npm
4,193 tracked vulnerabilities.
CVE-2026-35657
MEDIUM
OpenClaw < 2026.3.25 - Authorization Bypass in HTTP Session History Route
Apr 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35656
MEDIUM
OpenClaw < 2026.3.22 - XFF Loopback Spoofing Bypass in Canvas Authentication and Rate Limiter
Apr 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35655
MEDIUM
OpenClaw < 2026.3.22 - Identity Spoofing via rawInput Tool in ACP Permission Resolution
Apr 10, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-35654
MEDIUM
OpenClaw < 2026.3.25 - Authorization Bypass in Microsoft Teams Feedback Invoke
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35653
HIGH
OpenClaw < 2026.3.24 - Incorrect Authorization in POST /reset-profile via browser.request
Apr 10, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-35652
MEDIUM
OpenClaw < 2026.3.22 - Unauthorized Action Execution via Callback Dispatch
Apr 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35651
MEDIUM
OpenClaw 2026.2.13 < 2026.3.25 - ANSI Escape Sequence Injection in Approval Prompt
Apr 10, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-35650
HIGH
OpenClaw < 2026.3.22 - Environment Variable Override Bypass via Inconsistent Sanitization
Apr 10, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-35649
MEDIUM
OpenClaw < 2026.3.22 - Settings Reconciliation Bypass via Empty Allowlist
Apr 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35648
LOW
OpenClaw < 2026.3.22 - Policy Bypass via Unvalidated Queued Node Actions
Apr 10, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-35647
MEDIUM
OpenClaw < 2026.3.25 - Direct Message Policy Bypass via Verification Notices
Apr 10, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35643
HIGH
OpenClaw < 2026.3.22 - Arbitrary Code Execution via Unvalidated WebView JavascriptInterface
Apr 10, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35641
HIGH
OpenClaw < 2026.3.24 - Arbitrary Code Execution via .npmrc in Local Plugin/Hook Installation
Apr 10, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-35621
MEDIUM
OpenClaw < 2026.3.24 - Privilege Escalation via chat.send to Allowlist Persistence
Apr 10, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35620
MEDIUM
OpenClaw < 2026.3.24 - Missing Authorization in /send and /allowlist Chat Commands
Apr 10, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-35619
MEDIUM
OpenClaw < 2026.3.24 - Authorization Bypass via HTTP /v1/models Endpoint
Apr 10, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-6011
MEDIUM
OpenClaw assertPublicHostname web-fetch.ts server-side request forgery
Apr 10, 2026
CVSS 5.6
EPSS 0.00
CVE-2026-5986
MEDIUM
Zod jsVideoUrlParser util.js getTime redos
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35646
MEDIUM
OpenClaw < 2026.3.25 - Pre-Authentication Rate-Limit Bypass in Webhook Token Validation
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35645
HIGH
OpenClaw < 2026.3.25 - Privilege Escalation via Synthetic operator.admin in deleteSession
Apr 09, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-35640
MEDIUM
OpenClaw < 2026.3.25 - Denial of Service via Unauthenticated Webhook Request Parsing
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35639
HIGH
OpenClaw < 2026.3.22 - Privilege Escalation via device.pair.approve Scope Validation
Apr 09, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-35637
HIGH
OpenClaw < 2026.3.22 - Premature Cite Expansion Before Authorization in Channel and DM
Apr 09, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-35635
MEDIUM
OpenClaw < 2026.3.22 - Webhook Path Route Replacement Vulnerability in Synology Chat
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35634
MEDIUM
OpenClaw < 2026.3.23 - Authentication Bypass via Local-Direct Requests in Canvas Gateway
Apr 09, 2026
CVSS 5.1
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters