npm
3,968 tracked vulnerabilities.
CVE-2026-32944
HIGH
Parse Server crash via deeply nested query condition operators
Mar 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32943
LOW
Parse Server has a password reset token single-use bypass via concurrent requests
Mar 18, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-32886
HIGH
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
Mar 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32878
HIGH
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
Mar 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32770
MEDIUM
Parse Server: LiveQuery subscription with invalid regular expression crashes server
Mar 18, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-32742
MEDIUM
Parse Server session creation endpoint allows overwriting server-generated session fields
Mar 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-32728
HIGH
Parse Server File Uploads - Stored Cross-Site Scripting Filter Bypass
Mar 18, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-32638
LOW
StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
Mar 18, 2026
CVSS 2.7
EPSS 0.00
CVE-2026-32256
HIGH
music-metadata <11.12.3 ASF Parser - Infinite Loop
Mar 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-31938
CRITICAL
jsPDF has HTML Injection in New Window paths
Mar 18, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-31898
HIGH
jsPDF <4.2.1 createAnnotation color - PDF Object Injection
Mar 18, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-31865
MEDIUM
Elysia Cookie Value Prototype Pollution
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-27545
MEDIUM
OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-27524
MEDIUM
OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path
Mar 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-27523
MEDIUM
OpenClaw < 2026.2.24 - Sandbox Bind Validation Bypass via Symlink-Parent Missing-Leaf Paths
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-27522
MEDIUM
OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22217
MEDIUM
OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-22181
HIGH
OpenClaw < 2026.3.2 - DNS Pinning Bypass via Environment Proxy Configuration in web_fetch
Mar 18, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-22180
MEDIUM
OpenClaw < 2026.3.2 - Path Confinement Bypass in Browser Output and File Write Operations
Mar 18, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-22179
HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run
Mar 18, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-22178
MEDIUM
OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22177
MEDIUM
OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-22175
HIGH
OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers
Mar 18, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-22174
MEDIUM
OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe
Mar 18, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-22171
HIGH
OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming
Mar 18, 2026
CVSS 8.2
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12