npm
3,968 tracked vulnerabilities.
CVE | Severity | Title | Date | CVSS | EPSS
CVE-2026-32045 | MEDIUM | OpenClaw < 2026.2.21 - Authentication Bypass in HTTP Gateway Routes via Tokenless Tailscale Auth | Mar 21, 2026 | 5.9 | 0.00
CVE-2026-32043 | MEDIUM | OpenClaw < 2026.2.25 - Time-of-Check-Time-of-Use via Mutable Symlink in system.run cwd Parameter | Mar 21, 2026 | 6.5 | 0.00
CVE-2026-33228 | CRITICAL | flatted: Prototype Pollution via parse() | Mar 20, 2026 | 9.8 | 0.00
CVE-2026-33226 | HIGH | Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview | Mar 20, 2026 | 8.7 | 0.00
CVE-2026-32887 | HIGH | Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC | Mar 20, 2026 | 7.4 | 0.00
CVE-2026-33151 | HIGH | socket.io allows an unbounded number of binary attachments | Mar 20, 2026 | 7.5 | 0.00
CVE-2026-33143 | HIGH | OneUptime: WhatsApp Webhook Missing Signature Verification | Mar 20, 2026 | 7.5 | 0.00
CVE-2026-33142 | HIGH | OneUptime: ClickHouse SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters | Mar 20, 2026 | 8.1 | 0.00
CVE-2026-22172 | CRITICAL | OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections | Mar 20, 2026 | 9.9 | 0.00
CVE-2026-33131 | HIGH | h3 has a middleware bypass with one gadget | Mar 20, 2026 | 7.4 | 0.00
CVE-2026-33129 | MEDIUM | h3 has an observable timing discrepancy in basic auth utils | Mar 20, 2026 | 5.9 | 0.00
CVE-2026-33128 | HIGH | h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields | Mar 20, 2026 | 7.5 | 0.00
CVE-2026-33036 | HIGH | fast-xml-parser <5.5.6 - Numeric Entity Expansion Denial of Service | Mar 20, 2026 | 7.5 | 0.00
CVE-2026-32763 | HIGH | SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`. | Mar 20, 2026 | 8.2 | 0.00
CVE-2026-32041 | MEDIUM | OpenClaw < 2026.3.1 - Unauthenticated Browser Control Access via Failed Auth Bootstrap | Mar 19, 2026 | 6.9 | 0.00
CVE-2026-32040 | MEDIUM | OpenClaw < 2026.2.23 - HTML Injection via Unvalidated Image MIME Type in Data-URL Interpolation | Mar 19, 2026 | 4.6 | 0.00
CVE-2026-32039 | MEDIUM | OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender | Mar 19, 2026 | 5.9 | 0.00
CVE-2026-32038 | CRITICAL | OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter | Mar 19, 2026 | 9.8 | 0.00
CVE-2026-32037 | MEDIUM | OpenClaw < 2026.2.22 - Redirect Chain Bypass of Media Host Allowlist in MSTeams Attachment Handling | Mar 19, 2026 | 6.0 | 0.00
CVE-2026-32036 | MEDIUM | OpenClaw < 2026.2.26 - Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels | Mar 19, 2026 | 6.5 | 0.00
CVE-2026-32035 | MEDIUM | OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler | Mar 19, 2026 | 5.9 | 0.00
CVE-2026-32034 | HIGH | OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP | Mar 19, 2026 | 8.1 | 0.00
CVE-2026-32033 | MEDIUM | OpenClaw < 2026.2.24 - Path Traversal via @-prefixed Absolute Paths in Workspace Boundary Validation | Mar 19, 2026 | 6.5 | 0.00
CVE-2026-32032 | HIGH | OpenClaw < 2026.2.22 - Arbitrary Shell Execution via Unvalidated SHELL Environment Variable | Mar 19, 2026 | 7.8 | 0.00
CVE-2026-32031 | MEDIUM | OpenClaw < 2026.2.26 - Authentication Bypass via Path Canonicalization Mismatch in /api/channels Gateway | Mar 19, 2026 | 4.8 | 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12