npm

4,193 tracked vulnerabilities.

CVE-2026-34043 MEDIUM
Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects
Mar 31, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-33574 MEDIUM
OpenClaw < 2026.3.8 - Path Traversal via Tools Root Rebinding in Skills Download
Mar 29, 2026
CVSS 6.2
EPSS 0.00
CVE-2026-33572 HIGH
OpenClaw < 2026.2.17 - Insufficient File Permissions in Session Transcript Files
Mar 29, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-32980 HIGH
OpenClaw < 2026.3.13 - Resource Exhaustion via Unauthenticated Telegram Webhook Request
Mar 29, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-32979 HIGH
OpenClaw < 2026.3.11 - Unbound Interpreter and Runtime Commands Bypass in node-host Approval
Mar 29, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-32978 HIGH
OpenClaw < 2026.3.11 - Approval Bypass via Unrecognized Script Runners
Mar 29, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-32974 HIGH
OpenClaw < 2026.3.12 - Forged Event Injection via Feishu Webhook Verification Token
Mar 29, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-32918 HIGH
OpenClaw < 2026.3.11 - Session Sandbox Escape via session_status Tool
Mar 29, 2026
CVSS 8.4
EPSS 0.00
CVE-2026-33994 CRITICAL
Locutus Prototype Pollution due to incomplete fix for CVE-2026-25521
Mar 27, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-33993 CRITICAL
Locutus has Prototype Pollution via __proto__ Key Injection in unserialize()
Mar 27, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-34226 HIGH
Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies
Mar 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33979 HIGH
Express XSS Sanitizer: allowedTags/allowedAttributes bypass leads to permissive sanitization (XSS risk)
Mar 27, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-33943 HIGH
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
Mar 27, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-33941 HIGH
Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options
Mar 27, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-33940 HIGH
Handlebars.js has JavaScript Injection via AST Type Confusion when passing an object as dynamic partial
Mar 27, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-33939 HIGH
Handlebars.js has Denial of Service via Malformed Decorator Syntax in Template Compilation
Mar 27, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33938 HIGH
Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block
Mar 27, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-33937 CRITICAL
Handlebars.js has JavaScript Injection via AST Type Confusion
Mar 27, 2026
CVSS 9.8
EPSS 0.02
CVE-2026-33916 MEDIUM
Handlebars.js has Prototype Pollution Leading to XSS through Partial Template Injection
Mar 27, 2026
CVSS 4.7
EPSS 0.00
CVE-2026-33896 HIGH
node-forge <1.4.0 Certificate Chain Verification - basicConstraints Bypass
Mar 27, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-33895 HIGH
Forge has signature forgery in Ed25519 due to missing S > L check
Mar 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33894 HIGH
Forge has signature forgery in RSA-PKCS due to ASN.1 extra field
Mar 27, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33891 HIGH
Forge has Denial of Service via Infinite Loop in BigInteger.modInverse() with Zero Input
Mar 27, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33750 MEDIUM
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
Mar 27, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33672 MEDIUM
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
Mar 26, 2026
CVSS 5.3
EPSS 0.00