npm
4,193 tracked vulnerabilities.
CVE-2026-41405
HIGH
OpenClaw < 2026.3.31 - Resource Exhaustion via Unauthenticated MS Teams Webhook Body Parsing
Apr 28, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41404
HIGH
OpenClaw < 2026.3.31 - Operator Admin Privilege Escalation via Trusted-Proxy Authentication
Apr 28, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-41403
LOW
OpenClaw < 2026.3.31 - Access Control Bypass via Proxied Remote Request Misclassification
Apr 28, 2026
CVSS 2.9
EPSS 0.00
CVE-2026-41402
MEDIUM
OpenClaw < 2026.3.31 - Webhook Replay Cache Cross-Target messageId Scope Bypass
Apr 28, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-41400
MEDIUM
OpenClaw < 2026.3.31 - Resource Consumption via Oversized WebSocket Frames in voice-call
Apr 28, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-41399
HIGH
OpenClaw < 2026.3.28 - Denial of Service via Unbounded Pre-auth WebSocket Upgrades
Apr 28, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41398
MEDIUM
OpenClaw - Unauthorized Agent Request Dispatch via Untrusted Local-Network Pages in iOS A2UI Bridge
Apr 28, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-41397
MEDIUM
OpenClaw < 2026.3.31 - Sandbox Escape via Unrestricted File Sync and Symlink Traversal
Apr 28, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-41396
HIGH
OpenClaw < 2026.3.31 - Environment Variable Override of Plugin Trust Root
Apr 28, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41395
HIGH
OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3
Apr 28, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41394
HIGH
OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth Routes
Apr 28, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-41393
MEDIUM
OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance and Credential Exfiltration via Wide-Area Discovery
Apr 28, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-41392
MEDIUM
OpenClaw < 2026.3.31 - Exec Allowlist Bypass via Shell Init-File Options
Apr 28, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-41391
MEDIUM
OpenClaw < 2026.3.31 - Environment Variable Bypass in Package Index URL Handling
Apr 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41390
HIGH
OpenClaw < 2026.3.28 - Exec Allowlist Bypass via Unregistered /usr/bin/script Wrapper
Apr 28, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-41388
MEDIUM
OpenClaw < 2026.3.31 - Configuration Rehydration via Empty-Array Revocation Handling
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41387
HIGH
OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitization
Apr 28, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41386
CRITICAL
OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes
Apr 28, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-41385
MEDIUM
OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41384
HIGH
OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend
Apr 28, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41383
HIGH
OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths
Apr 28, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-41382
MEDIUM
OpenClaw < 2026.3.31 - Discord Voice Ingress Authorization Bypass via Channel and Role Validation Gaps
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41381
MEDIUM
OpenClaw < 2026.3.31 - Access Control Bypass in Discord Voice Manager via Channel Allowlist
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41380
HIGH
OpenClaw < 2026.3.28 - Arbitrary Execution Allowlist via Wrapper Carrier Executables
Apr 28, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-41379
HIGH
OpenClaw < 2026.3.28 - Privilege Escalation via chat.send to Admin-Class Talk Voice Config
Apr 28, 2026
CVSS 7.1
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters