npm
3,968 tracked vulnerabilities.
CVE-2026-26322
HIGH
OpenClaw < 2026.2.14 - Server-Side Request Forgery via Gateway Tool URL Override
Feb 19, 2026
CVSS 7.6
EPSS 0.00
CVE-2026-26321
HIGH
OpenClaw <2026.2.14 - Path Traversal
Feb 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-26320
MEDIUM
OpenClaw macOS 2026.2.6-2026.2.13 - Command Injection
Feb 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-26319
HIGH
OpenClaw < 2026.2.14 - Unauthenticated Webhook Spoofing via Missing Telnyx Signature Verification
Feb 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-26317
HIGH
OpenClaw < 2026.2.14 - Cross-Site Request Forgery via Unvalidated Origin/Referer
Feb 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-26316
HIGH
OpenClaw < 2026.2.13 - Incorrect Authorization via BlueBubbles Webhook Loopback Bypass
Feb 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-26278
HIGH
fast-xml-parser 4.1.3-5.3.5 - XML External Entity Injection via Unrestricted Entity Expansion
Feb 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25940
HIGH
jspdf < 4.2.0 - Arbitrary PDF Object Injection via Acroform Module
Feb 19, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-25755
HIGH
jsPDF < 4.2.0 - Code Injection via addJS Method
Feb 19, 2026
CVSS 8.1
EPSS 0.00
CVE-2026-25535
HIGH
jsPDF < 4.2.0 - Denial of Service via GIF Image Header Parsing
Feb 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-25474
HIGH
OpenClaw < 2026.2.1 - Insufficient Verification of Telegram Webhook Secret Token
Feb 19, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-24764
LOW
OpenClaw <=2026.2.2 - Command Injection
Feb 19, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-26226
MEDIUM
beautiful-mermaid < 0.1.3 - Cross-Site Scripting via SVG Attribute Injection
Feb 13, 2026
EPSS 0.00
CVE-2026-1721
MEDIUM
npm agents < 0.3.10 - Reflected Cross-Site Scripting via OAuth Callback Error Description
Feb 13, 2026
EPSS 0.00
CVE-2026-26185
MEDIUM
Directus < 11.14.1 - Timing-Based User Enumeration via Password Reset
Feb 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-2327
MEDIUM
markdown-it 13.0.0-14.1.0 - Regular Expression Denial of Service via Linkify Function
Feb 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-2391
LOW
qs 6.7.0-6.14.2 - Comma Array Limit Denial of Service
Feb 12, 2026
CVSS 3.7
EPSS 0.00
CVE-2026-0969
HIGH
next-mdx-remote 4.3.0-5.9.9 - Remote Code Execution via MDX Content Deserialization
Feb 12, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-26021
CRITICAL
set-in 2.0.1-2.0.4 - Prototype Pollution via Array.prototype
Feb 11, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-25951
HIGH
FUXA < 1.2.11 - Authenticated Path Traversal and Remote Code Execution via Nested Traversal Sequences
Feb 09, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-25939
CRITICAL
FUXA 1.2.8-1.2.10 - Unauthenticated Authorization Bypass via Scheduler Modification
Feb 09, 2026
CVSS 9.1
EPSS 0.00
CVE-2026-25938
CRITICAL
FUXA 1.2.8-1.2.10 - Unauthenticated Remote Code Execution via Node-RED Plugin
Feb 09, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-25895
CRITICAL
FUXA < 1.2.10 - Unauthenticated Path Traversal and Arbitrary File Write
Feb 09, 2026
CVSS 9.8
EPSS 0.01
CVE-2026-25894
CRITICAL
FUXA <1.2.9 - Remote Code Execution
Feb 09, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-25893
CRITICAL
FUXA < 1.2.10 - Unauthenticated Authentication Bypass via Heartbeat Refresh API
Feb 09, 2026
CVSS 9.8
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12