npm

4,193 tracked vulnerabilities.

CVE-2026-44288 MEDIUM
protobufjs: Overlong UTF-8 decoding
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-42290 HIGH
protobufjs-cli: OS Command Injection
May 13, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-44240 HIGH
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44232 HIGH
dssrf: every IPv6 category bypasses is_url_safe
May 12, 2026
EPSS 0.00
CVE-2026-44217 MEDIUM
sse-channel: SSE Injection via unsanitized event fields
May 12, 2026
EPSS 0.00
CVE-2026-42338 MEDIUM
ip-address: XSS in Address6 HTML-emitting methods
May 12, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-43929 HIGH
ssrfcheck: Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
May 12, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-42260 HIGH
Open-WebSearch: SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`
May 12, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-45091 CRITICAL
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
May 12, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-43930 MEDIUM
Parse Server: MFA SMS one-time password accepted twice under concurrent login
May 12, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-8162 HIGH
multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-8161 HIGH
multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-8159 HIGH
multiparty vulnerable to ReDoS via filename parsing
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-6402 MEDIUM
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
May 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-43897 HIGH
Link Preview JS: vunerable to IPv6 and internal loopback attacks
May 11, 2026
EPSS 0.00
CVE-2026-43893 HIGH
exiftool-vendored: Argument injection via newline characters in tag names
May 11, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-45005 MEDIUM
OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation
May 11, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-45004 HIGH
OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory
May 11, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-45003 MEDIUM
OpenClaw < 2026.4.22 - Connector Endpoint Host Override via Workspace dotenv Files
May 11, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-45002 MEDIUM
OpenClaw < 2026.4.20 - Hook Session-Key Bypass via Template Mapping
May 11, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44999 MEDIUM
OpenClaw < 2026.4.20 - Improper Trust Labeling in Isolated Cron Awareness Events
May 11, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44997 MEDIUM
OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions
May 11, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44995 HIGH
OpenClaw < 2026.4.20 - Arbitrary Code Execution via MCP stdio Environment Variables
May 11, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-44992 MEDIUM
OpenClaw 2026.4.5 < 2026.4.20 - MiniMax API Host Override via Workspace dotenv
May 11, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-44991 MEDIUM
OpenClaw < 2026.4.21 - Authorization Bypass in Owner-Enforced Commands via Wildcard Channel Senders
May 11, 2026
CVSS 4.2
EPSS 0.00