npm
3,968 tracked vulnerabilities.
| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-32977 | MEDIUM | OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unanchored writeFile Commit Path | Mar 31, 2026 | 6.3 | 0.00 |
| CVE-2026-32971 | HIGH | OpenClaw < 2026.3.11 - Node-Host Approval UI Mismatch Allows Execution of Unintended Commands | Mar 31, 2026 | 7.1 | 0.00 |
| CVE-2026-32970 | LOW | OpenClaw < 2026.3.11 - Credential Fallback Logic Bypass via Unavailable Local Auth SecretRefs | Mar 31, 2026 | 2.5 | 0.00 |
| CVE-2026-32921 | MEDIUM | OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.run | Mar 31, 2026 | 6.3 | 0.00 |
| CVE-2026-32920 | HIGH | OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins | Mar 31, 2026 | 8.4 | 0.00 |
| CVE-2026-32916 | CRITICAL | OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes | Mar 31, 2026 | 9.4 | 0.00 |
| CVE-2026-34043 | MEDIUM | Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects | Mar 31, 2026 | 5.9 | 0.00 |
| CVE-2026-33574 | MEDIUM | OpenClaw < 2026.3.8 - Path Traversal via Tools Root Rebinding in Skills Download | Mar 29, 2026 | 6.2 | 0.00 |
| CVE-2026-33572 | HIGH | OpenClaw < 2026.2.17 - Insufficient File Permissions in Session Transcript Files | Mar 29, 2026 | 8.4 | 0.00 |
| CVE-2026-32980 | HIGH | OpenClaw < 2026.3.13 - Resource Exhaustion via Unauthenticated Telegram Webhook Request | Mar 29, 2026 | 7.5 | 0.00 |
| CVE-2026-32979 | HIGH | OpenClaw < 2026.3.11 - Unbound Interpreter and Runtime Commands Bypass in node-host Approval | Mar 29, 2026 | 7.3 | 0.00 |
| CVE-2026-32978 | HIGH | OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners | Mar 29, 2026 | 8.0 | 0.00 |
| CVE-2026-32974 | HIGH | OpenClaw < 2026.3.12 - Forged Event Injection via Feishu Webhook Verification Token | Mar 29, 2026 | 8.6 | 0.00 |
| CVE-2026-32918 | HIGH | OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool | Mar 29, 2026 | 8.4 | 0.00 |
| CVE-2026-33994 | CRITICAL | Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521 | Mar 27, 2026 | 9.8 | 0.00 |
| CVE-2026-33993 | CRITICAL | Locutus has Prototype Pollution via `__proto__` Key Injection in unserialize() | Mar 27, 2026 | 9.8 | 0.00 |
| CVE-2026-34226 | HIGH | Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies | Mar 27, 2026 | 7.5 | 0.00 |
| CVE-2026-33979 | HIGH | Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk) | Mar 27, 2026 | 8.2 | 0.00 |
| CVE-2026-33943 | HIGH | Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code | Mar 27, 2026 | 8.8 | 0.00 |
| CVE-2026-33941 | HIGH | Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options | Mar 27, 2026 | 8.2 | 0.00 |
| CVE-2026-33940 | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial | Mar 27, 2026 | 8.1 | 0.00 |
| CVE-2026-33939 | HIGH | Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation | Mar 27, 2026 | 7.5 | 0.00 |
| CVE-2026-33938 | HIGH | Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block | Mar 27, 2026 | 8.1 | 0.00 |
| CVE-2026-33937 | CRITICAL | Handlebars.js has JavaScript Injection via AST Type Confusion | Mar 27, 2026 | 9.8 | 0.00 |
| CVE-2026-33916 | MEDIUM | Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection | Mar 27, 2026 | 4.7 | 0.00 |
Products

| Product | Tracked vulnerabilities |
|---|---|
| openclaw | 393 |
| parse-server | 92 |
| n8n | 62 |
| directus | 53 |
| electron | 48 |
| flowise | 48 |
| next | 47 |
| vm2 | 32 |
| hono | 25 |
| nocodb | 25 |
| axios | 24 |
| undici | 22 |
| ghost | 21 |
| vite | 19 |
| astro | 17 |
| ckeditor4 | 15 |
| fuxa-server | 15 |
| jspdf | 15 |
| tar | 15 |
| joplin | 14 |
| nodebb | 14 |
| sequelize | 14 |
| tinymce | 14 |
| flowise-components | 13 |
| signalk-server | 13 |
| angular | 12 |
| dompurify | 12 |
| handlebars | 12 |
| jsrsasign | 12 |
| matrix-js-sdk | 12 |