npm
3,968 tracked vulnerabilities.
CVE ID | Severity | CVSS | EPSS | Published | Title
CVE-2026-34405 | MEDIUM | 6.1 | 0.00 | Mar 31, 2026 | Nuxt OG Image vulnerable to reflected XSS via query parameter injection into HTML attributes
CVE-2026-34404 | HIGH | 7.5 | 0.00 | Mar 31, 2026 | Nuxt OG Image vulnerable to DoS via image generation
CVE-2026-4800 | HIGH | 8.1 | 0.00 | Mar 31, 2026 | lodash vulnerable to Code Injection via `_.template` imports key names
CVE-2026-34784 | HIGH | 7.5 | 0.00 | Mar 31, 2026 | Parse Server: Streaming file download bypasses afterFind file trigger authorization
CVE-2026-34215 | MEDIUM | 6.5 | 0.00 | Mar 31, 2026 | Parse Server: Auth data exposed via verify password endpoint
CVE-2026-2950 | MEDIUM | 6.5 | 0.00 | Mar 31, 2026 | lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
CVE-2026-34595 | MEDIUM | 4.3 | 0.00 | Mar 31, 2026 | Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value
CVE-2026-34574 | MEDIUM | 5.4 | 0.00 | Mar 31, 2026 | Parse Server: Session field immutability bypass via falsy-value guard
CVE-2026-34573 | HIGH | 7.5 | 0.00 | Mar 31, 2026 | Parse Server: GraphQL complexity validator exponential fragment traversal DoS
CVE-2026-34532 | CRITICAL | 9.1 | 0.00 | Mar 31, 2026 | Parse Server: Cloud function validator bypass via prototype chain traversal
CVE-2026-34504 | HIGH | 8.3 | 0.00 | Mar 31, 2026 | OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider
CVE-2026-34503 | HIGH | 8.1 | 0.00 | Mar 31, 2026 | OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation
CVE-2026-34373 | HIGH | 8.8 | 0.00 | Mar 31, 2026 | Parse Server: GraphQL API endpoint ignores CORS origin restriction
CVE-2026-34363 | MEDIUM | 5.3 | 0.00 | Mar 31, 2026 | Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers
CVE-2026-34224 | MEDIUM | 4.4 | 0.00 | Mar 31, 2026 | Parse Server: MFA single-use token bypass via concurrent authData login requests
CVE-2026-34210 | HIGH | 8.1 | 0.00 | Mar 31, 2026 | mppx has Stripe charge credential replay via missing idempotency check
CVE-2026-34209 | HIGH | 7.5 | 0.00 | Mar 31, 2026 | mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality
CVE-2026-33581 | MEDIUM | 6.5 | 0.00 | Mar 31, 2026 | OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters
CVE-2026-33580 | MEDIUM | 6.5 | 0.00 | Mar 31, 2026 | OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication
CVE-2026-33579 | CRITICAL | 9.9 | 0.00 | Mar 31, 2026 | OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval
CVE-2026-33578 | MEDIUM | 4.3 | 0.00 | Mar 31, 2026 | OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions
CVE-2026-33577 | HIGH | 8.1 | 0.00 | Mar 31, 2026 | OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve
CVE-2026-33576 | MEDIUM | 6.5 | 0.00 | Mar 31, 2026 | OpenClaw < 2026.3.28 - Unauthorized Media Download via Zalo Channel
CVE-2026-34506 | MEDIUM | 4.3 | 0.00 | Mar 31, 2026 | OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration
CVE-2026-34505 | MEDIUM | 6.5 | 0.00 | Mar 31, 2026 | OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation
Products (number of tracked vulnerabilities per package)
openclaw: 393
parse-server: 92
n8n: 62
directus: 53
electron: 48
flowise: 48
next: 47
vm2: 32
hono: 25
nocodb: 25
axios: 24
undici: 22
ghost: 21
vite: 19
astro: 17
ckeditor4: 15
fuxa-server: 15
jspdf: 15
tar: 15
joplin: 14
nodebb: 14
sequelize: 14
tinymce: 14
flowise-components: 13
signalk-server: 13
angular: 12
dompurify: 12
handlebars: 12
jsrsasign: 12
matrix-js-sdk: 12