Here are some vulnerabilities I’ve found over the years. It is in no way a complete archive, but it’s a pretty good list of CVEs

2019

• CVE-2019-14772 - verdaccio - Cross-Site Scripting
• verdaccio - Cross-Site Scripting
• electron-native-notify - Malicious Package
• donotinstallthis - Malicious Package
• destroyer-of-worlds - Malicious Package

2018

• boogeyman - Malicious Package

2017

• pgAdmin 4 - XSS leading to RCE
• CVE-2017-16041 - ikst - Downloads Resources over HTTP
• CVE-2017-16086 - ua-parser - ReDoS via long UserAgent header
• CVE-2017-16040 - gfe-sass - Downloads Resources over HTTP
• CVE-2017-16035 - hubl-server - Downloads resources over HTTP
• CVE-2017-16126 - botbait - Tracking Module

2016

• Atom Editor - Misconfiguration allowed code execution on untrusted networks
• CVE-2016-2537 - is-my-json-valid - Regular Expression Denial of Service
• CVE-2016-2515 - hawk - Regular Expression Denial of Service
• CVE-2016-10520 - jadedown - Regular Expression Denial of Service
• CVE-2016-10521 - jshamcrest - Regular Expression Denial of Service
• CVE-2016-4055 - moment - Regular Expression Denial of Service
• CVE-2016-10589 - selenium-binaries - Downloads Resources over HTTP
• CVE-2016-10587 - wasdk - Downloads Resources over HTTP
• CVE-2016-10593 - ibapi - Downloads Resources over HTTP
• CVE-2016-10594 - ipip - Downloads Resources over HTTP
• CVE-2016-10603 - air-sdk - Downloads Resources over HTTP
• CVE-2016-10602 - haxe - Downloads Resources over HTTP
• CVE-2016-10613 - bionode-sra - Downloads Resources over HTTP
• CVE-2016-10621 - fibjs - Downloads Resources over HTTP
• CVE-2016-10624 - selenium-chromedriver - Downloads Resources over HTTP
• CVE-2016-10631 - jvminstall - Downloads Resources over HTTP
• CVE-2016-10629 - nw-with-arm - Downloads Resources over HTTP
• CVE-2016-10562 - iedriver - Downloads Resources over HTTP
• CVE-2016-10627 - scala-bin - Downloads Resources over HTTP
• CVE-2016-10588 - nw - Downloads Resources over HTTP
• CVE-2016-10642 - cmake - Downloads Resources over HTTP
• CVE-2016-10649 - frames-compiler - Downloads Resources over HTTP
• CVE-2016-10582 - closurecompiler - Downloads Resources over HTTP
• CVE-2016-10647 - node-air-sdk - Downloads Resources over HTTP
• CVE-2016-10645 - grunt-images - Downloads Resources over HTTP
• CVE-2016-10666 - tomita-parser - Downloads Resources over HTTP
• CVE-2016-10655 - clang-extra - Downloads Resources over HTTP
• CVE-2016-10657 - co-cli-installer - Downloads Resources over HTTP
• CVE-2016-10668 - libsbml - Downloads Resources over HTTP
• CVE-2016-10671 - mystem-wrapper - Downloads Resources over HTTP
• CVE-2016-10697 - react-native-baidu-voice-synthesizer - Downloads Resources over HTTP
• CVE-2016-10625 - headless-browser-lite - Downloads Resources over HTTP
• CVE-2016-10683 - arcanist - Downloads Resources over HTTP
• CVE-2016-10686 - fis-sass-all - Downloads Resources over HTTP
• CVE-2016-10688 - haxe3 - Downloads Resources over HTTP
• CVE-2016-10580 - nodewebkit - Downloads Resources over HTTP
• CVE-2016-10558 - aerospike - Downloads Resources over HTTP
• CVE-2016-10560 - galenframework-cli - Downloads Resources over HTTP
• CVE-2016-10567 - product-monitor - Downloads Resources over HTTP
• CVE-2016-10694 - alto-saxophone - Downloads Resources over HTTP
• CVE-2016-10539 - negotiator - Regular Expression Denial of Service
• CVE-2016-1000224 - ezseed-transmission - Insecure Defaults Leads to Potential MITM
