npm
4,193 tracked vulnerabilities.
CVE-2026-43576
HIGH
OpenClaw < 2026.4.5 - Second-hop SSRF via CDP /json/version WebSocket URL
May 06, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-23870
HIGH
react-server-dom-webpack 19.0.0-19.0.5, 19.1.0-19.1.6, 19.2.0-19.2.5 - DoS via Crafted HTTP Requests
May 06, 2026
CVSS 7.5
EPSS 0.02
CVE-2026-8026
LOW
FlowiseAI Flowise API Response account.service.ts login information disclosure
May 06, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-43574
MEDIUM
OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists
May 05, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43573
HIGH
OpenClaw < 2026.4.10 - SSRF Policy Bypass in Existing-Session Browser Interaction Routes
May 05, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-43572
MEDIUM
OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler
May 05, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-43571
HIGH
OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Resolution in Channel Setup
May 05, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-43570
MEDIUM
OpenClaw 2026.3.22 < 2026.4.5 - Symlink Traversal in Remote Marketplace Repository Path Handling
May 05, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43569
HIGH
OpenClaw < 2026.4.9 - Untrusted Provider Plugin Auto-enablement via Workspace Provider Auth
May 05, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-43568
MEDIUM
OpenClaw 2026.4.5 < 2026.4.10 - Privilege Escalation via Memory Dreaming Configuration in /dreaming Endpoint
May 05, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43567
MEDIUM
OpenClaw < 2026.4.10 - Path Traversal in screen_record outPath Parameter
May 05, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43566
CRITICAL
OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events
May 05, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-43535
MEDIUM
OpenClaw < 2026.4.14 - Authorization Context Reuse in Collect-Mode Queue Batches
May 05, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-43534
CRITICAL
OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events
May 05, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-43533
HIGH
OpenClaw < 2026.4.10 - Arbitrary Local File Read via QQBot Media Tags
May 05, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-43532
HIGH
OpenClaw 2026.4.7 < 2026.4.10 - Sandbox Media Normalization Bypass via Discord Event Cover Image
May 05, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-43531
HIGH
OpenClaw < 2026.4.9 - Environment Variable Injection via Workspace .env File
May 05, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-43530
HIGH
OpenClaw 2026.2.23 < 2026.4.12 - Weakened Exec Approval Binding via busybox and toybox Applet Execution
May 05, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-43529
LOW
OpenClaw < 2026.4.10 - Time-of-Check-Time-of-Use (TOCTOU) Race Condition in exec Script Preflight Validator
May 05, 2026
CVSS 2.5
EPSS 0.00
CVE-2026-43528
MEDIUM
OpenClaw < 2026.4.14 - Redaction Bypass via sourceConfig and runtimeConfig Aliases
May 05, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43527
HIGH
OpenClaw < 2026.4.14 - Server-Side Request Forgery via Private Network Navigation
May 05, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-43526
HIGH
OpenClaw < 2026.4.12 - Server-Side Request Forgery via QQBot Reply Media URL Handling
May 05, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-42439
HIGH
OpenClaw < 2026.4.10 - SSRF Policy Bypass in Browser Tabs Action Routes
May 05, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-42438
HIGH
OpenClaw 2026.4.9 < 2026.4.10 - Sender Policy Bypass in Host Media Attachment Reads
May 05, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-42437
HIGH
OpenClaw 2026.4.9 < 2026.4.10 - Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path
May 05, 2026
CVSS 7.5
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters