npm
4,193 tracked vulnerabilities.
CVE-2026-53862
MEDIUM
OpenClaw < 2026.5.12 - Bootstrap Token Replay via Pending Pairing Scope Widening
Jun 16, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-53861
MEDIUM
OpenClaw < 2026.5.6 - Allowlist Bypass via Combined POSIX Inline Flags on macOS
Jun 16, 2026
CVSS 6.6
EPSS 0.00
CVE-2026-53860
MEDIUM
OpenClaw < 2026.5.7 - Sender Policy Bypass via Mutable Conversation Identifiers in BlueBubbles
Jun 16, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-53859
MEDIUM
OpenClaw < 2026.5.26 - Hostname Validation Bypass via Trailing-Dot Inconsistency
Jun 16, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53858
HIGH
OpenClaw < 2026.5.2 - Arbitrary Runtime Dependency Loading via STATE_DIRECTORY Environment Variable
Jun 16, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-53857
HIGH
OpenClaw < 2026.5.3 - Mutable Display Name Binding in Zalo allowFrom Policy
Jun 16, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-53856
MEDIUM
OpenClaw 2026.4.23 < 2026.4.24 - Insecure File Permissions in Config Recovery via OpenClaw.json
Jun 16, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-53855
HIGH
OpenClaw < 2026.4.2 - Shell Positional Parameters Bypass in Inline-Eval Checks
Jun 16, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-53854
MEDIUM
OpenClaw < 2026.4.25 - Privilege Escalation via ownerAllowFrom Wildcard Inheritance in Internal/Webchat Commands
Jun 16, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53853
HIGH
OpenClaw < 2026.5.12 - Argument Pattern Bypass in Exec Allowlist via Linux and macOS
Jun 16, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-53852
MEDIUM
OpenClaw < 2026.4.25 - Scope Bypass via Empty-Scope Device Re-pairing
Jun 16, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-53851
MEDIUM
OpenClaw < 2026.5.12 - Slack Reaction Event Notification Bypass
Jun 16, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-53850
MEDIUM
OpenClaw < 2026.4.25 - Control Scope Enforcement Bypass in Focus Command
Jun 16, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-53849
HIGH
OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Discord Display Names in allowFrom
Jun 16, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-53848
MEDIUM
OpenClaw < 2026.5.26 - Exec Allowlist Bypass via Transparent Command Wrappers
Jun 16, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-53847
MEDIUM
OpenClaw < 2026.5.6 - Privilege Escalation via Active Memory Write Scope
Jun 16, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-53846
HIGH
OpenClaw < 2026.4.29 - Arbitrary Package Manager Execution via Workspace .env npm_execpath
Jun 16, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-53845
MEDIUM
OpenClaw < 2026.5.6 - Skill-Command Dispatch Hook Bypass via Before-Tool-Call Hook Skipping
Jun 16, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-53844
MEDIUM
OpenClaw < 2026.4.29 - Session Visibility Check Bypass in Shared Memory Search
Jun 16, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53843
HIGH
OpenClaw < 2026.5.26 - Node Token Revocation Bypass via Pairing-Scoped Device Session
Jun 16, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53842
HIGH
OpenClaw < 2026.5.2 - Arbitrary Python Runtime Execution via CLOUDSDK_PYTHON Environment Variable
Jun 16, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-53841
MEDIUM
OpenClaw < 2026.5.12 - Cross-Site Scripting via Unsafe Markdown Links in Exported Session HTML
Jun 16, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-53840
HIGH
OpenClaw < 2026.5.12 - Custom Header Leakage via MCP Streamable HTTP Cross-Origin Redirects
Jun 16, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-42089
HIGH
yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Jun 16, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-48714
CRITICAL
i18next-http-middleware < 3.9.7 - Prototype Pollution via missingKeyHandler
Jun 15, 2026
CVSS 9.1
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters