npm

4,193 tracked vulnerabilities.

CVE-2026-34595 MEDIUM
Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value
Mar 31, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-34574 MEDIUM
Parse Server: Session field immutability bypass via falsy-value guard
Mar 31, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34573 HIGH
Parse Server: GraphQL complexity validator exponential fragment traversal DoS
Mar 31, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34532 CRITICAL
Parse Server: Cloud function validator bypass via prototype chain traversal
Mar 31, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-34504 HIGH
OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider
Mar 31, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-34503 HIGH
OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation
Mar 31, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-34373 HIGH
Parse Server: GraphQL API endpoint ignores CORS origin restriction
Mar 31, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-34363 MEDIUM
Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers
Mar 31, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34224 MEDIUM
Parse Server: MFA single-use token bypass via concurrent authData login requests
Mar 31, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-34210 HIGH
mppx has Stripe charge credential replay via missing idempotency check
Mar 31, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-34209 HIGH
mppx Tempo Session Close - Voucher Bypass
Mar 31, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33581 MEDIUM
OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters
Mar 31, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-33580 MEDIUM
OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33579 CRITICAL
OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval
Mar 31, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-33578 MEDIUM
OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions
Mar 31, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-33577 HIGH
OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve
Mar 31, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-33576 MEDIUM
OpenClaw < 2026.3.28 - Unauthorized Media Download via Zalo Channel
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34506 MEDIUM
OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration
Mar 31, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-34505 MEDIUM
OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32977 MEDIUM
OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unanchored writeFile Commit Path
Mar 31, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-32971 HIGH
OpenClaw < 2026.3.11 - Node-Host Approval UI Mismatch Allows Execution of Unintended Commands
Mar 31, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-32970 LOW
OpenClaw < 2026.3.11 - Credential Fallback Logic Bypass via Unavailable Local Auth SecretRefs
Mar 31, 2026
CVSS 2.5
EPSS 0.00
CVE-2026-32921 MEDIUM
OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.run
Mar 31, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-32920 HIGH
OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins
Mar 31, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-32916 CRITICAL
OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes
Mar 31, 2026
CVSS 9.4
EPSS 0.00