npm
3,968 tracked vulnerabilities.
CVE-2026-41342
HIGH
OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding
Apr 23, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-41341
MEDIUM
OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension
Apr 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41339
MEDIUM
OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot
Apr 23, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41337
MEDIUM
OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41336
HIGH
OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override
Apr 23, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41335
MEDIUM
OpenClaw < 2026.3.31 - Information Disclosure via Control UI Bootstrap JSON
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41333
LOW
OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken
Apr 23, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-41332
MEDIUM
OpenClaw < 2026.3.28 - Code Execution via Missing Environment Variable Blocklist
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41274
CRITICAL
Flowise: Cypher Injection in GraphCypherQAChain
Apr 23, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-41279
HIGH
Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials
Apr 23, 2026
EPSS 0.00
CVE-2026-41278
HIGH
Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs
Apr 23, 2026
EPSS 0.00
CVE-2026-41277
HIGH
Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
Apr 23, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-41276
CRITICAL
Flowise: AccountService resetPassword Authentication Bypass Vulnerability
Apr 23, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-41275
HIGH
Flowise: Password Reset Link Sent Over Unsecured HTTP
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41273
HIGH
Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow
Apr 23, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-41272
HIGH
Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41271
HIGH
Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41270
HIGH
Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41269
HIGH
Flowise: File Upload Validation Bypass in createAttachment
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41268
HIGH
Flowise: Flowise Parameter Override Bypass Remote Command Execution
Apr 23, 2026
CVSS 7.7
EPSS 0.01
CVE-2026-41267
HIGH
Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
Apr 23, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-41266
HIGH
Flowise: Sensitive Data Leak in public-chatbotConfig
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41265
CRITICAL
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
Apr 23, 2026
EPSS 0.00
CVE-2026-41264
CRITICAL
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
Apr 23, 2026
EPSS 0.00
CVE-2026-41138
HIGH
Flowise AirtableAgent.ts - Pandas Code Injection RCE
Apr 23, 2026
CVSS 8.8
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12