npm

4,193 tracked vulnerabilities.

CVE-2026-33143 HIGH
OneUptime: WhatsApp Webhook Missing Signature Verification
Mar 20, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-33142 HIGH
OneUptime: ClickHouse SQL Injection via unvalidated column identifiers in sort, select, and groupBy parameters
Mar 20, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-22172 CRITICAL
OpenClaw < 2026.3.12 - Scope Elevation in WebSocket Shared-Auth Connections
Mar 20, 2026
CVSS 9.9
EPSS 0.01
CVE-2026-33131 HIGH
h3 NodeRequestUrl Host Header - Middleware Bypass
Mar 20, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-33129 MEDIUM
h3 requireBasicAuth - Timing Side Channel
Mar 20, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-33128 HIGH
h3 Event Stream Fields - Server-Sent Events Injection
Mar 20, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-33036 HIGH
fast-xml-parser <5.5.6 - Numeric Entity Expansion Denial of Service
Mar 20, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-32763 HIGH
SQL Injection via unsanitized JSON path keys when ignoring/silencing compilation errors or using `Kysely<any>`.
Mar 20, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-32041 MEDIUM
OpenClaw < 2026.3.1 - Unauthenticated Browser Control Access via Failed Auth Bootstrap
Mar 19, 2026
CVSS 6.9
EPSS 0.00
CVE-2026-32040 MEDIUM
OpenClaw < 2026.2.23 - HTML Injection via Unvalidated Image MIME Type in Data-URL Interpolation
Mar 19, 2026
CVSS 4.6
EPSS 0.00
CVE-2026-32039 MEDIUM
OpenClaw < 2026.2.22 - Sender Authorization Bypass via Identity Collision in toolsBySender
Mar 19, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-32038 CRITICAL
OpenClaw - Sandbox Network Isolation Bypass via docker.network=container Parameter
Mar 19, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-32037 MEDIUM
OpenClaw < 2026.2.22 - Redirect Chain Bypass of Media Host Allowlist in MSTeams Attachment Handling
Mar 19, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-32036 MEDIUM
OpenClaw < 2026.2.26- Authentication Bypass via Encoded Dot-Segment Traversal in /api/channels
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32035 MEDIUM
OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler
Mar 19, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-32034 HIGH
OpenClaw < 2026.2.21 - Insecure Control UI Authentication over Plaintext HTTP
Mar 19, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-32033 MEDIUM
OpenClaw < 2026.2.24 - Path Traversal via @-prefixed Absolute Paths in Workspace Boundary Validation
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32032 HIGH
OpenClaw < 2026.2.22 - Arbitrary Shell Execution via Unvalidated SHELL Environment Variable
Mar 19, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-32031 MEDIUM
OpenClaw < 2026.2.26 - Authentication Bypass via Path Canonicalization Mismatch in /api/channels Gateway
Mar 19, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-32030 HIGH
OpenClaw < 2026.2.19 - Sensitive File Disclosure via stageSandboxMedia Path Traversal
Mar 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32029 MEDIUM
OpenClaw < 2026.2.21 - Client IP Spoofing via X-Forwarded-For Header Parsing
Mar 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32028 MEDIUM
OpenClaw < 2026.2.25 - Missing Authorization Check in Discord DM Reaction Ingress
Mar 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32027 MEDIUM
OpenClaw < 2026.2.26 - Improper Authorization via DM Pairing Store Identity Inheritance in Group Allowlist
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32026 MEDIUM
OpenClaw < 2026.2.24 - Arbitrary File Read via Improper Temporary Path Validation in Sandbox
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32025 HIGH
OpenClaw < 2026.2.25 - Password Brute-Force via Browser-Origin WebSocket Authentication Bypass
Mar 19, 2026
CVSS 7.5
EPSS 0.00