npm
3,968 tracked vulnerabilities.
| CVE | Severity | Title | Published | CVSS | EPSS |
|---|---|---|---|---|---|
| CVE-2026-43943 | HIGH | electerm: RCE via malicious SSH server filename in openFileWithEditor | May 08, 2026 | 7.8 | 0.00 |
| CVE-2026-43942 | MEDIUM | electerm: Full process.env exposed to renderer via window.pre.env in electerm | May 08, 2026 | 5.5 | 0.00 |
| CVE-2026-43941 | CRITICAL | Unvalidated shell.openExternal in electerm allows arbitrary protocol execution via terminal link click | May 08, 2026 | 9.6 | 0.00 |
| CVE-2026-43940 | HIGH | electerm: Path traversal in electerm runWidget leads to arbitrary code execution | May 08, 2026 | 8.4 | 0.00 |
| CVE-2026-42264 | HIGH | Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking | May 08, 2026 | 7.4 | 0.00 |
| CVE-2026-41900 | HIGH | OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment | May 08, 2026 | 8.8 | 0.00 |
| CVE-2026-41501 | CRITICAL | electerm has Command Injection Vulnerability via runLinux function | May 08, 2026 | 9.8 | 0.01 |
| CVE-2026-41500 | CRITICAL | electerm has Command Injection Vulnerability via runMac function | May 08, 2026 | 9.8 | 0.00 |
| CVE-2026-8115 | MEDIUM | gyoridavid short-video-maker REST API rest.ts path traversal | May 07, 2026 | 5.3 | 0.00 |
| CVE-2026-42449 | HIGH | n8n-MCP: IPv4-mapped IPv6 addresses bypass SSRF protection in validateUrlSync(), enabling full SSRF for SDK embedders | May 07, 2026 | 8.5 | 0.00 |
| CVE-2026-42047 | HIGH | Inngest TypeScript SDK exposes environment variables via serve() handler on unhandled HTTP methods | May 07, 2026 | 8.6 | 0.00 |
| CVE-2026-41692 | MEDIUM | i18nextify is vulnerable to DOM XSS via javascript:/data: URL schemes in translated href/src attributes | May 07, 2026 | 4.7 | 0.00 |
| CVE-2026-41691 | MEDIUM | i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns | May 07, 2026 | 6.5 | 0.00 |
| CVE-2026-41650 | MEDIUM | fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters | May 07, 2026 | 6.1 | 0.00 |
| CVE-2026-41139 | HIGH | Unsafe array index getter in mathjs | May 07, 2026 | 8.8 | 0.00 |
| CVE-2026-41675 | HIGH | xmldom: XML node injection through unvalidated processing instruction serialization | May 07, 2026 | | 0.00 |
| CVE-2026-41674 | HIGH | xmldom: XML injection through unvalidated DocumentType serialization | May 07, 2026 | | 0.00 |
| CVE-2026-41673 | HIGH | xmldom: Denial of service via uncontrolled recursion in XML serialization | May 07, 2026 | | 0.00 |
| CVE-2026-41672 | HIGH | xmldom: XML node injection through unvalidated comment serialization | May 07, 2026 | | 0.00 |
| CVE-2026-44118 | HIGH | OpenClaw < 2026.4.22 - Owner Context Spoofing via Bearer Token Header | May 06, 2026 | 7.8 | 0.00 |
| CVE-2026-44117 | MEDIUM | OpenClaw < 2026.4.20 - Server-Side Request Forgery in QQBot Direct Media Upload | May 06, 2026 | 5.8 | 0.00 |
| CVE-2026-44116 | HIGH | OpenClaw < 2026.4.22 - Server-Side Request Forgery in Zalo Photo URL Validation | May 06, 2026 | 8.6 | 0.00 |
| CVE-2026-44114 | HIGH | OpenClaw < 2026.4.20 - Environment Variable Namespace Collision via Workspace dotenv | May 06, 2026 | 7.8 | 0.00 |
| CVE-2026-44113 | HIGH | OpenClaw < 2026.4.22 - Time-of-Check/Time-of-Use Race Condition in OpenShell FS Bridge | May 06, 2026 | 7.7 | 0.00 |
| CVE-2026-44112 | CRITICAL | OpenClaw < 2026.4.22 - Symlink Swap Race Condition in OpenShell FS Bridge Writes | May 06, 2026 | 9.6 | 0.00 |
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12