npm
4,193 tracked vulnerabilities.
CVE-2026-35633
MEDIUM
OpenClaw < 2026.3.22 - Unbounded Memory Allocation via Remote Media Error Responses
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35632
HIGH
OpenClaw < 2026.2.22 - Symlink Traversal via IDENTITY.md appendFile in agents.create/update
Apr 09, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-35629
HIGH
OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions
Apr 09, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-35628
MEDIUM
OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Telegram Webhook Rate Limiting
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35627
MEDIUM
OpenClaw < 2026.3.22 - Unauthenticated Cryptographic Work in Nostr Inbound DM Handling
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35626
MEDIUM
OpenClaw < 2026.3.22 - Unauthenticated Resource Exhaustion via Voice Call Webhook
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-35624
MEDIUM
OpenClaw < 2026.3.22 - Policy Confusion via Room Name Collision in Nextcloud Talk
Apr 09, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-35623
MEDIUM
OpenClaw < 2026.3.25 - Brute-Force Attack via Missing Webhook Password Rate Limiting
Apr 09, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-35622
MEDIUM
OpenClaw < 2026.3.22 - Improper Authentication Verification in Google Chat Webhook
Apr 09, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-35618
MEDIUM
OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-35617
MEDIUM
OpenClaw < 2026.3.25 - Authorization Bypass via Group Policy Rebinding with Mutable Space displayName
Apr 09, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-39983
HIGH
FTP Command Injection via CRLF in basic-ftp
Apr 09, 2026
CVSS 8.6
EPSS 0.02
CVE-2026-39315
MEDIUM
Unhead <2.1.13 hasDangerousProtocol() - Protocol Filter Bypass
Apr 09, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-39974
HIGH
n8n-MCP <2.47.4 instance-URL Header - Server-Side Request Forgery
Apr 09, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-39943
MEDIUM
Directus exposes sensitive fields in revision history
Apr 09, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-39942
HIGH
Directus <11.17.0 File Management API - Broken Access Control
Apr 09, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-35041
MEDIUM
ReDoS in fast-jwt when using RegExp in allowed* leading to CPU exhaustion during token verification
Apr 09, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-35040
MEDIUM
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
Apr 09, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-5842
HIGH
decolua 9router Administrative API Endpoint api authorization
Apr 09, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-5833
MEDIUM
awwaiid mcp-server-taskwarrior index.ts server.setRequestHandler command injection
Apr 09, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-5832
HIGH
atototo api-lab-mcp HTTP http-server.ts test_http_endpoint server-side request forgery
Apr 09, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-5831
MEDIUM
Agions taskflow-ai terminal_execute handlers.ts os command injection
Apr 09, 2026
CVSS 6.3
EPSS 0.01
CVE-2026-40037
MEDIUM
OpenClaw < 2026.3.31 - Unsafe Request Body Replay via fetchWithSsrFGuard Cross-Origin Redirects
Apr 08, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-39885
HIGH
FrontMCP Affected by SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications
Apr 08, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-39859
HIGH
LiquidJS <10.25.3 renderFile() and parseFile() - Arbitrary File Read
Apr 08, 2026
CVSS 7.5
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters