npm

4,193 tracked vulnerabilities.

CVE-2026-31998 HIGH
OpenClaw 2026.2.22 < 2026.2.24 - Authorization Bypass in Synology Chat Plugin via Empty allowedUserIds
Mar 19, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-31997 MEDIUM
OpenClaw < 2026.3.1 - Executable Rebind via Unbound PATH-token in system.run Approvals
Mar 19, 2026
CVSS 6.0
EPSS 0.00
CVE-2026-31996 MEDIUM
OpenClaw < 2026.2.19 - safeBins stdin-only bypass via sort output and recursive grep flags
Mar 19, 2026
CVSS 4.4
EPSS 0.00
CVE-2026-31995 MEDIUM
OpenClaw 2026.1.21 < 2026.2.19 - Command Injection via Windows Shell Fallback in Lobster Extension
Mar 19, 2026
CVSS 5.3
EPSS 0.01
CVE-2026-31994 HIGH
OpenClaw < 2026.2.19 - Local Command Injection via Unsafe cmd Argument Handling in Windows Scheduled Task Script Generation
Mar 19, 2026
CVSS 7.1
EPSS 0.01
CVE-2026-31993 MEDIUM
OpenClaw < 2026.2.22 - Allowlist Parsing Mismatch in system.run Shell Chains
Mar 19, 2026
CVSS 4.8
EPSS 0.00
CVE-2026-31992 HIGH
OpenClaw < 2026.2.23 - Allowlist Exec-Guard Bypass via env -S
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-31991 LOW
OpenClaw < 2026.2.26 - Authorization Bypass via DM Pairing-Store Leakage in Signal Group Allowlist
Mar 19, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-31990 MEDIUM
OpenClaw < 2026.3.2 - Symlink Traversal in stageSandboxMedia Destination
Mar 19, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-31989 HIGH
OpenClaw < 2026.3.1 - Server-Side Request Forgery via web_search Citation Redirect
Mar 19, 2026
CVSS 7.4
EPSS 0.00
CVE-2026-29608 MEDIUM
OpenClaw 2026.3.1 < 2026.3.2 - Approval Integrity Bypass via system.run argv Rewriting
Mar 19, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-29607 MEDIUM
OpenClaw < 2026.2.22 - Authorization Bypass via allow-always Wrapper Persistence
Mar 19, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-28460 HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Shell Line-Continuation Command Substitution in system.run
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-28449 MEDIUM
OpenClaw < 2026.2.25 - Webhook Replay Attack via Missing Durable Replay Suppression
Mar 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-27566 HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Wrapper Binary Unwrapping in system.run
Mar 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-22176 MEDIUM
OpenClaw < 2026.2.19 - Command Injection via Unescaped Environment Variables in Windows Scheduled Task Script Generation
Mar 19, 2026
CVSS 6.1
EPSS 0.01
CVE-2026-32730 HIGH
ApostropheCMS MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
Mar 18, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-33163 MEDIUM
Parse Server leaks protected fields via LiveQuery afterEvent trigger
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-33042 MEDIUM
Parse Server affected by empty authData bypassing credential requirement on signup
Mar 18, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-32944 HIGH
Parse Server crash via deeply nested query condition operators
Mar 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32943 LOW
Parse Server Password Reset Tokens - Race Condition
Mar 18, 2026
CVSS 3.1
EPSS 0.00
CVE-2026-32886 HIGH
Parse Server's Cloud function dispatch crashes server via prototype chain traversal
Mar 18, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-32878 HIGH
Parse Server vulnerable to schema poisoning via prototype pollution in deep copy
Mar 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-32770 MEDIUM
Parse Server: LiveQuery subscription with invalid regular expression crashes server
Mar 18, 2026
CVSS 5.9
EPSS 0.01
CVE-2026-32742 MEDIUM
Parse Server session creation endpoint allows overwriting server-generated session fields
Mar 18, 2026
CVSS 4.3
EPSS 0.00