npm

4,193 tracked vulnerabilities.

CVE-2026-32024 MEDIUM
OpenClaw < 2026.2.22 - Symlink Traversal in Avatar Handling
Mar 19, 2026
CVSS 5.5
EPSS 0.00
CVE-2026-32023 HIGH
OpenClaw < 2026.2.24 - Approval Gating Bypass via Dispatch-Wrapper Depth-Cap Mismatch in system.run
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-32022 MEDIUM
OpenClaw < 2026.2.21 - Arbitrary File Read via grep -e Flag Policy Bypass
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32021 MEDIUM
OpenClaw < 2026.2.22 - Authorization Bypass via Display Name Collision in Feishu allowFrom
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32020 LOW
OpenClaw < 2026.2.22 - Arbitrary File Read via Symlink Following in Static File Handler
Mar 19, 2026
CVSS 3.3
EPSS 0.00
CVE-2026-32019 HIGH
OpenClaw < 2026.2.22 - Incomplete IPv4 Special-Use Range Blocking in SSRF Guard
Mar 19, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-32018 LOW
OpenClaw < 2026.2.19 - Race Condition in Sandbox Registry Write Operations
Mar 19, 2026
CVSS 3.6
EPSS 0.00
CVE-2026-32017 HIGH
OpenClaw < 2026.2.19 - Arbitrary File Write via Short-Option Bypass in exec Allowlist
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-32016 HIGH
OpenClaw < 2026.2.22 - Path Traversal via Basename-Only Allowlist Matching on macOS
Mar 19, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-32015 HIGH
OpenClaw 2026.1.21 < 2026.2.19 - PATH Hijacking Bypass in tools.exec.safeBins Allowlist Validation
Mar 19, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-32014 HIGH
OpenClaw < 2026.2.26 - Node Reconnect Metadata Spoofing via Unsigned Platform Fields
Mar 19, 2026
CVSS 8.0
EPSS 0.00
CVE-2026-32013 HIGH
OpenClaw < 2026.2.25 - Symlink Traversal in agents.files Methods
Mar 19, 2026
CVSS 8.8
EPSS 0.01
CVE-2026-32011 HIGH
OpenClaw < 2026.3.2 - Slow-Request Denial of Service via Pre-Auth Webhook Body Parsing
Mar 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32010 MEDIUM
OpenClaw < 2026.2.22 - Allowlist Bypass via sort --compress-program Parameter
Mar 19, 2026
CVSS 6.3
EPSS 0.00
CVE-2026-32009 MEDIUM
OpenClaw < 2026.2.24 - Binary Hijacking via Static Default Trusted Directories in safeBins
Mar 19, 2026
CVSS 5.7
EPSS 0.00
CVE-2026-32008 MEDIUM
OpenClaw < 2026.2.21 - Arbitrary Local File Read via Browser Navigation Guard
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32007 MEDIUM
OpenClaw < 2026.2.23 - Sandbox Bypass in apply_patch Tool via Workspace-Only Check Bypass
Mar 19, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-32006 LOW
OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Fallback in Group Allowlist
Mar 19, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-32005 MEDIUM
OpenClaw < 2026.2.25 - Authorization Bypass in Interactive Callbacks via Sender Check Skip
Mar 19, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-32004 MEDIUM
OpenClaw < 2026.3.2 - Authentication Bypass via Encoded Path in /api/channels Route
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-32003 MEDIUM
OpenClaw < 2026.2.22 - Remote Code Execution via SHELLOPTS/PS4 Environment Injection in system.run
Mar 19, 2026
CVSS 6.6
EPSS 0.01
CVE-2026-32002 MEDIUM
OpenClaw < 2026.2.23 - Sandbox Boundary Bypass via Image Tool workspaceOnly Bypass
Mar 19, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32001 MEDIUM
OpenClaw < 2026.2.22 - Node Role Device-Identity Bypass via WebSocket Authentication
Mar 19, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-32000 HIGH
OpenClaw < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Tool Execution
Mar 19, 2026
CVSS 7.1
EPSS 0.01
CVE-2026-31999 MEDIUM
OpenClaw 2026.2.26 < 2026.3.1 - Current Working Directory Injection via Windows Wrapper Resolution Fallback
Mar 19, 2026
CVSS 6.3
EPSS 0.00