Vulnerabilities

| ID | Packages | Summary | Published | Attributes |
| --- | --- | --- | --- | --- |
| GHSA-m983-v2ff-wq65 | npm/parse-server | LiveQuery protected field leak via shared mutable state across concurrent subscribers | 11 minutes ago | Fix available; Severity - 8.2 (High) |
| GHSA-px3p-vgh9-m57c | npm/@nocobase/plugin-workflow-javascript | NocoBase Affected by Sandbox Escape to RCE via console._stdout Prototype Chain Traversal in Workflow Script Node | 35 minutes ago | Fix available; Severity - 9.9 (Critical) |
| GHSA-v9p7-gf3q-h779 | npm/@tinacms/graphql | @tinacms/graphql has Path Traversal that leads to overwrite of arbitrary files | 44 minutes ago | Fix available; Severity - 8.1 (High) |
| MAL-2026-2300 | npm/eslint-validator | Malicious code in eslint-validator (npm) | 1 hour ago | No fix available |
| MAL-2026-2297 | npm/earthengine-api | Malicious code in earthengine-api (npm) | 16 hours ago | No fix available |
| MAL-2026-2296 | npm/bos-decoration-elements | Malicious code in bos-decoration-elements (npm) | 19 hours ago | No fix available |
| GHSA-4hmj-39m8-jwc7 | npm/openclaw | OpenClaw has ACP CLI approval prompt ANSI escape sequence injection | yesterday | Fix available |
| GHSA-j4c9-w69r-cw33 | npm/openclaw | OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State | yesterday | Fix available |
| GHSA-mf5g-6r6f-ghhm | npm/openclaw | OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token | yesterday | Fix available |
| GHSA-rf6h-5gpw-qrgq | npm/openclaw | OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback | yesterday | Fix available |
| GHSA-h4jx-hjr3-fhgc | npm/openclaw | OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin` | yesterday | Fix available |
| GHSA-77w2-crqv-cmv3 | npm/openclaw | OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing | yesterday | Fix available |
| GHSA-3h52-cx59-c456 | npm/openclaw | OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation | yesterday | Fix available |
| GHSA-rhfg-j8jq-7v2h | npm/openclaw | OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476) | yesterday | Fix available |
| GHSA-52q4-3xjc-6778 | npm/openclaw | OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName | yesterday | Fix available |
| GHSA-q2qc-744p-66r2 | npm/openclaw | OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility | yesterday | Fix available |