npm
4,193 tracked vulnerabilities.
CVE-2026-34595
MEDIUM
Parse Server: LiveQuery protected-field guard bypass via array-like logical operator value
Mar 31, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-34574
MEDIUM
Parse Server: Session field immutability bypass via falsy-value guard
Mar 31, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-34573
HIGH
Parse Server: GraphQL complexity validator exponential fragment traversal DoS
Mar 31, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-34532
CRITICAL
Parse Server: Cloud function validator bypass via prototype chain traversal
Mar 31, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-34504
HIGH
OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider
Mar 31, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-34503
HIGH
OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocation
Mar 31, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-34373
HIGH
Parse Server: GraphQL API endpoint ignores CORS origin restriction
Mar 31, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-34363
MEDIUM
Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers
Mar 31, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-34224
MEDIUM
Parse Server: MFA single-use token bypass via concurrent authData login requests
Mar 31, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-34210
HIGH
mppx has Stripe charge credential replay via missing idempotency check
Mar 31, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-34209
HIGH
mppx Tempo Session Close - Voucher Bypass
Mar 31, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33581
MEDIUM
OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters
Mar 31, 2026
CVSS 6.5
EPSS 0.01
CVE-2026-33580
MEDIUM
OpenClaw < 2026.3.28 - Brute Force Attack via Missing Rate Limiting on Webhook Shared Secret Authentication
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33579
CRITICAL
OpenClaw < 2026.3.28 - Privilege Escalation via Missing Caller Scope Validation in Device Pair Approval
Mar 31, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-33578
MEDIUM
OpenClaw < 2026.3.28 - Sender Policy Allowlist Bypass via Policy Downgrade in Google Chat and Zalouser Extensions
Mar 31, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-33577
HIGH
OpenClaw < 2026.3.28 - Insufficient Scope Validation in node.pair.approve
Mar 31, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-33576
MEDIUM
OpenClaw < 2026.3.28 - Unauthorized Media Download via Zalo Channel
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-34506
MEDIUM
OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowlist Configuration
Mar 31, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-34505
MEDIUM
OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation
Mar 31, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32977
MEDIUM
OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unanchored writeFile Commit Path
Mar 31, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-32971
HIGH
OpenClaw < 2026.3.11 - Node-Host Approval UI Mismatch Allows Execution of Unintended Commands
Mar 31, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-32970
LOW
OpenClaw < 2026.3.11 - Credential Fallback Logic Bypass via Unavailable Local Auth SecretRefs
Mar 31, 2026
CVSS 2.5
EPSS 0.00
CVE-2026-32921
MEDIUM
OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.run
Mar 31, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-32920
HIGH
OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins
Mar 31, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-32916
CRITICAL
OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthetic Admin Scopes
Mar 31, 2026
CVSS 9.4
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters