npm

4,193 tracked vulnerabilities.

CVE-2026-41211 CRITICAL
`vite-plus/binding` has path traversal `downloadPackageManager()` that leads to writes outside of `VP_HOME`
Apr 23, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-41182 MEDIUM
LangSmith SDK: Streaming token events bypass output redaction
Apr 23, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41180 HIGH
PsiTransfer: Upload PATCH path traversal can create `config.<NODE_ENV>.js` and lead to code execution on restart
Apr 23, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-6874 MEDIUM
ericc-ch copilot-api Header token dns rebinding
Apr 23, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-40931 HIGH
Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing
Apr 21, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-39320 HIGH
Signal K Server <2.25.0 WebSocket Subscriptions - Regular Expression Denial of Service
Apr 21, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-41331 MEDIUM
OpenClaw < 2026.3.31 - Resource Consumption via Unauthorized Telegram Audio Preflight Transcription
Apr 21, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41330 MEDIUM
OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy
Apr 21, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-41329 CRITICAL
OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner Escalation
Apr 21, 2026
CVSS 9.9
EPSS 0.00
CVE-2026-41303 HIGH
OpenClaw < 2026.3.28 - Authorization Bypass in Discord Text Approval Commands
Apr 21, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-41302 HIGH
OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace Plugin Download
Apr 21, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-41301 MEDIUM
OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Verification Bypass
Apr 21, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-41300 MEDIUM
OpenClaw < 2026.3.31 - Attacker-Discovered Endpoint Preservation in Remote Onboarding
Apr 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-41299 HIGH
OpenClaw < 2026.3.28 - Client Identity Spoofing in chat.send Gateway Provenance Guard
Apr 21, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-41298 MEDIUM
OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint
Apr 21, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-41297 HIGH
OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect
Apr 21, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-41296 HIGH
OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile
Apr 21, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-41295 HIGH
OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in Channel Setup
Apr 21, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-41294 HIGH
OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File
Apr 21, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-40045 MEDIUM
OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway Endpoints
Apr 21, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-41389 MEDIUM
OpenClaw 2026.4.7 < 2026.4.15 - Arbitrary File Read via Unvalidated Tool-Result Media Paths
Apr 20, 2026
CVSS 5.8
EPSS 0.00
CVE-2026-41242 CRITICAL
protobufjs Type Fields - Arbitrary Code Execution
Apr 18, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-40299 MEDIUM
next-intl <4.9.1 Middleware - Open Redirect
Apr 17, 2026
EPSS 0.00
CVE-2026-39313 HIGH
MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport
Apr 16, 2026
EPSS 0.00
CVE-2026-40186 MEDIUM
ApostropheCMS: sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
Apr 15, 2026
CVSS 6.1
EPSS 0.00