npm

4,193 tracked vulnerabilities.

CVE-2026-41501 CRITICAL
electerm has Command Injection Vulnerability via runLinux function
May 08, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-41500 CRITICAL
electerm has Command Injection Vulnerability via runMac function
May 08, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-8115 MEDIUM
gyoridavid short-video-maker REST API rest.ts path traversal
May 07, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-42449 HIGH
n8n-MCP: IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders
May 07, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-42047 HIGH
Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods
May 07, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-41692 MEDIUM
i18nextify is vulnerable to DOM XSS via javascript:/data: URL schemes in translated href/src attributes
May 07, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-41691 MEDIUM
i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns
May 07, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41650 MEDIUM
fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters
May 07, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-41139 HIGH
Unsafe array index getter in mathjs
May 07, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-41675 HIGH
xmldom: XML node injection through unvalidated processing instruction serialization
May 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41674 HIGH
xmldom: XML injection through unvalidated DocumentType serialization
May 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41673 HIGH
xmldom: Denial of service via uncontrolled recursion in XML serialization
May 07, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-41672 HIGH
xmldom: XML node injection through unvalidated comment serialization
May 07, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-44118 HIGH
OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header
May 06, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-44117 MEDIUM
OpenClaw < 2026.4.20 - Server-Side Request Forgery in QQBot Direct Media Upload
May 06, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-44116 HIGH
OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation
May 06, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-44114 HIGH
OpenClaw < 2026.4.20 - Environment Variable Namespace Collision via Workspace dotenv
May 06, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-44113 HIGH
OpenClaw < 2026.4.22 - Time-of-Check/Time-of-Use Race Condition in OpenShell FS Bridge
May 06, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-44112 CRITICAL
OpenClaw < 2026.4.22 - Symlink Swap Race Condition in OpenShell FS Bridge Writes
May 06, 2026
CVSS 9.6
EPSS 0.02
CVE-2026-44109 CRITICAL
OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation
May 06, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-43585 HIGH
OpenClaw < 2026.4.15 - Bearer Token Validation Bypass via Stale SecretRef Resolution
May 06, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-43584 HIGH
OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec Policy
May 06, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-43583 MEDIUM
OpenClaw 2026.4.10 < 2026.4.14 - Loss of Group Tool-Policy Context in Delivery Queue Recovery
May 06, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-43582 MEDIUM
OpenClaw < 2026.4.10 - DNS Rebinding SSRF via Hostname Validation Bypass
May 06, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-43580 HIGH
OpenClaw < 2026.4.10 - Incomplete Navigation Guard Coverage in Browser Interactions
May 06, 2026
CVSS 7.7
EPSS 0.00