npm
4,193 tracked vulnerabilities.
CVE-2026-42034
MEDIUM
Axios: HTTP adapter streamed uploads bypass maxBodyLength when maxRedirects: 0
Apr 24, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-42033
HIGH
Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking
Apr 24, 2026
CVSS 7.4
EPSS 0.01
CVE-2026-41680
HIGH
Marked: OOM Denial of Service via Infinite Recursion in marked Tokenizer
Apr 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41067
MEDIUM
Astro: XSS via incomplete `</script>` sanitization in `define:vars` allows case-insensitive and whitespace-based bypass
Apr 24, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-40897
HIGH
mathjs 13.1.1-15.1.9 - Remote Code Execution via Expression Parser
Apr 24, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-41324
HIGH
basic-ftp vulnerable to denial of service via unbounded memory consumption in Client.list()
Apr 24, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41305
MEDIUM
PostCSS has XSS via Unescaped </style> in its CSS Stringify Output
Apr 24, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-41359
HIGH
OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Config and Cron Persistence
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41358
MEDIUM
OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context
Apr 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41356
MEDIUM
OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate
Apr 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41355
HIGH
OpenShell < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion
Apr 23, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-41354
LOW
OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys
Apr 23, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-41352
HIGH
OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass
Apr 23, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-41351
MEDIUM
OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41348
MEDIUM
OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands
Apr 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41347
HIGH
OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation in HTTP Operator Endpoints
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41346
MEDIUM
OpenClaw 2026.2.26 < 2026.3.31 - Denial of Service via Improper Pending Pairing Request Cap Enforcement
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41344
MEDIUM
OpenClaw < 2026.3.28 - Privilege Escalation via chat.send /verbose Parameter
Apr 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41343
MEDIUM
OpenClaw < 2026.3.31 - Denial of Service via LINE Webhook Handler Pre-Auth Concurrency
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41342
HIGH
OpenClaw < 2026.3.28 - Unauthenticated Discovery Endpoint Credential Exfiltration via Remote Onboarding
Apr 23, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-41341
MEDIUM
OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension
Apr 23, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41339
MEDIUM
OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot
Apr 23, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41337
MEDIUM
OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41336
HIGH
OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Environment Variable Override
Apr 23, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41335
MEDIUM
OpenClaw < 2026.3.31 - Information Disclosure via Control UI Bootstrap JSON
Apr 23, 2026
CVSS 5.3
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters