npm
4,193 tracked vulnerabilities.
CVE-2026-31998
HIGH
OpenClaw 2026.2.22 < 2026.2.24 - Authorization Bypass in Synology Chat Plugin via Empty allowedUserIds
Mar 19, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-31997
MEDIUM
OpenClaw < 2026.3.1 - Executable Rebind via Unbound PATH-token in system.run Approvals
Mar 19, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-31996
MEDIUM
OpenClaw < 2026.2.19 - safeBins stdin-only bypass via sort output and recursive grep flags
Mar 19, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-31995
MEDIUM
OpenClaw 2026.1.21 < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Extension
Mar 19, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-31994
HIGH
OpenClaw < 2026.2.19 - Local Command Injection via Unsafe cmd Argument Handling in Windows Scheduled Task Script Generation
Mar 19, 2026
CVSS 7.1
EPSS 0.01
CVE-2026-31993
MEDIUM
OpenClaw < 2026.2.22 - Allowlist Parsing Mismatch in system.run Shell Chains
Mar 19, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-31992
HIGH
OpenClaw < 2026.2.23 - Allowlist Exec-Guard Bypass via env -S
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-31991
LOW
OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Leakage in Signal Group Allowlist
Mar 19, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-31990
MEDIUM
OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination
Mar 19, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-31989
HIGH
OpenClaw < 2026.3.1 - Server-Side Request Forgery via web_search Citation Redirect
Mar 19, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-29608
MEDIUM
OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting
Mar 19, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-29607
MEDIUM
OpenClaw < 2026.2.22 - Authorization Bypass via allow-always Wrapper Persistence
Mar 19, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-28460
HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-28449
MEDIUM
OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-27566
HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-22176
MEDIUM
OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation
Mar 19, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-32730
HIGH
ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
Mar 18, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-33163
MEDIUM
Parse Server leaks protected fields via LiveQuery afterEvent trigger
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33042
MEDIUM
Parse Server affected by empty authData bypassing credential requirement on signup
Mar 18, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32944
HIGH
Parse Server crash via deeply nested query condition operators
Mar 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32943
LOW
Parse Server Password Reset Tokens - Race Condition
Mar 18, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-32886
HIGH
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
Mar 18, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-32878
HIGH
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
Mar 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32770
MEDIUM
Parse Server: LiveQuery subscription with invalid regular expression crashes server
Mar 18, 2026
CVSS 5.9
EPSS 0.01
CVE-2026-32742
MEDIUM
Parse Server session creation endpoint allows overwriting server-generated session fields
Mar 18, 2026
CVSS 4.3
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters