npm

4,193 tracked vulnerabilities.

CVE-2026-41333 LOW
OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken
Apr 23, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-41332 MEDIUM
OpenClaw < 2026.3.28 - Code Execution via Missing Environment Variable Blocklist
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41274 CRITICAL
Flowise: Cypher Injection in GraphCypherQAChain
Apr 23, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-41279 HIGH
Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41278 HIGH
Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41277 HIGH
Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
Apr 23, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-41276 CRITICAL
Flowise: AccountService resetPassword Authentication Bypass Vulnerability
Apr 23, 2026
CVSS 9.8
EPSS 0.07
CVE-2026-41275 HIGH
Flowise: Password Reset Link Sent Over Unsecured HTTP
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41273 HIGH
Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow
Apr 23, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-41272 HIGH
Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41271 HIGH
Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains
Apr 23, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-41270 HIGH
Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41269 HIGH
Flowise: File Upload Validation Bypass in createAttachment
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41268 CRITICAL
Flowise: Flowise Parameter Override Bypass Remote Command Execution
Apr 23, 2026
CVSS 9.8
EPSS 0.14
CVE-2026-41267 HIGH
Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
Apr 23, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-41266 HIGH
Flowise: Sensitive Data Leak in public-chatbotConfig
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41265 CRITICAL
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
Apr 23, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-41264 CRITICAL
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
Apr 23, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-41138 HIGH
Flowise AirtableAgent.ts - Pandas Code Injection RCE
Apr 23, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-41137 HIGH
Flowise: Code Injection in CSVAgent leads to Authenticated RCE
Apr 23, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-41908 MEDIUM
OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route
Apr 23, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41240 MEDIUM
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
Apr 23, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-41239 MEDIUM
DOMPurify 1.0.10-3.3.x RETURN_DOM - SAFE_FOR_TEMPLATES Bypass
Apr 23, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-41238 MEDIUM
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Apr 23, 2026
CVSS 6.9
EPSS 0.00
CVE-2026-41679 CRITICAL
Paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
Apr 23, 2026
CVSS 10.0
EPSS 0.02