npm
4,193 tracked vulnerabilities.
CVE-2026-34426
HIGH
OpenClaw - Approval Bypass via Environment Variable Normalization
Apr 02, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-34425
MEDIUM
OpenClaw - Shell-Bleed Protection Preflight Validation Bypass
Apr 02, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34725
HIGH
dbgate-web: Stored XSS in applicationIcon leads to potential RCE in Electron due to unsafe renderer configuration
Apr 02, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-34601
HIGH
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34526
MEDIUM
SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6
Apr 02, 2026
CVSS 5.0
EPSS 0.00
CVE-2026-34524
HIGH
SillyTavern: Path traversal in `/api/chats/export` and `/api/chats/delete` allows arbitrary file read/delete within user data root
Apr 02, 2026
CVSS 8.3
EPSS 0.01
CVE-2026-34523
MEDIUM
SillyTavern: Path traversal allows file existence oracle
Apr 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34522
HIGH
SillyTavern: Path traversal in `/api/chats/import` allows arbitrary file write outside intended chat directory
Apr 02, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-35038
MEDIUM
signalk-server: Arbitrary Prototype Read via `from` Field Bypass
Apr 02, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34083
MEDIUM
signalk-server: OAuth Authorization Code Theft via Unvalidated Host Header in OIDC Flow
Apr 02, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-33951
HIGH
signalk-server: Unauthenticated Source Priorities Manipulation
Apr 02, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33950
CRITICAL
signalk-server: Privilege Escalation by Admin Role Injection via /enableSecurity
Apr 02, 2026
CVSS 9.4
EPSS 0.00
CVE-2026-5327
MEDIUM
efforthye fast-filesystem-mcp index.ts handleGetDiskUsage command injection
Apr 02, 2026
CVSS 6.3
EPSS 0.01
CVE-2026-5323
MEDIUM
priyankark a11y-mcp index.js A11yServer server-side request forgery
Apr 02, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34749
MEDIUM
Payload <3.79.1 Authentication Flow - CSRF Protection Bypass
Apr 01, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34747
HIGH
Payload <3.79.1 Query Handling - SQL Injection
Apr 01, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-34746
HIGH
Payload has Authenticated SSRF via Upload Functionality
Apr 01, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-34751
CRITICAL
Payload has Unvalidated Input in Password Recovery Endpoints
Apr 01, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-2265
MEDIUM
Replicator 1.0.5 is vulnerable to Remote Code Execution through Insecure Deserialization
Apr 01, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34405
MEDIUM
Nuxt OG Image vulnerable to reflected XSS via query parameter injection into HTML attributes
Mar 31, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-34404
HIGH
Nuxt OG Image vulnerable to DoS via image generation
Mar 31, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-4800
HIGH
lodash vulnerable to Code Injection via `_.template` imports key names
Mar 31, 2026
CVSS 8.1
EPSS 0.02
CVE-2026-34784
HIGH
Parse Server: Streaming file download bypasses afterFind file trigger authorization
Mar 31, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34215
MEDIUM
Parse Server: Auth data exposed via verify password endpoint
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-2950
MEDIUM
lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`
Mar 31, 2026
CVSS 6.5
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters