npm

4,193 tracked vulnerabilities.

CVE-2026-42436 HIGH
OpenClaw < 2026.4.14 - Internal Page Content Exposure via Browser Snapshot and Screenshot Routes
May 05, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-42435 HIGH
OpenClaw 2026.2.22 < 2026.4.12 - Shell-Wrapper Detection Bypass via Environment Variable Assignment Injection
May 05, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42434 HIGH
OpenClaw 2026.4.5 < 2026.4.10 - Sandbox Escape via host Parameter Override in Exec Routing
May 05, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42433 MEDIUM
OpenClaw < 2026.4.10 - Unauthorized Matrix Profile Config Persistence Access via operator.write Message Tools
May 05, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-6322 HIGH
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
May 05, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-43870 HIGH
Apache Thrift: Node.js web_server.js multi-vulnerability
May 05, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-6321 HIGH
fast-uri vulnerable to path traversal via percent-encoded dot segments
May 04, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-42237 HIGH
n8n: SQL Injection in Snowflake and MySQL Nodes
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42236 HIGH
n8n: Unauthenticated Denial of Service via MCP Client Registration
May 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42235 CRITICAL
n8n: XSS via MCP OAuth client
May 04, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-42234 HIGH
n8n: Python Task Runner Sandbox Escape
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42233 CRITICAL
n8n: SQL Injection in Oracle Database Node via Limit Field
May 04, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-42232 HIGH
n8n: XML Node Prototype Pollution to RCE
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42231 HIGH
n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE
May 04, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-42230 MEDIUM
n8n: Open Redirect in MCP OAuth Consent Flow
May 04, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-42229 HIGH
n8n: SQL Injection in SeaTable Node
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42228 MEDIUM
n8n: Hijacking of Unauthenticated Chat Execution
May 04, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42227 MEDIUM
n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure
May 04, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42226 HIGH
n8n: Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay
May 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-26956 CRITICAL
vm2: WASM Sandbox Escape (Node 25 only)
May 04, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-26332 CRITICAL
vm2: Sandbox Escape
May 04, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-24781 CRITICAL
vm2: Sandbox Breakout Through Inspect
May 04, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-24120 CRITICAL
vm2: Sandbox Breakout Through Promise Species
May 04, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-24118 CRITICAL
VM2 Sandbox Breakout Through __lookupGetter__
May 04, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-7645 MEDIUM
ruvnet sublinear-time-solver MCP server.js export_state path traversal
May 02, 2026
CVSS 6.5
EPSS 0.00