npm
3,968 tracked vulnerabilities.
| CVE | Severity | CVSS | EPSS | Date | Title (package, affected versions, summary) |
|---|---|---|---|---|---|
| CVE-2026-44109 | CRITICAL | 9.8 | 0.00 | May 06, 2026 | OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation |
| CVE-2026-43585 | HIGH | 8.1 | 0.00 | May 06, 2026 | OpenClaw < 2026.4.15 - Bearer Token Validation Bypass via Stale SecretRef Resolution |
| CVE-2026-43584 | HIGH | 8.8 | 0.00 | May 06, 2026 | OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec Policy |
| CVE-2026-43583 | MEDIUM | 5.3 | 0.00 | May 06, 2026 | OpenClaw 2026.4.10 < 2026.4.14 - Loss of Group Tool-Policy Context in Delivery Queue Recovery |
| CVE-2026-43582 | MEDIUM | 6.3 | 0.00 | May 06, 2026 | OpenClaw < 2026.4.10 - DNS Rebinding SSRF via Hostname Validation Bypass |
| CVE-2026-43580 | HIGH | 7.7 | 0.00 | May 06, 2026 | OpenClaw < 2026.4.10 - Incomplete Navigation Guard Coverage in Browser Interactions |
| CVE-2026-43576 | HIGH | 7.7 | 0.00 | May 06, 2026 | OpenClaw < 2026.4.5 - Second-hop SSRF via CDP /json/version WebSocket URL |
| CVE-2026-23870 | HIGH | 7.5 | 0.00 | May 06, 2026 | react-server-dom-webpack 19.0.0-19.0.5, 19.1.0-19.1.6, 19.2.0-19.2.5 - DoS via Crafted HTTP Requests |
| CVE-2026-8026 | LOW | 3.7 | 0.00 | May 06, 2026 | FlowiseAI Flowise API Response account.service.ts login information disclosure |
| CVE-2026-43574 | MEDIUM | 6.5 | 0.00 | May 05, 2026 | OpenClaw < 2026.4.12 - Improper Authorization via Empty Approver Lists |
| CVE-2026-43573 | HIGH | 7.7 | 0.00 | May 05, 2026 | OpenClaw < 2026.4.10 - SSRF Policy Bypass in Existing-Session Browser Interaction Routes |
| CVE-2026-43572 | MEDIUM | 5.3 | 0.00 | May 05, 2026 | OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler |
| CVE-2026-43571 | HIGH | 8.8 | 0.00 | May 05, 2026 | OpenClaw < 2026.4.10 - Untrusted Workspace Plugin Shadow Resolution in Channel Setup |
| CVE-2026-43570 | MEDIUM | 6.5 | 0.00 | May 05, 2026 | OpenClaw 2026.3.22 < 2026.4.5 - Symlink Traversal in Remote Marketplace Repository Path Handling |
| CVE-2026-43569 | HIGH | 8.8 | 0.00 | May 05, 2026 | OpenClaw < 2026.4.9 - Untrusted Provider Plugin Auto-enablement via Workspace Provider Auth |
| CVE-2026-43568 | MEDIUM | 6.5 | 0.00 | May 05, 2026 | OpenClaw 2026.4.5 < 2026.4.10 - Privilege Escalation via Memory Dreaming Configuration in /dreaming Endpoint |
| CVE-2026-43567 | MEDIUM | 6.5 | 0.00 | May 05, 2026 | OpenClaw < 2026.4.10 - Path Traversal in screen_record outPath Parameter |
| CVE-2026-43566 | CRITICAL | 9.1 | 0.00 | May 05, 2026 | OpenClaw 2026.4.7 < 2026.4.14 - Privilege Escalation via Untrusted Webhook Wake Events |
| CVE-2026-43535 | MEDIUM | 6.8 | 0.00 | May 05, 2026 | OpenClaw < 2026.4.14 - Authorization Context Reuse in Collect-Mode Queue Batches |
| CVE-2026-43534 | CRITICAL | 9.1 | 0.00 | May 05, 2026 | OpenClaw < 2026.4.10 - Unsanitized External Input in Agent Hook Events |
| CVE-2026-43533 | HIGH | 8.6 | 0.00 | May 05, 2026 | OpenClaw < 2026.4.10 - Arbitrary Local File Read via QQBot Media Tags |
| CVE-2026-43532 | HIGH | 7.7 | 0.00 | May 05, 2026 | OpenClaw 2026.4.7 < 2026.4.10 - Sandbox Media Normalization Bypass via Discord Event Cover Image |
| CVE-2026-43531 | HIGH | 7.3 | 0.00 | May 05, 2026 | OpenClaw < 2026.4.9 - Environment Variable Injection via Workspace .env File |
| CVE-2026-43530 | HIGH | 8.8 | 0.00 | May 05, 2026 | OpenClaw 2026.2.23 < 2026.4.12 - Weakened Exec Approval Binding via busybox and toybox Applet Execution |
| CVE-2026-43529 | LOW | 2.5 | 0.00 | May 05, 2026 | OpenClaw < 2026.4.10 - Time-of-Check-Time-of-Use (TOCTOU) Race Condition in exec Script Preflight Validator |
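The titles above encode affected versions in three notations ("< 2026.4.15", "2026.4.10 < 2026.4.14", and comma-separated spans such as "19.0.0-19.0.5, 19.1.0-19.1.6"). The script below is an added example, not code from this tracker or from any listed project: it parses those notations and checks the versions pinned in a package-lock.json against the listed CVEs. It assumes the notation means strictly below the bound, lower bound inclusive and upper bound exclusive, and inclusive spans respectively (the feed does not document this); that the first word of a title, lower-cased, is the npm package name (the Products facet says "openclaw" where titles say "OpenClaw"); and that the lockfile uses the lockfileVersion 2/3 "packages" map. The advisory rows are copied from the table above; the lockfile and the package versions in it are constructed for the demonstration.

```javascript
// Added example: match affected-version notation from advisory titles against
// a package-lock.json. Not the tracker's or any project's own code.
// Assumed notation (inferred from titles, not documented by the feed):
//   "< 2026.4.15"                  v <  2026.4.15
//   "2026.4.10 < 2026.4.14"        2026.4.10 <= v < 2026.4.14
//   "19.0.0-19.0.5, 19.1.0-19.1.6" inclusive spans, comma separated
// Versions are compared as dotted integer tuples; pre-release tags such as
// 4.0.0-rc.1 are not modelled and are reported as unparseable, never guessed.

function parseVersion(v) {
  const parts = String(v).trim().split('.');
  if (!parts.every((p) => /^\d+$/.test(p))) return null;
  return parts.map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] ?? 0, y = b[i] ?? 0; // missing components count as 0
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// One range expression -> predicate over parsed version tuples.
function parseRange(expr) {
  const text = expr.trim();
  const ver = (s) => {
    const v = parseVersion(s);
    if (!v) throw new Error(`bad version in range "${expr}": ${s}`);
    return v;
  };
  let m;
  if ((m = /^<\s*([\d.]+)$/.exec(text))) {
    const hi = ver(m[1]);
    return (v) => compareVersions(v, hi) < 0;
  }
  if ((m = /^([\d.]+)\s*<\s*([\d.]+)$/.exec(text))) {
    const lo = ver(m[1]), hi = ver(m[2]);
    return (v) => compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
  }
  if (/^[\d.]+-[\d.]+(\s*,\s*[\d.]+-[\d.]+)*$/.test(text)) {
    const spans = text.split(',').map((s) => s.trim().split('-').map(ver));
    return (v) => spans.some(([lo, hi]) => compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0);
  }
  throw new Error(`unrecognised range notation: "${expr}"`);
}

// "<package> <range> - <summary>"; titles without that shape (e.g. the Flowise
// entry) carry no machine-readable range and are skipped, not guessed.
function parseTitle(cve, title) {
  const m = /^(\S+)\s+(.+?)\s+-\s+(.+)$/.exec(title);
  if (!m) return null;
  try {
    return { cve, pkg: m[1].toLowerCase(), range: m[2], summary: m[3], matches: parseRange(m[2]) };
  } catch {
    return null;
  }
}

function loadAdvisories(rows) {
  return rows.map(([cve, title]) => parseTitle(cve, title)).filter(Boolean);
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json.
function auditLock(lock, advisories) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.version) continue; // "" is the root project itself
    const i = path.lastIndexOf('node_modules/'); // nested installs keep the last segment
    const name = i === -1 ? path : path.slice(i + 'node_modules/'.length);
    const v = parseVersion(entry.version);
    if (!v) {
      findings.push({ pkg: name, version: entry.version, cve: null, note: 'version not comparable; check manually' });
      continue;
    }
    for (const adv of advisories) {
      if (adv.pkg === name && adv.matches(v)) {
        findings.push({ pkg: name, version: entry.version, cve: adv.cve, note: `${adv.range}: ${adv.summary}` });
      }
    }
  }
  return findings;
}

// Constructed sample: advisory titles copied from the listing; the lockfile is made up.
const SAMPLE_ADVISORIES = [
  ['CVE-2026-44109', 'OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation'],
  ['CVE-2026-43584', 'OpenClaw < 2026.4.10 - Insufficient Environment Variable Denylist in Exec Policy'],
  ['CVE-2026-43583', 'OpenClaw 2026.4.10 < 2026.4.14 - Loss of Group Tool-Policy Context in Delivery Queue Recovery'],
  ['CVE-2026-23870', 'react-server-dom-webpack 19.0.0-19.0.5, 19.1.0-19.1.6, 19.2.0-19.2.5 - DoS via Crafted HTTP Requests'],
  ['CVE-2026-8026', 'FlowiseAI Flowise API Response account.service.ts login information disclosure'],
];
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/openclaw': { version: '2026.4.12' },
    'node_modules/react-server-dom-webpack': { version: '19.1.6' },
    'node_modules/hono': { version: '4.0.0-rc.1' },
  },
};
const SAMPLE_FINDINGS = auditLock(SAMPLE_LOCK, loadAdvisories(SAMPLE_ADVISORIES));
for (const f of SAMPLE_FINDINGS) console.log(f.pkg, f.version, f.cve || '-', f.note);
```

On the constructed lockfile this flags openclaw 2026.4.12 for CVE-2026-44109 and CVE-2026-43583 (not CVE-2026-43584, whose bound is 2026.4.10), react-server-dom-webpack 19.1.6 for CVE-2026-23870, and reports hono 4.0.0-rc.1 as not comparable rather than silently passing it; a real run would replace the samples with the page's full listing and the project's own lockfile.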
Products
| Package | Count |
|---|---|
| openclaw | 393 |
| parse-server | 92 |
| n8n | 62 |
| directus | 53 |
| electron | 48 |
| flowise | 48 |
| next | 47 |
| vm2 | 32 |
| hono | 25 |
| nocodb | 25 |
| axios | 24 |
| undici | 22 |
| ghost | 21 |
| vite | 19 |
| astro | 17 |
| ckeditor4 | 15 |
| fuxa-server | 15 |
| jspdf | 15 |
| tar | 15 |
| joplin | 14 |
| nodebb | 14 |
| sequelize | 14 |
| tinymce | 14 |
| flowise-components | 13 |
| signalk-server | 13 |
| angular | 12 |
| dompurify | 12 |
| handlebars | 12 |
| jsrsasign | 12 |
| matrix-js-sdk | 12 |