npm
4,193 tracked vulnerabilities.
CVE-2026-47140
CRITICAL
vm2: NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
Jun 12, 2026
CVSS 10.0
EPSS 0.01
CVE-2026-47139
HIGH
vm2: NodeVM network builtin exclusions bypass via internal _http_client and _http_server
Jun 12, 2026
CVSS 8.6
EPSS 0.00
CVE-2026-47137
CRITICAL
vm2 < 3.11.4 - Remote Code Execution via NodeVM Patch Bypass
Jun 12, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-47135
HIGH
vm2: Sandbox escape via unblocked cross-realm Symbol.for keys + missing bridge write-trap symbol checks
Jun 12, 2026
CVSS 8.7
EPSS 0.00
CVE-2026-47131
CRITICAL
vm2: Sandbox Escape
Jun 12, 2026
CVSS 10.0
EPSS 0.00
CVE-2026-47200
MEDIUM
Nuxt: Route middleware not enforced when rendering `.server.vue` pages via `/__nuxt_island/page_*`
Jun 12, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-46342
MEDIUM
Nuxt: `__nuxt_island` endpoint does not bind responses to request props, enabling shared-cache poisoning
Jun 12, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-45669
MEDIUM
Nuxt: Reflected XSS in `navigateTo()` external redirect
Jun 12, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-53819
HIGH
OpenClaw < 2026.5.27 - Arbitrary Homebrew Executable Execution via Workspace .env Override
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53818
MEDIUM
OpenClaw < 2026.4.24 - Owner-Only Tool Policy Bypass via MCP Loopback
Jun 11, 2026
CVSS 6.6
EPSS 0.00
CVE-2026-53817
HIGH
OpenClaw < 2026.5.22 - Control UI Locality Spoofing in Device Pairing
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53816
HIGH
OpenClaw < 2026.5.18 - Exec Lifecycle Event Forgery via Paired Node
Jun 11, 2026
CVSS 7.2
EPSS 0.00
CVE-2026-53815
MEDIUM
OpenClaw < 2026.5.19 - Channel Allowlist Bypass in Message Read Actions
Jun 11, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-53814
HIGH
OpenClaw < 2026.5.20 - Privilege Escalation via Hook-Triggered CLI MCP Tool Authority
Jun 11, 2026
CVSS 8.3
EPSS 0.00
CVE-2026-53813
HIGH
OpenClaw < 2026.4.25 - Arbitrary Artifact Loading via Fake Package Root Resolution
Jun 11, 2026
CVSS 7.8
EPSS 0.00
CVE-2026-53812
HIGH
OpenClaw < 2026.5.18 - Private-Network Navigation Bypass via Browser Act Interactions
Jun 11, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-53811
HIGH
OpenClaw < 2026.5.7 - Privilege Escalation via Mutable Display Names in Matrix allowFrom
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53810
HIGH
OpenClaw < 2026.5.18 - Arbitrary Code Execution via Unscanned Marketplace Runtime Extension Metadata
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-53809
LOW
OpenClaw < 2026.4.25 - Provider Alias Confusion in Embedded Runner Policy
Jun 11, 2026
CVSS 3.8
EPSS 0.00
CVE-2026-53806
HIGH
OpenClaw < 2026.5.12 - Shell Option Parsing Bypass in Exec Revalidation
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-47250
MEDIUM
mcp-server-kubernetes: kubectl-generic flag injection enables Kubernetes bearer token exfiltration
Jun 11, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-46519
HIGH
mcp-server-kubernetes Affected By Tool Access Control Bypass: Presentation-Layer Filtering Without Execution-Layer Enforcement
Jun 11, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-49982
HIGH
node-tmp 0.2.6 - Path Traversal via Non-String Template Values
Jun 11, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-44705
HIGH
tmp: Path Traversal via unsanitized prefix/postfix enables directory escape
Jun 11, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-44496
HIGH
Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection
Jun 11, 2026
CVSS 7.5
EPSS 0.01
Products
openclaw 433
parse-server 98
flowise 67
n8n 67
directus 53
electron 48
next 47
vm2 41
axios 33
hono 30
undici 30
nocodb 25
pnpm 25
ghost 22
vite 20
tinymce 18
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
liquidjs 14
nodebb 14
sequelize 14
flowise-components 13
react-router 13
signalk-server 13
angular 12
dompurify 12
Quick Filters