npm
4,193 tracked vulnerabilities.
CVE-2026-41333
LOW
OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken
Apr 23, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-41332
MEDIUM
OpenClaw < 2026.3.28 - Code Execution via Missing Environment Variable Blocklist
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41274
CRITICAL
Flowise: Cypher Injection in GraphCypherQAChain
Apr 23, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-41279
HIGH
Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41278
HIGH
Flowise: Public chatflow endpoints return unsanitized flowData including plaintext API keys, passwords, and credential IDs
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41277
HIGH
Flowise: Mass Assignment in DocumentStore Create Endpoint Leads to Cross-Workspace Object Takeover (IDOR)
Apr 23, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-41276
CRITICAL
Flowise: AccountService resetPassword Authentication Bypass Vulnerability
Apr 23, 2026
CVSS 9.8
EPSS 0.07
CVE-2026-41275
HIGH
Flowise: Password Reset Link Sent Over Unsecured HTTP
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41273
HIGH
Flowise: Unauthenticated OAuth 2.0 Access Token Disclosure via Public Chatflow
Apr 23, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-41272
HIGH
Flowise: SSRF Protection Bypass (TOCTOU & Default Insecure)
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41271
HIGH
Flowise: APIChain Prompt Injection SSRF in GET/POST API Chains
Apr 23, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-41270
HIGH
Flowise: SSRF Protection Bypass via Unprotected Built-in HTTP Modules in Custom Function Sandbox
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41269
HIGH
Flowise: File Upload Validation Bypass in createAttachment
Apr 23, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41268
CRITICAL
Flowise: Flowise Parameter Override Bypass Remote Command Execution
Apr 23, 2026
CVSS 9.8
EPSS 0.14
CVE-2026-41267
HIGH
Flowise: Improper Mass Assignment in Account Registration Enables Unauthorized Organization Association
Apr 23, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-41266
HIGH
Flowise: Sensitive Data Leak in public-chatbotConfig
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41265
CRITICAL
Flowise: Airtable_Agent Code Injection Remote Code Execution Vulnerability
Apr 23, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-41264
CRITICAL
Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability
Apr 23, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-41138
HIGH
Flowise AirtableAgent.ts - Pandas Code Injection RCE
Apr 23, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-41137
HIGH
Flowise: Code Injection in CSVAgent leads to Authenticated RCE
Apr 23, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-41908
MEDIUM
OpenClaw < 2026.4.20 - Scope Enforcement Bypass in Assistant-Media Route
Apr 23, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-41240
MEDIUM
DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)
Apr 23, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-41239
MEDIUM
DOMPurify 1.0.10-3.3.x RETURN_DOM - SAFE_FOR_TEMPLATES Bypass
Apr 23, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-41238
MEDIUM
DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback
Apr 23, 2026
CVSS 6.9
EPSS 0.00
CVE-2026-41679
CRITICAL
Paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
Apr 23, 2026
CVSS 10.0
EPSS 0.02
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters