npm

4,193 tracked vulnerabilities.

CVE-2026-39857 MEDIUM
Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions
Apr 15, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35569 HIGH
ApostropheCMS: Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS
Apr 15, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-33889 MEDIUM
ApostropheCMS: Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context
Apr 15, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-33888 MEDIUM
ApostropheCMS: publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API
Apr 15, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-33877 LOW
ApostropheCMS: User Enumeration via Timing Side Channel in Password Reset Endpoint
Apr 15, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-5758 MEDIUM
Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution
Apr 15, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-39884 HIGH
MCP Server Kubernetes has Argument Injection in its port_forward tool via space-splitting
Apr 15, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-33806 HIGH
fastify vulnerable to Body Schema Validation Bypass via Leading Space in Content-Type Header
Apr 15, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-6216 LOW
DbGate SVG Icon String FontIcon.svelte cross site scripting
Apr 13, 2026
CVSS 3.5
EPSS 0.00
CVE-2026-28291 HIGH
simple-git has Command Execution via Option-Parsing Bypass
Apr 13, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-40190 MEDIUM
LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`
Apr 10, 2026
CVSS 5.6
EPSS 0.00
CVE-2026-40175 MEDIUM
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
Apr 10, 2026
CVSS 4.8
EPSS 0.02
CVE-2026-35670 MEDIUM
OpenClaw < 2026.3.22 - Webhook Reply Rebinding via Username Resolution in Synology Chat
Apr 10, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-35669 HIGH
OpenClaw < 2026.3.25 - Privilege Escalation via Gateway Plugin HTTP Authentication Scope
Apr 10, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35668 HIGH
OpenClaw < 2026.3.24 - Sandbox Media Root Bypass via Unnormalized mediaUrl and fileUrl Parameters
Apr 10, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-35667 MEDIUM
OpenClaw < 2026.3.24 - Improper Process Termination via Unpatched killProcessTree in shell-utils.ts
Apr 10, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-35666 HIGH
OpenClaw < 2026.3.22 - Allowlist Bypass via Unregistered Time Dispatch Wrapper
Apr 10, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35665 MEDIUM
OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35664 MEDIUM
OpenClaw < 2026.3.25 - DM Pairing Bypass via Legacy Card Callbacks
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35663 HIGH
OpenClaw < 2026.3.25 - Privilege Escalation via Backend Reconnect Scope Self-Claim
Apr 10, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35662 MEDIUM
OpenClaw < 2026.3.22 - Missing controlScope Enforcement in Send Action
Apr 10, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-35661 MEDIUM
OpenClaw < 2026.3.25 - Telegram DM-Scoped Inline Button Callback Authorization Bypass
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35660 HIGH
OpenClaw < 2026.3.23 - Insufficient Access Control in Gateway Agent Session Reset
Apr 10, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-35659 MEDIUM
OpenClaw < 2026.3.22 - Unresolved Service Metadata Routing via Bonjour and DNS-SD Discovery
Apr 10, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-35658 MEDIUM
OpenClaw < 2026.3.2 - Filesystem Boundary Bypass in Image Tool
Apr 10, 2026
CVSS 6.5
EPSS 0.00