npm
3,968 tracked vulnerabilities.
CVE-2026-28457
MEDIUM
OpenClaw <2026.2.14 - Path Traversal
Mar 05, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-28456
HIGH
OpenClaw 2026.1.5-2026.2.14 - Code Injection
Mar 05, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-28454
HIGH
OpenClaw < 2026.2.2 - Unauthenticated Privileged Command Execution via Telegram Webhook Spoofing
Mar 05, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-28453
HIGH
OpenClaw <2026.2.14 - Path Traversal
Mar 05, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-28452
MEDIUM
OpenClaw < 2026.2.14 - Denial of Service via Unguarded Archive Extraction
Mar 05, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-28451
HIGH
OpenClaw < 2026.2.14 - Server-Side Request Forgery via Feishu Extension Media Fetching
Mar 05, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-28450
MEDIUM
OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints
Mar 05, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-28448
HIGH
OpenClaw 2026.1.29-2026.2.1 - Auth Bypass
Mar 05, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-28447
HIGH
OpenClaw 2026.1.29-beta.1-2026.2.1 - Path Traversal
Mar 05, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-28446
CRITICAL
OpenClaw < 2026.2.2 - Authentication Bypass via Empty Caller ID or Suffix Matching
Mar 05, 2026
CVSS 9.4
EPSS 0.01
CVE-2026-28395
MEDIUM
OpenClaw 2026.1.14-1 - Info Disclosure
Mar 05, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-28393
HIGH
OpenClaw <2026.2.14 - Path Traversal
Mar 05, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-28392
HIGH
OpenClaw <2026.2.14 - Privilege Escalation
Mar 05, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-28391
CRITICAL
OpenClaw <2026.2.2 - Command Injection
Mar 05, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-28343
MEDIUM
CKEditor5 29.0.0-47.6.0 - Cross-Site Scripting via General HTML Support Feature
Mar 05, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-29053
HIGH
Ghost 0.7.2-6.19.0 - Code Injection
Mar 05, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-29086
MEDIUM
Hono < 4.12.4 - Cookie Attribute Injection via Set-Cookie Header
Mar 04, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-29085
MEDIUM
Hono < 4.12.4 - Server-Sent Events Injection via Unvalidated Event Fields
Mar 04, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-29045
HIGH
Hono < 4.12.4 - Unauthenticated Path Traversal via URL-Encoded Slash Bypass
Mar 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-3520
HIGH
Multer < 2.1.1 - Denial of Service via Malformed Request
Mar 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-27601
MEDIUM
Underscore.js < 1.13.8 - Denial of Service via Recursive Data Structure in _.flatten and _.isEqual
Mar 03, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-3484
MEDIUM
PhialsBasement nmap-mcp-server - Command Injection
Mar 03, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-0540
MEDIUM
DOMPurify 2.5.3-2.5.8/3.1.3-3.3.1 - XSS
Mar 03, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-3455
MEDIUM
mailparser < 3.9.3 - Cross-Site Scripting via textToHtml URL Sanitization Bypass
Mar 03, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-28401
MEDIUM
NocoDB < 0.301.3 - Stored Cross-Site Scripting via Rich Text Cell Rendering
Mar 02, 2026
CVSS 5.4
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12