npm
4,193 tracked vulnerabilities.
CVE-2026-44288
MEDIUM
protobufjs: Overlong UTF-8 decoding
May 13, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-42290
HIGH
protobufjs-cli: OS Command Injection
May 13, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-44240
HIGH
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44232
HIGH
dssrf: every IPv6 category bypasses is_url_safe
May 12, 2026
EPSS 0.00
CVE-2026-44217
MEDIUM
sse-channel: SSE Injection via unsanitized event fields
May 12, 2026
EPSS 0.00
CVE-2026-42338
MEDIUM
ip-address: XSS in Address6 HTML-emitting methods
May 12, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-43929
HIGH
ssrfcheck: Server-Side Request Forgery (SSRF) and Incomplete List of Disallowed Inputs
May 12, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-42260
HIGH
Open-WebSearch: SSRF in `fetchWebContent` MCP tool: bracketed IPv6 literals and non-resolving hostname check bypass `isPrivateOrLocalHostname`
May 12, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-45091
CRITICAL
sealed-env: TOTP secret embedded in unseal token payload (enterprise mode)
May 12, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-43930
MEDIUM
Parse Server: MFA SMS one-time password accepted twice under concurrent login
May 12, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-8162
HIGH
multiparty vulnerable to Denial of Service via Uncaught Exception in filename* parameter parsing
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-8161
HIGH
multiparty vulnerable to Denial of Service via Prototype Pollution leading to Uncaught Exception
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-8159
HIGH
multiparty vulnerable to ReDoS via filename parsing
May 12, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-6402
MEDIUM
webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
May 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-43897
HIGH
Link Preview JS: vunerable to IPv6 and internal loopback attacks
May 11, 2026
EPSS 0.00
CVE-2026-43893
HIGH
exiftool-vendored: Argument injection via newline characters in tag names
May 11, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-45005
MEDIUM
OpenClaw < 2026.4.23 - Webhook Route Secret Cache Not Invalidated After Rotation
May 11, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-45004
HIGH
OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory
May 11, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-45003
MEDIUM
OpenClaw < 2026.4.22 - Connector Endpoint Host Override via Workspace dotenv Files
May 11, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-45002
MEDIUM
OpenClaw < 2026.4.20 - Hook Session-Key Bypass via Template Mapping
May 11, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44999
MEDIUM
OpenClaw < 2026.4.20 - Improper Trust Labeling in Isolated Cron Awareness Events
May 11, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-44997
MEDIUM
OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions
May 11, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-44995
HIGH
OpenClaw < 2026.4.20 - Arbitrary Code Execution via MCP stdio Environment Variables
May 11, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-44992
MEDIUM
OpenClaw 2026.4.5 < 2026.4.20 - MiniMax API Host Override via Workspace dotenv
May 11, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-44991
MEDIUM
OpenClaw < 2026.4.21 - Authorization Bypass in Owner-Enforced Commands via Wildcard Channel Senders
May 11, 2026
CVSS 4.2
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters