npm
4,193 tracked vulnerabilities.
CVE-2026-41501
CRITICAL
electerm has Command Injection Vulnerability via runLinux function
May 08, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-41500
CRITICAL
electerm has Command Injection Vulnerability via runMac function
May 08, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-8115
MEDIUM
gyoridavid short-video-maker REST API rest.ts path traversal
May 07, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-42449
HIGH
n8n-MCP: IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders
May 07, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-42047
HIGH
Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods
May 07, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-41692
MEDIUM
i18nextify is vulnerable to DOM XSS via javascript:/data: URL schemes in translated href/src attributes
May 07, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-41691
MEDIUM
i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
May 07, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41650
MEDIUM
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
May 07, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-41139
HIGH
Unsafe array index getter in mathjs
May 07, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-41675
HIGH
xmldom: XML node injection through unvalidated processing instruction serialization
May 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41674
HIGH
xmldom: XML injection through unvalidated DocumentType serialization
May 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41673
HIGH
xmldom: Denial of service via uncontrolled recursion in XML serialization
May 07, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-41672
HIGH
xmldom: XML node injection through unvalidated comment serialization
May 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44118
HIGH
OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header
May 06, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-44117
MEDIUM
OpenClaw < 2026.4.20 - Server-Side Request Forgery in QQBot Direct Media Upload
May 06, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-44116
HIGH
OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation
May 06, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-44114
HIGH
OpenClaw < 2026.4.20 - Environment Variable Namespace Collision via Workspace dotenv
May 06, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-44113
HIGH
OpenClaw < 2026.4.22 - Time-of-Check/Time-of-Use Race Condition in OpenShell FS Bridge
May 06, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-44112
CRITICAL
OpenClaw < 2026.4.22 - Symlink Swap Race Condition in OpenShell FS Bridge Writes
May 06, 2026
CVSS 9.6
EPSS 0.02
CVE-2026-44109
CRITICAL
OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation
May 06, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-43585
HIGH
OpenClaw < 2026.4.15 - Bearer Token Validation Bypass via Stale SecretRef Resolution
May 06, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-43584
HIGH
OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec Policy
May 06, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-43583
MEDIUM
OpenClaw 2026.4.10 < 2026.4.14 - Loss of Group Tool-Policy Context in Delivery Queue Recovery
May 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-43582
MEDIUM
OpenClaw < 2026.4.10 - DNS Rebinding SSRF via Hostname Validation Bypass
May 06, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-43580
HIGH
OpenClaw < 2026.4.10 - Incomplete Navigation Guard Coverage in Browser Interactions
May 06, 2026
CVSS 7.7
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters