npm
4,193 tracked vulnerabilities.
CVE-2026-32899
MEDIUM
OpenClaw < 2026.2.25 - Sender Policy Bypass in Slack Reaction and Pin Event Handlers
Mar 21, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-32898
MEDIUM
OpenClaw < 2026.2.23 - ACP Permission Auto-Approval Bypass via Untrusted Tool Metadata
Mar 21, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-32897
LOW
OpenClaw < 2026.2.22 - Authentication Token Reuse in Owner ID Prompt Hashing Fallback
Mar 21, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-32896
MEDIUM
OpenClaw < 2026.2.21 - Unauthenticated Webhook Access via Passwordless Fallback in BlueBubbles Plugin
Mar 21, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-32895
MEDIUM
OpenClaw < 2026.2.26 - Sender Authorization Bypass in Slack System Event Handlers
Mar 21, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-32067
LOW
OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store
Mar 21, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-32065
MEDIUM
OpenClaw < 2026.2.25 - Approval Identity Mismatch in system.run Command Execution
Mar 21, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-32064
HIGH
OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer
Mar 21, 2026
CVSS 7.7
EPSS 0.01
CVE-2026-32058
LOW
OpenClaw < 2026.2.26 - Approval Context-Binding Weakness in system.run via host=node
Mar 21, 2026
CVSS 2.6
EPSS 0.00
CVE-2026-32057
HIGH
OpenClaw < 2026.2.25 - Authentication Bypass via Control UI client.id Parameter
Mar 21, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-32056
HIGH
OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injection in system.run
Mar 21, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-32055
HIGH
OpenClaw < 2026.2.26 - Workspace Path Boundary Bypass via Non-existent Symlink
Mar 21, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-32054
MEDIUM
OpenClaw < 2026.2.25 - Symlink Traversal in Browser Trace/Download Path Handling
Mar 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32053
MEDIUM
OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization
Mar 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32052
MEDIUM
OpenClaw < 2026.2.24 - Hidden Command Execution via Shell-Wrapper Positional argv Carriers
Mar 21, 2026
CVSS 6.4
EPSS 0.01
CVE-2026-32050
LOW
OpenClaw < 2026.2.25 - Unauthorized Reaction Status Event Enqueue via Access Check Bypass
Mar 21, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-32049
HIGH
OpenClaw < 2026.2.22 - Denial of Service via Inbound Media Download Byte Limit Bypass
Mar 21, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-32048
HIGH
OpenClaw < 2026.3.1 - Sandbox Escape via Cross-Agent sessions_spawn
Mar 21, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32046
MEDIUM
OpenClaw < 2026.2.21 - OS-level Sandbox Bypass via --no-sandbox Flag
Mar 21, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32045
MEDIUM
OpenClaw < 2026.2.21 - Authentication Bypass in HTTP Gateway Routes via Tokenless Tailscale Auth
Mar 21, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-32043
MEDIUM
OpenClaw < 2026.2.25 - Time-of-Check-Time-of-Use via Mutable Symlink in system.run cwd Parameter
Mar 21, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33228
CRITICAL
flatted: Prototype Pollution via parse()
Mar 20, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-33226
HIGH
Budibase Unrestricted Server-Side Request Forgery (SSRF) via REST Datasource Query Preview
Mar 20, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-32887
HIGH
Effect Bug: `AsyncLocalStorage` context lost/contaminated inside Effect fibers under concurrent load with RPC
Mar 20, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-33151
HIGH
socket.io allows an unbounded number of binary attachments
Mar 20, 2026
CVSS 7.5
EPSS 0.01
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters