npm
3,968 tracked vulnerabilities.
CVE-2026-32004
MEDIUM
OpenClaw < 2026.3.2 - Authentication Bypass via Encoded Path in /api/channels Route
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32003
MEDIUM
OpenClaw < 2026.2.22 - Remote Code Execution via SHELLOPTS/PS4 Environment Injection in system.run
Mar 19, 2026
CVSS 6.6
EPSS 0.00
CVE-2026-32002
MEDIUM
OpenClaw < 2026.2.23 - Sandbox Boundary Bypass via Image Tool workspaceOnly Bypass
Mar 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32001
MEDIUM
OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication
Mar 19, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-32000
HIGH
OpenClaw < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Tool Execution
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-31999
MEDIUM
OpenClaw 2026.2.26 < 2026.3.1 - Current Working Directory Injection via Windows Wrapper Resolution Fallback
Mar 19, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-31998
HIGH
OpenClaw 2026.2.22 < 2026.2.24 - Authorization Bypass in Synology Chat Plugin via Empty allowedUserIds
Mar 19, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-31997
MEDIUM
OpenClaw < 2026.3.1 - Executable Rebind via Unbound PATH-token in system.run Approvals
Mar 19, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-31996
MEDIUM
OpenClaw < 2026.2.19 - safeBins stdin-only bypass via sort output and recursive grep flags
Mar 19, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-31995
MEDIUM
OpenClaw 2026.1.21 < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Extension
Mar 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-31994
HIGH
OpenClaw < 2026.2.19 - Local Command Injection via Unsafe cmd Argument Handling in Windows Scheduled Task Script Generation
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-31993
MEDIUM
OpenClaw < 2026.2.22 - Allowlist Parsing Mismatch in system.run Shell Chains
Mar 19, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-31992
HIGH
OpenClaw < 2026.2.23 - Allowlist Exec-Guard Bypass via env -S
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-31991
LOW
OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Leakage in Signal Group Allowlist
Mar 19, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-31990
MEDIUM
OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination
Mar 19, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-31989
HIGH
OpenClaw < 2026.3.1 - Server-Side Request Forgery via web_search Citation Redirect
Mar 19, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-29608
MEDIUM
OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting
Mar 19, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-29607
MEDIUM
OpenClaw < 2026.2.22 - Authorization Bypass via allow-always Wrapper Persistence
Mar 19, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-28460
HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-28449
MEDIUM
OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-27566
HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-22176
MEDIUM
OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation
Mar 19, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-32730
HIGH
ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
Mar 18, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-33163
MEDIUM
Parse Server leaks protected fields via LiveQuery afterEvent trigger
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33042
MEDIUM
Parse Server affected by empty authData bypassing credential requirement on signup
Mar 18, 2026
CVSS 5.3
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12