npm
4,193 tracked vulnerabilities.
CVE-2026-32728
HIGH
Parse Server File Uploads - Stored Cross-Site Scripting Filter Bypass
Mar 18, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-32638
LOW
StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
Mar 18, 2026
CVSS 2.7
EPSS 0.00
CVE-2026-32256
HIGH
music-metadata <11.12.3 ASF Parser - Infinite Loop
Mar 18, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-31938
CRITICAL
jsPDF has HTML Injection in New Window paths
Mar 18, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-31898
HIGH
jsPDF <4.2.1 createAnnotation color - PDF Object Injection
Mar 18, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-31865
MEDIUM
Elysia Cookie Value Prototype Pollution
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-27545
MEDIUM
OpenClaw < 2026.2.26 - Approval Bypass via Parent Symlink Current Working Directory Rebind
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-27524
MEDIUM
OpenClaw < 2026.2.21 - Prototype Pollution via Debug Override Path
Mar 18, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-27523
MEDIUM
OpenClaw < 2026.2.24 - Sandbox Bind Validation Bypass via Symlink-Parent Missing-Leaf Paths
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-27522
MEDIUM
OpenClaw < 2026.2.24 - Arbitrary File Read via sendAttachment and setGroupIcon Message Actions
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22217
MEDIUM
OpenClaw 2026.2.22 < 2026.2.23 - Arbitrary Binary Execution via $SHELL Environment Variable Trusted Prefix Fallback
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-22181
HIGH
OpenClaw < 2026.3.2 - DNS Pinning Bypass via Environment Proxy Configuration in web_fetch
Mar 18, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-22180
MEDIUM
OpenClaw < 2026.3.2 - Path Confinement Bypass in Browser Output and File Write Operations
Mar 18, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-22179
HIGH
OpenClaw < 2026.2.22 - Allowlist Bypass via Command Substitution in system.run
Mar 18, 2026
CVSS 7.2
EPSS 0.01
CVE-2026-22178
MEDIUM
OpenClaw < 2026.2.19 - ReDoS and Regex Injection via Unescaped Feishu Mention Metadata
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22177
MEDIUM
OpenClaw < 2026.2.21 - Environment Variable Injection via Config env.vars
Mar 18, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-22175
HIGH
OpenClaw < 2026.2.23 - Exec Approval Bypass via Unrecognized Multiplexer Shell Wrappers
Mar 18, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-22174
MEDIUM
OpenClaw < 2026.2.22 - Gateway Token Disclosure via Chrome CDP Probe
Mar 18, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-22171
HIGH
OpenClaw < 2026.2.19 - Path Traversal in Feishu Media Temporary File Naming
Mar 18, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-22170
MEDIUM
OpenClaw < 2026.2.22 BlueBubbles - Access Control Bypass via Empty allowFrom Configuration
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-22169
MEDIUM
OpenClaw < 2026.2.22 - Allowlist Bypass via sort Configuration in safeBins
Mar 18, 2026
CVSS 6.7
EPSS 0.00
CVE-2026-22168
MEDIUM
OpenClaw < 2026.2.21 - Command Injection via cmd.exe /c Trailing Arguments in system.run
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-29057
MEDIUM
Next.js: HTTP request smuggling in rewrites
Mar 18, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-27980
HIGH
Next.js: Unbounded next/image disk cache growth can exhaust storage
Mar 18, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-27979
HIGH
Next.js 16.0.1-16.1.6 - Postponed Resume Buffering Denial of Service
Mar 18, 2026
CVSS 7.5
EPSS 0.00
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters