npm
3,968 tracked vulnerabilities.
CVE | Severity | Title | Published | CVSS | EPSS
CVE-2026-42040 | LOW | Axios <1.15.1, <0.31.1 - Info Disclosure | Apr 24, 2026 | 3.7 | 0.00
CVE-2026-42039 | HIGH | Axios: unbounded recursion in toFormData causes DoS via deeply nested request data | Apr 24, 2026 | 7.5 | 0.00
CVE-2026-42038 | MEDIUM | Axios <1.15.1, <0.31.1 - Proxy Bypass | Apr 24, 2026 | 6.8 | 0.00
CVE-2026-42037 | MEDIUM | Axios 1.0.0-1.15.0 - Header Injection | Apr 24, 2026 | 5.3 | 0.00
CVE-2026-42036 | MEDIUM | Axios: HTTP adapter streamed responses bypass maxContentLength | Apr 24, 2026 | 5.3 | 0.00
CVE-2026-42035 | HIGH | Axios: Header Injection via Prototype Pollution | Apr 24, 2026 | 7.4 | 0.00
CVE-2026-42034 | MEDIUM | Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0 | Apr 24, 2026 | 5.3 | 0.00
CVE-2026-42033 | HIGH | Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking | Apr 24, 2026 | 7.4 | 0.00
CVE-2026-41680 | HIGH | Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer | Apr 24, 2026 | 7.5 | 0.00
CVE-2026-41067 | MEDIUM | Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass | Apr 24, 2026 | 6.1 | 0.00
CVE-2026-40897 | HIGH | mathjs 13.1.1-15.1.9 - Remote Code Execution via Expression Parser | Apr 24, 2026 | 8.8 | 0.00
CVE-2026-41324 | HIGH | basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list() | Apr 24, 2026 | 7.5 | 0.00
CVE-2026-41305 | MEDIUM | PostCSS has XSS via Unescaped </style> in its CSS Stringify Output | Apr 24, 2026 | 6.1 | 0.00
CVE-2026-41359 | HIGH | OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence | Apr 23, 2026 | 7.1 | 0.00
CVE-2026-41358 | MEDIUM | OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context | Apr 23, 2026 | 5.4 | 0.00
CVE-2026-41356 | MEDIUM | OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate | Apr 23, 2026 | 5.4 | 0.00
CVE-2026-41355 | HIGH | OpenShell < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion | Apr 23, 2026 | 7.3 | 0.00
CVE-2026-41354 | LOW | OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys | Apr 23, 2026 | 3.7 | 0.00
CVE-2026-41352 | HIGH | OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass | Apr 23, 2026 | 8.8 | 0.00
CVE-2026-41351 | MEDIUM | OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding | Apr 23, 2026 | 5.3 | 0.00
CVE-2026-41348 | MEDIUM | OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands | Apr 23, 2026 | 5.4 | 0.00
CVE-2026-41347 | HIGH | OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints | Apr 23, 2026 | 7.1 | 0.00
CVE-2026-41346 | MEDIUM | OpenClaw 2026.2.26 < 2026.3.31 - Denial of Service via Improper Pending Pairing Request Cap Enforcement | Apr 23, 2026 | 5.3 | 0.00
CVE-2026-41344 | MEDIUM | OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter | Apr 23, 2026 | 5.4 | 0.00
CVE-2026-41343 | MEDIUM | OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency | Apr 23, 2026 | 5.3 | 0.00
Products
Product | Tracked vulnerabilities
openclaw | 393
parse-server | 92
n8n | 62
directus | 53
electron | 48
flowise | 48
next | 47
vm2 | 32
hono | 25
nocodb | 25
axios | 24
undici | 22
ghost | 21
vite | 19
astro | 17
ckeditor4 | 15
fuxa-server | 15
jspdf | 15
tar | 15
joplin | 14
nodebb | 14
sequelize | 14
tinymce | 14
flowise-components | 13
signalk-server | 13
angular | 12
dompurify | 12
handlebars | 12
jsrsasign | 12
matrix-js-sdk | 12