npm
3,968 tracked vulnerabilities.
| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-45002 | MEDIUM | OpenClaw < 2026.4.20 - Hook Session-Key Bypass via Template Mapping | May 11, 2026 | 5.3 | 0.00 |
| CVE-2026-44999 | MEDIUM | OpenClaw < 2026.4.20 - Improper Trust Labeling in Isolated Cron Awareness Events | May 11, 2026 | 5.3 | 0.00 |
| CVE-2026-44997 | MEDIUM | OpenClaw < 2026.4.22 - Security Envelope Constraint Bypass in ACP Child Sessions | May 11, 2026 | 4.3 | 0.00 |
| CVE-2026-44995 | HIGH | OpenClaw < 2026.4.20 - Arbitrary Code Execution via MCP stdio Environment Variables | May 11, 2026 | 7.3 | 0.00 |
| CVE-2026-44992 | MEDIUM | OpenClaw 2026.4.5 < 2026.4.20 - MiniMax API Host Override via Workspace dotenv | May 11, 2026 | 5.0 | 0.00 |
| CVE-2026-44991 | MEDIUM | OpenClaw < 2026.4.21 - Authorization Bypass in Owner-Enforced Commands via Wildcard Channel Senders | May 11, 2026 | 4.2 | 0.00 |
| CVE-2026-43995 | CRITICAL | Flowise: SSRF Protection Bypass via Direct node-fetch / axios Usage (Patch Enforcement Failure) | May 11, 2026 | 9.8 | 0.00 |
| CVE-2026-42856 | HIGH | Network-AI: Missing authentication on MCP HTTP endpoint allows unauthenticated privileged tool calls | May 11, 2026 | n/a | 0.00 |
| CVE-2026-30635 | HIGH | automagik-genie 2.5.27 - Command Injection | May 11, 2026 | 8.1 | 0.00 |
| CVE-2026-44643 | CRITICAL | Angular Expressions - Remote Code Execution using filters | May 11, 2026 | 10.0 | 0.00 |
| CVE-2026-41893 | HIGH | Signal K Server's WebSocket Login Endpoint Lacks Rate Limiting (Credential Brute-Force) | May 09, 2026 | 7.5 | 0.00 |
| CVE-2026-41311 | HIGH | LiquidJS is vulnerable to Denial of Service via circular block reference in layout | May 09, 2026 | 7.5 | 0.00 |
| CVE-2026-44694 | CRITICAL | n8n-MCP: Authenticated SSRF in n8n-mcp webhook and API client paths | May 08, 2026 | 9.1 | 0.00 |
| CVE-2026-42282 | MEDIUM | n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode | May 08, 2026 | 4.3 | 0.00 |
| CVE-2026-42190 | MEDIUM | RedwoodSDK: Same-site CSRF in server actions | May 08, 2026 | 5.3 | 0.00 |
| CVE-2026-41495 | MEDIUM | n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests | May 08, 2026 | 5.3 | 0.00 |
| CVE-2026-42353 | HIGH | Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters | May 08, 2026 | 8.2 | 0.00 |
| CVE-2026-41886 | HIGH | locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor | May 08, 2026 | 7.5 | 0.00 |
| CVE-2026-41885 | MEDIUM | Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend | May 08, 2026 | 6.5 | 0.00 |
| CVE-2026-41693 | HIGH | i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite | May 08, 2026 | 8.2 | 0.00 |
| CVE-2026-41690 | HIGH | Prototype pollution and path traversal in i18next-http-middleware via user-controlled language and namespace parameters | May 08, 2026 | 8.6 | 0.00 |
| CVE-2026-41683 | HIGH | HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header | May 08, 2026 | 8.6 | 0.00 |
| CVE-2026-41591 | MEDIUM | Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping | May 08, 2026 | 6.4 | 0.00 |
| CVE-2026-41507 | CRITICAL | Remote Code Execution (RCE) via String Literal Injection into math-codegen | May 08, 2026 | 9.8 | 0.00 |
| CVE-2026-43944 | CRITICAL | electerm: dangerous code can be run through links or command line | May 08, 2026 | 9.6 | 0.00 |

CVSS is the base score as listed; EPSS is the listed exploit-prediction probability. CVE-2026-42856 has no CVSS score on the page.
Products (tracked vulnerabilities per package)

| Product | Tracked vulnerabilities |
|---|---|
| openclaw | 393 |
| parse-server | 92 |
| n8n | 62 |
| directus | 53 |
| electron | 48 |
| flowise | 48 |
| next | 47 |
| vm2 | 32 |
| hono | 25 |
| nocodb | 25 |
| axios | 24 |
| undici | 22 |
| ghost | 21 |
| vite | 19 |
| astro | 17 |
| ckeditor4 | 15 |
| fuxa-server | 15 |
| jspdf | 15 |
| tar | 15 |
| joplin | 14 |
| nodebb | 14 |
| sequelize | 14 |
| tinymce | 14 |
| flowise-components | 13 |
| signalk-server | 13 |
| angular | 12 |
| dompurify | 12 |
| handlebars | 12 |
| jsrsasign | 12 |
| matrix-js-sdk | 12 |