npm

4,193 tracked vulnerabilities.

CVE-2026-7600 MEDIUM
ArtMin96 yii2-mcp-server MCP index.ts yii_execute_command os command injection
May 02, 2026
CVSS 6.3
EPSS 0.01
CVE-2026-7446 HIGH
VetCoders mcp-server-semgrep MCP index.ts create_rule os command injection
Apr 30, 2026
CVSS 7.3
EPSS 0.01
CVE-2026-42615 HIGH
GCHQ CyberChef < 11.0.0 - Cross-Site Scripting via Show Base64 Offsets
Apr 29, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-42432 HIGH
OpenClaw < 2026.4.8 - Command Escalation via Node Pairing Reconnect Bypass
Apr 28, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-42431 HIGH
OpenClaw < 2026.4.8 - Persistent Profile Mutation via node.invoke(browser.proxy) Bypass
Apr 28, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-42430 MEDIUM
OpenClaw < 2026.4.8 - Strict Browser SSRF Bypass via Playwright Redirect Handling
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42429 HIGH
OpenClaw < 2026.4.8 - Privilege Escalation via Gateway Plugin HTTP Authentication
Apr 28, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-42428 HIGH
OpenClaw < 2026.4.8 - Missing Integrity Verification in Package Downloads
Apr 28, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-42427 MEDIUM
OpenClaw < 2026.4.8 - Remote Code Execution via Build Tool Environment Variable Injection
Apr 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-42426 HIGH
OpenClaw < 2026.4.8 - Improper Authorization in node.pair.approve via operator.write Scope
Apr 28, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42424 MEDIUM
OpenClaw < 2026.4.8 - Local File Exfiltration via Shared Reply MEDIA Paths
Apr 28, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-42423 HIGH
OpenClaw < 2026.4.8 - strictInlineEval Approval Boundary Bypass via Approval-Timeout Fallback
Apr 28, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42422 HIGH
OpenClaw < 2026.4.8 - Role Bypass in device.token.rotate Function
Apr 28, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42421 MEDIUM
OpenClaw < 2026.4.8 - WebSocket Session Persistence via Shared Gateway Token Rotation
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-42420 MEDIUM
OpenClaw < 2026.4.8 - Improper Base64 Decoding Size Validation
Apr 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41916 MEDIUM
OpenClaw < 2026.4.8 - Stale Authentication State via Config Reload
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41915 MEDIUM
OpenClaw < 2026.4.8 - Git Environment Variable Injection via Unfiltered Exec Environment
Apr 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41914 HIGH
OpenClaw < 2026.4.8 - Server-Side Request Forgery in QQ Bot Media Fetch Paths
Apr 28, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-41913 LOW
OpenClaw < 2026.4.4 - Rate-Limit Bypass via Concurrent Async Authentication Attempts
Apr 28, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-41912 HIGH
OpenClaw < 2026.4.8 - Server-Side Request Forgery Policy Bypass via Interaction-Triggered Navigation
Apr 28, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-41911 MEDIUM
OpenClaw < 2026.4.8 - Workspace-Only Filesystem Policy Bypass via docx upload_file/upload_image
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41910 MEDIUM
OpenClaw < 2026.4.8 - Missing Owner-Only Enforcement in /allowlist Cross-Channel Writes
Apr 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41408 MEDIUM
OpenClaw < 2026.3.31 - Disk Exhaustion via Media Download Bypass
Apr 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41407 LOW
OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison
Apr 28, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-41406 MEDIUM
OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Thread History and Quoted Messages
Apr 28, 2026
CVSS 5.4
EPSS 0.00