npm
4,193 tracked vulnerabilities.
CVE-2026-7600
MEDIUM
ArtMin96 yii2-mcp-server MCP index.ts yii_execute_command os command injection
May 02, 2026
CVSS 6.3
EPSS 0.01
CVE-2026-7446
HIGH
VetCoders mcp-server-semgrep MCP index.ts create_rule os command injection
Apr 30, 2026
CVSS 7.3
EPSS 0.01
CVE-2026-42615
HIGH
GCHQ CyberChef < 11.0.0 - Cross-Site Scripting via Show Base64 Offsets
Apr 29, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-42432
HIGH
OpenClaw < 2026.4.8 - Command Escalation via Node Pairing Reconnect Bypass
Apr 28, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-42431
HIGH
OpenClaw < 2026.4.8 - Persistent Profile Mutation via node.invoke(browser.proxy) Bypass
Apr 28, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-42430
MEDIUM
OpenClaw < 2026.4.8 - Strict Browser SSRF Bypass via Playwright Redirect Handling
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42429
HIGH
OpenClaw < 2026.4.8 - Privilege Escalation via Gateway Plugin HTTP Authentication
Apr 28, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-42428
HIGH
OpenClaw < 2026.4.8 - Missing Integrity Verification in Package Downloads
Apr 28, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-42427
MEDIUM
OpenClaw < 2026.4.8 - Remote Code Execution via Build Tool Environment Variable Injection
Apr 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-42426
HIGH
OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope
Apr 28, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42424
MEDIUM
OpenClaw < 2026.4.8 - Local File Exfiltration via Shared Reply MEDIA Paths
Apr 28, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-42423
HIGH
OpenClaw < 2026.4.8 - strictInlineEval Approval Boundary Bypass via Approval-Timeout Fallback
Apr 28, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42422
HIGH
OpenClaw < 2026.4.8 - Role Bypass in device.token.rotate Function
Apr 28, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42421
MEDIUM
OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-42420
MEDIUM
OpenClaw < 2026.4.8 - Improper Base64 Decoding Size Validation
Apr 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41916
MEDIUM
OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41915
MEDIUM
OpenClaw < 2026.4.8 - Git Environment Variable Injection via Unfiltered Exec Environment
Apr 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41914
HIGH
OpenClaw < 2026.4.8 - Server-Side Request Forgery in QQ Bot Media Fetch Paths
Apr 28, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-41913
LOW
OpenClaw < 2026.4.4 - Rate-Limit Bypass via Concurrent Async Authentication Attempts
Apr 28, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-41912
HIGH
OpenClaw < 2026.4.8 - Server-Side Request Forgery Policy Bypass via Interaction-Triggered Navigation
Apr 28, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-41911
MEDIUM
OpenClaw < 2026.4.8 - Workspace-Only Filesystem Policy Bypass via docx upload_file/upload_image
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41910
MEDIUM
OpenClaw < 2026.4.8 - Missing Owner-Only Enforcement in /allowlist Cross-Channel Writes
Apr 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41408
MEDIUM
OpenClaw < 2026.3.31 - Disk Exhaustion via Media Download Bypass
Apr 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41407
LOW
OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison
Apr 28, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-41406
MEDIUM
OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Thread History and Quoted Messages
Apr 28, 2026
CVSS 5.4
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters