npm

4,193 tracked vulnerabilities.

CVE-2026-35633 MEDIUM
OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35632 HIGH
OpenClaw < 2026.2.22 - Symlink Traversal via IDENTITY.md appendFile in agents.create/update
Apr 09, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-35629 HIGH
OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions
Apr 09, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-35628 MEDIUM
OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35627 MEDIUM
OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35626 MEDIUM
OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35624 MEDIUM
OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk
Apr 09, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-35623 MEDIUM
OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35622 MEDIUM
OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook
Apr 09, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-35618 MEDIUM
OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35617 MEDIUM
OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName
Apr 09, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-39983 HIGH
FTP Command Injection via CRLF in basic-ftp
Apr 09, 2026
CVSS 8.6
EPSS 0.02
CVE-2026-39315 MEDIUM
Unhead <2.1.13 hasDangerousProtocol() - Protocol Filter Bypass
Apr 09, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-39974 HIGH
n8n-MCP <2.47.4 instance-URL Header - Server-Side Request Forgery
Apr 09, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-39943 MEDIUM
Directus exposes sensitive fields in revision history
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-39942 HIGH
Directus <11.17.0 File Management API - Broken Access Control
Apr 09, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-35041 MEDIUM
ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification
Apr 09, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-35040 MEDIUM
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-5842 HIGH
decolua 9router Administrative API Endpoint api authorization
Apr 09, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-5833 MEDIUM
awwaiid mcp-server-taskwarrior index.ts server.setRequestHandler command injection
Apr 09, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-5832 HIGH
atototo api-lab-mcp HTTP http-server.ts test_http_endpoint server-side request forgery
Apr 09, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-5831 MEDIUM
Agions taskflow-ai terminal_execute handlers.ts os command injection
Apr 09, 2026
CVSS 6.3
EPSS 0.01
CVE-2026-40037 MEDIUM
OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects
Apr 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-39885 HIGH
FrontMCP Affected by SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications
Apr 08, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-39859 HIGH
LiquidJS <10.25.3 renderFile() and parseFile() - Arbitrary File Read
Apr 08, 2026
CVSS 7.5
EPSS 0.00