npm
3,968 tracked vulnerabilities.
| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-41137 | CRITICAL | Flowise: Code Injection in CSVAgent leads to Authenticated RCE | Apr 23, 2026 | not listed | 0.00 |
| CVE-2026-41908 | MEDIUM | OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route | Apr 23, 2026 | 4.3 | 0.00 |
| CVE-2026-41240 | MEDIUM | DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix) | Apr 23, 2026 | 6.1 | 0.00 |
| CVE-2026-41239 | MEDIUM | DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode | Apr 23, 2026 | 6.8 | 0.00 |
| CVE-2026-41238 | MEDIUM | DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback | Apr 23, 2026 | 6.9 | 0.00 |
| CVE-2026-41679 | CRITICAL | Paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass | Apr 23, 2026 | 10.0 | 0.01 |
| CVE-2026-41211 | CRITICAL | `vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME` | Apr 23, 2026 | 10.0 | 0.00 |
| CVE-2026-41182 | MEDIUM | LangSmith SDK: Streaming token events bypass output redaction | Apr 23, 2026 | 5.3 | 0.00 |
| CVE-2026-41180 | HIGH | PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart | Apr 23, 2026 | 7.5 | 0.00 |
| CVE-2026-6874 | MEDIUM | ericc-ch copilot-api Header token DNS rebinding | Apr 23, 2026 | 4.3 | 0.00 |
| CVE-2026-40931 | HIGH | Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing | Apr 21, 2026 | 8.4 | 0.00 |
| CVE-2026-39320 | HIGH | Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths | Apr 21, 2026 | 7.5 | 0.00 |
| CVE-2026-41331 | MEDIUM | OpenClaw < 2026.3.31 - Resource Consumption via Unauthorized Telegram Audio Preflight Transcription | Apr 21, 2026 | 5.3 | 0.00 |
| CVE-2026-41330 | MEDIUM | OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy | Apr 21, 2026 | 4.4 | 0.00 |
| CVE-2026-41329 | CRITICAL | OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation | Apr 21, 2026 | 9.9 | 0.00 |
| CVE-2026-41303 | HIGH | OpenClaw < 2026.3.28 - Authorization Bypass in Discord Text Approval Commands | Apr 21, 2026 | 8.8 | 0.00 |
| CVE-2026-41302 | HIGH | OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace Plugin Download | Apr 21, 2026 | 7.6 | 0.00 |
| CVE-2026-41301 | MEDIUM | OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass | Apr 21, 2026 | 5.3 | 0.00 |
| CVE-2026-41300 | MEDIUM | OpenClaw < 2026.3.31 - Attacker-Discovered Endpoint Preservation in Remote Onboarding | Apr 21, 2026 | 6.5 | 0.00 |
| CVE-2026-41299 | HIGH | OpenClaw < 2026.3.28 - Client Identity Spoofing in chat.send Gateway Provenance Guard | Apr 21, 2026 | 7.1 | 0.00 |
| CVE-2026-41298 | MEDIUM | OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint | Apr 21, 2026 | 5.4 | 0.00 |
| CVE-2026-41297 | HIGH | OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect | Apr 21, 2026 | 7.6 | 0.00 |
| CVE-2026-41296 | HIGH | OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile | Apr 21, 2026 | 8.2 | 0.00 |
| CVE-2026-41295 | HIGH | OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in Channel Setup | Apr 21, 2026 | 7.8 | 0.00 |
| CVE-2026-41294 | HIGH | OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File | Apr 21, 2026 | 8.6 | 0.00 |
Products

| Product | Count |
|---|---|
| openclaw | 393 |
| parse-server | 92 |
| n8n | 62 |
| directus | 53 |
| electron | 48 |
| flowise | 48 |
| next | 47 |
| vm2 | 32 |
| hono | 25 |
| nocodb | 25 |
| axios | 24 |
| undici | 22 |
| ghost | 21 |
| vite | 19 |
| astro | 17 |
| ckeditor4 | 15 |
| fuxa-server | 15 |
| jspdf | 15 |
| tar | 15 |
| joplin | 14 |
| nodebb | 14 |
| sequelize | 14 |
| tinymce | 14 |
| flowise-components | 13 |
| signalk-server | 13 |
| angular | 12 |
| dompurify | 12 |
| handlebars | 12 |
| jsrsasign | 12 |
| matrix-js-sdk | 12 |