npm
4,193 tracked vulnerabilities.
CVE-2026-34043
MEDIUM
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
Mar 31, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-33574
MEDIUM
OpenClaw < 2026.3.8 - Path Traversal via Tools Root Rebinding in Skills Download
Mar 29, 2026
CVSS 6.2
EPSS 0.00
CVE-2026-33572
HIGH
OpenClaw < 2026.2.17 - Insufficient File Permissions in Session Transcript Files
Mar 29, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-32980
HIGH
OpenClaw < 2026.3.13 - Resource Exhaustion via Unauthenticated Telegram Webhook Request
Mar 29, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-32979
HIGH
OpenClaw < 2026.3.11 - Unbound Interpreter and Runtime Commands Bypass in node-host Approval
Mar 29, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-32978
HIGH
OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners
Mar 29, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-32974
HIGH
OpenClaw < 2026.3.12 - Forged Event Injection via Feishu Webhook Verification Token
Mar 29, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-32918
HIGH
OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool
Mar 29, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-33994
CRITICAL
Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Mar 27, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-33993
CRITICAL
Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Mar 27, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-34226
HIGH
Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies
Mar 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33979
HIGH
Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
Mar 27, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-33943
HIGH
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
Mar 27, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-33941
HIGH
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
Mar 27, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-33940
HIGH
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
Mar 27, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-33939
HIGH
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
Mar 27, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33938
HIGH
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
Mar 27, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-33937
CRITICAL
Handlebars.js has JavaScript Injection via AST Type Confusion
Mar 27, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-33916
MEDIUM
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
Mar 27, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-33896
HIGH
node-forge <1.4.0 Certificate Chain Verification - basicConstraints Bypass
Mar 27, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-33895
HIGH
Forge has signature forgery in Ed25519 due to missing S > L check
Mar 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33894
HIGH
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
Mar 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33891
HIGH
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
Mar 27, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33750
MEDIUM
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
Mar 27, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33672
MEDIUM
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
Mar 26, 2026
CVSS 5.3
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters