npm
3,968 tracked vulnerabilities.
CVE-2026-43528
MEDIUM
OpenClaw < 2026.4.14 - Redaction Bypass via sourceConfig and runtimeConfig Aliases
May 05, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-43527
HIGH
OpenClaw < 2026.4.14 - Server-Side Request Forgery via Private Network Navigation
May 05, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-43526
HIGH
OpenClaw < 2026.4.12 - Server-Side Request Forgery via QQBot Reply Media URL Handling
May 05, 2026
CVSS 8.2
EPSS 0.00
CVE-2026-42439
HIGH
OpenClaw < 2026.4.10 - SSRF Policy Bypass in Browser Tabs Action Routes
May 05, 2026
CVSS 8.5
EPSS 0.00
CVE-2026-42438
HIGH
OpenClaw 2026.4.9 < 2026.4.10 - Sender Policy Bypass in Host Media Attachment Reads
May 05, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-42437
HIGH
OpenClaw 2026.4.9 < 2026.4.10 - Denial of Service via Oversized WebSocket Frames in Voice-call Realtime Path
May 05, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42436
HIGH
OpenClaw < 2026.4.14 - Internal Page Content Exposure via Browser Snapshot and Screenshot Routes
May 05, 2026
CVSS 7.7
EPSS 0.00
CVE-2026-42435
HIGH
OpenClaw 2026.2.22 < 2026.4.12 - Shell-Wrapper Detection Bypass via Environment Variable Assignment Injection
May 05, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42434
HIGH
OpenClaw 2026.4.5 < 2026.4.10 - Sandbox Escape via host Parameter Override in Exec Routing
May 05, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42433
MEDIUM
OpenClaw < 2026.4.10 - Unauthorized Matrix Profile Config Persistence Access via operator.write Message Tools
May 05, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-6322
HIGH
fast-uri vulnerable to host confusion via percent-encoded authority delimiters
May 05, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-43870
HIGH
Apache Thrift: Node.js web_server.js multi-vulnerability
May 05, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-6321
HIGH
fast-uri vulnerable to path traversal via percent-encoded dot segments
May 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42237
HIGH
n8n: SQL Injection in Snowflake and MySQL Nodes
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42236
HIGH
n8n: Unauthenticated Denial of Service via MCP Client Registration
May 04, 2026
CVSS 7.5
EPSS 0.00
CVE-2026-42235
CRITICAL
n8n: XSS via MCP OAuth client
May 04, 2026
CVSS 9.6
EPSS 0.00
CVE-2026-42234
HIGH
n8n: Python Task Runner Sandbox Escape
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42233
CRITICAL
n8n: SQL Injection in Oracle Database Node via Limit Field
May 04, 2026
CVSS 9.8
EPSS 0.00
CVE-2026-42232
HIGH
n8n: XML Node Prototype Pollution to RCE
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42231
HIGH
n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42230
MEDIUM
n8n: Open Redirect in MCP OAuth Consent Flow
May 04, 2026
CVSS 6.1
EPSS 0.00
CVE-2026-42229
HIGH
n8n: SQL Injection in SeaTable Node
May 04, 2026
CVSS 8.8
EPSS 0.00
CVE-2026-42228
MEDIUM
n8n: Hijacking of Unauthenticated Chat Execution
May 04, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42227
MEDIUM
n8n: Public API Variables IDOR Allows Cross-Project Secret Disclosure
May 04, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-42226
HIGH
n8n: Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay
May 04, 2026
CVSS 7.5
EPSS 0.00
Products
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12