npm ecosystem: 3,968 tracked vulnerabilities.
CVE ID | Severity | CVSS | EPSS | Date | Title
CVE-2026-41912 | HIGH | 7.6 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.4.8 - Server-Side Request Forgery Policy Bypass via Interaction-Triggered Navigation
CVE-2026-41911 | MEDIUM | 6.5 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.4.8 - Workspace-Only Filesystem Policy Bypass via docx upload_file/upload_image
CVE-2026-41910 | MEDIUM | 4.3 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.4.8 - Missing Owner-Only Enforcement in /allowlist Cross-Channel Writes
CVE-2026-41408 | MEDIUM | 4.3 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Disk Exhaustion via Media Download Bypass
CVE-2026-41407 | LOW | 3.7 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.4.2 - Timing Side Channel in Shared-Secret Comparison
CVE-2026-41406 | MEDIUM | 5.4 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Sender Allowlist Bypass via Thread History and Quoted Messages
CVE-2026-41405 | HIGH | 7.5 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Resource Exhaustion via Unauthenticated MS Teams Webhook Body Parsing
CVE-2026-41404 | HIGH | 8.8 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Operator Admin Privilege Escalation via Trusted-Proxy Authentication
CVE-2026-41403 | LOW | 2.9 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Access Control Bypass via Proxied Remote Request Misclassification
CVE-2026-41402 | MEDIUM | 4.2 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Webhook Replay Cache Cross-Target messageId Scope Bypass
CVE-2026-41400 | MEDIUM | 5.3 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Resource Consumption via Oversized WebSocket Frames in voice-call
CVE-2026-41399 | HIGH | 7.5 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.28 - Denial of Service via Unbounded Pre-auth WebSocket Upgrades
CVE-2026-41398 | MEDIUM | 4.6 | 0.00 | Apr 28, 2026 | OpenClaw - Unauthorized Agent Request Dispatch via Untrusted Local-Network Pages in iOS A2UI Bridge
CVE-2026-41397 | MEDIUM | 6.8 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Sandbox Escape via Unrestricted File Sync and Symlink Traversal
CVE-2026-41396 | HIGH | 7.8 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Environment Variable Override of Plugin Trust Root
CVE-2026-41395 | HIGH | 7.5 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3
CVE-2026-41394 | HIGH | 8.2 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Unauthorized Operator Scope Access in Unauthenticated Plugin-Auth Routes
CVE-2026-41393 | MEDIUM | 4.8 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance and Credential Exfiltration via Wide-Area Discovery
CVE-2026-41392 | MEDIUM | 6.7 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Exec Allowlist Bypass via Shell Init-File Options
CVE-2026-41391 | MEDIUM | 5.3 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Environment Variable Bypass in Package Index URL Handling
CVE-2026-41390 | HIGH | 7.3 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.28 - Exec Allowlist Bypass via Unregistered /usr/bin/script Wrapper
CVE-2026-41388 | MEDIUM | 6.5 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Configuration Rehydration via Empty-Array Revocation Handling
CVE-2026-41387 | HIGH | 7.8 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitization
CVE-2026-41386 | CRITICAL | 9.1 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes
CVE-2026-41385 | MEDIUM | 6.5 | 0.00 | Apr 28, 2026 | OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass
Products (tracked vulnerabilities per package):
openclaw 393
parse-server 92
n8n 62
directus 53
electron 48
flowise 48
next 47
vm2 32
hono 25
nocodb 25
axios 24
undici 22
ghost 21
vite 19
astro 17
ckeditor4 15
fuxa-server 15
jspdf 15
tar 15
joplin 14
nodebb 14
sequelize 14
tinymce 14
flowise-components 13
signalk-server 13
angular 12
dompurify 12
handlebars 12
jsrsasign 12
matrix-js-sdk 12