npm
4,193 tracked vulnerabilities.
CVE-2026-39857
MEDIUM
Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions
Apr 15, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35569
HIGH
ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS
Apr 15, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-33889
MEDIUM
ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context
Apr 15, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-33888
MEDIUM
ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API
Apr 15, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-33877
LOW
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
Apr 15, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-5758
MEDIUM
Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution
Apr 15, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-39884
HIGH
MCP Server Kubernetes has Argument Injection in its port_forward tool via space-splitting
Apr 15, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-33806
HIGH
fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header
Apr 15, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-6216
LOW
DbGate SVG Icon String FontIcon.svelte cross site scripting
Apr 13, 2026
CVSS 3.5
EPSS 0.00
CVE-2026-28291
HIGH
simple-git has Command Execution via Option-Parsing Bypass
Apr 13, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-40190
MEDIUM
LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`
Apr 10, 2026
CVSS 5.6
EPSS 0.00
CVE-2026-40175
MEDIUM
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
Apr 10, 2026
CVSS 4.8
EPSS 0.02
CVE-2026-35670
MEDIUM
OpenClaw < 2026.3.22 - Webhook Reply Rebinding via Username Resolution in Synology Chat
Apr 10, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-35669
HIGH
OpenClaw < 2026.3.25 - Privilege Escalation via Gateway Plugin HTTP Authentication Scope
Apr 10, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35668
HIGH
OpenClaw < 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters
Apr 10, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-35667
MEDIUM
OpenClaw < 2026.3.24 - Improper Process Termination via Unpatched killProcessTree in shell-utils.ts
Apr 10, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-35666
HIGH
OpenClaw < 2026.3.22 - Allowlist Bypass via Unregistered Time Dispatch Wrapper
Apr 10, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35665
MEDIUM
OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35664
MEDIUM
OpenClaw < 2026.3.25 - DM Pairing Bypass via Legacy Card Callbacks
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35663
HIGH
OpenClaw < 2026.3.25 - Privilege Escalation via Backend Reconnect Scope Self-Claim
Apr 10, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35662
MEDIUM
OpenClaw < 2026.3.22 - Missing controlScope Enforcement in Send Action
Apr 10, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-35661
MEDIUM
OpenClaw < 2026.3.25 - Telegram DM-Scoped Inline Button Callback Authorization Bypass
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35660
HIGH
OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset
Apr 10, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-35659
MEDIUM
OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery
Apr 10, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-35658
MEDIUM
OpenClaw < 2026.3.2 - Filesystem Boundary Bypass in Image Tool
Apr 10, 2026
CVSS 6.5
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters