npm
4,193 tracked vulnerabilities.
CVE-2026-33143
HIGH
OneUptime: WhatsApp Webhook Missing Signature Verification
Mar 20, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33142
HIGH
OneUptime: ClickHouse SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters
Mar 20, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-22172
CRITICAL
OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections
Mar 20, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-33131
HIGH
h3 NodeRequestUrl Host Header - Middleware Bypass
Mar 20, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-33129
MEDIUM
h3 requireBasicAuth - Timing Side Channel
Mar 20, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-33128
HIGH
h3 Event Stream Fields - Server-Sent Events Injection
Mar 20, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33036
HIGH
fast-xml-parser <5.5.6 - Numeric Entity Expansion Denial of Service
Mar 20, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-32763
HIGH
SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.
Mar 20, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-32041
MEDIUM
OpenClaw < 2026.3.1 - Unauthenticated Browser Control Access via Failed Auth Bootstrap
Mar 19, 2026
CVSS 6.9
EPSS 0.00
CVE-2026-32040
MEDIUM
OpenClaw < 2026.2.23 - HTML Injection via Unvalidated Image MIME Type in Data-URL Interpolation
Mar 19, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-32039
MEDIUM
OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender
Mar 19, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-32038
CRITICAL
OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter
Mar 19, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-32037
MEDIUM
OpenClaw < 2026.2.22 - Redirect Chain Bypass of Media Host Allowlist in MSTeams Attachment Handling
Mar 19, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-32036
MEDIUM
OpenClaw < 2026.2.26- Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32035
MEDIUM
OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler
Mar 19, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-32034
HIGH
OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP
Mar 19, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-32033
MEDIUM
OpenClaw < 2026.2.24 - Path Traversal via @-prefixed Absolute Paths in Workspace Boundary Validation
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32032
HIGH
OpenClaw < 2026.2.22 - Arbitrary Shell Execution via Unvalidated SHELL Environment Variable
Mar 19, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-32031
MEDIUM
OpenClaw < 2026.2.26 - Authentication Bypass via Path Canonicalization Mismatch in /api/channels Gateway
Mar 19, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-32030
HIGH
OpenClaw < 2026.2.19 - Sensitive File Disclosure via stageSandboxMedia Path Traversal
Mar 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32029
MEDIUM
OpenClaw < 2026.2.21 - Client IP Spoofing via X-Forwarded-For Header Parsing
Mar 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32028
MEDIUM
OpenClaw < 2026.2.25 - Missing Authorization Check in Discord DM Reaction Ingress
Mar 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32027
MEDIUM
OpenClaw < 2026.2.26 - Improper Authorization via DM Pairing Store Identity Inheritance in Group Allowlist
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32026
MEDIUM
OpenClaw < 2026.2.24 - Arbitrary File Read via Improper Temporary Path Validation in Sandbox
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32025
HIGH
OpenClaw < 2026.2.25 - Password Brute-Force via Browser-Origin WebSocket Authentication Bypass
Mar 19, 2026
CVSS 7.5
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters