npm
4,193 tracked vulnerabilities.
CVE-2026-41378
HIGH
OpenClaw < 2026.3.31 - Privilege Escalation to Remote Code Execution via Unrestricted node.event Agent Dispatch
Apr 28, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-41377
MEDIUM
OpenClaw < 2026.3.31 - Fail-Open Security Scan Bypass in Plugin Installation
Apr 28, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-41376
MEDIUM
OpenClaw < 2026.3.31 - Matrix Thread Context Allowlist Bypass via Sender Validation
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41375
MEDIUM
OpenClaw < 2026.3.28 - Authorization Bypass in /phone arm and /phone disarm Endpoints
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41374
MEDIUM
OpenClaw < 2026.3.31 - Resource Consumption via Discord Audio Preflight Before Member Authorization
Apr 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41373
MEDIUM
OpenClaw < 2026.3.31 - Compiler Binary Substitution via Environment Variable Override in Host Execution Policy
Apr 28, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-41636
HIGH
Apache Thrift: Node.js skip() recursion
Apr 28, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41372
MEDIUM
OpenClaw < 2026.4.2 - Loopback Protection Bypass via Trailing-Dot Localhost in CDP Discovery
Apr 28, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-41369
MEDIUM
OpenClaw < 2026.3.31 - Insufficient Environment Variable Sanitization in Host Execution
Apr 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41365
MEDIUM
OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Graph API Thread History
Apr 28, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41364
HIGH
OpenClaw < 2026.3.31 - Arbitrary File Write via Symlink Following in SSH Sandbox Tar Upload
Apr 28, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-41363
MEDIUM
OpenClaw 2026.2.6 < 2026.3.28 - Arbitrary File Read via Feishu upload_image Parameter
Apr 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-6951
CRITICAL
simple-git < 3.36.0 - Remote Code Execution via Git Config Option Injection
Apr 25, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-41244
MEDIUM
Mojic: Observable Timing Discrepancy in HMAC Verification
Apr 24, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-41907
HIGH
uuid: Missing buffer bounds check in `v3`/`v5`/`v6` when `buf` is provided
Apr 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42044
MEDIUM
Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in `parseReviver`
Apr 24, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-42043
HIGH
Axios <1.15.1, <0.31.1 - Auth Bypass
Apr 24, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-42042
MEDIUM
Axios < 1.15.1 and < 0.31.1 - Cross-Site Request Forgery via withXSRFToken Truthy Value Bypass
Apr 24, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-42041
MEDIUM
Axios: Authentication Bypass via Prototype Pollution Gadget in `validateStatus` Merge Strategy
Apr 24, 2026
CVSS 4.8
EPSS 0.01
CVE-2026-42040
LOW
Axios <1.15.1, <0.31.1 - Info Disclosure
Apr 24, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-42039
HIGH
Axios: unbounded recursion in toFormData causes DoS via deeply nested request data
Apr 24, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-42038
MEDIUM
Axios <1.15.1, <0.31.1 - Proxy Bypass
Apr 24, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-42037
MEDIUM
Axios 1.0.0-1.15.0 - Header Injection
Apr 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-42036
MEDIUM
Axios: HTTP adapter streamed responses bypass maxContentLength
Apr 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-42035
HIGH
Axios: Header Injection via Prototype Pollution
Apr 24, 2026
CVSS 7.4
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters