npm
4,193 tracked vulnerabilities.
CVE-2026-42436
HIGH
OpenClaw < 2026.4.14 - Internal Page Content Exposure via Browser Snapshot and Screenshot Routes
May 05, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-42435
HIGH
OpenClaw 2026.2.22 < 2026.4.12 - Shell-Wrapper Detection Bypass via Environment Variable Assignment Injection
May 05, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42434
HIGH
OpenClaw 2026.4.5 < 2026.4.10 - Sandbox Escape via host Parameter Override in Exec Routing
May 05, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42433
MEDIUM
OpenClaw < 2026.4.10 - Unauthorized Matrix Profile Config Persistence Access via operator.write Message Tools
May 05, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-6322
HIGH
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
May 05, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-43870
HIGH
Apache Thrift: Node.js web_server.js multi-vulnerability
May 05, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-6321
HIGH
fast-uri vulnerable to path traversal via percent-encoded dot segments
May 04, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-42237
HIGH
n8n: SQL Injection in Snowflake and MySQL Nodes
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42236
HIGH
n8n: Unauthenticated Denial of Service via MCP Client Registration
May 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42235
CRITICAL
n8n: XSS via MCP OAuth client
May 04, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-42234
HIGH
n8n: Python Task Runner Sandbox Escape
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42233
CRITICAL
n8n: SQL Injection in Oracle Database Node via Limit Field
May 04, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-42232
HIGH
n8n: XML Node Prototype Pollution to RCE
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42231
HIGH
n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE
May 04, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-42230
MEDIUM
n8n: Open Redirect in MCP OAuth Consent Flow
May 04, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-42229
HIGH
n8n: SQL Injection in SeaTable Node
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42228
MEDIUM
n8n: Hijacking of Unauthenticated Chat Execution
May 04, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42227
MEDIUM
n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure
May 04, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42226
HIGH
n8n: Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay
May 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-26956
CRITICAL
vm2: WASM Sandbox Escape (Node 25 only)
May 04, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-26332
CRITICAL
vm2: Sandbox Escape
May 04, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-24781
CRITICAL
vm2: Sandbox Breakout Through Inspect
May 04, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-24120
CRITICAL
vm2: Sandbox Breakout Through Promise Species
May 04, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-24118
CRITICAL
VM2 Sandbox Breakout Through __lookupGetter__
May 04, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-7645
MEDIUM
ruvnet sublinear-time-solver MCP server.js export_state path traversal
May 02, 2026
CVSS 6.5
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters