npm

4,193 tracked vulnerabilities.

CVE-2026-32728 HIGH
Parse Server File Uploads - Stored Cross-Site Scripting Filter Bypass
Mar 18, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-32638 LOW
StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
Mar 18, 2026
CVSS 2.7
EPSS 0.00
CVE-2026-32256 HIGH
music-metadata <11.12.3 ASF Parser - Infinite Loop
Mar 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-31938 CRITICAL
jsPDF has HTML Injection in New Window paths
Mar 18, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-31898 HIGH
jsPDF <4.2.1 createAnnotation color - PDF Object Injection
Mar 18, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-31865 MEDIUM
Elysia Cookie Value Prototype Pollution
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-27545 MEDIUM
OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-27524 MEDIUM
OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path
Mar 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-27523 MEDIUM
OpenClaw < 2026.2.24 - Sandbox Bind Validation Bypass via Symlink-Parent Missing-Leaf Paths
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-27522 MEDIUM
OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22217 MEDIUM
OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-22181 HIGH
OpenClaw < 2026.3.2 - DNS Pinning Bypass via Environment Proxy Configuration in web_fetch
Mar 18, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-22180 MEDIUM
OpenClaw < 2026.3.2 - Path Confinement Bypass in Browser Output and File Write Operations
Mar 18, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-22179 HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run
Mar 18, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-22178 MEDIUM
OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22177 MEDIUM
OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-22175 HIGH
OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers
Mar 18, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-22174 MEDIUM
OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe
Mar 18, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-22171 HIGH
OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming
Mar 18, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-22170 MEDIUM
OpenClaw < 2026.2.22 BlueBubbles - Access Control Bypass via Empty allowFrom Configuration
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22169 MEDIUM
OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins
Mar 18, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-22168 MEDIUM
OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-29057 MEDIUM
Next.js: HTTP request smuggling in rewrites
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-27980 HIGH
Next.js: Unbounded next/image disk cache growth can exhaust storage
Mar 18, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-27979 HIGH
Next.js 16.0.1-16.1.6 - Postponed Resume Buffering Denial of Service
Mar 18, 2026
CVSS 7.5
EPSS 0.00