npm

4,193 tracked vulnerabilities.

CVE-2026-47140 CRITICAL
vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
Jun 12, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-47139 HIGH
vm2: NodeVM network builtin exclusions bypass via internal _http_client and _http_server
Jun 12, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-47137 CRITICAL
vm2 < 3.11.4 - Remote Code Execution via NodeVM Patch Bypass
Jun 12, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-47135 HIGH
vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks
Jun 12, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-47131 CRITICAL
vm2: Sandbox Escape
Jun 12, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-47200 MEDIUM
Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
Jun 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-46342 MEDIUM
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Jun 12, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-45669 MEDIUM
Nuxt: Reflected XSS in `navigateTo()` external redirect
Jun 12, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-53819 HIGH
OpenClaw < 2026.5.27 - Arbitrary Homebrew Executable Execution via Workspace .env Override
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53818 MEDIUM
OpenClaw < 2026.4.24 - Owner-Only Tool Policy Bypass via MCP Loopback
Jun 11, 2026
CVSS 6.6
EPSS 0.00
CVE-2026-53817 HIGH
OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53816 HIGH
OpenClaw < 2026.5.18 - Exec Lifecycle Event Forgery via Paired Node
Jun 11, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-53815 MEDIUM
OpenClaw < 2026.5.19 - Channel Allowlist Bypass in Message Read Actions
Jun 11, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53814 HIGH
OpenClaw < 2026.5.20 - Privilege Escalation via Hook-Triggered CLI MCP Tool Authority
Jun 11, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-53813 HIGH
OpenClaw < 2026.4.25 - Arbitrary Artifact Loading via Fake Package Root Resolution
Jun 11, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-53812 HIGH
OpenClaw < 2026.5.18 - Private-Network Navigation Bypass via Browser Act Interactions
Jun 11, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-53811 HIGH
OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Display Names in Matrix allowFrom
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53810 HIGH
OpenClaw < 2026.5.18 - Arbitrary Code Execution via Unscanned Marketplace Runtime Extension Metadata
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53809 LOW
OpenClaw < 2026.4.25 - Provider Alias Confusion in Embedded Runner Policy
Jun 11, 2026
CVSS 3.8
EPSS 0.00
CVE-2026-53806 HIGH
OpenClaw < 2026.5.12 - Shell Option Parsing Bypass in Exec Revalidation
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-47250 MEDIUM
mcp-server-kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
Jun 11, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-46519 HIGH
mcp-server-kubernetes Affected By Tool Access Control Bypass: Presentation-Layer Filtering Without Execution-Layer Enforcement
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-49982 HIGH
node-tmp 0.2.6 - Path Traversal via Non-String Template Values
Jun 11, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-44705 HIGH
tmp: Path Traversal via unsanitized prefix/postfix enables directory escape
Jun 11, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-44496 HIGH
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
Jun 11, 2026
CVSS 7.5
EPSS 0.01