• CVE-2016-10552 - igniteui - Resources Downloaded over Insecure Protocol
• CVE-2016-10583 - closure-util - Downloads Resources over HTTP
• CVE-2016-10578 - unicode - Downloads Resources over HTTP
• CVE-2016-10557 - appium-chromedriver - Downloads Resources over HTTP
• CVE-2016-10559 - selenium-download - Downloads Resources over HTTP
• CVE-2016-10565 - operadriver - Downloads Resources over HTTP
• CVE-2016-10586 - macaca-chromedriver - Downloads Resources over HTTP
• CVE-2016-10574 - apk-parser3 - Downloads Resources over HTTP
• CVE-2016-10585 - libxl - Downloads Resources over HTTP
• CVE-2016-10568 - geoip-lite-country - Downloads Resources over HTTP
• CVE-2016-10564 - apk-parser - Downloads Resources over HTTP
• CVE-2016-10569 - embedza - Downloads Resources over HTTP
• CVE-2016-10570 - pngcrush-installer - Downloads Resources over HTTP
• CVE-2016-10591 - prince - Downloads Resources over HTTP
• CVE-2016-10596 - imageoptim - Downloads Resources over HTTP
• CVE-2016-10590 - cue-sdk-node - Downloads Resources over HTTP
• CVE-2016-10598 - arrayfire-js - Downloads Resources over HTTP
• CVE-2016-10604 - dalek-browser-chrome - Downloads Resources over HTTP
• CVE-2016-10608 - robot-js - Downloads Resources over HTTP
• CVE-2016-10611 - strider-sauce - Downloads Resources over HTTP
• CVE-2016-10566 - install-nw - Downloads Resources over HTTP
• CVE-2016-10610 - unicode-json - Downloads Resources over HTTP
• CVE-2016-10609 - chromedriver126 - Downloads Resources over HTTP
• CVE-2016-10607 - openframe-glslviewer - Downloads Resources over HTTP
• CVE-2016-10605 - dalek-browser-ie - Downloads Resources over HTTP
• CVE-2016-10622 - nodeschnaps - Downloads Resources over HTTP
• CVE-2016-10571 - bkjs-wand - Downloads Resources over HTTP
• CVE-2016-10576 - fuseki - Downloads Resources over HTTP
• CVE-2016-10618 - node-browser - Downloads Resources over HTTP
• CVE-2016-10620 - atom-node-module-installer - Downloads Resources over HTTP
• CVE-2016-10674 - limbus-buildgen - Downloads Resources over HTTP
• CVE-2016-10617 - box2d-native - Downloads Resources over HTTP
• CVE-2016-10632 - apk-parser2 - Downloads Resources over HTTP
• CVE-2016-10626 - mystem3 - Downloads Resources over HTTP
• CVE-2016-10630 - install-g-test - Downloads Resources over HTTP
• CVE-2016-10572 - mongodb-instance - Downloads Resources over HTTP
• CVE-2016-10635 - broccoli-closure - Downloads Resources over HTTP
• CVE-2016-10640 - node-thulac - Downloads Resources over HTTP
• CVE-2016-10636 - grunt-ccompiler - Downloads Resources over HTTP
• CVE-2016-10638 - js-given - Downloads Resources over HTTP
• CVE-2016-10575 - kindlegen - Downloads Resources over HTTP
• CVE-2016-10652 - prebuild-lwip - Downloads Resources over HTTP
• CVE-2016-10650 - ntfserver - Downloads Resources over HTTP
• CVE-2016-10646 - resourcehacker - Downloads Resources over HTTP
• CVE-2016-10654 - sfml - Downloads Resources over HTTP
• CVE-2016-10665 - herbivore - Downloads Resources over HTTP
• CVE-2016-10667 - selenium-portal - Downloads Resources over HTTP
• CVE-2016-10662 - tomita - Downloads Resources over HTTP
• CVE-2016-10661 - phantomjs-cheniu - Downloads Resources over HTTP
• CVE-2016-10663 - wixtoolset - Downloads Resources over HTTP
• CVE-2016-10656 - qbs - Downloads Resources over HTTP
• CVE-2016-10669 - soci - Downloads Resources over HTTP
• CVE-2016-10659 - poco - Downloads Resources over HTTP
• CVE-2016-10676 - rs-brightcove - Downloads Resources over HTTP
• CVE-2016-10677 - google-closure-tools-latest - Downloads Resources over HTTP
