeModule has a DOM Clobbering Gadget that leads to XSS
webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior
Cross-realm object access in Webpack 5
Get SLA-backed support, security patches, and direct access to senior engineers for Webpack — without relying on volunteer maintainers.