npm
4,193 tracked vulnerabilities.
CVE-2026-41211
CRITICAL
`vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`
Apr 23, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-41182
MEDIUM
LangSmith SDK: Streaming token events bypass output redaction
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41180
HIGH
PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-6874
MEDIUM
ericc-ch copilot-api Header token dns rebinding
Apr 23, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-40931
HIGH
Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing
Apr 21, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-39320
HIGH
Signal K Server <2.25.0 WebSocket Subscriptions - Regular Expression Denial of Service
Apr 21, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41331
MEDIUM
OpenClaw < 2026.3.31 - Resource Consumption via Unauthorized Telegram Audio Preflight Transcription
Apr 21, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41330
MEDIUM
OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy
Apr 21, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-41329
CRITICAL
OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation
Apr 21, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-41303
HIGH
OpenClaw < 2026.3.28 - Authorization Bypass in Discord Text Approval Commands
Apr 21, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-41302
HIGH
OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace Plugin Download
Apr 21, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-41301
MEDIUM
OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass
Apr 21, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41300
MEDIUM
OpenClaw < 2026.3.31 - Attacker-Discovered Endpoint Preservation in Remote Onboarding
Apr 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41299
HIGH
OpenClaw < 2026.3.28 - Client Identity Spoofing in chat.send Gateway Provenance Guard
Apr 21, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41298
MEDIUM
OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint
Apr 21, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41297
HIGH
OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect
Apr 21, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-41296
HIGH
OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile
Apr 21, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-41295
HIGH
OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in Channel Setup
Apr 21, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41294
HIGH
OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File
Apr 21, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-40045
MEDIUM
OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway Endpoints
Apr 21, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-41389
MEDIUM
OpenClaw 2026.4.7 < 2026.4.15 - Arbitrary File Read via Unvalidated Tool-Result Media Paths
Apr 20, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-41242
CRITICAL
protobufjs Type Fields - Arbitrary Code Execution
Apr 18, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-40299
MEDIUM
next-intl <4.9.1 Middleware - Open Redirect
Apr 17, 2026
EPSS 0.00
CVE-2026-39313
HIGH
MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport
Apr 16, 2026
EPSS 0.00
CVE-2026-40186
MEDIUM
ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
Apr 15, 2026
CVSS 6.1
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters