npm: 3,968 tracked vulnerabilities.
CVE | Severity | Title | Date | CVSS | EPSS
CVE-2026-35663 | HIGH | OpenClaw < 2026.3.25 - Privilege Escalation via Backend Reconnect Scope Self-Claim | Apr 10, 2026 | 8.8 | 0.00
CVE-2026-35662 | MEDIUM | OpenClaw < 2026.3.22 - Missing controlScope Enforcement in Send Action | Apr 10, 2026 | 4.3 | 0.00
CVE-2026-35661 | MEDIUM | OpenClaw < 2026.3.25 - Telegram DM-Scoped Inline Button Callback Authorization Bypass | Apr 10, 2026 | 5.3 | 0.00
CVE-2026-35660 | HIGH | OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset | Apr 10, 2026 | 8.1 | 0.00
CVE-2026-35659 | MEDIUM | OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery | Apr 10, 2026 | 4.6 | 0.00
CVE-2026-35658 | MEDIUM | OpenClaw < 2026.3.2 - Filesystem Boundary Bypass in Image Tool | Apr 10, 2026 | 6.5 | 0.00
CVE-2026-35657 | MEDIUM | OpenClaw < 2026.3.25 - Authorization Bypass in HTTP Session History Route | Apr 10, 2026 | 6.5 | 0.00
CVE-2026-35656 | MEDIUM | OpenClaw < 2026.3.22 - XFF Loopback Spoofing Bypass in Canvas Authentication and Rate Limiter | Apr 10, 2026 | 6.5 | 0.00
CVE-2026-35655 | MEDIUM | OpenClaw < 2026.3.22 - Identity Spoofing via rawInput Tool in ACP Permission Resolution | Apr 10, 2026 | 5.7 | 0.00
CVE-2026-35654 | MEDIUM | OpenClaw < 2026.3.25 - Authorization Bypass in Microsoft Teams Feedback Invoke | Apr 10, 2026 | 5.3 | 0.00
CVE-2026-35653 | HIGH | OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request | Apr 10, 2026 | 8.1 | 0.00
CVE-2026-35652 | MEDIUM | OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch | Apr 10, 2026 | 6.5 | 0.00
CVE-2026-35651 | MEDIUM | OpenClaw 2026.2.13 < 2026.3.25 - ANSI Escape Sequence Injection in Approval Prompt | Apr 10, 2026 | 4.3 | 0.00
CVE-2026-35650 | HIGH | OpenClaw < 2026.3.22 - Environment Variable Override Bypass via Inconsistent Sanitization | Apr 10, 2026 | 7.5 | 0.00
CVE-2026-35649 | MEDIUM | OpenClaw < 2026.3.22 - Settings Reconciliation Bypass via Empty Allowlist | Apr 10, 2026 | 6.5 | 0.00
CVE-2026-35648 | LOW | OpenClaw < 2026.3.22 - Policy Bypass via Unvalidated Queued Node Actions | Apr 10, 2026 | 3.7 | 0.00
CVE-2026-35647 | MEDIUM | OpenClaw < 2026.3.25 - Direct Message Policy Bypass via Verification Notices | Apr 10, 2026 | 5.3 | 0.00
CVE-2026-35643 | HIGH | OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface | Apr 10, 2026 | 8.8 | 0.00
CVE-2026-35641 | HIGH | OpenClaw < 2026.3.24 - Arbitrary Code Execution via .npmrc in Local Plugin/Hook Installation | Apr 10, 2026 | 7.8 | 0.00
CVE-2026-35621 | MEDIUM | OpenClaw < 2026.3.24 - Privilege Escalation via chat.send to Allowlist Persistence | Apr 10, 2026 | 6.5 | 0.00
CVE-2026-35620 | MEDIUM | OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands | Apr 10, 2026 | 5.4 | 0.00
CVE-2026-35619 | MEDIUM | OpenClaw < 2026.3.24 - Authorization Bypass via HTTP /v1/models Endpoint | Apr 10, 2026 | 4.3 | 0.00
CVE-2026-6011 | MEDIUM | OpenClaw assertPublicHostname web-fetch.ts server-side request forgery | Apr 10, 2026 | 5.6 | 0.00
CVE-2026-5986 | MEDIUM | Zod jsVideoUrlParser util.js getTime ReDoS | Apr 09, 2026 | 5.3 | 0.00
CVE-2026-35646 | MEDIUM | OpenClaw < 2026.3.25 - Pre-Authentication Rate-Limit Bypass in Webhook Token Validation | Apr 09, 2026 | 4.8 | 0.00
Products (tracked vulnerability count per package)
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12