npm
3,968 tracked vulnerabilities.
CVE | Severity | Title | Published | CVSS | EPSS
CVE-2026-40045 | MEDIUM | OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway Endpoints | Apr 21, 2026 | 5.7 | 0.00
CVE-2026-41389 | MEDIUM | OpenClaw 2026.4.7 < 2026.4.15 - Arbitrary File Read via Unvalidated Tool-Result Media Paths | Apr 20, 2026 | 5.8 | 0.00
CVE-2026-41242 | CRITICAL | protobufjs has an arbitrary code execution issue | Apr 18, 2026 | 9.8 | 0.00
CVE-2026-40299 | MEDIUM | next-intl has an open redirect vulnerability | Apr 17, 2026 | | 0.00
CVE-2026-39313 | HIGH | MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport | Apr 16, 2026 | | 0.00
CVE-2026-40186 | MEDIUM | ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements | Apr 15, 2026 | 6.1 | 0.00
CVE-2026-39857 | MEDIUM | Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions | Apr 15, 2026 | 5.3 | 0.00
CVE-2026-35569 | HIGH | ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS | Apr 15, 2026 | 8.7 | 0.00
CVE-2026-33889 | MEDIUM | ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context | Apr 15, 2026 | 5.4 | 0.00
CVE-2026-33888 | MEDIUM | ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API | Apr 15, 2026 | 5.3 | 0.00
CVE-2026-33877 | LOW | ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint | Apr 15, 2026 | 3.7 | 0.00
CVE-2026-5758 | MEDIUM | Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution | Apr 15, 2026 | 6.5 | 0.00
CVE-2026-39884 | HIGH | MCP Server Kubernetes has Argument Injection in its port_forward tool via space-splitting | Apr 15, 2026 | 8.3 | 0.00
CVE-2026-33806 | HIGH | fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header | Apr 15, 2026 | 7.5 | 0.00
CVE-2026-6216 | LOW | DbGate SVG Icon String FontIcon.svelte cross site scripting | Apr 13, 2026 | 3.5 | 0.00
CVE-2026-28291 | HIGH | simple-git has Command Execution via Option-Parsing Bypass | Apr 13, 2026 | 8.1 | 0.00
CVE-2026-40190 | MEDIUM | LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()` | Apr 10, 2026 | 5.6 | 0.00
CVE-2026-40175 | MEDIUM | Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain | Apr 10, 2026 | 4.8 | 0.00
CVE-2026-35670 | MEDIUM | OpenClaw < 2026.3.22 - Webhook Reply Rebinding via Username Resolution in Synology Chat | Apr 10, 2026 | 5.9 | 0.00
CVE-2026-35669 | HIGH | OpenClaw < 2026.3.25 - Privilege Escalation via Gateway Plugin HTTP Authentication Scope | Apr 10, 2026 | 8.8 | 0.00
CVE-2026-35668 | HIGH | OpenClaw < 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters | Apr 10, 2026 | 7.7 | 0.00
CVE-2026-35667 | MEDIUM | OpenClaw < 2026.3.24 - Improper Process Termination via Unpatched killProcessTree in shell-utils.ts | Apr 10, 2026 | 6.1 | 0.00
CVE-2026-35666 | HIGH | OpenClaw < 2026.3.22 - Allowlist Bypass via Unregistered Time Dispatch Wrapper | Apr 10, 2026 | 8.8 | 0.00
CVE-2026-35665 | MEDIUM | OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing | Apr 10, 2026 | 5.3 | 0.00
CVE-2026-35664 | MEDIUM | OpenClaw < 2026.3.25 - DM Pairing Bypass via Legacy Card Callbacks | Apr 10, 2026 | 5.3 | 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12