• CVE-2016-10672 - cloudpub-redis - Downloads Resources over HTTP
• CVE-2016-10680 - adamvr-geoip-lite - Downloads Resources over HTTP
• CVE-2016-10679 - selenium-standalone-painful - Downloads Resources over HTTP
• CVE-2016-10684 - healthcenter - Downloads Resources over HTTP
• CVE-2016-10682 - massif - Downloads Resources over HTTP
• CVE-2016-10689 - windows-iedriver - Downloads Resources over HTTP
• CVE-2016-10691 - windows-seleniumjar - Downloads Resources over HTTP
• CVE-2016-10695 - npm-test-sqlite3-trunk - Downloads Resources over HTTP
• CVE-2016-10693 - pm2-kafka - Downloads Resources over HTTP
• CVE-2016-10579 - chromedriver - Downloads Resources over HTTP
• CVE-2016-10577 - ibm_db - Downloads Resources over HTTP
• CVE-2016-10600 - webrtc-native - Downloads Resources over HTTP
• CVE-2016-10584 - dalek-browser-chrome-canary - Downloads Resources over HTTP
• CVE-2016-10599 - sauce-connect - Downloads Resources over HTTP
• CVE-2016-10592 - jser-stat - Downloads Resources over HTTP
• CVE-2016-10601 - webdrvr - Downloads Resources over HTTP
• CVE-2016-10597 - cobalt-cli - Downloads Resources over HTTP
• CVE-2016-10595 - jdf-sass - Downloads Resources over HTTP
• CVE-2016-10612 - dalek-browser-ie-canary - Downloads Resources over HTTP
• CVE-2016-10606 - grunt-webdriver-qunit - Downloads Resources over HTTP
• CVE-2016-10614 - httpsync - Downloads Resources over HTTP
• CVE-2016-10619 - pennyworth - Downloads Resources over HTTP
• CVE-2016-10615 - curses - Downloads Resources over HTTP
• CVE-2016-10616 - openframe-image - Downloads Resources over HTTP
• CVE-2016-10623 - macaca-chromedriver-zxa - Downloads Resources over HTTP
• CVE-2016-10628 - selenium-wrapper - Downloads Resources over HTTP
• CVE-2016-10634 - scalajs-standalone-bin - Downloads Resources over HTTP
• CVE-2016-10641 - node-bsdiff-android - Downloads Resources over HTTP
• CVE-2016-10573 - baryton-saxophone - Downloads Resources over HTTP
• CVE-2016-10637 - haxe-dev - Downloads Resources over HTTP
• CVE-2016-10633 - dwebp-bin - Downloads Resources over HTTP
• CVE-2016-10639 - redis-srvr - Downloads Resources over HTTP
• CVE-2016-10644 - slimerjs-edge - Downloads Resources over HTTP
• CVE-2016-10643 - jstestdriver - Downloads Resources over HTTP
• CVE-2016-10651 - webdriver-launcher - Downloads Resources over HTTP
• CVE-2016-10648 - marionette-socket-host - Downloads Resources over HTTP
• CVE-2016-10653 - xd-testing - Downloads Resources over HTTP
• CVE-2016-10664 - mystem - Downloads Resources over HTTP
• CVE-2016-10658 - native-opencv - Downloads Resources over HTTP
• CVE-2016-10660 - fis-parser-sass-bin - Downloads Resources over HTTP
• CVE-2016-10675 - libsbmlsim - Downloads Resources over HTTP
• CVE-2016-10678 - serc.js - Downloads Resources over HTTP
• CVE-2016-10673 - ipip-coffee - Downloads Resources over HTTP
• CVE-2016-10670 - windows-seleniumjar-mirror - Downloads Resources over HTTP
• CVE-2016-10687 - windows-selenium-chromedriver - Downloads Resources over HTTP
• CVE-2016-10685 - pk-app-wonderbox - Downloads Resources over HTTP
• CVE-2016-10681 - roslib-socketio - Downloads Resources over HTTP
• CVE-2016-10696 - windows-latestchromedriver - Downloads Resources over HTTP
• CVE-2016-10690 - openframe-ascii-image - Downloads Resources over HTTP
• CVE-2016-10692 - haxeshim - Downloads Resources over HTTP
• CVE-2016-10698 - mystem-fix - Downloads Resources over HTTP
• CVE-2016-10581 - steroids - Downloads Resources over HTTP

2015

• CVE-2015-8855 - semver - Regular Expression Denial of Service
• CVE-2015-9239 - ansi2html - Regular Expression Denial of Service
• CVE-2015-8315 - ms - Regular Expression Denial of Service
• CVE-2015-8858 - uglify-js - Regular Expression Denial of Service
• CVE-2015-9241 - hapi - Denial of Service

2014

• CVE-2014-0030 - Apache Roller XML-RPC susceptible to XXE Attacks
• CVE-2014-10066 - fancy-server - Directory Traversal
• CVE-2014-1850,CVE-2014-3743 - marked - Multiple Content Injection Vulnerabilities
• CVE-2014-3741 - printer - Potential Command Injection
• CVE-2014-10065 - remarkable - Content Injection
• CVE-2014-8881 - bleach - Regular Expression Denial of Service

2013

• CVE-2013-7381 - libnotify - Potential Command Injection
• CVE-2013-7379 - tomato - API Admin Auth Weakness

2012

• npm Registry sha password exposure
• OpenFire Code Execution
• Nagios Enterprise Config Manager Log Persistent XSS
• Nagios Enterprise XIWindow Reflected XSS
• Pandora FMS 4.0.2 System Audit Log XSS

2010

• MiFi Geopwn - Sprint / Verizon MiFi geo location theft
• CVE-2010-4534 - Django admin interface sensitive data exposure
• CVE-2010-0713 - Zenoss Multiple Admin CSRF
• CVE-2010-0712 - Zenoss before 2.5 Multiple SQLi
• CVE-2010-2290 - McAfee UTM Firewall Reflected Cross-Site Scripting (XSS)
• Nagios XI users.php SQL Injection
• Spiceworks Multiple Vulnerabilities (XSS & CSRF)
• JForum 2.1.8 findUser reflected XSS
• JForum 2.1.8 bookmarks CSRF & XSS

2009

• CVE-2009-1027 - OpenCart Order By Blind SQL Injection
• CVE-2009-1070 - ExpressionEngine Persistent Cross-Site Scripting
• Zabbix Multiple Frontend CSRF (RCE)
• CVE-2009-2361 - osTicket Admin Login Blind SQL Injection
• CVE-2009-3427 - Ticket Subject Persistent XSS in Kayako SupportSuite
• Open-Realty SQL Injection

2008

• Encompass Web PACS Forced Browsing Vulnerability
• Open-Realty Multiple XSS Vulnerabilities

2006

• SYMSA1095 - Symantec Security Information Manager Authentication bypass
• Symantec Enterprise Firewall Privilege Escalation
• CVE-2006-4092 - Simpliciti Locked Browser Jail Breakout Vulnerability

2005

• CVE-2005-1204 - Neslo Desktop Rover DoS
• University of Phoenix - Outlook Express Unauthorized Configuration Manipulation
• JohnyTech Encrypted Messenger DoS