npm
3,968 tracked vulnerabilities.
| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-41384 | HIGH | OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend | Apr 28, 2026 | 7.8 | 0.00 |
| CVE-2026-41383 | HIGH | OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths | Apr 28, 2026 | 8.1 | 0.00 |
| CVE-2026-41382 | MEDIUM | OpenClaw < 2026.3.31 - Discord Voice Ingress Authorization Bypass via Channel and Role Validation Gaps | Apr 28, 2026 | 5.4 | 0.00 |
| CVE-2026-41381 | MEDIUM | OpenClaw < 2026.3.31 - Access Control Bypass in Discord Voice Manager via Channel Allowlist | Apr 28, 2026 | 5.4 | 0.00 |
| CVE-2026-41380 | HIGH | OpenClaw < 2026.3.28 - Arbitrary Execution Allowlist via Wrapper Carrier Executables | Apr 28, 2026 | 7.3 | 0.00 |
| CVE-2026-41379 | HIGH | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send to Admin-Class Talk Voice Config | Apr 28, 2026 | 7.1 | 0.00 |
| CVE-2026-41378 | HIGH | OpenClaw < 2026.3.31 - Privilege Escalation to Remote Code Execution via Unrestricted node.event Agent Dispatch | Apr 28, 2026 | 8.8 | 0.00 |
| CVE-2026-41377 | MEDIUM | OpenClaw < 2026.3.31 - Fail-Open Security Scan Bypass in Plugin Installation | Apr 28, 2026 | 4.6 | 0.00 |
| CVE-2026-41376 | MEDIUM | OpenClaw < 2026.3.31 - Matrix Thread Context Allowlist Bypass via Sender Validation | Apr 28, 2026 | 5.4 | 0.00 |
| CVE-2026-41375 | MEDIUM | OpenClaw < 2026.3.28 - Authorization Bypass in /phone arm and /phone disarm Endpoints | Apr 28, 2026 | 6.5 | 0.00 |
| CVE-2026-41374 | MEDIUM | OpenClaw < 2026.3.31 - Resource Consumption via Discord Audio Preflight Before Member Authorization | Apr 28, 2026 | 5.3 | 0.00 |
| CVE-2026-41373 | MEDIUM | OpenClaw < 2026.3.31 - Compiler Binary Substitution via Environment Variable Override in Host Execution Policy | Apr 28, 2026 | 6.1 | 0.00 |
| CVE-2026-41636 | HIGH | Apache Thrift: Node.js skip() recursion | Apr 28, 2026 | 7.5 | 0.00 |
| CVE-2026-41372 | MEDIUM | OpenClaw < 2026.4.2 - Loopback Protection Bypass via Trailing-Dot Localhost in CDP Discovery | Apr 28, 2026 | 5.8 | 0.00 |
| CVE-2026-41369 | MEDIUM | OpenClaw < 2026.3.31 - Insufficient Environment Variable Sanitization in Host Execution | Apr 28, 2026 | 6.5 | 0.00 |
| CVE-2026-41365 | MEDIUM | OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History | Apr 28, 2026 | 5.4 | 0.00 |
| CVE-2026-41364 | HIGH | OpenClaw < 2026.3.31 - Arbitrary File Write via Symlink Following in SSH Sandbox Tar Upload | Apr 28, 2026 | 8.1 | 0.00 |
| CVE-2026-41363 | MEDIUM | OpenClaw 2026.2.6 < 2026.3.28 - Arbitrary File Read via Feishu upload_image Parameter | Apr 28, 2026 | 5.3 | 0.00 |
| CVE-2026-6951 | CRITICAL | simple-git < 3.36.0 - Remote Code Execution via Git Config Option Injection | Apr 25, 2026 | 9.8 | 0.00 |
| CVE-2026-41244 | MEDIUM | Mojic: Observable Timing Discrepancy in HMAC Verification | Apr 24, 2026 | 4.7 | 0.00 |
| CVE-2026-41907 | HIGH | uuid: Missing buffer bounds check in `v3`/`v5`/`v6` when `buf` is provided | Apr 24, 2026 | 7.5 | 0.00 |
| CVE-2026-42044 | MEDIUM | Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver` | Apr 24, 2026 | 6.5 | 0.00 |
| CVE-2026-42043 | HIGH | Axios <1.15.1, <0.31.1 - Auth Bypass | Apr 24, 2026 | 7.2 | 0.00 |
| CVE-2026-42042 | MEDIUM | Axios < 1.15.1 and < 0.31.1 - Cross-Site Request Forgery via withXSRFToken Truthy Value Bypass | Apr 24, 2026 | 5.4 | 0.00 |
| CVE-2026-42041 | MEDIUM | Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy | Apr 24, 2026 | 4.8 | 0.00 |
Products (number of tracked vulnerabilities per package)
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12