@openrewrite/recipes-nodejs 0.38.0-20260203-172000 → 0.38.1

package/dist/resources/advisories-npm.csv

@@ -630,7 +630,7 @@ CVE-2018-11093,2018-05-23T20:37:46Z,"Cross-Site Scripting in @ckeditor/ckeditor5
 CVE-2018-11537,2022-05-14T03:05:44Z,"Auth0 angular-jwt misinterprets allowlist as regex",angular-jwt,0,0.1.10,,MODERATE,CWE-20,
 CVE-2018-11615,2018-08-31T06:22:50Z,"Mosca REDoS Vulnerability",mosca,0,2.8.2,,HIGH,CWE-185;CWE-20,
 CVE-2018-11647,2022-05-14T03:09:04Z,"oauth2orize-fprm XSS vulnerability",oauth2orize-fprm,0,0.2.1,,MODERATE,CWE-79,
-CVE-2018-12457,2022-05-13T01:49:36Z,"express-cart allows any user to create an admin user",express-cart,0,,,HIGH,CWE-732,
+CVE-2018-12457,2022-05-13T01:49:36Z,"express-cart allows any user to create an admin user",express-cart,0,1.1.6,,HIGH,CWE-732,
 CVE-2018-13339,2022-05-14T03:04:23Z,"Angular Redactor XSS Vulnerability",angular-redactor,0,,1.1.6,MODERATE,CWE-79,
 CVE-2018-13797,2018-09-06T23:24:21Z,"Command Injection in macaddress",macaddress,0,0.2.9,,CRITICAL,CWE-78,
 CVE-2018-13863,2018-09-17T20:44:58Z,"js-bson vulnerable to REDoS",bson,0.5.0,1.0.5,,HIGH,CWE-185;CWE-400,
@@ -1442,7 +1442,7 @@ CVE-2020-7795,2022-08-03T00:00:57Z,"get-npm-package-version Command Injection vu
 CVE-2020-8116,2020-07-29T20:56:59Z,"dot-prop Prototype Pollution vulnerability",dot-prop,0,4.2.1,,HIGH,CWE-1321;CWE-425;CWE-471,
 CVE-2020-8116,2020-07-29T20:56:59Z,"dot-prop Prototype Pollution vulnerability",dot-prop,5.0.0,5.1.1,,HIGH,CWE-1321;CWE-425;CWE-471,
 CVE-2020-8123,2021-12-10T17:22:01Z,"Uncontrolled Resource Consumption in strapi",strapi-admin,0,3.0.0-beta.18.4,,MODERATE,CWE-400,
-CVE-2020-8124,2022-01-06T20:30:34Z,"Improper Validation and Sanitization in url-parse",url-parse,0,1.4.5,,MODERATE,CWE-20,
+CVE-2020-8124,2022-01-06T20:30:34Z,"Improper Validation and Sanitization in url-parse",url-parse,0.1.0,1.4.5,,MODERATE,CWE-20,
 CVE-2020-8125,2021-04-13T15:41:24Z,"Improper Input Validation in klona",klona,0,1.1.1,,HIGH,CWE-20,
 CVE-2020-8127,2021-05-10T18:47:10Z,"Cross-site Scripting in reveal.js",reveal.js,0,3.9.2,,MODERATE,CWE-79,
 CVE-2020-8128,2021-04-13T15:25:24Z,"Server-Side Request Forgery and Inclusion of Functionality from Untrusted Control Sphere in jsreport",jsreport,0,2.6.0,,HIGH,CWE-829;CWE-918,
@@ -1729,7 +1729,7 @@ CVE-2021-27290,2021-03-19T21:24:36Z,"Regular Expression Denial of Service (ReDoS
 CVE-2021-27292,2021-05-06T16:11:13Z,"Regular Expression Denial of Service (ReDoS) in ua-parser-js",ua-parser-js,0.7.14,0.7.24,,HIGH,CWE-400,
 CVE-2021-27405,2021-03-01T20:44:44Z,"Regular expression Denial of Service in @progfay/scrapbox-parser",@progfay/scrapbox-parser,0,6.0.3,,MODERATE,CWE-400,
 CVE-2021-27405,2021-03-01T20:44:44Z,"Regular expression Denial of Service in @progfay/scrapbox-parser",@progfay/scrapbox-parser,7.0.0,7.0.2,,MODERATE,CWE-400,
-CVE-2021-27515,2021-05-06T16:10:51Z,"Path traversal in url-parse",url-parse,0,1.5.0,,MODERATE,CWE-23,
+CVE-2021-27515,2021-05-06T16:10:51Z,"Path traversal in url-parse",url-parse,0.1.0,1.5.0,,MODERATE,CWE-23,
 CVE-2021-27516,2021-03-01T20:03:53Z,"URIjs Hostname spoofing via backslashes in URL",urijs,0,1.19.6,,HIGH,CWE-20,
 CVE-2021-27524,2023-08-11T15:30:46Z,"Margox Braft-Editor Cross-site Scripting Vulnerability",braft-editor,0,,2.3.8,MODERATE,CWE-79,
 CVE-2021-27884,2021-03-26T16:49:26Z,"Weak JSON Web Token in yapi-vendor",yapi-vendor,0,1.9.3,,MODERATE,CWE-330,
@@ -1852,7 +1852,7 @@ CVE-2021-36383,2022-05-24T19:07:30Z,"Xen Orchestra Mishandles Authorization",xo-
 CVE-2021-36383,2022-05-24T19:07:30Z,"Xen Orchestra Mishandles Authorization",xo-web,0,,5.80.0,MODERATE,CWE-863,
 CVE-2021-3645,2021-09-13T20:16:54Z,"merge vulnerable to Prototype Pollution",@viking04/merge,0,1.0.2,,CRITICAL,CWE-1321;CWE-915,
 CVE-2021-3647,2021-07-19T21:22:36Z,"URIjs Vulnerable to Hostname spoofing via backslashes in URL ",urijs,0,1.19.7,,MODERATE,CWE-601,
-CVE-2021-3664,2021-08-10T16:07:08Z,"Open redirect in url-parse",url-parse,0,1.5.2,,MODERATE,CWE-601,
+CVE-2021-3664,2021-08-10T16:07:08Z,"Open redirect in url-parse",url-parse,0.1.0,1.5.2,,MODERATE,CWE-601,
 CVE-2021-3666,2021-09-14T20:25:35Z,"body-parser-xml vulnerable to Prototype Pollution",body-parser-xml,0,2.0.3,,HIGH,CWE-1321;CWE-915,
 CVE-2021-36686,2023-01-26T21:30:29Z,"Cross-site Scripting in yapi-vendor",yapi-vendor,0,,1.9.1,MODERATE,CWE-79,
 CVE-2021-36716,2021-12-10T17:25:21Z,"Improper Input Validation in is-email",is-email,0,1.0.1,,HIGH,CWE-20;CWE-400,
@@ -1952,6 +1952,9 @@ CVE-2021-41720,2021-12-03T20:37:32Z,"Withdrawn: Arbitrary code execution in loda
 CVE-2021-42057,2022-05-24T19:19:42Z,"Obsidian Dataview vulnerable to code injection due to unsafe eval",obsidian-dataview,0,0.4.13,,HIGH,CWE-94,
 CVE-2021-42227,2021-10-18T19:44:32Z,"Cross site scripting in kindeditor",kindeditor,0,,4.1.12,MODERATE,CWE-79,
 CVE-2021-42228,2021-10-18T19:44:06Z,"Cross Site Request Forgery in kindeditor",kindeditor,0,,4.1.12,HIGH,CWE-352,
+CVE-2021-4229,2021-10-22T20:38:14Z,"Embedded malware in ua-parser-js",ua-parser-js,0.7.29,0.7.30,,HIGH,CWE-829;CWE-912,
+CVE-2021-4229,2021-10-22T20:38:14Z,"Embedded malware in ua-parser-js",ua-parser-js,0.8.0,0.8.1,,HIGH,CWE-829;CWE-912,
+CVE-2021-4229,2021-10-22T20:38:14Z,"Embedded malware in ua-parser-js",ua-parser-js,1.0.0,1.0.1,,HIGH,CWE-829;CWE-912,
 CVE-2021-4231,2022-05-27T00:01:08Z,"Angular vulnerable to Cross-site Scripting",@angular/core,0,10.2.5,,MODERATE,CWE-79,
 CVE-2021-4231,2022-05-27T00:01:08Z,"Angular vulnerable to Cross-site Scripting",@angular/core,11.0.0,11.0.5,,MODERATE,CWE-79,
 CVE-2021-4231,2022-05-27T00:01:08Z,"Angular vulnerable to Cross-site Scripting",@angular/core,11.1.0-next.0,11.1.0-next.3,,MODERATE,CWE-79,
@@ -2028,15 +2031,15 @@ CVE-2022-0401,2022-02-02T00:01:46Z,"Path Traversal in w-zip",w-zip,0,1.0.12,,CRI
 CVE-2022-0436,2022-04-13T00:00:16Z,"Path Traversal in Grunt",grunt,0,1.5.2,,MODERATE,CWE-22,
 CVE-2022-0437,2022-02-06T00:00:54Z,"Cross-site Scripting in karma",karma,0,6.3.14,,MODERATE,CWE-79,
 CVE-2022-0508,2022-02-09T00:00:31Z,"Server-Side Request Forgery in @peertube/embed-api",@peertube/embed-api,0,4.1.0-rc.1,,MODERATE,CWE-918,
-CVE-2022-0512,2022-02-15T00:02:46Z,"Authorization bypass in url-parse",url-parse,0,1.5.6,,MODERATE,CWE-639,
+CVE-2022-0512,2022-02-15T00:02:46Z,"Authorization bypass in url-parse",url-parse,0.1.0,1.5.6,,MODERATE,CWE-639,
 CVE-2022-0528,2022-03-04T00:00:19Z,"Incorrect Authorization in @uppy/companion",@uppy/companion,0,3.3.1,,HIGH,CWE-200;CWE-863;CWE-918,
 CVE-2022-0536,2022-02-10T00:00:31Z,"Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects",follow-redirects,0,1.14.8,,MODERATE,CWE-200;CWE-212,
 CVE-2022-0613,2022-02-17T00:00:35Z,"Authorization Bypass Through User-Controlled Key in urijs",urijs,0,1.19.8,,MODERATE,CWE-639,
 CVE-2022-0624,2022-06-29T00:00:57Z,"Authorization Bypass in parse-path",parse-path,0,5.0.0,,HIGH,CWE-639,
-CVE-2022-0639,2022-02-18T00:00:33Z,"url-parse Incorrectly parses URLs that include an '@'",url-parse,0,1.5.7,,MODERATE,CWE-639,
+CVE-2022-0639,2022-02-18T00:00:33Z,"url-parse Incorrectly parses URLs that include an '@'",url-parse,1.0.0,1.5.7,,MODERATE,CWE-639,
 CVE-2022-0654,2022-02-24T00:00:54Z,"Cookie exposure in requestretry",requestretry,0,7.0.0,,HIGH,CWE-200,
 CVE-2022-0686,2022-02-21T00:00:21Z,"Authorization Bypass Through User-Controlled Key in url-parse",url-parse,0,1.5.8,,CRITICAL,CWE-639,
-CVE-2022-0691,2022-02-22T00:00:30Z,"url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.",url-parse,0,1.5.9,,MODERATE,CWE-639,
+CVE-2022-0691,2022-02-22T00:00:30Z,"url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.",url-parse,0.1.0,1.5.9,,MODERATE,CWE-639,
 CVE-2022-0722,2022-06-28T00:01:01Z,"Hostname confusion in parse-url",parse-url,0,6.0.1,,HIGH,CWE-200,
 CVE-2022-0748,2022-03-18T00:01:11Z,"Arbitrary code execution in post-loader",post-loader,0.0.0,,,CRITICAL,CWE-79,
 CVE-2022-0764,2022-02-27T00:00:15Z,"Command injection in strapi",strapi,0,4.1.0,,MODERATE,CWE-77;CWE-78,
@@ -2234,7 +2237,7 @@ CVE-2022-25876,2022-07-02T00:00:19Z,"Server-Side Request Forgery in link-preview
 CVE-2022-25878,2022-05-28T00:00:20Z,"Prototype Pollution in protobufjs",protobufjs,6.10.0,6.10.3,,HIGH,CWE-1321,
 CVE-2022-25878,2022-05-28T00:00:20Z,"Prototype Pollution in protobufjs",protobufjs,6.11.0,6.11.3,,HIGH,CWE-1321,
 CVE-2022-25881,2023-01-31T06:30:26Z,"http-cache-semantics vulnerable to Regular Expression Denial of Service",http-cache-semantics,0,4.1.1,,HIGH,CWE-1333,
-CVE-2022-25883,2023-06-21T06:30:28Z,"semver vulnerable to Regular Expression Denial of Service",semver,0,5.7.2,,HIGH,CWE-1333,
+CVE-2022-25883,2023-06-21T06:30:28Z,"semver vulnerable to Regular Expression Denial of Service",semver,2.0.0-alpha,5.7.2,,HIGH,CWE-1333,
 CVE-2022-25883,2023-06-21T06:30:28Z,"semver vulnerable to Regular Expression Denial of Service",semver,6.0.0,6.3.1,,HIGH,CWE-1333,
 CVE-2022-25883,2023-06-21T06:30:28Z,"semver vulnerable to Regular Expression Denial of Service",semver,7.0.0,7.5.2,,HIGH,CWE-1333,
 CVE-2022-25885,2022-11-01T12:00:30Z,"muhammara and hummus vulnerable to null pointer dereference on bad response object",hummus,1.0.0,1.0.111,,HIGH,CWE-690,
@@ -3088,7 +3091,7 @@ CVE-2024-28181,2024-03-15T19:53:50Z,"TurboBoost Commands vulnerable to arbitrary
 CVE-2024-28181,2024-03-15T19:53:50Z,"TurboBoost Commands vulnerable to arbitrary method invocation",@turbo-boost/commands,0.2.0,0.2.2,,HIGH,CWE-74,
 CVE-2024-28238,2024-03-12T20:47:18Z,"Session Token in URL in directus",directus,0,10.10.0,,LOW,CWE-200;CWE-598,
 CVE-2024-28239,2024-03-12T20:50:48Z,"URL Redirection to Untrusted Site in OAuth2/OpenID in directus",directus,0,10.10.0,,MODERATE,CWE-601,
-CVE-2024-28243,2024-03-25T19:38:18Z,"KaTeX's maxExpand bypassed by `\edef`",katex,0.10.0-beta,0.16.10,,MODERATE,CWE-606;CWE-674,
+CVE-2024-28243,2024-03-25T19:38:18Z,"KaTeX's maxExpand bypassed by `\edef`",katex,0.12.0,0.16.10,,MODERATE,CWE-606;CWE-674,
 CVE-2024-28244,2024-03-25T19:38:29Z,"KaTeX's maxExpand bypassed by Unicode sub/superscripts",katex,0.15.4,0.16.10,,MODERATE,CWE-606;CWE-674,
 CVE-2024-28245,2024-03-25T19:38:34Z,"KaTeX's `\includegraphics` does not escape filename",katex,0.11.0,0.16.10,,MODERATE,CWE-116,
 CVE-2024-28246,2024-03-25T19:38:37Z,"KaTeX missing normalization of the protocol in URLs allows bypassing forbidden protocols",katex,0.11.0,0.16.10,,MODERATE,CWE-184,
@@ -3538,7 +3541,8 @@ CVE-2024-53847,2024-12-09T20:38:42Z,"Trix editor subject to XSS vulnerabilities
 CVE-2024-53847,2024-12-09T20:38:42Z,"Trix editor subject to XSS vulnerabilities on copy & paste",trix,2.0.0,2.1.9,,MODERATE,CWE-79,
 CVE-2024-53866,2024-12-10T22:42:41Z,"pnpm no-script global cache poisoning via overrides / `ignore-scripts` evasion",pnpm,0,9.15.0,,MODERATE,CWE-346;CWE-426,
 CVE-2024-5389,2024-06-10T00:30:39Z,"lunary-ai/lunary Access Control Vulnerability in Prompt Variation Management",lunary,0,1.4.9,,MODERATE,CWE-1220,
-CVE-2024-53900,2024-12-02T21:31:20Z,"Mongoose search injection vulnerability",mongoose,0,6.13.5,,HIGH,CWE-89,
+CVE-2024-53900,2024-12-02T21:31:20Z,"Mongoose search injection vulnerability",mongoose,3.6.0-rc0,5.13.23,,HIGH,CWE-89,
+CVE-2024-53900,2024-12-02T21:31:20Z,"Mongoose search injection vulnerability",mongoose,6.0.0-rc0,6.13.5,,HIGH,CWE-89,
 CVE-2024-53900,2024-12-02T21:31:20Z,"Mongoose search injection vulnerability",mongoose,7.0.0-rc0,7.8.3,,HIGH,CWE-89,
 CVE-2024-53900,2024-12-02T21:31:20Z,"Mongoose search injection vulnerability",mongoose,8.0.0-rc0,8.8.3,,HIGH,CWE-89,
 CVE-2024-53983,2024-12-02T21:36:21Z,"Backstage Scaffolder plugin vulnerable to Server-Side Request Forgery","@backstage/plugin-scaffolder-node",0,0.4.12,,MODERATE,CWE-918,
@@ -3654,11 +3658,12 @@ CVE-2025-1398,2025-03-17T15:31:50Z,"Mattermost Desktop App allows the bypass of
 CVE-2025-14284,2025-12-09T18:30:35Z,"@tiptap/extension-link vulnerable to Cross-site Scripting (XSS)",@tiptap/extension-link,0,2.10.4,,LOW,CWE-79,
 CVE-2025-14505,2026-01-08T21:30:34Z,"Elliptic Uses a Cryptographic Primitive with a Risky Implementation",elliptic,0,,6.6.1,LOW,CWE-1240,
 CVE-2025-1467,2025-02-23T18:30:24Z,"tarteaucitron Cross-site Scripting (XSS)",tarteaucitronjs,0,1.17.0,,LOW,CWE-79,
-CVE-2025-14874,2025-12-18T09:30:30Z,"Nodemailer is vulnerable to DoS through Uncontrolled Recursion",nodemailer,0,7.0.11,,MODERATE,CWE-674;CWE-703,
+CVE-2025-14874,2025-12-01T20:44:25Z,"Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls",nodemailer,0,7.0.11,,HIGH,CWE-703,
 CVE-2025-15104,2026-01-16T15:31:25Z,"Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability",vnu-jar,0,,26.1.11,MODERATE,CWE-918,
 CVE-2025-1520,2025-04-23T18:30:58Z,"PostHog Plugin Server SQL Injection Vulnerability",@posthog/plugin-server,0,,1.10.7,HIGH,CWE-89,
 CVE-2025-15265,2026-01-15T20:13:33Z,"svelte vulnerable to Cross-site Scripting",svelte,5.46.0,5.46.4,,MODERATE,CWE-79,
 CVE-2025-15284,2025-12-30T21:02:54Z,"qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion",qs,0,6.14.1,,HIGH,CWE-20,
+CVE-2025-15536,2026-01-18T09:30:27Z,"Open Chinese Convert has Out-of-bounds Write",opencc,0,1.2.0,,LOW,CWE-119;CWE-787,
 CVE-2025-1691,2025-02-27T15:31:51Z,"MongoDB Shell may be susceptible to Control Character Injection via autocomplete",mongosh,0,2.3.9,,HIGH,CWE-74,
 CVE-2025-1692,2025-02-27T15:31:51Z,"MongoDB Shell may be susceptible to control character injection via pasting",mongosh,0,2.3.9,,MODERATE,CWE-150,
 CVE-2025-1693,2025-02-27T15:31:51Z,"MongoDB Shell may be susceptible to control character Injection via shell output",mongosh,0,2.3.9,,LOW,CWE-150,
@@ -3937,7 +3942,7 @@ CVE-2025-49595,2025-07-03T14:06:01Z,"n8n Vulnerable to Denial of Service via Mal
 CVE-2025-49596,2025-06-13T22:15:26Z,"MCP Inspector proxy server lacks authentication between the Inspector client and proxy","@modelcontextprotocol/inspector",0,0.14.1,,CRITICAL,CWE-306,
 CVE-2025-49826,2025-07-03T21:14:48Z,"Next.JS vulnerability can lead to DoS via cache poisoning ",next,15.0.4-canary.51,15.1.8,,HIGH,CWE-444,
 CVE-2025-50183,2025-06-18T14:41:25Z,"OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer","@openlist-frontend/openlist-frontend",0,4.0.0-rc.4,,MODERATE,CWE-79,
-CVE-2025-50537,2026-01-26T18:31:29Z,"eslint has a Stack Overflow when serializing objects with circular references",eslint,0,9.26.0,,MODERATE,CWE-674,
+CVE-2025-50537,2026-01-26T18:31:29Z,"Withdrawn Advisory: eslint has a Stack Overflow when serializing objects with circular references",eslint,0,9.26.0,,MODERATE,CWE-674,
 CVE-2025-50538,2025-10-03T21:47:37Z,"Flowise is vulnerable to stored XSS via ""View Messages"" allows credential theft in FlowiseAI admin panel",flowise,0,3.0.8,,CRITICAL,CWE-79,
 CVE-2025-50864,2025-08-20T15:31:42Z,"elysia-cors Origin Validation Error",@elysiajs/cors,0,1.3.1,,MODERATE,CWE-178;CWE-346,
 CVE-2025-50979,2025-08-27T18:31:55Z,"NodeBB SQL Injection vulnerability",nodebb,0,,4.3.0,HIGH,CWE-89,
@@ -4093,6 +4098,7 @@ CVE-2025-56200,2025-09-30T18:30:25Z,"validator.js has a URL validation bypass vu
 CVE-2025-56265,2025-09-08T18:31:42Z,"N8N's Chat Trigger component is vulnerable to XSS",@n8n/n8n-nodes-langchain,0,1.107.0,,HIGH,CWE-434;CWE-79,
 CVE-2025-56571,2025-09-30T18:30:24Z,"Finance.js vulnerable to DoS via the IRR function’s depth parameter",financejs,0,,4.1.0,HIGH,CWE-400;CWE-770;CWE-834,
 CVE-2025-56572,2025-09-30T18:30:24Z,"Finance.js vulnerable to DoS via the seekZero() parameter",financejs,0,,4.1.0,HIGH,CWE-400;CWE-770,
+CVE-2025-56647,2026-02-12T18:30:23Z,"@farmfe/core is Missing Origin Validation in WebSocket",@farmfe/core,0,1.7.6,,MODERATE,CWE-1385,
 CVE-2025-56648,2025-09-17T21:30:42Z,"Parcel has an Origin Validation Error vulnerability","@parcel/reporter-dev-server",1.6.1,,2.16.3,MODERATE,CWE-346,
 CVE-2025-57164,2025-09-15T19:51:08Z,"FlowiseAI Pre-Auth Arbitrary Code Execution",flowise,3.0.5,3.0.6,,CRITICAL,CWE-94,
 CVE-2025-57283,2026-01-28T18:30:47Z,"BrowserStack Local vulnerable to Command Injection through logfile variable",browserstack-local,0,,1.5.8,MODERATE,CWE-77,
@@ -4215,7 +4221,21 @@ CVE-2025-59430,2025-09-22T21:09:27Z,"Mesh Connect JS SDK Vulnerable to Cross Sit
 CVE-2025-59433,2025-09-22T18:01:01Z,"@conventional-changelog/git-client has Argument Injection vulnerability","@conventional-changelog/git-client",0,2.0.0,,MODERATE,CWE-88,
 CVE-2025-59471,2026-01-27T19:18:25Z,"Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration",next,10.0.0,15.5.10,,MODERATE,CWE-400;CWE-770,
 CVE-2025-59471,2026-01-27T19:18:25Z,"Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration",next,15.6.0-canary.0,16.1.5,,MODERATE,CWE-400;CWE-770,
-CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.0.0-canary.0,15.6.0-canary.61,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.0.0-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.0.1-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.0.2-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.0.3-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.0.4-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.1.1-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.2.0-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.2.1-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.2.2-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.3.0-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.3.1-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.4.0-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.4.2-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.5.1-canary.0,,,MODERATE,CWE-400;CWE-409;CWE-770,
+CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,15.6.0-canary.0,15.6.0-canary.61,,MODERATE,CWE-400;CWE-409;CWE-770,
 CVE-2025-59472,2026-01-28T15:20:55Z,"Next.js has Unbounded Memory Consumption via PPR Resume Endpoint ",next,16.0.0-beta.0,16.1.5,,MODERATE,CWE-400;CWE-409;CWE-770,
 CVE-2025-59526,2025-09-22T18:03:47Z,"Mailgen: HTML injection vulnerability in plaintext e-mails",mailgen,0,2.0.30,,MODERATE,CWE-79,
 CVE-2025-59527,2025-09-15T19:53:46Z,"FlowiseAI/Flowise has Server-Side Request Forgery (SSRF) vulnerability",flowise,3.0.5,3.0.6,,HIGH,CWE-918,
@@ -4239,6 +4259,7 @@ CVE-2025-59936,2025-09-26T14:27:01Z,"get-jwks: poisoned JWKS cache allows post-f
 CVE-2025-60542,2025-10-29T18:30:33Z,"TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update",typeorm,0,0.3.26,,HIGH,CWE-89,
 CVE-2025-60794,2025-11-20T15:30:24Z,"@perfood/couch-auth may expose session tokens, passwords",@perfood/couch-auth,0,,0.21.2,MODERATE,CWE-316,
 CVE-2025-6087,2025-06-16T19:37:16Z,"OpenNext for Cloudflare (opennextjs-cloudflare) has a SSRF vulnerability via /_next/image endpoint",@opennextjs/cloudflare,0,1.3.0,,HIGH,CWE-918,
+CVE-2025-61140,2026-01-28T18:30:47Z,"JSONPath vulnerable to Prototype Pollution due to insufficient input validation of object keys in lib/index.js",jsonpath,0,1.2.0,,MODERATE,CWE-1321,
 CVE-2025-61668,2025-10-01T15:53:43Z," @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user ",@plone/volto,0,16.34.1,,HIGH,CWE-476;CWE-754,
 CVE-2025-61668,2025-10-01T15:53:43Z," @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user ",@plone/volto,17.0.0,17.22.2,,HIGH,CWE-476;CWE-754,
 CVE-2025-61668,2025-10-01T15:53:43Z," @plone/volto vulnerable to potential DoS by invoking specific URL by anonymous user ",@plone/volto,18.0.0,18.27.2,,HIGH,CWE-476;CWE-754,
@@ -4252,6 +4273,7 @@ CVE-2025-61913,2025-10-09T15:21:39Z,"Flowise is vulnerable to arbitrary file wri
 CVE-2025-61913,2025-10-09T15:21:39Z,"Flowise is vulnerable to arbitrary file write through its WriteFileTool ",flowise,0,3.0.8,,CRITICAL,CWE-22,
 CVE-2025-61913,2025-10-09T15:21:39Z,"Flowise is vulnerable to arbitrary file write through its WriteFileTool ",flowise-components,0,3.0.8,,CRITICAL,CWE-22,
 CVE-2025-61914,2025-12-26T17:30:19Z,"n8n's Possible Stored XSS in ""Respond to Webhook"" Node May Execute Outside iframe Sandbox",n8n,0,1.114.0,,HIGH,CWE-79,
+CVE-2025-61917,2026-02-04T17:48:11Z,"n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner",n8n,1.65.0,1.114.3,,HIGH,CWE-200;CWE-668,
 CVE-2025-61925,2025-10-10T23:41:29Z,"Astro's `X-Forwarded-Host` is reflected without validation",astro,0,5.14.3,,MODERATE,CWE-20;CWE-470,
 CVE-2025-61927,2025-10-10T23:46:42Z,"Happy DOM: VM Context Escape can lead to Remote Code Execution",happy-dom,0,20.0.0,,CRITICAL,CWE-94,
 CVE-2025-61928,2025-10-09T15:40:50Z,"Better Auth: Unauthenticated API key creation through api-key plugin",better-auth,0,1.3.26,,HIGH,CWE-285;CWE-306,
@@ -4317,7 +4339,7 @@ CVE-2025-65110,2026-01-05T22:56:59Z,"Vega XSS via expression abusing vlSelection
 CVE-2025-65110,2026-01-05T22:56:59Z,"Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope",vega-selections,6.0.0,6.1.2,,HIGH,CWE-79,
 CVE-2025-6514,2025-07-09T15:30:44Z,"mcp-remote exposed to OS command injection via untrusted MCP server connections",mcp-remote,0.0.5,0.1.16,,CRITICAL,CWE-78,
 CVE-2025-6545,2025-06-23T22:41:50Z,"pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos",pbkdf2,3.0.10,3.1.3,,CRITICAL,CWE-20,
-CVE-2025-6547,2025-06-23T22:42:00Z,"pbkdf2 silently disregards Uint8Array input, returning static keys",pbkdf2,0,3.1.3,,CRITICAL,CWE-20,
+CVE-2025-6547,2025-06-23T22:42:00Z,"pbkdf2 silently disregards Uint8Array input, returning static keys",pbkdf2,1.0.0,3.1.3,,CRITICAL,CWE-20,
 CVE-2025-65513,2025-12-10T00:30:22Z,"Fetch MCP Server has a Server-Side Request Forgery (SSRF) vulnerability",mcp-fetch-server,0,,1.0.2,MODERATE,CWE-918,
 CVE-2025-65849,2025-12-08T21:30:22Z,"Altcha Proof-of-Work obfuscation mode cryptanalytic break",altcha,0.8.0,,2.2.4,MODERATE,CWE-327,
 CVE-2025-65944,2025-11-24T21:52:45Z,"Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`","@sentry/google-cloud-serverless",10.11.0,10.27.0,,MODERATE,CWE-201,
@@ -4377,6 +4399,7 @@ CVE-2025-66803,2026-01-20T18:58:15Z,"Turbo Frame responses can restore stale ses
 CVE-2025-67364,2026-01-07T18:30:26Z,"fast-filesystem-mcp has a Path Traversal vulnerability",fast-filesystem-mcp,0,,3.4.0,HIGH,CWE-24,
 CVE-2025-67419,2026-01-05T21:30:33Z,"evershop allows unauthenticated attackers to exhaust application server's resources via ""GET /images"" API",@evershop/evershop,0,,2.1.0,HIGH,CWE-1050,
 CVE-2025-67427,2026-01-05T21:30:33Z,"evershop allows unauthenticated attackers to force server to initiate HTTP request via ""GET /images"" API",@evershop/evershop,0,,2.1.0,MODERATE,CWE-918,
+CVE-2025-67438,2026-02-20T18:31:33Z,"Sync-in Server has a stored cross-site scripting (XSS) vulnerability",@sync-in/server,0,1.9.3,,MODERATE,CWE-79,
 CVE-2025-67489,2025-12-08T22:16:31Z,"@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server",@vitejs/plugin-rsc,0,0.5.6,,CRITICAL,CWE-94,
 CVE-2025-67490,2025-12-10T21:31:24Z,"Improper Request Caching Lookup in the Auth0 Next.js SDK",@auth0/nextjs-auth0,4.11.0,4.11.2,,MODERATE,CWE-863,
 CVE-2025-67490,2025-12-10T21:31:24Z,"Improper Request Caching Lookup in the Auth0 Next.js SDK",@auth0/nextjs-auth0,4.12.0,4.12.1,,MODERATE,CWE-863,
@@ -4406,6 +4429,7 @@ CVE-2025-68150,2025-12-16T22:35:40Z,"Parse Server is vulnerable to Server-Side R
 CVE-2025-68150,2025-12-16T22:35:40Z,"Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter",parse-server,9.0.0,9.1.1-alpha.1,,HIGH,CWE-918,
 CVE-2025-68154,2025-12-16T22:37:23Z,"systeminformation has a Command Injection vulnerability in fsSize() function on Windows",systeminformation,0,5.27.14,,HIGH,CWE-78,
 CVE-2025-68155,2025-12-16T22:32:26Z,"@vitejs/plugin-rsc has an Arbitrary File Read via `/__vite_rsc_findSourceMapURL` Endpoint",@vitejs/plugin-rsc,0,0.5.8,,HIGH,CWE-22;CWE-73,
+CVE-2025-68157,2026-02-05T18:35:28Z,"webpack buildHttp HttpUriPlugin allowedUris bypass via HTTP redirects → SSRF + cache persistence",webpack,5.49.0,5.104.0,,LOW,CWE-918,
 CVE-2025-68272,2026-01-02T15:20:05Z,"Signal K Server Vulnerable to Denial of Service via Unrestricted Access Request Flooding",signalk-server,0,2.19.0,,HIGH,CWE-400;CWE-770,
 CVE-2025-68273,2026-01-02T15:22:11Z,"Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints",signalk-server,0,2.19.0,,MODERATE,CWE-200,
 CVE-2025-68278,2025-12-18T18:45:41Z,"tinacms is vulnerable to arbitrary code execution",@tinacms/cli,0,2.0.4,,HIGH,CWE-94,
@@ -4417,6 +4441,7 @@ CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environ
 CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,8.0.0,8.6.15,,HIGH,CWE-200;CWE-538;CWE-541,
 CVE-2025-68429,2025-12-18T18:49:21Z,"Storybook manager bundle may expose environment variables during build",storybook,9.0.0,9.1.17,,HIGH,CWE-200;CWE-538;CWE-541,
 CVE-2025-68457,2025-12-19T19:17:26Z,"Orejime has executable code in HTML attributes",orejime,0,2.3.2,,LOW,CWE-79,
+CVE-2025-68458,2026-02-05T18:38:10Z,"webpack buildHttp: allowedUris allow-list bypass via URL userinfo (@) leading to build-time SSRF behavior",webpack,5.49.0,5.104.1,,LOW,CWE-918,
 CVE-2025-68470,2026-01-08T20:48:21Z,"React Router has unexpected external redirect via untrusted paths",react-router,6.0.0,6.30.2,,MODERATE,CWE-601,
 CVE-2025-68470,2026-01-08T20:48:21Z,"React Router has unexpected external redirect via untrusted paths",react-router,7.0.0,7.9.6,,MODERATE,CWE-601,
 CVE-2025-68475,2025-12-22T21:36:55Z,"Fedify has ReDoS Vulnerability in HTML Parsing Regex",@fedify/fedify,0,1.6.13,,HIGH,CWE-1333,
@@ -4442,6 +4467,14 @@ CVE-2025-69256,2025-12-31T22:05:32Z,"serverless MCP Server vulnerable to Command
 CVE-2025-69262,2026-01-07T18:51:07Z,"pnpm vulnerable to Command Injection via environment variable substitution",pnpm,6.25.0,10.27.0,,HIGH,CWE-78;CWE-94,
 CVE-2025-69263,2026-01-07T19:06:59Z,"pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies",pnpm,0,10.26.0,,HIGH,CWE-494,
 CVE-2025-69264,2026-01-07T19:07:43Z,"pnpm v10+ Bypass ""Dependency lifecycle scripts execution disabled by default""",pnpm,10.0.0,10.26.0,,HIGH,CWE-693,
+CVE-2025-69287,2026-02-17T16:13:48Z,"BSV Blockchain SDK has an Authentication Signature Data Preparation Vulnerability",@bsv/sdk,0,2.0.0,,MODERATE,CWE-573,
+CVE-2025-69873,2026-02-11T21:30:39Z,"ajv has ReDoS when using `$data` option",ajv,0,6.14.0,,MODERATE,CWE-400,
+CVE-2025-69873,2026-02-11T21:30:39Z,"ajv has ReDoS when using `$data` option",ajv,7.0.0-alpha.0,8.18.0,,MODERATE,CWE-400,
+CVE-2025-69874,2026-02-11T18:31:30Z,"nanotar is vulnerable to path traversal in parseTar() and parseTarGzip()",nanotar,0,,0.2.0,MODERATE,CWE-22,
+CVE-2025-69970,2026-02-03T18:30:47Z,"FUXA contains an insecure default configuration vulnerability",fuxa-server,0,,1.2.7,HIGH,CWE-1188;CWE-306,
+CVE-2025-69971,2026-02-03T18:30:47Z,"FUXA contains a hard-coded credential vulnerability",fuxa-server,0,,1.2.7,HIGH,CWE-798,
+CVE-2025-69981,2026-02-03T18:30:47Z,"FUXA contains an Unrestricted File Upload vulnerability",fuxa-server,0,,1.2.7,HIGH,CWE-306;CWE-434,
+CVE-2025-69983,2026-02-03T18:30:47Z,"FUXA allows Remote Code Execution (RCE) via the project import functionality.",fuxa-server,0,,1.2.7,HIGH,CWE-78;CWE-94,
 CVE-2025-7338,2025-07-17T21:01:54Z,"Multer vulnerable to Denial of Service via unhandled exception from malformed request",multer,1.4.4-lts.1,2.0.2,,HIGH,CWE-248,
 CVE-2025-7339,2025-07-17T21:17:19Z,"on-headers is vulnerable to http response header manipulation",on-headers,0,1.1.0,,LOW,CWE-241,
 CVE-2025-7783,2025-07-21T19:04:54Z,"form-data uses unsafe random function in form-data for choosing boundary",form-data,0,2.5.4,,CRITICAL,CWE-330,
@@ -4467,6 +4500,7 @@ CVE-2025-9862,2025-09-15T20:31:14Z,"Ghost vulnerable to Server Side Request Forg
 CVE-2025-9862,2025-09-15T20:31:14Z,"Ghost vulnerable to Server Side Request Forgery (SSRF) via oEmbed Bookmark",ghost,6.0.0,6.0.9,,MODERATE,CWE-918,
 CVE-2025-9910,2025-09-11T06:30:23Z,"jsondiffpatch is vulnerable to Cross-site Scripting (XSS) via HtmlFormatter::nodeBegin",jsondiffpatch,0,0.7.2,,MODERATE,CWE-79,
 CVE-2026-0621,2026-01-05T21:30:33Z,"Anthropic's MCP TypeScript SDK has a ReDoS vulnerability","@modelcontextprotocol/sdk",0,1.25.2,,HIGH,CWE-1333,
+CVE-2026-0775,2026-01-23T06:31:24Z,"Duplicate Advisory: npm cli Uncontrolled Search Path Element Local Privilege Escalation Vulnerability",npm,0,,11.8.0,HIGH,CWE-732,
 CVE-2026-0824,2026-01-10T15:31:22Z,"QuestDB UI's Web Console is Vulnerable to Cross-Site Scripting",@questdb/web-console,0,1.1.10,,LOW,CWE-79,
 CVE-2026-0933,2026-01-21T23:00:35Z,"Wrangler affected by OS Command Injection in `wrangler pages deploy`",wrangler,2.0.15,3.114.17,,HIGH,CWE-78,
 CVE-2026-0933,2026-01-21T23:00:35Z,"Wrangler affected by OS Command Injection in `wrangler pages deploy`",wrangler,4.0.0,4.59.1,,HIGH,CWE-78,
@@ -4475,6 +4509,11 @@ CVE-2026-1470,2026-01-27T15:30:32Z,"n8n Unsafe Workflow Expression Evaluation Al
 CVE-2026-1470,2026-01-27T15:30:32Z,"n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution",n8n,2.0.0,2.4.5,,CRITICAL,CWE-95,
 CVE-2026-1470,2026-01-27T15:30:32Z,"n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution",n8n,2.5.0,2.5.1,,CRITICAL,CWE-95,
 CVE-2026-1513,2026-01-28T03:30:30Z,"billboard.js is vulnerable to XSS during chart option binding",billboard.js,0,3.18.0,,HIGH,CWE-79,
+CVE-2026-1615,2026-02-09T06:30:28Z,"jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions",jsonpath,0,,1.2.1,HIGH,CWE-94,
+CVE-2026-1664,2026-02-03T18:42:01Z,"Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing",agents,0,0.3.7,,MODERATE,CWE-639,
+CVE-2026-1721,2026-02-13T03:31:23Z,"Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler",agents,0,0.3.10,,MODERATE,CWE-79,
+CVE-2026-1774,2026-02-10T18:30:38Z,"CASL Ability is Vulnerable to Prototype Pollution",@casl/ability,2.4.0,6.7.5,,CRITICAL,CWE-1321,
+CVE-2026-2130,2026-02-08T03:30:27Z,"mcp-maigret vulnerable to command injection",mcp-maigret,0,1.0.13,,MODERATE,CWE-74;CWE-77,
 CVE-2026-21440,2026-01-02T18:58:32Z,"AdonisJS Path Traversal in Multipart File Handling",@adonisjs/bodyparser,0,10.1.2,,CRITICAL,CWE-22,
 CVE-2026-21440,2026-01-02T18:58:32Z,"AdonisJS Path Traversal in Multipart File Handling",@adonisjs/bodyparser,11.0.0-next.0,11.0.0-next.6,,CRITICAL,CWE-22,
 CVE-2026-21852,2026-01-21T01:00:31Z,"Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation","@anthropic-ai/claude-code",0,2.0.65,,MODERATE,CWE-522,
@@ -4482,6 +4521,7 @@ CVE-2026-21858,2026-01-07T19:20:19Z,"n8n Vulnerable to Unauthenticated File Acce
 CVE-2026-21877,2026-01-06T17:48:24Z,"n8n Vulnerable to RCE via Arbitrary File Write",n8n,0.123.0,1.121.3,,CRITICAL,CWE-434,
 CVE-2026-21884,2026-01-08T20:50:05Z,"React Router SSR XSS in ScrollRestoration",@remix-run/react,0,2.17.3,,HIGH,CWE-79,
 CVE-2026-21884,2026-01-08T20:50:05Z,"React Router SSR XSS in ScrollRestoration",react-router,7.0.0,7.12.0,,HIGH,CWE-79,
+CVE-2026-21893,2026-02-04T17:49:38Z,"n8n Vulnerable to Command Injection in Community Package Installation",n8n,0.187.0,1.120.3,,CRITICAL,CWE-20;CWE-78,
 CVE-2026-21894,2026-01-07T19:22:54Z,"n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks",n8n,0.150.0,2.2.2,,MODERATE,CWE-290,
 CVE-2026-22028,2026-01-07T19:28:15Z,"Preact has JSON VNode Injection issue",preact,10.26.5,10.26.10,,HIGH,CWE-843,
 CVE-2026-22028,2026-01-07T19:28:15Z,"Preact has JSON VNode Injection issue",preact,10.27.0,10.27.3,,HIGH,CWE-843,
@@ -4534,10 +4574,12 @@ CVE-2026-22817,2026-01-13T21:51:44Z,"Hono JWT Middleware's JWT Algorithm Confusi
 CVE-2026-22818,2026-01-13T21:52:03Z,"Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks ""alg"" (untrusted header.alg fallback)",hono,0,4.11.4,,HIGH,CWE-347,
 CVE-2026-22819,2026-01-13T21:53:30Z,"Outray has a Race Condition in the cli's webapp",outray,0,0.1.5,,MODERATE,CWE-366,
 CVE-2026-22820,2026-01-13T21:53:44Z,"Outray cli is vulnerable to race conditions in tunnels creation",outray,0,0.1.5,,MODERATE,CWE-367,
+CVE-2026-2327,2026-02-12T06:30:13Z,"markdown-it is has a Regular Expression Denial of Service (ReDoS)",markdown-it,13.0.0,14.1.1,,MODERATE,CWE-1333,
+CVE-2026-23515,2026-02-02T18:10:32Z,"Signal K set-system-time plugin vulnerable to RCE - Command Injection",@signalk/set-system-time,0,1.5.0,,CRITICAL,CWE-78,
 CVE-2026-23522,2026-01-20T17:14:39Z,"Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion",@lobehub/chat,0,,1.143.2,LOW,CWE-284,
 CVE-2026-23527,2026-01-15T20:10:51Z,"h3 v1 has Request Smuggling (TE.TE) issue",h3,0,1.15.5,,HIGH,CWE-444,
 CVE-2026-23634,2026-01-15T20:14:31Z,"Pepr Has Overly Permissive RBAC ClusterRole in Admin Mode",pepr,0,1.0.5,,LOW,CWE-272;CWE-276,
-CVE-2026-23733,2026-01-20T17:54:49Z,"Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)",@lobehub/chat,0,,1.143.2,MODERATE,CWE-94,
+CVE-2026-23733,2026-01-20T17:54:49Z,"Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)",@lobehub/chat,0,,1.143.2,CRITICAL,CWE-94,
 CVE-2026-23735,2026-01-16T21:09:08Z,"GraphQL Modules has a Race Condition issue",graphql-modules,2.2.1,2.4.1,,HIGH,CWE-362,
 CVE-2026-23735,2026-01-16T21:09:08Z,"GraphQL Modules has a Race Condition issue",graphql-modules,3.0.0,3.1.1,,HIGH,CWE-362,
 CVE-2026-23736,2026-01-21T15:41:14Z,"seroval Affected by Prototype Pollution via JSON Deserialization",seroval,0,1.4.1,,HIGH,CWE-1321,
@@ -4558,6 +4600,10 @@ CVE-2026-23864,2026-01-29T15:00:30Z,"React Server Components have multiple Denia
 CVE-2026-23888,2026-01-26T21:02:49Z,"pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)",pnpm,0,10.28.1,,MODERATE,CWE-22;CWE-23;CWE-426,
 CVE-2026-23889,2026-01-26T21:02:44Z,"pnpm has Windows-specific tarball Path Traversal",pnpm,0,10.28.1,,MODERATE,CWE-22,
 CVE-2026-23890,2026-01-26T21:02:39Z,"pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin",pnpm,0,10.28.1,,MODERATE,CWE-23,
+CVE-2026-23897,2026-02-04T18:02:26Z,"Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`",@apollo/server,4.2.0,4.13.0,,HIGH,CWE-1333,
+CVE-2026-23897,2026-02-04T18:02:26Z,"Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`",@apollo/server,5.0.0,5.4.0,,HIGH,CWE-1333,
+CVE-2026-23897,2026-02-04T18:02:26Z,"Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`",apollo-server,2.0.0,,3.13.0,HIGH,CWE-1333,
+CVE-2026-2391,2026-02-12T17:04:39Z,"qs's arrayLimit bypass in comma parsing allows denial of service",qs,6.7.0,6.14.2,,LOW,CWE-20,
 CVE-2026-23947,2026-01-21T01:01:13Z,"Orval has a code injection via unsanitized x-enum-descriptions in enum generation",@orval/core,0,7.19.0,,CRITICAL,CWE-77,
 CVE-2026-23947,2026-01-21T01:01:13Z,"Orval has a code injection via unsanitized x-enum-descriptions in enum generation",@orval/core,8.0.0-rc.0,8.0.2,,CRITICAL,CWE-77,
 CVE-2026-23950,2026-01-21T01:05:49Z,"Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS",tar,0,7.5.4,,HIGH,CWE-176,
@@ -4571,6 +4617,8 @@ CVE-2026-24001,2026-01-14T21:34:12Z,"jsdiff has a Denial of Service vulnerabilit
 CVE-2026-24001,2026-01-14T21:34:12Z,"jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",diff,5.0.0,5.2.2,,LOW,CWE-1333;CWE-400,
 CVE-2026-24001,2026-01-14T21:34:12Z,"jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch",diff,6.0.0,8.0.3,,LOW,CWE-1333;CWE-400,
 CVE-2026-24006,2026-01-22T18:02:22Z,"Seroval affected by Denial of Service via Deeply Nested Objects",seroval,0,1.4.1,,HIGH,CWE-770,
+CVE-2026-24040,2026-02-02T18:20:02Z,"jsPDF has Shared State Race Condition in addJS Plugin",jspdf,0,4.1.0,,MODERATE,CWE-200;CWE-362,
+CVE-2026-24043,2026-02-02T18:28:29Z,"jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)",jspdf,0,4.1.0,,MODERATE,CWE-20;CWE-74,
 CVE-2026-24046,2026-01-21T22:36:36Z,"Backstage has a Possible Symlink Path Traversal in Scaffolder Actions","@backstage/backend-defaults",0,0.12.2,,HIGH,CWE-22;CWE-59,
 CVE-2026-24046,2026-01-21T22:36:36Z,"Backstage has a Possible Symlink Path Traversal in Scaffolder Actions","@backstage/backend-defaults",0.13.0,0.13.2,,HIGH,CWE-22;CWE-59,
 CVE-2026-24046,2026-01-21T22:36:36Z,"Backstage has a Possible Symlink Path Traversal in Scaffolder Actions","@backstage/backend-defaults",0.14.0,0.14.1,,HIGH,CWE-22;CWE-59,
@@ -4583,14 +4631,20 @@ CVE-2026-24047,2026-01-21T22:40:51Z,"@backstage/cli-common has a possible `resol
 CVE-2026-24048,2026-01-21T22:49:37Z,"Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`","@backstage/backend-defaults",0,0.12.2,,LOW,CWE-918,
 CVE-2026-24048,2026-01-21T22:49:37Z,"Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`","@backstage/backend-defaults",0.13.0,0.13.2,,LOW,CWE-918,
 CVE-2026-24048,2026-01-21T22:49:37Z,"Backstage has a Possible SSRF when reading from allowed URL's in `backend.reading.allow`","@backstage/backend-defaults",0.14.0,0.14.1,,LOW,CWE-918,
+CVE-2026-24052,2026-02-03T19:15:59Z,"Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains","@anthropic-ai/claude-code",0,1.0.111,,HIGH,CWE-601,
+CVE-2026-24053,2026-02-03T19:32:01Z,"Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes","@anthropic-ai/claude-code",0,2.0.74,,HIGH,CWE-22;CWE-78,
 CVE-2026-24056,2026-01-26T21:02:33Z,"pnpm has symlink traversal in file:/git dependencies",pnpm,0,10.28.2,,MODERATE,CWE-22;CWE-59,
 CVE-2026-24131,2026-01-26T21:29:58Z,"pnpm has Path Traversal via arbitrary file permission modification ",pnpm,0,10.28.2,,MODERATE,CWE-22;CWE-732,
 CVE-2026-24132,2026-01-22T18:09:13Z,"Orval Mock Generation Code Injection via const",@orval/mock,0,7.20.0,,HIGH,CWE-77,
 CVE-2026-24132,2026-01-22T18:09:13Z,"Orval Mock Generation Code Injection via const",@orval/mock,8.0.0-rc.0,8.0.3,,HIGH,CWE-77,
+CVE-2026-24133,2026-02-02T18:29:13Z,"jsPDF Vulnerable to Denial of Service (DoS) via Unvalidated BMP Dimensions in BMPDecoder",jspdf,0,4.1.0,,HIGH,CWE-20;CWE-400;CWE-770,
 CVE-2026-24134,2026-01-27T22:13:52Z,"StudioCMS has Authorization Bypass Through User-Controlled Key",studiocms,0,0.2.0,,MODERATE,CWE-639;CWE-862,
 CVE-2026-24398,2026-01-27T19:01:43Z,"Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing",hono,0,4.11.7,,MODERATE,CWE-185,
 CVE-2026-24472,2026-01-27T19:04:17Z,"Hono cache middleware ignores ""Cache-Control: private"" leading to Web Cache Deception",hono,0,4.11.7,,MODERATE,CWE-524;CWE-613,
 CVE-2026-24473,2026-01-27T19:09:01Z,"Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)",hono,0,4.11.7,,MODERATE,CWE-200;CWE-284;CWE-668,
+CVE-2026-24737,2026-02-02T18:29:49Z,"jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution",jspdf,0,4.1.0,,HIGH,CWE-116,
+CVE-2026-24763,2026-02-02T23:39:47Z,"OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable",clawdbot,0,2026.1.29,,HIGH,CWE-78,
+CVE-2026-24764,2026-02-17T18:40:11Z,"OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions",openclaw,0,2026.2.3,,LOW,CWE-74;CWE-94,
 CVE-2026-24766,2026-01-28T21:41:26Z,"NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS",nocodb,0,0.301.0,,MODERATE,CWE-1321,
 CVE-2026-24767,2026-01-28T21:41:18Z,"NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality",nocodb,0,0.301.0,,MODERATE,CWE-918,
 CVE-2026-24768,2026-01-28T21:41:10Z,"NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter",nocodb,0,0.301.0,,MODERATE,CWE-601,
@@ -4601,13 +4655,154 @@ CVE-2026-24778,2026-01-28T16:11:59Z,"Ghost vulnerable to XSS via malicious Porta
 CVE-2026-24778,2026-01-28T16:11:59Z,"Ghost vulnerable to XSS via malicious Portal preview links",ghost,5.43.0,5.121.0,,HIGH,CWE-79,
 CVE-2026-24778,2026-01-28T16:11:59Z,"Ghost vulnerable to XSS via malicious Portal preview links",ghost,6.0.0,6.15.0,,HIGH,CWE-79,
 CVE-2026-24842,2026-01-28T16:35:31Z,"node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",tar,0,7.5.7,,HIGH,CWE-22;CWE-59,
+CVE-2026-24884,2026-02-03T17:42:18Z,"Compressing Vulnerable to Arbitrary File Write via Symlink Extraction",compressing,0,1.10.4,,HIGH,CWE-59,
+CVE-2026-24884,2026-02-03T17:42:18Z,"Compressing Vulnerable to Arbitrary File Write via Symlink Extraction",compressing,2.0.0,2.0.1,,HIGH,CWE-59,
+CVE-2026-24887,2026-02-03T19:33:32Z,"Claude Code has a Command Injection in find Command Bypasses User Approval Prompt","@anthropic-ai/claude-code",0,2.0.72,,HIGH,CWE-78;CWE-94,
 CVE-2026-24888,2026-01-29T15:18:33Z,"Maker.js has Unsafe Property Copying in makerjs.extendObject",makerjs,0,0.19.2,,MODERATE,CWE-1321,
 CVE-2026-24909,2026-01-28T00:31:42Z,"vlt Mishandles Path Sanitization for tar",@vltpkg/tar,0,1.0.0-rc.10,,MODERATE,CWE-23,
 CVE-2026-25047,2026-01-29T22:21:32Z,"deepHas vulnerable to Prototype Pollution via constructor.prototype",deephas,0,1.0.8,,CRITICAL,CWE-1321,
+CVE-2026-25049,2026-02-04T18:03:09Z,"n8n Has Expression Escape Vulnerability Leading to RCE",n8n,0,1.123.17,,CRITICAL,CWE-913,
+CVE-2026-25049,2026-02-04T18:03:09Z,"n8n Has Expression Escape Vulnerability Leading to RCE",n8n,2.0.0,2.5.2,,CRITICAL,CWE-913,
 CVE-2026-25050,2026-01-30T19:35:40Z,"Vendure vulnerable to timing attack that enables user enumeration in NativeAuthenticationStrategy",@vendure/core,0,3.5.3,,LOW,CWE-202,
-CVE-2026-25128,2026-01-30T20:10:14Z,"fast-xml-parser has RangeError DoS Numeric Entities Bug",fast-xml-parser,4.3.6,5.3.4,,HIGH,CWE-248,
+CVE-2026-25051,2026-02-04T18:15:51Z,"n8n's Improper CSP Enforcement in Webhook Responses May Allow Stored XSS",n8n,0,1.122.5,,HIGH,CWE-79,
+CVE-2026-25051,2026-02-04T18:15:51Z,"n8n's Improper CSP Enforcement in Webhook Responses May Allow Stored XSS",n8n,1.123.0,1.123.2,,HIGH,CWE-79,
+CVE-2026-25052,2026-02-04T18:25:29Z,"n8n's Improper File Access Controls Allow Arbitrary File Read by Authenticated Users",n8n,0,1.123.18,,CRITICAL,CWE-367,
+CVE-2026-25052,2026-02-04T18:25:29Z,"n8n's Improper File Access Controls Allow Arbitrary File Read by Authenticated Users",n8n,2.0.0,2.5.0,,CRITICAL,CWE-367,
+CVE-2026-25053,2026-02-04T18:38:13Z,"n8n has OS Command Injection in Git Node",n8n,0,1.123.10,,CRITICAL,CWE-78,
+CVE-2026-25053,2026-02-04T18:38:13Z,"n8n has OS Command Injection in Git Node",n8n,2.0.0,2.5.0,,CRITICAL,CWE-78,
+CVE-2026-25054,2026-02-04T19:35:20Z,"n8n Has Stored Cross-site Scripting via Markdown Rendering in Workflow UI",n8n,0,1.123.9,,HIGH,CWE-79,
+CVE-2026-25054,2026-02-04T19:35:20Z,"n8n Has Stored Cross-site Scripting via Markdown Rendering in Workflow UI",n8n,2.0.0,2.2.1,,HIGH,CWE-79,
+CVE-2026-25055,2026-02-04T19:36:29Z,"n8n Vulnerable to Arbitrary File Write on Remote Systems via SSH Node",n8n,0,1.123.12,,HIGH,CWE-22,
+CVE-2026-25055,2026-02-04T19:36:29Z,"n8n Vulnerable to Arbitrary File Write on Remote Systems via SSH Node",n8n,2.0.0,2.4.0,,HIGH,CWE-22,
+CVE-2026-25056,2026-02-04T19:39:41Z,"n8n Merge Node has Arbitrary File Write leading to RCE",n8n,0,1.118.0,,CRITICAL,CWE-434;CWE-693,
+CVE-2026-25056,2026-02-04T19:39:41Z,"n8n Merge Node has Arbitrary File Write leading to RCE",n8n,2.0.0,2.4.0,,CRITICAL,CWE-434;CWE-693,
+CVE-2026-25115,2026-02-04T19:42:03Z,"n8n has a Python sandbox escape",n8n,0,2.4.8,,CRITICAL,CWE-693,
+CVE-2026-25128,2026-01-30T20:10:14Z,"fast-xml-parser has RangeError DoS Numeric Entities Bug",fast-xml-parser,5.0.9,5.3.4,,HIGH,CWE-20;CWE-248,
 CVE-2026-25141,2026-01-30T21:17:25Z,"Orval has Code Injection via unsanitized x-enum-descriptions using JS comments",@orval/core,7.19.0,7.21.0,,CRITICAL,CWE-84;CWE-94,
 CVE-2026-25141,2026-01-30T21:17:25Z,"Orval has Code Injection via unsanitized x-enum-descriptions using JS comments",@orval/core,8.0.0,8.2.0,,CRITICAL,CWE-84;CWE-94,
+CVE-2026-25142,2026-02-02T20:17:39Z,"SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE",@nyariv/sandboxjs,0,0.8.27,,CRITICAL,CWE-1321;CWE-94,
+CVE-2026-25148,2026-02-03T20:47:55Z,"Qwik SSR XSS via Unsafe Virtual Node Serialization",@builder.io/qwik-city,0,1.19.0,,MODERATE,CWE-79,
+CVE-2026-25149,2026-02-03T20:58:25Z,"Qwik City Open Redirect via fixTrailingSlash",@builder.io/qwik-city,0,1.19.0,,LOW,CWE-601,
+CVE-2026-25150,2026-02-03T20:49:22Z,"Prototype Pollution via FormData Processing in Qwik City",@builder.io/qwik-city,0,1.19.0,,CRITICAL,CWE-1321,
+CVE-2026-25151,2026-02-03T20:49:58Z,"Qwik City has a CSRF Protection Bypass via Content-Type Header Validation",@builder.io/qwik-city,0,1.19.0,,MODERATE,CWE-352,
+CVE-2026-25152,2026-02-02T14:36:39Z,"@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator","@backstage/plugin-techdocs-node",0,1.13.11,,MODERATE,CWE-22,
+CVE-2026-25152,2026-02-02T14:36:39Z,"@backstage/plugin-techdocs-node vulnerable to possible Path Traversal in TechDocs Local Generator","@backstage/plugin-techdocs-node",1.14.0,1.14.1,,MODERATE,CWE-22,
+CVE-2026-25153,2026-02-02T20:19:58Z,"@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks","@backstage/plugin-techdocs-node",0,1.13.11,,HIGH,CWE-94,
+CVE-2026-25153,2026-02-02T20:19:58Z,"@backstage/plugin-techdocs-node vulnerable to arbitrary code execution via MkDocs hooks","@backstage/plugin-techdocs-node",1.14.0,1.14.1,,HIGH,CWE-94,
+CVE-2026-25155,2026-02-03T20:59:18Z,"Qwik City CSRF protection middleware does not work properly for content type header with parameters (eg. multipart/form-data)",@builder.io/qwik-city,0,1.12.0,,MODERATE,CWE-352,
+CVE-2026-25157,2026-02-02T23:41:35Z,"OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand",clawdbot,0,2026.1.29,,HIGH,CWE-78,
+CVE-2026-25223,2026-02-02T22:23:29Z,"Fastify's Content-Type header tab character allows body validation bypass",fastify,0,5.7.2,,HIGH,CWE-436,
+CVE-2026-25224,2026-02-02T22:25:05Z,"Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream",fastify,0,5.7.3,,LOW,CWE-770,
+CVE-2026-25228,2026-02-02T22:26:31Z,"SignalK Server has Path Traversal leading to information disclosure",signalk-server,0,2.20.3,,MODERATE,CWE-22,
+CVE-2026-25253,2026-02-02T23:41:05Z,"OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl",clawdbot,0,2026.1.29,,HIGH,CWE-668,
+CVE-2026-25474,2026-02-17T18:46:16Z,"OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass",openclaw,0,2026.2.1,,HIGH,CWE-345,
+CVE-2026-25475,2026-02-04T19:02:51Z,"OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction",openclaw,0,2026.1.30,,MODERATE,CWE-200;CWE-22,
+CVE-2026-25520,2026-02-05T20:41:28Z,"@nyariv/sandboxjs has a Sandbox Escape issue",@nyariv/sandboxjs,0,0.8.29,,CRITICAL,CWE-74,
+CVE-2026-25521,2026-02-02T22:21:54Z,"locutus is vulnerable to Prototype Pollution",locutus,2.0.12,2.0.39,,CRITICAL,CWE-1321,
+CVE-2026-25528,2026-02-09T20:36:59Z,"LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection",langsmith,0.3.41,0.4.6,,MODERATE,CWE-918,
+CVE-2026-25533,2026-02-05T17:49:35Z,"Sandbox escape via infinite recursion and error objects",@enclave-vm/core,0,2.10.1,,MODERATE,CWE-835,
+CVE-2026-25533,2026-02-05T17:49:35Z,"Sandbox escape via infinite recursion and error objects",enclave-vm,0,,2.7.0,MODERATE,CWE-835,
+CVE-2026-25535,2026-02-19T15:25:48Z,"jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions",jspdf,0,4.2.0,,HIGH,CWE-770,
+CVE-2026-25536,2026-02-04T20:04:16Z,"@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse","@modelcontextprotocol/sdk",1.10.0,1.26.0,,HIGH,CWE-362,
+CVE-2026-25544,2026-02-05T20:51:38Z,"@payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters",@payloadcms/drizzle,0,3.73.0,,CRITICAL,CWE-89,
+CVE-2026-25546,2026-02-04T20:02:32Z,"godot-mcp has Command Injection via unsanitized projectPath",@coding-solo/godot-mcp,0,0.1.1,,HIGH,CWE-78,
+CVE-2026-25547,2026-02-03T19:41:15Z,"@isaacs/brace-expansion has Uncontrolled Resource Consumption",@isaacs/brace-expansion,0,5.0.1,,HIGH,CWE-1333,
+CVE-2026-25574,2026-02-05T21:02:20Z,"payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)",payload,0,3.74.0,,MODERATE,CWE-639,
+CVE-2026-25581,2026-02-06T18:34:30Z,"SCEditor has DOM XSS via emoticon URL/HTML injection",sceditor,0,3.2.1,,MODERATE,CWE-79,
+CVE-2026-25586,2026-02-05T21:04:58Z,"@nyariv/sandboxjs has Sandbox Escape via Prototype Whitelist Bypass and Host Prototype Pollution",@nyariv/sandboxjs,0,0.8.29,,CRITICAL,CWE-74,
+CVE-2026-25587,2026-02-05T21:05:59Z,"@nyariv/sandboxjs has a Sandbox Escape vulnerability",@nyariv/sandboxjs,0,0.8.29,,CRITICAL,CWE-74;CWE-94,
+CVE-2026-25593,2026-02-04T20:06:46Z,"OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply",openclaw,0,2026.1.20,,HIGH,CWE-20;CWE-306;CWE-78,
+CVE-2026-25630,2026-02-04T20:07:34Z,"survey-pdf Upgraded jsPDF Version Due to Security Vulnerability",survey-pdf,0,1.12.59,,CRITICAL,CWE-35;CWE-73,
+CVE-2026-25630,2026-02-04T20:07:34Z,"survey-pdf Upgraded jsPDF Version Due to Security Vulnerability",survey-pdf,2.0.0,2.5.5,,CRITICAL,CWE-35;CWE-73,
+CVE-2026-25631,2026-02-04T20:33:27Z,"n8n's domain allowlist bypass enables credential exfiltration",n8n,0,1.121.0,,MODERATE,CWE-20;CWE-522,
+CVE-2026-25639,2026-02-09T17:46:14Z,"Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",axios,0,0.30.3,,HIGH,CWE-754,
+CVE-2026-25639,2026-02-09T17:46:14Z,"Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",axios,1.0.0,1.13.5,,HIGH,CWE-754,
+CVE-2026-25641,2026-02-05T21:33:04Z,"@nyariv/sandboxjs vulnerable to sandbox escape via TOCTOU bug on keys in property accesses",@nyariv/sandboxjs,0,0.8.29,,CRITICAL,CWE-367;CWE-74,
+CVE-2026-25651,2026-02-06T18:54:33Z,"client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect",client-certificate-auth,0.2.1,1.0.0,,MODERATE,CWE-601,
+CVE-2026-25722,2026-02-06T19:02:41Z,"Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection","@anthropic-ai/claude-code",0,2.0.57,,HIGH,CWE-20;CWE-78,
+CVE-2026-25723,2026-02-06T19:04:51Z,"Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions","@anthropic-ai/claude-code",0,2.0.55,,HIGH,CWE-20;CWE-78,
+CVE-2026-25724,2026-02-06T19:08:04Z,"Claude Code has Permission Deny Bypass Through Symbolic Links","@anthropic-ai/claude-code",0,2.1.7,,LOW,CWE-285;CWE-61,
+CVE-2026-25725,2026-02-06T19:14:33Z,"Claude Code has Sandbox Escape via Persistent Configuration Injection in settings.json","@anthropic-ai/claude-code",0,2.1.2,,HIGH,CWE-501;CWE-668,
+CVE-2026-25751,2026-02-05T00:33:44Z,"FUXA Unauthenticated Exposure of Plaintext Database Credentials",fuxa-server,0,1.2.10,,CRITICAL,CWE-306;CWE-312,
+CVE-2026-25752,2026-02-05T00:38:25Z,"FUXA Unauthenticated Remote Arbitrary Device Tag Write",fuxa-server,0,1.2.10,,CRITICAL,CWE-862,
+CVE-2026-25754,2026-02-06T19:27:30Z,"AdonisJS multipart body parsing has Prototype Pollution issue",@adonisjs/bodyparser,0,10.1.3,,HIGH,CWE-1321,
+CVE-2026-25754,2026-02-06T19:27:30Z,"AdonisJS multipart body parsing has Prototype Pollution issue",@adonisjs/bodyparser,11.0.0-next.0,11.0.0-next.9,,HIGH,CWE-1321,
+CVE-2026-25755,2026-02-19T19:32:36Z,"jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method",jspdf,0,4.2.0,,HIGH,CWE-116;CWE-94,
+CVE-2026-25762,2026-02-06T19:53:55Z,"AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection",@adonisjs/bodyparser,0,10.1.3,,HIGH,CWE-400;CWE-770,
+CVE-2026-25762,2026-02-06T19:53:55Z,"AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection",@adonisjs/bodyparser,11.0.0-next.0,11.0.0-next.9,,HIGH,CWE-400;CWE-770,
+CVE-2026-25881,2026-02-10T00:24:53Z,"@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)",@nyariv/sandboxjs,0,0.8.31,,CRITICAL,CWE-1321,
+CVE-2026-25893,2026-02-05T00:27:53Z,"FUXA Unauthenticated Remote Code Execution via Admin JWT Minting",fuxa-server,0,1.2.10,,CRITICAL,CWE-285;CWE-287,
+CVE-2026-25894,2026-02-05T00:36:30Z,"FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration",fuxa-server,0,1.2.10,,CRITICAL,CWE-1188;CWE-321,
+CVE-2026-25895,2026-02-05T00:37:30Z,"FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API",fuxa-server,0,1.2.10,,CRITICAL,CWE-22;CWE-306,
+CVE-2026-25896,2026-02-20T18:23:54Z,"fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names",fast-xml-parser,4.1.3,5.3.5,,CRITICAL,CWE-185,
+CVE-2026-25918,2026-02-10T00:25:32Z,"unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command)","@rage-against-the-pixel/unity-cli",0,1.8.2,,MODERATE,CWE-352;CWE-532,
+CVE-2026-25938,2026-02-10T00:27:31Z,"FUXA Unauthenticated Remote Code Execution in Node-RED Integration",fuxa-server,1.2.8,1.2.11,,CRITICAL,CWE-290;CWE-306,
+CVE-2026-25939,2026-02-10T00:28:28Z,"FUXA Unauthenticated Remote Arbitrary Scheduler Write",fuxa-server,1.2.8,1.2.11,,CRITICAL,CWE-862,
+CVE-2026-25940,2026-02-19T19:32:48Z,"jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and ""AS"" property)",jspdf,0,4.2.0,,HIGH,CWE-116,
+CVE-2026-25951,2026-02-10T00:29:00Z,"FUXA Affected by a Path Traversal Sanitization Bypass",fuxa-server,0,1.2.11,,HIGH,CWE-184;CWE-22;CWE-23,
+CVE-2026-25957,2026-02-10T00:29:13Z,"Cube Core is vulnerable to Denial of Service (DoS) via crafted request","@cubejs-backend/server-core",1.1.17,1.4.2,,MODERATE,CWE-755,
+CVE-2026-25957,2026-02-10T00:29:13Z,"Cube Core is vulnerable to Denial of Service (DoS) via crafted request","@cubejs-backend/server-core",1.5.0,1.5.13,,MODERATE,CWE-755,
+CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escalation via a specially crafted request","@cubejs-backend/server-core",0.27.19,1.0.14,,HIGH,CWE-807,
+CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escalation via a specially crafted request","@cubejs-backend/server-core",1.1.0,1.4.2,,HIGH,CWE-807,
+CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escalation via a specially crafted request","@cubejs-backend/server-core",1.5.0,1.5.13,,HIGH,CWE-807,
+CVE-2026-26019,2026-02-11T15:13:20Z,"@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation",@langchain/community,0,1.1.14,,MODERATE,CWE-918,
+CVE-2026-26021,2026-02-11T15:13:28Z,"set-in Affected by Prototype Pollution",set-in,2.0.1,2.0.5,,CRITICAL,CWE-1321,
+CVE-2026-26063,2026-02-12T17:04:50Z,"CediPay Affected by Improper Input Validation in Payment Processing",cedipay-core,0,1.2.3,,HIGH,CWE-20,
+CVE-2026-26185,2026-02-12T22:13:04Z,"Directus Vulnerable to User Enumeration via Password Reset Timing Attack",@directus/api,0,32.2.0,,MODERATE,CWE-203,
+CVE-2026-26185,2026-02-12T22:13:04Z,"Directus Vulnerable to User Enumeration via Password Reset Timing Attack",directus,0,11.14.1,,MODERATE,CWE-203,
+CVE-2026-26226,2026-02-13T18:31:25Z,"beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS)",beautiful-mermaid,0,0.1.3,,MODERATE,CWE-79,
+CVE-2026-26278,2026-02-17T21:30:10Z,"fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)",fast-xml-parser,4.1.3,5.3.6,,HIGH,CWE-776,
+CVE-2026-26280,2026-02-18T21:51:26Z,"Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path",systeminformation,0,5.30.8,,HIGH,CWE-78,
+CVE-2026-26316,2026-02-17T21:33:51Z,"OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust",@openclaw/bluebubbles,0,2026.2.13,,HIGH,CWE-863,
+CVE-2026-26316,2026-02-17T21:33:51Z,"OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust",openclaw,0,2026.2.13,,HIGH,CWE-863,
+CVE-2026-26317,2026-02-18T00:53:59Z,"OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints",clawdbot,0,,2026.1.24-3,HIGH,CWE-352,
+CVE-2026-26317,2026-02-18T00:53:59Z,"OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints",openclaw,0,2026.2.14,,HIGH,CWE-352,
+CVE-2026-26318,2026-02-18T22:36:50Z,"Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation",systeminformation,0,5.31.0,,HIGH,CWE-78,
+CVE-2026-26319,2026-02-17T21:40:46Z,"OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests",openclaw,0,2026.2.14,,HIGH,CWE-306,
+CVE-2026-26320,2026-02-17T21:41:40Z,"OpenClaw macOS deep link confirmation truncation can conceal executed agent message",openclaw,2026.2.6-0,2026.2.14,,HIGH,CWE-451,
+CVE-2026-26321,2026-02-17T21:41:52Z,"OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension",openclaw,0,2026.2.14,,HIGH,CWE-22,
+CVE-2026-26322,2026-02-17T21:42:15Z,"OpenClaw Gateway tool allowed unrestricted gatewayUrl override",openclaw,0,2026.2.14,,HIGH,CWE-918,
+CVE-2026-26323,2026-02-18T00:46:54Z,"OpenClaw has a command injection in maintainer clawtributors updater",openclaw,2026.1.8,2026.2.14,,HIGH,CWE-78,
+CVE-2026-26324,2026-02-17T21:42:40Z,"OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)",openclaw,0,2026.2.14,,HIGH,CWE-918,
+CVE-2026-26325,2026-02-17T21:42:49Z,"OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals",openclaw,0,2026.2.14,,HIGH,CWE-284,
+CVE-2026-26326,2026-02-17T21:43:41Z,"OpenClaw skills.status could leak secrets to operator.read clients",openclaw,0,2026.2.14,,MODERATE,CWE-200,
+CVE-2026-26327,2026-02-18T00:33:35Z,"OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning",openclaw,0,2026.2.14,,HIGH,CWE-345,
+CVE-2026-26328,2026-02-18T00:43:54Z,"OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities",clawdbot,0,2026.2.14,,MODERATE,CWE-284;CWE-863,
+CVE-2026-26328,2026-02-18T00:43:54Z,"OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities",openclaw,0,2026.2.14,,MODERATE,CWE-284;CWE-863,
+CVE-2026-26329,2026-02-18T00:46:49Z,"OpenClaw has a path traversal in browser upload allows local file read",openclaw,0,2026.2.14,,HIGH,CWE-22,
+CVE-2026-26960,2026-02-18T00:57:13Z,"Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction",tar,0,7.5.8,,HIGH,CWE-22,
+CVE-2026-26972,2026-02-18T17:37:52Z,"OpenClaw has a Path Traversal in Browser Download Functionality",openclaw,2026.1.12,2026.2.13,,MODERATE,CWE-22,
+CVE-2026-26974,2026-02-18T21:45:06Z,"Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde",@tygo-van-den-hurk/slyde,0,0.0.5,,HIGH,CWE-829,
+CVE-2026-26980,2026-02-18T21:50:23Z,"Ghost has a SQL injection in Content API",ghost,3.24.0,6.19.1,,CRITICAL,CWE-89,
+CVE-2026-26996,2026-02-18T22:38:11Z,"minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",minimatch,0,10.2.1,,HIGH,CWE-1333,
+CVE-2026-27001,2026-02-18T22:42:29Z,"OpenClaw: Unsanitized CWD path injection into LLM prompts",openclaw,0,2026.2.15,,HIGH,CWE-77,
+CVE-2026-27002,2026-02-18T22:42:42Z,"OpenClaw: Docker container escape via unvalidated bind mount config injection",openclaw,0,2026.2.15,,HIGH,CWE-250,
+CVE-2026-27003,2026-02-18T22:43:21Z,"OpenClaw: Telegram bot token exposure via logs",openclaw,0,2026.2.15,,MODERATE,CWE-522,
+CVE-2026-27004,2026-02-18T22:43:53Z,"OpenClaw session tool visibility hardening and Telegram webhook secret fallback",openclaw,0,2026.2.15,,MODERATE,CWE-209;CWE-346,
+CVE-2026-27007,2026-02-18T22:44:10Z,"OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation",openclaw,0,2026.2.15,,MODERATE,CWE-1254,
+CVE-2026-27008,2026-02-18T22:44:18Z,"OpenClaw hardened the skill download target directory validation",openclaw,0,2026.2.15,,MODERATE,CWE-73,
+CVE-2026-27009,2026-02-18T22:44:33Z,"OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection",openclaw,0,2026.2.15,,MODERATE,CWE-79,
+CVE-2026-27013,2026-02-18T22:44:58Z,"Fabric.js Affected by Stored XSS via SVG Export",fabric,0,7.2.0,,HIGH,CWE-116;CWE-79,
+CVE-2026-27022,2026-02-18T22:40:09Z,"RediSearch Query Injection in @langchain/langgraph-checkpoint-redis","@langchain/langgraph-checkpoint-redis",0,1.0.2,,MODERATE,CWE-74,
+CVE-2026-27118,2026-02-19T15:18:02Z,"Cache poisoning in @sveltejs/adapter-vercel",@sveltejs/adapter-vercel,0,6.3.2,,MODERATE,CWE-346,
+CVE-2026-27119,2026-02-19T15:18:19Z,"Svelte affected by XSS in SSR `<option>` element",svelte,5.39.3,5.51.5,,MODERATE,CWE-79,
+CVE-2026-27121,2026-02-19T15:18:33Z,"Svelte affected by cross-site scripting via spread attributes in Svelte SSR",svelte,0,5.51.5,,MODERATE,CWE-79,
+CVE-2026-27122,2026-02-19T15:18:42Z,"Svelte SSR does not validate dynamic element tag names in `<svelte:element>`",svelte,0,5.51.5,,MODERATE,CWE-79,
+CVE-2026-27125,2026-02-19T20:28:49Z,"Svelte SSR attribute spreading includes inherited properties from prototype chain",svelte,0,5.51.5,,MODERATE,CWE-915,
+CVE-2026-27191,2026-02-19T20:32:15Z,"Feathers has an open redirect in OAuth callback enables account takeover","@feathersjs/authentication-oauth",0,5.0.40,,HIGH,CWE-601,
+CVE-2026-27192,2026-02-19T20:32:28Z,"Feathers has an origin validation bypass via prefix matching","@feathersjs/authentication-oauth",0,5.0.40,,HIGH,CWE-346,
+CVE-2026-27193,2026-02-19T20:32:37Z,"Feathers exposes internal headers via unencrypted session cookie","@feathersjs/authentication-oauth",0,5.0.40,,HIGH,CWE-200,
+CVE-2026-27203,2026-02-19T20:27:11Z,"eBay API MCP Server Affected by Environment Variable Injection ",ebay-mcp,0,,1.7.2,HIGH,CWE-15;CWE-74,
+CVE-2026-27210,2026-02-19T20:44:48Z,"Pannellum has a XSS vulnerability in hot spot attributes",pannellum,2.5.0,2.5.7,,MODERATE,CWE-79,
+CVE-2026-27212,2026-02-19T20:28:35Z,"Prototype pollution in swiper",swiper,6.5.1,12.1.2,,CRITICAL,CWE-1321,
+CVE-2026-2739,2026-02-20T06:30:39Z,"bn.js affected by an infinite loop",bn.js,0,5.2.3,,MODERATE,CWE-835,
+CVE-2026-27484,2026-02-20T21:02:31Z,"OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows",openclaw,0,2026.2.18,,LOW,CWE-862,
+CVE-2026-27485,2026-02-20T21:05:45Z,"OpenClaw: Reject symlinks in local skill packaging script",openclaw,0,2026.2.19,,MODERATE,CWE-61,
+CVE-2026-27486,2026-02-18T17:41:09Z,"OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup",openclaw,0,2026.2.14,,MODERATE,CWE-283,
+CVE-2026-27487,2026-02-18T17:39:00Z,"OpenClaw: Prevent shell injection in macOS keychain credential write",openclaw,0,2026.2.14,,HIGH,CWE-78,
+CVE-2026-27488,2026-02-20T21:13:03Z,"OpenClaw hardened cron webhook delivery against SSRF",openclaw,0,2026.2.19,,MODERATE,CWE-918,
+CVE-2026-27492,2026-02-20T21:14:49Z,"Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused",lettermint,0,1.5.1,,MODERATE,CWE-488,
+CVE-2026-27576,2026-02-20T21:52:44Z,"OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs",openclaw,0,2026.2.19,,MODERATE,CWE-400,
 GHSA-224h-p7p5-rh85,2020-09-01T17:32:26Z,"Directory Traversal in wenluhong1",wenluhong1,0.0.0,,,HIGH,CWE-22,
 GHSA-224p-v68g-5g8f,2025-08-26T18:45:55Z,"GraphQL Armor Max-Depth Plugin Bypass via fragment caching","@escape.tech/graphql-armor-max-depth",0,2.4.2,,MODERATE,CWE-400,
 GHSA-226w-6hhj-69hp,2020-09-03T19:06:52Z,"Malicious Package in cal_rd",cal_rd,0.0.0,,,CRITICAL,CWE-506,
@@ -4615,6 +4810,9 @@ GHSA-22h7-7wwg-qmgg,2020-09-04T17:56:39Z,"Prototype Pollution in @hapi/hoek",@ha
 GHSA-22h7-7wwg-qmgg,2020-09-04T17:56:39Z,"Prototype Pollution in @hapi/hoek",@hapi/hoek,9.0.0,9.0.3,,LOW,CWE-1321,
 GHSA-22q9-hqm5-mhmc,2020-09-11T21:22:24Z,"Cross-Site Scripting in swagger-ui",swagger-ui,0,2.2.1,,MODERATE,CWE-79,
 GHSA-22rr-f3p8-5gf8,2023-09-15T17:12:42Z,"Directus affected by VM2 sandbox escape vulnerability",directus,0,10.6.0,,HIGH,,
+GHSA-236c-vhj4-gfxg,2022-05-25T00:00:31Z,"Duplicate Advisory: Embedded malware in ua-parser-js",ua-parser-js,0.7.29,0.7.30,,HIGH,CWE-829;CWE-912,
+GHSA-236c-vhj4-gfxg,2022-05-25T00:00:31Z,"Duplicate Advisory: Embedded malware in ua-parser-js",ua-parser-js,0.8.0,0.8.1,,HIGH,CWE-829;CWE-912,
+GHSA-236c-vhj4-gfxg,2022-05-25T00:00:31Z,"Duplicate Advisory: Embedded malware in ua-parser-js",ua-parser-js,1.0.0,1.0.1,,HIGH,CWE-829;CWE-912,
 GHSA-23q2-5gf8-gjpp,2024-04-19T17:26:32Z,"Enabling Authentication does not close all logged in socket connections immediately ",uptime-kuma,0,1.23.12,,LOW,CWE-384,
 GHSA-23vw-mhv5-grv5,2020-09-03T15:48:43Z,"Denial of Service in @hapi/hapi",@hapi/hapi,0,18.4.1,,HIGH,,
 GHSA-23vw-mhv5-grv5,2020-09-03T15:48:43Z,"Denial of Service in @hapi/hapi",@hapi/hapi,19.0.0,19.1.1,,HIGH,,
@@ -4660,6 +4858,8 @@ GHSA-2xw5-3767-qxvm,2020-09-11T21:21:20Z,"Malicious Package in ng-ui-library",ng
 GHSA-3233-rgx3-c2wh,2018-10-09T00:38:09Z,"Moderate severity vulnerability that affects mustache",mustache,0,2.2.1,,MODERATE,,
 GHSA-32vw-r77c-gm67,2020-08-03T17:57:05Z,"Withdrawn Advisory: marked cross-site scripting vulnerability",marked,0,0.3.3,,MODERATE,,
 GHSA-33gc-f8v9-v8hm,2020-09-01T20:41:40Z,"Malicious Package in ladder-text-js",ladder-text-js,0,,,CRITICAL,CWE-506,
+GHSA-33hq-fvwr-56pm,2026-02-19T20:29:30Z,"devalue affected by CPU and memory amplification from sparse arrays",devalue,0,5.6.3,,LOW,CWE-770,
+GHSA-33rq-m5x2-fvgf,2026-02-17T21:37:55Z,"OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline",openclaw,2026.1.29,2026.2.1,,HIGH,CWE-285,
 GHSA-353r-3v84-9pjj,2020-09-01T20:40:36Z,"Malicious Package in nothing-js",nothing-js,0,,,CRITICAL,CWE-506,
 GHSA-365g-vjw2-grx8,2025-10-09T15:26:59Z,"n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host",n8n,0,,1.114.4,HIGH,CWE-78,
 GHSA-365g-vjw2-grx8,2025-10-09T15:26:59Z,"n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host",n8n-nodes-base,0,,1.113.0,HIGH,CWE-78,
@@ -4679,15 +4879,18 @@ GHSA-3cpj-mj3q-82wr,2020-09-04T16:49:43Z,"Malicious Package in bs58chek",bs58che
 GHSA-3f44-xw83-3pmg,2026-01-13T20:29:12Z,"Renovate vulnerable to arbitrary command injection via helmv3 manager and malicious Chart.yaml file",renovate,31.51.0,40.33.0,,MODERATE,CWE-77,
 GHSA-3f95-w5h5-fq86,2020-09-11T21:22:24Z,"Prototype Pollution in mergify",mergify,0,,,MODERATE,CWE-1321,
 GHSA-3f97-rj68-2pjf,2020-09-03T21:48:35Z,"Malicious Package in buffe2-xor",buffe2-xor,0.0.0,,,CRITICAL,CWE-506,
-GHSA-3fc5-9x9m-vqc4,2019-06-03T17:31:32Z,"Privilege Escalation in express-cart",express-cart,0,1.1.6,,CRITICAL,,
+GHSA-3fc5-9x9m-vqc4,2019-06-03T17:31:32Z,"Duplicate Advisory: Privilege Escalation in express-cart",express-cart,0,1.1.6,,CRITICAL,,
 GHSA-3g4j-r53p-22wx,2025-10-17T18:31:09Z,"Duplicate Advisory: FlowiseAI Pre-Auth Arbitrary Code Execution",flowise,3.0.5,3.0.6,,CRITICAL,CWE-94,
 GHSA-3gpc-w23c-w59w,2020-09-04T15:02:06Z,"Sandbox Breakout / Arbitrary Code Execution in pitboss-ng",pitboss-ng,0,2.0.0,,CRITICAL,,
 GHSA-3h99-v4qw-p2h5,2020-09-03T19:41:56Z,"Malicious Package in coinpayment",coinpayment,0.0.0,,,CRITICAL,CWE-506,
 GHSA-3h9m-9g3g-5wqx,2020-09-03T22:13:14Z,"Malicious Package in buffer-xov",buffer-xov,0.0.0,,,CRITICAL,CWE-506,
+GHSA-3hcm-ggvf-rch5,2026-02-17T16:46:12Z,"OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes",openclaw,0,2026.2.2,,HIGH,CWE-78,
 GHSA-3j63-5h8p-gf7c,2025-08-20T20:51:55Z,"x402 SDK vulnerable in outdated versions in resource servers for builders",x402,0,0.5.2,,HIGH,,
 GHSA-3j63-5h8p-gf7c,2025-08-20T20:51:55Z,"x402 SDK vulnerable in outdated versions in resource servers for builders",x402-express,0,0.5.2,,HIGH,,
 GHSA-3j63-5h8p-gf7c,2025-08-20T20:51:55Z,"x402 SDK vulnerable in outdated versions in resource servers for builders",x402-hono,0,0.5.2,,HIGH,,
 GHSA-3j63-5h8p-gf7c,2025-08-20T20:51:55Z,"x402 SDK vulnerable in outdated versions in resource servers for builders",x402-next,0,0.5.2,,HIGH,,
+GHSA-3m3q-x3gj-f79x,2026-02-17T21:31:58Z,"OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations",@clawdbot/voice-call,0,,2026.1.24,MODERATE,CWE-287,
+GHSA-3m3q-x3gj-f79x,2026-02-17T21:31:58Z,"OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations",@openclaw/voice-call,0,2026.2.3,,MODERATE,CWE-287,
 GHSA-3mhm-jvqj-fvhg,2020-09-03T23:09:37Z,"Malicious Package in js-sia3",js-sia3,0.0.0,,,CRITICAL,CWE-506,
 GHSA-3mpp-xfvh-qh37,2022-03-16T23:54:35Z,"node-ipc behavior change",node-ipc,11.0.0,12.0.0,,LOW,,
 GHSA-3p92-886g-qxpq,2019-06-04T15:42:32Z,"Remote Memory Exposure in floody",floody,0,0.1.1,,MODERATE,CWE-201,
@@ -4702,7 +4905,9 @@ GHSA-43vf-2x6g-p2m5,2020-09-02T21:33:26Z,"Malicious Package in browserift",brows
 GHSA-44vf-8ffm-v2qh,2020-09-02T15:42:47Z,"Sensitive Data Exposure in rails-session-decoder",rails-session-decoder,0.0.0,,,HIGH,,
 GHSA-457r-cqc8-9vj9,2022-11-23T15:39:50Z,"sweetalert2 v10.16.10 and above contains hidden functionality",sweetalert2,10.16.10,11.22.4,,LOW,CWE-912,
 GHSA-4627-w373-375v,2020-09-11T21:22:24Z,"Malicious Package in grunt-radical",grunt-radical,0.0.14,0.0.13,,CRITICAL,,
+GHSA-4685-c5cp-vp95,2026-02-19T22:06:00Z,"OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags",openclaw,0,2026.2.19,,LOW,CWE-184;CWE-78,
 GHSA-46fh-8fc5-xcwx,2020-09-03T18:09:16Z,"Prototype Pollution in lodash.defaultsdeep",lodash.defaultsdeep,0,4.6.1,,HIGH,CWE-1321,
+GHSA-46j5-6fg5-4gv3,2025-12-18T09:30:30Z,"Duplicate Advisory: Nodemailer is vulnerable to DoS through Uncontrolled Recursion",nodemailer,0,7.0.11,,MODERATE,CWE-674;CWE-703,
 GHSA-4859-gpc7-4j66,2019-06-05T21:24:29Z,"Command Injection in dot",dot,0,,1.1.2,MODERATE,CWE-77,
 GHSA-48gc-5j93-5cfq,2020-09-11T21:15:54Z,"Path Traversal in serve",serve,0,10.1.2,,HIGH,CWE-22,
 GHSA-4964-cjrr-jg97,2020-09-02T21:38:43Z,"Malicious Package in jqeury",jqeury,0,,,CRITICAL,CWE-506,
@@ -4734,6 +4939,7 @@ GHSA-4qhx-g9wp-g9m6,2019-06-14T16:09:01Z,"Failure to sanitize quotes which can l
 GHSA-4qqc-mp5f-ccv4,2020-09-02T15:05:51Z,"Command Injection in bestzip",bestzip,0,2.1.7,,CRITICAL,CWE-77,
 GHSA-4r97-78gf-q24v,2020-09-04T17:53:27Z,"Duplicate Advisory: Prototype Pollution in klona",klona,0,1.1.1,,HIGH,CWE-1321,
 GHSA-4rgj-8mq3-hggj,2020-09-03T20:32:11Z,"Denial of Service in @hapi/subtext",@hapi/subtext,0,6.1.2,,HIGH,CWE-400,
+GHSA-4rj2-gpmh-qq5x,2026-02-17T21:36:34Z,"OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)",openclaw,0,2026.2.2,,CRITICAL,CWE-287,
 GHSA-4vcf-q4xf-f48m,2025-11-25T21:42:53Z,"Better Auth Passkey Plugin allows passkey deletion through IDOR",@better-auth/passkey,0,1.4.0,,HIGH,CWE-284;CWE-639,
 GHSA-4vjr-crvh-383h,2023-09-27T20:17:00Z,"@napi-rs/image affected by libwebp CVE",@napi-rs/image,0,1.7.0,,HIGH,,
 GHSA-4vmm-mhcq-4x9j,2019-06-14T16:15:14Z,"Sandbox Bypass Leading to Arbitrary Code Execution in constantinople",constantinople,0,3.1.1,,CRITICAL,,
@@ -4746,11 +4952,11 @@ GHSA-4x7c-cx64-49w8,2020-08-19T22:06:03Z,"Regular Expression Denial of Service i
 GHSA-4x7c-cx64-49w8,2020-08-19T22:06:03Z,"Regular Expression Denial of Service in is-my-json-valid",is-my-json-valid,2.0.0,2.17.2,,LOW,,
 GHSA-4x7w-frcq-v4m3,2020-09-03T20:38:47Z,"Path Traversal in @wturyn/swagger-injector",@wturyn/swagger-injector,0.0.0,,,CRITICAL,CWE-22,
 GHSA-4xcv-9jjx-gfj3,2019-07-05T21:07:58Z,"Denial of Service in mem",mem,0,4.0.0,,MODERATE,CWE-400,
-GHSA-4xf9-pgvv-xx67,2020-09-03T20:27:46Z,"Regular Expression Denial of Service in simple-markdown",simple-markdown,0,0.5.2,,MODERATE,CWE-400,
+GHSA-4xf9-pgvv-xx67,2020-09-03T20:27:46Z,"Duplicate Advisory: Regular Expression Denial of Service in simple-markdown",simple-markdown,0,0.5.2,,MODERATE,CWE-400,
 GHSA-4xg9-g7qj-jhg4,2020-09-03T20:46:36Z,"Malicious Package in comander",comander,0.0.0,,,CRITICAL,CWE-506,
 GHSA-4xgp-xrg3-c73w,2020-09-11T21:10:29Z,"Malicious Package in commqnder",commqnder,0,,,CRITICAL,CWE-506,
 GHSA-52c9-458g-whrf,2020-09-03T22:58:17Z,"Malicious Package in js-3ha3",js-3ha3,0.0.0,,,CRITICAL,CWE-506,
-GHSA-52rh-5rpj-c3w6,2022-05-05T16:00:50Z,"Improper handling of multiline messages in node-irc",matrix-org-irc,0,1.2.1,,HIGH,,
+GHSA-52rh-5rpj-c3w6,2022-05-05T16:00:50Z,"Improper handling of multiline messages in node-irc",matrix-org-irc,0,1.2.1,,HIGH,CWE-74;CWE-93,
 GHSA-5327-gfq5-8f4m,2020-09-03T21:56:23Z,"Malicious Package in buffer-xmr",buffer-xmr,0.0.0,,,CRITICAL,CWE-506,
 GHSA-533p-g2hq-qr26,2020-09-04T17:16:35Z,"Command Injection in treekill",treekill,0.0.0,,,HIGH,CWE-77,
 GHSA-536f-268f-6gxc,2020-09-03T22:17:36Z,"Malicious Package in buffermxor",buffermxor,0.0.0,,,CRITICAL,CWE-506,
@@ -4763,6 +4969,7 @@ GHSA-5634-rv46-48jf,2020-09-03T17:13:45Z,"Cross-Site Scripting in bleach",bleach
 GHSA-5635-9mvj-r6hp,2020-09-03T02:34:39Z,"Malicious Package in vue-backbone",vue-backbone,0.1.2,0.1.3,,CRITICAL,CWE-506,
 GHSA-563h-49v8-g7x4,2020-09-03T23:17:01Z,"Malicious Package in ks-sha3",ks-sha3,0.0.0,,,CRITICAL,CWE-506,
 GHSA-569q-mpph-wgww,2025-12-01T21:29:48Z,"Better Auth affected by external request basePath modification DoS",better-auth,0,1.4.2,,LOW,CWE-73,
+GHSA-56f2-hvwg-5743,2026-02-17T17:13:35Z,"OpenClaw affected by SSRF in Image Tool Remote Fetch",openclaw,0,2026.2.2,,HIGH,CWE-918,
 GHSA-56r6-ccm5-8hg3,2025-07-21T14:20:40Z,"Alchemy Non-SMA and Webauthn Account Security Advisory","@account-kit/smart-contracts",4.42.0,4.52.0,,HIGH,CWE-287,
 GHSA-56x4-j7p9-fcf9,2022-08-30T20:31:21Z,"Command Injection in moment-timezone",moment-timezone,0.1.0,0.5.35,,LOW,,
 GHSA-57cf-349j-352g,2019-06-12T16:37:00Z,"Out-of-bounds Read in npmconf",npmconf,0,2.1.3,,MODERATE,CWE-125,
@@ -4816,12 +5023,14 @@ GHSA-5wq6-v5cw-jvfr,2020-09-03T23:03:36Z,"Malicious Package in js-shas",js-shas,
 GHSA-5wrg-8fxp-cx9r,2023-06-21T22:06:22Z,"passport-wsfed-saml2 Signature Bypass vulnerability",passport-wsfed-saml2,0,3.0.10,,HIGH,,
 GHSA-5x7p-gm79-383m,2020-09-01T21:11:57Z,"Malicious Package in regenraotr",regenraotr,0,,,CRITICAL,CWE-506,
 GHSA-5x8q-gj67-rhf2,2020-09-02T21:18:33Z,"Malicious Package in discord_debug_log",discord_debug_log,0,,,CRITICAL,CWE-506,
+GHSA-5xfq-5mr7-426q,2026-02-18T00:57:30Z,"OpenClaw's unsanitized session ID enables path traversal in transcript file operations",openclaw,0,2026.2.12,,MODERATE,CWE-22,
 GHSA-629c-j867-3v45,2020-09-04T16:41:04Z,"Malicious Package in bitcoisnj-lib",bitcoisnj-lib,0.0.0,,,CRITICAL,CWE-506,
 GHSA-6343-m2qr-66gf,2020-09-03T23:10:41Z,"Malicious Package in js-sja3",js-sja3,0.0.0,,,CRITICAL,CWE-506,
 GHSA-6394-6h9h-cfjg,2019-06-07T21:12:35Z,"Regular Expression Denial of Service",nwmatcher,0,1.4.4,,MODERATE,CWE-400,
 GHSA-644f-hrff-mf96,2025-12-02T18:30:35Z,"Duplicate Advisory: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments",@nocobase/auth,0,1.9.23,,LOW,,
 GHSA-6475-r3vj-m8vf,2026-01-08T21:52:45Z,"AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value",@smithy/config-resolver,0,4.4.0,,LOW,CWE-20,
 GHSA-64g7-mvw6-v9qj,2022-01-14T21:09:50Z,"Improper Privilege Management in shelljs",shelljs,0,0.8.5,,MODERATE,CWE-269,
+GHSA-64qx-vpxx-mvqf,2026-02-17T16:43:51Z,"OpenClaw has an arbitrary transcript path file write via gateway sessionFile",openclaw,0,2026.2.12,,HIGH,"CWE-23;CWE-284;CWE-73;CWE-78",
 GHSA-657v-jjf8-83gh,2020-09-03T23:14:55Z,"Malicious Package in jsmsha3",jsmsha3,0.0.0,,,CRITICAL,CWE-506,
 GHSA-6584-gfwm-3vc3,2020-09-03T21:43:01Z,"Malicious Package in budfer-xor",budfer-xor,0.0.0,,,CRITICAL,CWE-506,
 GHSA-65j7-66p7-9xgf,2020-09-02T21:51:55Z,"Malicious Package in font-scrubber",font-scrubber,0,,,CRITICAL,CWE-506,
@@ -4847,6 +5056,7 @@ GHSA-69mf-2cw2-38m8,2020-09-03T23:04:40Z,"Malicious Package in js-shc3",js-shc3,
 GHSA-69p9-9qm9-h447,2020-08-19T22:34:43Z,"Sandbox Breakout / Arbitrary Code Execution in safer-eval",safer-eval,0,1.3.2,,MODERATE,,
 GHSA-69r6-7h4f-9p7q,2020-09-03T20:41:01Z,"Malicious Package in discord.js-user",discord.js-user,0.0.0,,,CRITICAL,CWE-506,
 GHSA-6c37-2rw5-9j7x,2020-09-02T20:25:46Z,"Malicious Package in requesst",requesst,0,,,CRITICAL,CWE-506,
+GHSA-6c9j-x93c-rw6j,2026-02-19T22:06:26Z,"OpenClaw safeBins file-existence oracle information disclosure",openclaw,0,2026.2.19,,MODERATE,CWE-203,
 GHSA-6chw-6frg-f759,2020-04-03T21:48:38Z,"Regular Expression Denial of Service in Acorn",acorn,5.5.0,5.7.4,,HIGH,CWE-400,
 GHSA-6chw-6frg-f759,2020-04-03T21:48:38Z,"Regular Expression Denial of Service in Acorn",acorn,6.0.0,6.4.1,,HIGH,CWE-400,
 GHSA-6chw-6frg-f759,2020-04-03T21:48:38Z,"Regular Expression Denial of Service in Acorn",acorn,7.0.0,7.1.1,,HIGH,CWE-400,
@@ -4912,9 +5122,11 @@ GHSA-7p6w-x2gr-rrf8,2020-09-02T21:28:05Z,"ag-grid Cross-Site Scripting vulnerabi
 GHSA-7qg7-6g3g-8vxg,2020-09-03T22:46:25Z,"Malicious Package in bwffer-xor",bwffer-xor,0.0.0,,,CRITICAL,CWE-506,
 GHSA-7r5f-7qr4-pf6q,2020-09-03T19:03:33Z,"Sandbox Breakout / Arbitrary Code Execution in notevil",notevil,0,1.3.2,,HIGH,,
 GHSA-7r9x-hr76-jr96,2020-09-04T17:26:18Z,"Command Injection in giting",giting,0.0.0,,,CRITICAL,CWE-77,
+GHSA-7rcp-mxpq-72pj,2026-02-18T17:41:00Z,"OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution",openclaw,0,2026.2.14,,MODERATE,CWE-352,
 GHSA-7rgr-72hp-9wp3,2025-10-06T03:31:38Z,"Duplicate Advisory: Flowise is vulnerable to stored XSS via ""View Messages"" allows credential theft in FlowiseAI admin panel",flowise,0,3.0.5,,HIGH,CWE-79,
 GHSA-7v28-g2pq-ggg8,2022-06-17T01:16:03Z,"Ghost vulnerable to remote code execution in locale setting change",ghost,0,4.48.2,,MODERATE,,
 GHSA-7v28-g2pq-ggg8,2022-06-17T01:16:03Z,"Ghost vulnerable to remote code execution in locale setting change",ghost,5.0.0,5.2.3,,MODERATE,,
+GHSA-7vwx-582j-j332,2026-02-17T21:38:14Z,"OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains",openclaw,0,2026.2.1,,HIGH,CWE-201,
 GHSA-7w7c-867m-4mqc,2020-09-03T17:04:55Z,"Malicious Package in rceat",rceat,0.0.0,,,CRITICAL,CWE-506,
 GHSA-7wgh-5q4q-6wx5,2020-09-04T17:30:39Z,"Malicious Package in 1337qq-js",1337qq-js,0.0.0,,,CRITICAL,CWE-506,
 GHSA-7wwv-vh3v-89cq,2020-12-04T16:47:20Z,"ReDOS vulnerabities: multiple grammars",@highlightjs/cdn-assets,0,10.4.1,,MODERATE,CWE-20;CWE-400,
@@ -4949,6 +5161,7 @@ GHSA-87qp-7cw8-8q9c,2024-03-25T06:30:24Z,"Duplicate Advisory: web3-utils Prototy
 GHSA-87qw-7v97-w34r,2020-09-02T18:33:18Z,"Malicious Package in asinc",asinc,0,,,CRITICAL,CWE-506,
 GHSA-886v-mm6p-4m66,2019-06-05T09:48:02Z,"High severity vulnerability that affects gun",gun,0,0.2019.416,,HIGH,CWE-22,
 GHSA-88h9-fc6v-jcw7,2020-09-03T20:28:51Z,"Unintended Require in larvitbase-www",larvitbase-www,0.0.0,,,MODERATE,,
+GHSA-88qp-p4qg-rqm6,2026-02-19T20:30:25Z,"CPU exhaustion in SvelteKit remote form deserialization (experimental only)",@sveltejs/kit,2.49.0,2.52.2,,MODERATE,CWE-843,
 GHSA-88xx-23mf-rcj2,2020-09-03T22:51:52Z,"Malicious Package in bs-sha3",bs-sha3,0.0.0,,,CRITICAL,CWE-506,
 GHSA-8948-ffc6-jg52,2019-06-06T15:32:21Z,"Insecure Default Configuration in redbird",redbird,0,,0.9.0,MODERATE,CWE-20,
 GHSA-8c8c-4vfj-rrpc,2020-09-01T19:05:11Z,"Reflected Cross-Site Scripting in redis-commander",redis-commander,0.0.0,0.5.0,,LOW,CWE-79,
@@ -4981,6 +5194,7 @@ GHSA-8mwq-mj73-qv68,2023-02-16T15:30:28Z,"Duplicate advisory: Sequelize vulnerab
 GHSA-8mwq-mj73-qv68,2023-02-16T15:30:28Z,"Duplicate advisory: Sequelize vulnerable to Improper Filtering of Special Elements",sequelize,0,6.29.0,,CRITICAL,CWE-790,
 GHSA-8pwx-j4r6-5v38,2020-09-03T17:05:25Z,"Malicious Package in hdkye",hdkye,0.0.0,,,CRITICAL,CWE-506,
 GHSA-8q2c-2396-hf7j,2020-09-03T17:34:55Z,"Malicious Package in appx-compiler",appx-compiler,0.0.0,,,CRITICAL,CWE-506,
+GHSA-8qm3-746x-r74r,2026-02-19T20:29:17Z,"devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed",devalue,0,5.6.3,,LOW,CWE-1321,
 GHSA-8qx4-r7fx-xc4v,2020-09-11T21:08:19Z,"Malicious Package in requst",requst,0,,,CRITICAL,CWE-506,
 GHSA-8r4g-cg4m-x23c,2021-09-22T18:22:02Z,"Denial of Service in node-static",node-static,0,,0.7.11,MODERATE,CWE-248;CWE-400,
 GHSA-8r69-3cvp-wxc3,2022-11-02T18:18:10Z,"Batched HTTP requests may set incorrect `cache-control` response header",@apollo/server,0,4.1.0,,MODERATE,CWE-524,
@@ -4991,6 +5205,8 @@ GHSA-8vj3-jgcf-77jv,2020-09-02T20:26:49Z,"Malicious Package in requeest",requees
 GHSA-8vvx-qvq9-5948,2025-03-14T18:48:44Z,"Flowise allows arbitrary file write to RCE",flowise,0,,2.2.7,CRITICAL,CWE-94,
 GHSA-8w57-jfpm-945m,2019-06-11T16:16:07Z,"Denial of Service in http-proxy-agent",http-proxy-agent,0,2.1.0,,HIGH,CWE-400,
 GHSA-8w9j-6wg6-qv4f,2020-09-03T19:41:17Z,"Malicious Package in axioss",axioss,0.0.0,,,CRITICAL,CWE-506,
+GHSA-8wc6-vgrq-x6cf,2026-02-13T20:53:58Z,"Child processes spawned by Renovate incorrectly have full access to environment variables",renovate,42.68.1,42.96.3,,MODERATE,CWE-269,
+GHSA-8wc6-vgrq-x6cf,2026-02-13T20:53:58Z,"Child processes spawned by Renovate incorrectly have full access to environment variables",renovate,43.0.0,43.4.4,,MODERATE,CWE-269,
 GHSA-8wgc-jjvv-cv6v,2020-09-02T15:54:52Z,"Improper Authorization in loopback",loopback,0,2.40.0,,HIGH,CWE-285,
 GHSA-8wgc-jjvv-cv6v,2020-09-02T15:54:52Z,"Improper Authorization in loopback",loopback,3.0.0,3.22.0,,HIGH,CWE-285,
 GHSA-8whr-v3gm-w8h9,2020-09-03T15:51:04Z,"Duplicate Advisory: Command Injection in node-rules",node-rules,0,5.0.0,,HIGH,CWE-78,
@@ -5021,6 +5237,7 @@ GHSA-9mjp-gv34-3jcf,2020-09-02T18:37:35Z,"Malicious Package in aasync",aasync,0,
 GHSA-9mmw-3fmh-96g3,2020-09-02T20:23:38Z,"Malicious Package in calk",calk,0,,,CRITICAL,CWE-506,
 GHSA-9p64-h5q4-phpm,2020-09-02T15:44:58Z,"Remote Code Execution in office-converter",office-converter,0.0.0,,,HIGH,CWE-20,
 GHSA-9pcf-h8q9-63f6,2020-09-03T17:12:41Z,"Sandbox Breakout / Arbitrary Code Execution in safe-eval",safe-eval,0.0.0,,,HIGH,,
+GHSA-9ppg-jx86-fqw7,2026-02-19T15:17:10Z,"Unauthorized npm publish of cline@2.3.0 with modified postinstall script",cline,2.3.0,2.4.0,,LOW,,
 GHSA-9pr3-7449-977r,2020-09-02T18:21:26Z,"Cross-Site Scripting in express-cart",express-cart,0,,,LOW,CWE-79,
 GHSA-9px9-f7jw-fwhj,2020-09-03T15:49:37Z,"Command Injection in priest-runner",priest-runner,0.0.0,,,CRITICAL,CWE-77,
 GHSA-9q64-mpxx-87fg,2020-04-01T16:35:08Z,"Open Redirect in ecstatic",ecstatic,0,2.2.2,,HIGH,CWE-601,
@@ -5055,6 +5272,7 @@ GHSA-9xww-fwh9-95c5,2020-09-02T21:43:59Z,"Malicious Package in uglyfi-js",uglyfi
 GHSA-c27r-x354-4m68,2020-10-27T20:39:46Z,"xml-crypto's HMAC-SHA1 signatures can bypass validation via key confusion",xml-crypto,0,2.0.0,,HIGH,CWE-287,
 GHSA-c2g6-57fp-22wp,2020-09-03T22:48:35Z,"Malicious Package in fuffer-xor",fuffer-xor,0.0.0,,,CRITICAL,CWE-506,
 GHSA-c35v-qwqg-87jc,2019-06-06T15:32:32Z,"express-basic-auth Timing Attack due to native string comparison instead of constant time string comparison",express-basic-auth,0,1.1.7,,LOW,CWE-208,
+GHSA-c37p-4qqg-3p76,2026-02-18T00:54:48Z,"OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled",openclaw,0,2026.2.14,,MODERATE,CWE-306,
 GHSA-c3hq-7mxh-mqxf,2020-09-04T14:59:50Z,"Sandbox Breakout / Arbitrary Code Execution in lighter-vm",lighter-vm,0.0.0,,,CRITICAL,,
 GHSA-c3m8-x3cg-qm2c,2020-09-03T20:39:53Z,"Configuration Override in helmet-csp",helmet-csp,1.2.2,2.9.1,,MODERATE,,
 GHSA-c3px-v9c7-m734,2020-09-03T19:04:39Z,"Prototype Pollution in mithril",mithril,0,1.1.7,,HIGH,CWE-1321,
@@ -5082,6 +5300,8 @@ GHSA-ch52-vgq2-943f,2020-09-03T18:15:53Z,"Regular Expression Denial of Service i
 GHSA-ch82-gqh6-9xj9,2020-09-04T15:13:19Z,"Prototype Pollution in get-setter",get-setter,0.0.0,,,HIGH,CWE-1321,
 GHSA-chgg-rrmv-5q7x,2020-08-03T18:05:48Z,Withdrawn,jwt-simple,0,0.3.1,,MODERATE,,
 GHSA-chh2-rvhg-wqwr,2020-09-03T21:02:10Z,"Malicious Package in json-serializer",json-serializer,2.0.10,2.0.11,,CRITICAL,,
+GHSA-chm2-m3w2-wcxm,2026-02-17T22:56:39Z,"OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch",clawdbot,0,,2026.1.24-3,LOW,CWE-290;CWE-863,
+GHSA-chm2-m3w2-wcxm,2026-02-17T22:56:39Z,"OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch",openclaw,0,2026.2.14,,LOW,CWE-290;CWE-863,
 GHSA-cp47-r258-q626,2023-03-02T23:36:22Z," Vega vulnerable to arbitrary code execution when clicking href links",vega,0,4.5.1,,MODERATE,,
 GHSA-cp47-r258-q626,2023-03-02T23:36:22Z," Vega vulnerable to arbitrary code execution when clicking href links",vega,5.0.0,5.4.1,,MODERATE,,
 GHSA-cpgr-wmr9-qxv4,2020-09-11T21:20:14Z,"Cross-Site Scripting in serve",serve,0,10.0.2,,MODERATE,CWE-79,
@@ -5124,6 +5344,8 @@ GHSA-f8vf-6hwg-hw55,2020-09-04T15:38:21Z,"Malicious Package in bictore-lib",bict
 GHSA-ff5x-w9wg-h275,2020-03-06T01:15:46Z,"Holder can generate proof of ownership for credentials it does not control in vp-toolkit",vp-toolkit,0,0.2.2,,HIGH,,
 GHSA-ff6g-gm92-rf32,2020-09-03T19:42:06Z,"Malicious Package in coinstirng",coinstirng,0.0.0,,,CRITICAL,CWE-506,
 GHSA-fgp6-8g62-qx6w,2020-09-03T17:01:45Z,"Malicious Package in smartsearchwp",smartsearchwp,0,,,CRITICAL,CWE-506,
+GHSA-fh3f-q9qw-93j9,2026-02-19T19:41:07Z,"OpenClaw replaced a deprecated sandbox hash algorithm",openclaw,0,2026.2.15,,MODERATE,CWE-328,
+GHSA-fhvm-j76f-qmjv,2026-02-17T21:34:36Z,"OpenClaw has a potential access-group authorization bypass if channel type lookup fails",openclaw,0,2026.2.1,,CRITICAL,CWE-285,
 GHSA-fj93-7wm4-8x2g,2020-09-02T21:22:47Z,"Cross-Site Scripting in jquery-mobile",jquery-mobile,0,,,HIGH,CWE-79,
 GHSA-fjh6-8679-9pch,2025-11-14T20:57:31Z,"Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change",flowise-ui,0,3.0.10,,HIGH,CWE-306;CWE-620,
 GHSA-fm4j-4xhm-xpwx,2020-09-02T15:51:34Z,"Sandbox Breakout / Arbitrary Code Execution in sandbox",sandbox,0.0.0,,,MODERATE,,
@@ -5143,6 +5365,7 @@ GHSA-fvwr-h9xh-m6wc,2020-09-03T20:33:17Z,"Denial of Service in @commercial/subte
 GHSA-fw4p-36j9-rrj3,2020-09-03T20:25:33Z,"Denial of Service in sequelize",sequelize,0,4.44.4,,MODERATE,CWE-248,
 GHSA-fw76-p9p2-6pvf,2020-09-03T19:58:58Z,"Malicious Package in serilize",serilize,0.0.0,,,CRITICAL,CWE-506,
 GHSA-fwvq-x4j9-hr5f,2020-09-03T19:43:09Z,"Malicious Package in bs58chekc",bs58chekc,0.0.0,,,CRITICAL,CWE-506,
+GHSA-g27f-9qjv-22pm,2026-02-17T21:31:39Z,"OpenClaw log poisoning (indirect prompt injection) via WebSocket headers",openclaw,0,2026.2.13,,LOW,CWE-117,
 GHSA-g2c4-4m64-vxm3,2020-09-03T22:15:25Z,"Malicious Package in buffer-yor",buffer-yor,0.0.0,,,CRITICAL,CWE-506,
 GHSA-g336-c7wv-8hp3,2020-09-01T15:58:06Z,"Cross-Site Scripting in swagger-ui",swagger-ui,0,2.2.1,,CRITICAL,CWE-79,
 GHSA-g35x-j6jj-8g7j,2023-05-02T16:51:25Z,"@mittwald/kubernetes's secret contents leaked via debug logging",@mittwald/kubernetes,0,3.5.0,,MODERATE,CWE-532,
@@ -5165,7 +5388,7 @@ GHSA-g8jc-mm3c-cwhj,2020-09-02T20:31:06Z,"Malicious Package in reques",reques,0,
 GHSA-g8m7-qhv7-9h5x,2019-07-05T21:07:14Z,"Path Traversal in serve-here.js",serve-here,0,,3.2.0,HIGH,CWE-22,
 GHSA-g8q2-24jh-5hpc,2018-07-27T14:47:52Z,"High severity vulnerability that affects jquery-ui",jquery-ui,0,1.12.0,,HIGH,,
 GHSA-g8vp-6hv4-m67c,2020-09-11T21:23:29Z,"Command Injection in entitlements",entitlements,0,1.3.0,,HIGH,CWE-77,
-GHSA-g95f-p29q-9xw4,2019-06-06T15:30:30Z,"Regular Expression Denial of Service in braces",braces,0,2.3.1,,LOW,CWE-185;CWE-400,
+GHSA-g95f-p29q-9xw4,2019-06-06T15:30:30Z,"Duplicate Advisory: Regular Expression Denial of Service in braces",braces,0,2.3.1,,LOW,CWE-185;CWE-400,
 GHSA-g9cg-h3jm-cwrc,2020-09-03T15:47:23Z,"Prototype Pollution in @hapi/subtext",@hapi/pez,0,5.0.1,,HIGH,CWE-1321,
 GHSA-g9jg-w8vm-g96v,2025-12-31T22:07:25Z,"Trix has a stored XSS vulnerability through its attachment attribute",trix,0,2.1.16,,MODERATE,CWE-79,
 GHSA-g9r4-xpmj-mj65,2020-09-04T15:06:32Z,"Prototype Pollution in handlebars",handlebars,0,3.0.8,,HIGH,CWE-1321,
@@ -5188,6 +5411,8 @@ GHSA-gm9x-q798-hmr4,2020-07-29T14:53:40Z,"Command Injection in git-tags-remote",
 GHSA-gmjp-776j-2394,2020-09-03T17:04:24Z,"Malicious Package in ripmed160",ripmed160,0.0.0,,,CRITICAL,CWE-506,
 GHSA-gpg2-7r7j-4pm9,2020-09-03T22:09:56Z,"Malicious Package in buffer-xob",buffer-xob,0.0.0,,,CRITICAL,CWE-506,
 GHSA-gpv5-7x3g-ghjv,2023-06-15T19:05:13Z,"fast-xml-parser regex vulnerability patch could be improved from a safety perspective",fast-xml-parser,4.2.4,4.2.5,,LOW,,
+GHSA-gq3j-xvxp-8hrf,2026-02-19T20:15:59Z,"Hono added timing comparison hardening in basicAuth and bearerAuth",hono,0,4.11.10,,LOW,CWE-208,
+GHSA-gq9c-wg68-gwj2,2026-02-18T17:38:39Z,"OpenClaw has a path traversal in browser trace/download output paths may allow arbitrary file writes",openclaw,0,2026.2.13,,HIGH,CWE-22,
 GHSA-gqf6-75v8-vr26,2020-09-04T16:56:11Z,"Arbitrary File Write in bin-links",bin-links,0,1.1.5,,LOW,,
 GHSA-gqq4-937c-2282,2020-09-03T22:49:42Z,"Malicious Package in juffer-xor",juffer-xor,0.0.0,,,CRITICAL,CWE-506,
 GHSA-gr4j-r575-g665,2020-08-25T14:04:47Z,"Cross-Site Scripting in highcharts",highcharts,0,7.2.2,,HIGH,CWE-79,
@@ -5225,8 +5450,11 @@ GHSA-h6m3-cx24-9626,2020-09-03T23:11:45Z,"Malicious Package in js-sla3",js-sla3,
 GHSA-h6mq-3cj6-h738,2020-09-03T23:21:16Z,"Reverse Tabnabbing in showdown",showdown,0,1.9.1,,LOW,CWE-1022,
 GHSA-h726-x36v-rx45,2020-09-03T18:04:54Z,"Prototype Pollution in lodash.merge",lodash.merge,0,4.6.2,,HIGH,CWE-1321,
 GHSA-h87q-g2wp-47pj,2022-02-09T22:41:19Z,"Signatures are mistakenly recognized to be valid in jsrsasign",jsrsasign,0,10.2.0,,MODERATE,CWE-347,
+GHSA-h89v-j3x9-8wqj,2026-02-18T00:52:54Z,"OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)",clawdbot,0,,2026.1.24-3,MODERATE,CWE-400,
+GHSA-h89v-j3x9-8wqj,2026-02-18T00:52:54Z,"OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)",openclaw,0,2026.2.14,,MODERATE,CWE-400,
 GHSA-h96f-fc7c-9r55,2021-01-06T19:25:46Z,"Regex denial of service vulnerability in codesample plugin",tinymce,0,5.6.0,,LOW,CWE-400,
 GHSA-h97g-4mx7-5p2p,2020-09-03T17:11:36Z,"Open Redirect in apostrophe",apostrophe,0,2.92.0,,MODERATE,CWE-601,
+GHSA-h9g4-589h-68xv,2026-02-18T17:45:31Z,"OpenClaw has an authentication bypass in sandbox browser bridge server",openclaw,2026.1.29-beta.1,2026.2.14,,HIGH,CWE-306,
 GHSA-h9wq-xcqx-mqxm,2023-07-11T22:46:19Z,"Vendure Cross Site Request Forgery vulnerability impacting all API requests",@vendure/core,0,2.0.3,,LOW,,
 GHSA-h9wr-xr4r-66fh,2020-09-03T18:20:20Z,"Cross-Site Scripting in dmn-js-properties-panel",dmn-js-properties-panel,0,0.3.0,,HIGH,CWE-79,
 GHSA-hfwx-c7q6-g54c,2021-03-12T23:04:46Z,"Vulnerability allowing for reading internal HTTP resources",highcharts-export-server,0,2.1.0,,HIGH,CWE-552,
@@ -5247,6 +5475,7 @@ GHSA-hq8g-qq57-5275,2020-09-11T21:24:33Z,"SQL Injection in untitled-model",untit
 GHSA-hqf9-8xv5-x8xw,2026-01-05T19:57:46Z,"ERC7984ERC20Wrapper: once a wrapper is filled, subsequent wrap requests do not revert and result in loss of funds.","@openzeppelin/confidential-contracts",0,0.3.1,,MODERATE,CWE-190,
 GHSA-hrpp-f84w-xhfg,2020-09-04T16:55:06Z,"Outdated Static Dependency in vue-moment",vue-moment,0,4.1.0,,MODERATE,CWE-1104,
 GHSA-hv4w-jhcj-6wfw,2020-09-03T20:34:23Z,"Cross-Site Scripting in snekserve",snekserve,0.0.0,,,HIGH,CWE-79,
+GHSA-hv93-r4j3-q65f,2026-02-17T16:43:34Z,"OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing",openclaw,2.0.0-beta3,2026.2.12,,HIGH,CWE-330;CWE-639,
 GHSA-hvgc-mggg-pxr2,2020-09-03T23:02:33Z,"Malicious Package in js-sha7",js-sha7,0.0.0,,,CRITICAL,CWE-506,
 GHSA-hvxq-j2r4-4jm8,2020-09-03T20:31:04Z,"Regular Expression Denial of Service in sql-injection",sql-injection,0.0.0,,,HIGH,,
 GHSA-hwh3-fhf6-73x9,2020-09-04T15:36:09Z,"Malicious Package in bictoinjs-lib",bictoinjs-lib,0.0.0,,,CRITICAL,CWE-506,
@@ -5259,6 +5488,7 @@ GHSA-hxwc-5vw9-2w4w,2020-09-02T15:52:39Z,"NoSQL Injection in loopback-connector-
 GHSA-hxwm-x553-x359,2021-08-05T17:07:39Z,"Arbitrary Command Injection due to Improper Command Sanitization",@npmcli/git,0,2.0.8,,MODERATE,CWE-78,
 GHSA-hxxf-q3w9-4xgw,2018-07-12T19:52:02Z,"Malicious Package in eslint-scope",eslint-config-eslint,5.0.2,6.0.0,,CRITICAL,CWE-506,
 GHSA-hxxf-q3w9-4xgw,2018-07-12T19:52:02Z,"Malicious Package in eslint-scope",eslint-scope,3.7.2,3.7.3,,CRITICAL,CWE-506,
+GHSA-j27p-hq53-9wgc,2026-02-18T00:51:37Z,"OpenClaw affected by denial of service via unbounded URL-backed media fetch",openclaw,0,2026.2.14,,HIGH,CWE-400,
 GHSA-j3qq-qvc8-c6g7,2020-09-01T21:15:09Z,"Malicious Package in foever",foever,0,,,CRITICAL,CWE-506,
 GHSA-j44m-5v8f-gc9c,2025-10-10T22:55:09Z,"Flowise is vulnerable to arbitrary file exposure through its ReadFileTool",flowise,0,3.0.8,,HIGH,CWE-22,
 GHSA-j44m-5v8f-gc9c,2025-10-10T22:55:09Z,"Flowise is vulnerable to arbitrary file exposure through its ReadFileTool",flowise-components,0,3.0.8,,HIGH,CWE-22,
@@ -5297,6 +5527,7 @@ GHSA-jmqm-f2gx-4fjv,2020-07-07T18:59:10Z,"Sensitive information exposure through
 GHSA-jp99-5h8w-gmxc,2020-09-04T15:03:13Z,"Sandbox Breakout / Arbitrary Code Execution in @zhaoyao91/eval-in-vm",@zhaoyao91/eval-in-vm,0.0.0,,,CRITICAL,,
 GHSA-jp9g-5x75-ccp8,2020-09-02T21:34:30Z,"Malicious Package in colro-name",colro-name,0,,,CRITICAL,CWE-506,
 GHSA-jqjg-v355-hr9q,2020-09-03T22:11:02Z,"Malicious Package in buffer-xop",buffer-xop,0.0.0,,,CRITICAL,CWE-506,
+GHSA-jqpq-mgvm-f9r6,2026-02-18T00:55:50Z,"OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)",openclaw,0,2026.2.14,,HIGH,CWE-427;CWE-78;CWE-807,
 GHSA-jqvv-r4w3-8f7w,2020-09-04T15:35:00Z,"Malicious Package in bictoind-rpc",bictoind-rpc,0.0.0,,,CRITICAL,CWE-506,
 GHSA-jqx4-9gpq-rppm,2025-05-06T16:44:22Z,"@misskey-dev/summaly allows IP Filter Bypass via Redirect",@misskey-dev/summaly,5.1.0,5.2.1,,MODERATE,CWE-346,
 GHSA-jrj9-5qp6-2v8q,2020-09-03T23:22:19Z,"Machine-In-The-Middle in airtable",airtable,0.1.19,0.7.2,,HIGH,,
@@ -5346,6 +5577,8 @@ GHSA-mh5c-679w-hh4r,2020-09-03T21:12:01Z,"Denial of Service in mongodb",mongodb,
 GHSA-mh6f-8j2x-4483,2018-11-26T23:58:21Z,"Critical severity vulnerability that affects event-stream and flatmap-stream",event-stream,3.3.6,4.0.0,,CRITICAL,CWE-506,
 GHSA-mh6f-8j2x-4483,2018-11-26T23:58:21Z,"Critical severity vulnerability that affects event-stream and flatmap-stream",flatmap-stream,0,,,CRITICAL,CWE-506,
 GHSA-mhxg-pr3j-v9gr,2020-09-03T19:41:22Z,"Malicious Package in colne",colne,0.0.0,,,CRITICAL,CWE-506,
+GHSA-mj5r-hh7j-4gxf,2026-02-18T00:54:32Z,"OpenClaw Telegram allowlist authorization accepted mutable usernames",clawdbot,0,,2026.1.24-3,MODERATE,CWE-284;CWE-290,
+GHSA-mj5r-hh7j-4gxf,2026-02-18T00:54:32Z,"OpenClaw Telegram allowlist authorization accepted mutable usernames",openclaw,0,2026.2.14,,MODERATE,CWE-284;CWE-290,
 GHSA-mjjq-c88q-qhr6,2020-09-03T21:22:00Z,"Cross-Site Scripting in dompurify",dompurify,0,2.0.7,,CRITICAL,CWE-79,
 GHSA-mmph-wp49-r48h,2020-09-02T20:20:26Z,"Malicious Package in experss",experss,0,,,CRITICAL,CWE-506,
 GHSA-mmqv-m45h-q2hp,2020-09-04T15:22:40Z,"Sandbox Breakout / Arbitrary Code Execution in localeval",localeval,0,15.3.0,,CRITICAL,,
@@ -5354,7 +5587,11 @@ GHSA-mpcx-8qqw-rmcq,2020-08-19T21:51:20Z,"SQL Injection in waterline-sequel",wat
 GHSA-mpjf-8cmf-p789,2020-09-01T21:25:46Z,"Cross-Site Scripting in jingo",jingo,0,1.9.2,,HIGH,CWE-79,
 GHSA-mq6v-w35g-3c97,2024-02-03T00:37:56Z,"Local File Inclusion vulnerability in zmarkdown",zmarkdown,0,10.1.3,,LOW,,
 GHSA-mq9h-cwc2-6j5r,2020-09-03T17:42:27Z,"Malicious Package in midway-dataproxy",midway-dataproxy,0.0.0,,,CRITICAL,CWE-506,
+GHSA-mqpw-46fh-299h,2026-02-17T21:39:11Z,"OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve",openclaw,0,2026.2.2,,HIGH,CWE-269;CWE-863,
+GHSA-mr32-vwc2-5j6h,2026-02-17T16:45:47Z,"OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access",moltbot,0,,0.1.0,HIGH,CWE-306,
+GHSA-mr32-vwc2-5j6h,2026-02-17T16:45:47Z,"OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access",openclaw,2026.1.20,2026.2.1,,HIGH,CWE-306,
 GHSA-mrr8-v49w-3333,2023-07-10T19:08:10Z,"sweetalert2 contains potentially undesirable behavior",sweetalert2,11.6.14,11.22.4,,LOW,CWE-440,
+GHSA-mv9j-6xhh-g383,2026-02-17T21:31:17Z,"OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering",openclaw,0,2026.2.12,,MODERATE,CWE-285;CWE-306,
 GHSA-mvch-rh6h-2m47,2020-09-11T21:10:29Z,"Malicious Package in equest",equest,0,,,CRITICAL,CWE-506,
 GHSA-mvrp-3cvx-c325,2023-10-04T14:46:06Z,"Zod denial of service vulnerability during email validation",express-zod-api,0,10.0.0-beta1,,HIGH,CWE-1333,
 GHSA-mvw6-62qv-vmqf,2025-07-25T06:30:30Z,"Duplicate Advisory: Koa Open Redirect via Referrer Header (User-Controlled)",koa,0,3.0.1,,LOW,CWE-601,
@@ -5375,6 +5612,7 @@ GHSA-mxq6-vrrr-ppmg,2022-05-24T17:04:00Z,"Duplicate Advisory: tree-kill vulnerab
 GHSA-p33q-w45h-2hcj,2020-09-02T18:30:03Z,"Malicious Package in 4equest",4equest,0,,,CRITICAL,CWE-506,
 GHSA-p3jx-g34v-q56j,2020-09-03T22:54:02Z,"Malicious Package in j3-sha3",j3-sha3,0.0.0,,,CRITICAL,CWE-506,
 GHSA-p4mf-4qvh-w8g5,2020-09-04T15:41:42Z,"Malicious Package in bitcionjslib",bitcionjslib,0.0.0,,,CRITICAL,CWE-506,
+GHSA-p536-vvpp-9mc8,2026-02-19T19:40:56Z,"OpenClaw has a Web Fetch DoS via unbounded response parsing",openclaw,0,2026.2.15,,MODERATE,CWE-400,
 GHSA-p56r-jr4p-4wgh,2020-08-03T18:16:37Z,Withdrawn,whereis,0,0.4.1,,HIGH,,
 GHSA-p5p2-rhc3-wmf3,2020-09-03T17:03:31Z,"Malicious Package in siganle",siganle,0.0.0,,,CRITICAL,CWE-506,
 GHSA-p62r-jf56-h429,2020-09-03T20:29:58Z,"Malicious Package in evil-package",evil-package,0.0.0,,,CRITICAL,CWE-506,
@@ -5391,6 +5629,7 @@ GHSA-pc5p-h8pf-mvwp,2020-04-16T03:14:56Z,"Machine-In-The-Middle in https-proxy-a
 GHSA-pc7q-c837-3wjq,2020-09-03T17:02:58Z,"Malicious Package in wallet-address-validtaor",wallet-address-validtaor,0.0.0,,,CRITICAL,CWE-506,
 GHSA-pf56-h9qf-rxq4,2024-10-07T15:14:40Z,"Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page",@saltcorn/server,0,1.0.0-beta.16,,MODERATE,CWE-79,
 GHSA-pfq2-hh62-7m96,2026-01-13T19:54:29Z,"Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious `distributionUrl`",renovate,32.124.0,42.68.5,,MODERATE,CWE-78,
+GHSA-pg2v-8xwh-qhcc,2026-02-18T00:55:00Z,"OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication",openclaw,0,2026.2.14,,MODERATE,CWE-918,
 GHSA-pg98-6v7f-2xfv,2022-11-23T15:44:52Z,"sweetalert2 v9.17.4 and above contains hidden functionality",sweetalert2,9.17.4,11.22.4,,LOW,CWE-912,
 GHSA-pgcr-7wm4-mcv6,2019-06-04T15:42:45Z,"Sensitive Data Exposure in pem",pem,0,1.13.2,,CRITICAL,CWE-200,
 GHSA-pgr8-jg6h-8gw6,2019-05-23T09:26:20Z,"Cross-Site Scripting in webpack-bundle-analyzer",webpack-bundle-analyzer,0,3.3.2,,MODERATE,CWE-79,
@@ -5398,9 +5637,6 @@ GHSA-pgv6-jrvv-75jp,2018-10-09T00:34:30Z,"Moderate severity vulnerability that a
 GHSA-ph6w-f82w-28w6,2025-09-03T18:06:31Z,"Claude Code Vulnerable to Arbitrary Code Execution Due to Insufficient Startup Warning","@anthropic-ai/claude-code",0,1.0.87,,HIGH,CWE-94,
 GHSA-phph-xpj4-wvcv,2020-09-03T21:13:07Z,"Cross-Site Scripting in hexo-admin",hexo-admin,0.0.0,,,HIGH,CWE-79,
 GHSA-pj97-j597-ppm7,2020-09-02T21:15:22Z,"Malicious Package in rqeuest",rqeuest,0,,,CRITICAL,CWE-506,
-GHSA-pjwm-rvh2-c87w,2021-10-22T20:38:14Z,"Embedded malware in ua-parser-js",ua-parser-js,0.7.29,0.7.30,,HIGH,CWE-829;CWE-912,
-GHSA-pjwm-rvh2-c87w,2021-10-22T20:38:14Z,"Embedded malware in ua-parser-js",ua-parser-js,0.8.0,0.8.1,,HIGH,CWE-829;CWE-912,
-GHSA-pjwm-rvh2-c87w,2021-10-22T20:38:14Z,"Embedded malware in ua-parser-js",ua-parser-js,1.0.0,1.0.1,,HIGH,CWE-829;CWE-912,
 GHSA-pm52-wwrw-c282,2019-06-13T18:59:06Z,"Command Injection in wiki-plugin-datalog",wiki-plugin-datalog,0,0.1.6,,HIGH,CWE-94,
 GHSA-pm9v-325f-5g74,2020-09-02T21:30:11Z,"Malicious Package in saync",saync,0,,,CRITICAL,CWE-506,
 GHSA-pmgv-94f5-6w7w,2020-09-02T20:21:30Z,"Malicious Package in eact",eact,0,,,CRITICAL,CWE-506,
@@ -5422,6 +5658,8 @@ GHSA-q42c-rrp3-r3xm,2020-09-11T21:13:44Z,"Malicious Package in commmander",commm
 GHSA-q42p-pg8m-cqh6,2019-06-05T14:07:48Z,"Prototype Pollution in handlebars",handlebars,0,3.0.7,,HIGH,CWE-471,
 GHSA-q42p-pg8m-cqh6,2019-06-05T14:07:48Z,"Prototype Pollution in handlebars",handlebars,4.0.0,4.0.14,,HIGH,CWE-471,
 GHSA-q42p-pg8m-cqh6,2019-06-05T14:07:48Z,"Prototype Pollution in handlebars",handlebars,4.1.0,4.1.2,,HIGH,CWE-471,
+GHSA-q447-rj3r-2cgh,2026-02-18T00:53:07Z,"OpenClaw affected by denial of service via unbounded webhook request body buffering",clawdbot,0,,2026.1.24-3,HIGH,CWE-400,
+GHSA-q447-rj3r-2cgh,2026-02-18T00:53:07Z,"OpenClaw affected by denial of service via unbounded webhook request body buffering",openclaw,0,2026.2.13,,HIGH,CWE-400,
 GHSA-q4h9-46xg-m3x9,2021-09-15T20:22:13Z,"UUPSUpgradeable vulnerability in @openzeppelin/contracts-upgradeable","@openzeppelin/contracts-upgradeable",4.1.0,4.3.2,,CRITICAL,,
 GHSA-q4pp-j36h-3gqg,2023-08-24T12:53:06Z,"Minimal `basti` IAM Policy Allows Shell Access",basti-cdk,0,1.0.1,,LOW,,
 GHSA-q4xx-mc3q-23x8,2025-08-14T12:30:22Z,"Duplicate Advisory: Flowise vulnerable to RCE via Dynamic function constructor injection",flowise,0,,3.0.5,CRITICAL,CWE-94,
@@ -5447,6 +5685,7 @@ GHSA-qj3g-wfr7-3cv7,2020-09-02T21:41:53Z,"Malicious Package in require-ports",re
 GHSA-qj3p-xc97-xw74,2025-09-15T13:55:56Z,"MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency","@metamask/sdk-communication-layer",0.16.0,0.33.1,,MODERATE,CWE-506,
 GHSA-qj3p-xc97-xw74,2025-09-15T13:55:56Z,"MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency",@metamask/sdk,0.16.0,0.33.1,,MODERATE,CWE-506,
 GHSA-qj3p-xc97-xw74,2025-09-15T13:55:56Z,"MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency",@metamask/sdk-react,0.16.0,0.33.1,,MODERATE,CWE-506,
+GHSA-qj77-c3c8-9c3q,2026-02-17T16:44:11Z,"OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating",openclaw,0,2026.2.2,,HIGH,CWE-78,
 GHSA-qjfh-xc44-rm9x,2020-09-03T16:49:43Z,"Path Traversal in file-static-server",file-static-server,0.0.0,,,HIGH,CWE-22,
 GHSA-qm4q-f956-fg64,2020-09-03T17:39:13Z,"Malicious Package in luna-mock",luna-mock,0.0.0,,,CRITICAL,CWE-506,
 GHSA-qm7x-rc44-rrqw,2021-11-08T18:07:42Z,"Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)",apollo-server,2.0.0,2.25.3,,HIGH,CWE-79,
@@ -5460,10 +5699,13 @@ GHSA-qrg3-f6h6-vq8q,2020-08-19T22:15:57Z,"Denial of Service in https-proxy-agent
 GHSA-qrmm-w75w-3wpx,2021-12-09T19:08:38Z,"Server side request forgery in SwaggerUI",swagger-ui,0,4.1.3,,MODERATE,CWE-918,
 GHSA-qrmm-w75w-3wpx,2021-12-09T19:08:38Z,"Server side request forgery in SwaggerUI",swagger-ui-dist,0,4.1.3,,MODERATE,CWE-918,
 GHSA-qrmm-w75w-3wpx,2021-12-09T19:08:38Z,"Server side request forgery in SwaggerUI",swagger-ui-react,0,4.1.3,,MODERATE,CWE-918,
+GHSA-qrq5-wjgg-rvqw,2026-02-17T21:39:24Z,"OpenClaw has a Path Traversal in Plugin Installation",openclaw,2026.1.20,2026.2.1,,CRITICAL,CWE-22,
 GHSA-qv2g-99x4-45x6,2021-01-29T18:12:07Z,"Malicious npm package: discord-fix",discord-fix,0.0.0,,,CRITICAL,CWE-506,
 GHSA-qv78-398w-cxp7,2020-09-11T21:08:19Z,"Malicious Package in shrugging-logging",shrugging-logging,0,,,CRITICAL,CWE-506,
+GHSA-qw99-grcx-4pvm,2026-02-17T17:09:43Z,"OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback",openclaw,2026.1.14-1,2026.2.12,,MODERATE,CWE-284,
 GHSA-qx4v-6gc5-f2vv,2019-06-20T14:32:56Z,"Regular Expression Denial of Service",esm,0,3.1.0,,MODERATE,CWE-400,
 GHSA-qxrj-x7rm-2h49,2020-09-03T17:05:59Z,"Malicious Package in dhkey",dhkey,0.0.0,,,CRITICAL,CWE-506,
+GHSA-r2c6-8jc8-g32w,2026-02-02T00:30:23Z,"Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl",clawdbot,0,2026.1.29,,HIGH,CWE-669,
 GHSA-r2gr-fhmr-66c5,2021-05-10T18:38:11Z,"Duplicate Advisory: ""Arbitrary code execution in socket.io-file""",socket.io-file,0,,2.0.31,HIGH,CWE-20,
 GHSA-r2rg-683g-ff96,2020-09-03T19:40:12Z,"Malicious Package in axios-http",axios-http,0.0.0,,,CRITICAL,CWE-506,
 GHSA-r2vw-jgq9-jqx2,2020-09-03T15:54:11Z,"Improper Authorization in @sap-cloud-sdk/core",@sap-cloud-sdk/core,1.19.0,1.21.2,,HIGH,CWE-285,
@@ -5478,6 +5720,8 @@ GHSA-r4m5-47cq-6qg8,2020-09-04T17:25:13Z,"Server-Side Request Forgery in ftp-srv
 GHSA-r4m5-47cq-6qg8,2020-09-04T17:25:13Z,"Server-Side Request Forgery in ftp-srv",ftp-srv,3.0.0,3.1.2,,HIGH,CWE-918,
 GHSA-r4m5-47cq-6qg8,2020-09-04T17:25:13Z,"Server-Side Request Forgery in ftp-srv",ftp-srv,4.0.0,4.3.4,,HIGH,CWE-918,
 GHSA-r587-7jh2-4qr3,2020-08-26T19:32:50Z,"Server secret was included in static assets and served to clients",flood,2.0.0,3.0.0,,CRITICAL,,
+GHSA-r5fq-947m-xm57,2026-02-19T20:45:58Z,"OpenClaw has a path traversal in apply_patch could write/delete files outside the workspace",openclaw,0,2026.2.14,,HIGH,CWE-22,
+GHSA-r5h9-vjqc-hq3r,2026-02-17T21:36:15Z,"Nextcloud Talk allowlist bypass via actor.name display name spoofing",@openclaw/nextcloud-talk,0,2026.2.6,,CRITICAL,CWE-290,
 GHSA-r5w7-f542-q2j4,2025-01-28T20:37:26Z,"Potential DoS when using ContextLines integration","@sentry/google-cloud-serverless",8.10.0,8.49.0,,LOW,CWE-774,
 GHSA-r5w7-f542-q2j4,2025-01-28T20:37:26Z,"Potential DoS when using ContextLines integration",@sentry/astro,8.10.0,8.49.0,,LOW,CWE-774,
 GHSA-r5w7-f542-q2j4,2025-01-28T20:37:26Z,"Potential DoS when using ContextLines integration",@sentry/aws-serverless,8.10.0,8.49.0,,LOW,CWE-774,
@@ -5498,7 +5742,6 @@ GHSA-r9cj-xj33-4q42,2020-09-03T22:21:54Z,"Malicious Package in buffgr-xor",buffg
 GHSA-r9q4-w3fm-wrm2,2020-09-02T21:21:43Z,"Cross-Site Scripting in google-closure-library",google-closure-library,0,20190301.0.0,,MODERATE,CWE-79,
 GHSA-rc4v-99cr-pjcm,2023-10-17T14:21:16Z,"Prototype Pollution in ali-security/mongoose","@seal-security/mongoose-fixed",5.3.3,5.3.4,,CRITICAL,CWE-1321,
 GHSA-rch7-f4h5-x9rj,2019-08-23T00:04:52Z,"Identity Spoofing in libp2p-secio",libp2p-secio,0,0.9.0,,CRITICAL,CWE-290,
-GHSA-rcmh-qjqh-p98v,2025-12-01T20:44:25Z,"Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls",nodemailer,0,7.0.11,,LOW,CWE-703,
 GHSA-rcv7-4w2m-gj9v,2020-09-03T23:24:26Z,"Malicious Package in sj-tw-test-security",sj-tw-test-security,0.0.0,,,CRITICAL,CWE-506,
 GHSA-rffp-mc78-wjf7,2020-09-02T18:26:48Z,"Command Injection in cocos-utils",cocos-utils,0,,,HIGH,CWE-77,
 GHSA-rggq-f2wf-m6cp,2020-09-02T18:31:08Z,"Malicious Package in jajajejejiji",jajajejejiji,0,,,CRITICAL,CWE-506,
@@ -5507,9 +5750,13 @@ GHSA-rjhc-w3fj-j6x9,2020-09-03T17:32:45Z,"Malicious Package in alipayjsapi",alip
 GHSA-rjvj-673q-4hfw,2020-09-04T17:54:31Z,"Command Injection in traceroute",traceroute,0.0.0,,,CRITICAL,CWE-77,
 GHSA-rm7c-x424-g2mw,2020-09-02T18:36:31Z,"Malicious Package in asyync",asyync,0,,,CRITICAL,CWE-506,
 GHSA-rmmc-8cqj-hfp3,2020-09-03T18:24:43Z,"Authentication Bypass in otpauth",otpauth,0,3.2.8,,HIGH,CWE-287,
+GHSA-rmxw-jxxx-4cpc,2026-02-17T21:34:17Z,"OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching",openclaw,2026.1.14-1,2026.2.2,,MODERATE,CWE-290,
+GHSA-rq6g-px6m-c248,2026-02-18T00:54:14Z,"OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting",clawdbot,0,,2026.1.24-3,HIGH,CWE-284;CWE-639,
+GHSA-rq6g-px6m-c248,2026-02-18T00:54:14Z,"OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting",openclaw,0,2026.2.14,,HIGH,CWE-284;CWE-639,
 GHSA-rqgv-292v-5qgr,2024-04-23T16:21:09Z,"Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases",renovate,37.158.0,37.199.0,,MODERATE,CWE-78,
 GHSA-rrqv-vjrw-hrcr,2021-05-26T19:59:19Z,"Arbitrary Code Execution in json-ptr",json-ptr,0,2.1.0,,HIGH,CWE-74,
 GHSA-rrvm-gqq8-q2wx,2020-09-03T21:05:26Z,"Malicious Package in require-port",require-port,0.0.0,,,CRITICAL,CWE-506,
+GHSA-rv39-79c4-7459,2026-02-17T16:37:04Z,"OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated",openclaw,0,2026.2.2,,CRITICAL,CWE-306,
 GHSA-rv49-54qp-fw42,2019-06-06T15:30:20Z,"Path Traversal in servey",servey,0,3.1.0,,MODERATE,CWE-22,
 GHSA-rv6q-p3x7-43fx,2020-09-04T16:37:50Z,"Malicious Package in bitcoimjs-lib",bitcoimjs-lib,0.0.0,,,CRITICAL,CWE-506,
 GHSA-rvg8-pwq2-xj7q,2020-09-01T20:42:44Z,"Out-of-bounds Read in base64url",base64url,0,3.0.0,,MODERATE,CWE-125,
@@ -5517,14 +5764,17 @@ GHSA-rvww-x6m4-4vc2,2020-09-11T21:12:39Z,"Malicious Package in blubird",blubird,
 GHSA-rw4r-h883-8pf9,2020-09-02T20:30:02Z,"Malicious Package in reequest",reequest,0,,,CRITICAL,CWE-506,
 GHSA-rw53-q8x7-ccx8,2020-09-03T21:55:17Z,"Malicious Package in buffer-xkr",buffer-xkr,0.0.0,,,CRITICAL,CWE-506,
 GHSA-rwcq-qpm6-7867,2020-09-03T17:04:32Z,"Malicious Package in riped160",riped160,0.0.0,,,CRITICAL,CWE-506,
+GHSA-rwj8-p9vq-25gv,2026-02-18T17:44:58Z,"OpenClaw has a LFI in BlueBubbles media path handling",openclaw,0,2026.2.14,,HIGH,CWE-22,
 GHSA-rwmv-c7v8-v9vf,2020-09-04T16:36:45Z,"Malicious Package in bitcoimd-rpc",bitcoimd-rpc,0.0.0,,,CRITICAL,CWE-506,
 GHSA-v2p6-4mp7-3r9v,2019-06-14T16:26:22Z,"Regular Expression Denial of Service in underscore.string",underscore.string,0,3.3.5,,MODERATE,CWE-400,
 GHSA-v3wr-67px-44xg,2022-03-03T19:11:14Z,"Execution with Unnecessary Privileges in arc-electron","@advanced-rest-client/base",0,0.1.10,,HIGH,,
 GHSA-v45m-2wcp-gg98,2020-09-04T17:18:44Z,"Global node_modules Binary Overwrite in bin-links",bin-links,0,1.1.6,,LOW,,
 GHSA-v4x8-gw49-7hv4,2020-09-03T20:37:42Z,"Path Traversal in swagger-injector",swagger-injector,0.0.0,,,CRITICAL,CWE-22,
 GHSA-v66p-w7qx-wv98,2020-09-04T17:29:34Z,"Authentication Bypass in express-laravel-passport",express-laravel-passport,0.0.0,,,CRITICAL,CWE-287,
+GHSA-v6c6-vqqg-w888,2026-02-18T00:57:48Z,"OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway",openclaw,2026.1.5,2026.2.14,,HIGH,CWE-22,
 GHSA-v6cj-r88p-92rm,2019-09-30T19:31:59Z,"Buffer Overflow in centra",centra,0,2.4.0,,HIGH,CWE-119,
 GHSA-v6gv-fg46-h89j,2020-09-03T16:48:36Z,"Sensitive Data Exposure in put",put,0,,,LOW,CWE-200,
+GHSA-v773-r54f-q32w,2026-02-18T00:51:03Z,"OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands",openclaw,0,2026.2.14,,MODERATE,CWE-285,
 GHSA-v78c-4p63-2j6c,2022-08-30T20:28:43Z,"Cleartext Transmission of Sensitive Information in moment-timezone",moment-timezone,0.1.0,0.5.35,,MODERATE,CWE-319,
 GHSA-v7cp-5326-54fh,2020-09-03T16:45:15Z,"Path Traversal in bruteser",bruteser,0,0.1.0,,HIGH,CWE-22,
 GHSA-v7x3-7hw7-pcjg,2019-10-21T16:02:33Z,"Renovate vulnerable to leakage of temporary repository tokens into Pull Request comments",renovate,13.87.0,19.38.7,,MODERATE,CWE-200,
@@ -5554,11 +5804,13 @@ GHSA-vpgc-7h78-gx8f,2020-09-04T18:05:14Z,"personnummer/js vulnerable to Improper
 GHSA-vpj4-89q8-rh38,2020-09-03T18:16:59Z,"Cross-Site Scripting in bpmn-js-properties-panel",bpmn-js-properties-panel,0,0.31.0,,HIGH,CWE-79,
 GHSA-vpq5-4rc8-c222,2019-06-05T14:10:45Z,"Denial of Service in canvas",canvas,0,1.6.10,,MODERATE,,
 GHSA-vr6p-vq2p-6j74,2025-12-15T22:00:17Z,"Withdrawn Advisory: LikeC4 has RCE through vulnerable React and Next.js versions",likec4,0,,1.46.1,CRITICAL,CWE-502,
+GHSA-vrhm-gvg7-fpcf,2026-02-19T20:29:42Z," Memory exhaustion in SvelteKit remote form deserialization (experimental only)",@sveltejs/kit,2.49.0,2.52.2,,MODERATE,CWE-770,
 GHSA-vrxj-4qhw-5vwq,2020-09-03T17:03:41Z,"Malicious Package in scryptys",scryptys,0.0.0,,,CRITICAL,CWE-506,
 GHSA-vv52-3mrp-455m,2020-09-03T15:53:36Z,"Malicious Package in m-backdoor",m-backdoor,0.0.0,,,CRITICAL,CWE-506,
 GHSA-vv7g-pjw9-4qj9,2020-09-03T17:03:56Z,"Malicious Package in scrytsy",scrytsy,0.0.0,,,CRITICAL,CWE-506,
 GHSA-vvfh-mvjv-w38q,2020-09-04T15:28:19Z,"Malicious Package in babel-loadre",babel-loadre,0.0.0,,,CRITICAL,CWE-506,
 GHSA-vw7g-jq9m-3q9v,2020-09-02T18:23:35Z,"Unauthorized File Access in glance",glance,0,3.0.7,,MODERATE,,
+GHSA-vx5f-vmr6-32wf,2026-02-10T14:33:50Z,"cap-go/capacitor-native-biometric Authentication Bypass","@capgo/capacitor-native-biometric",0,8.3.6,,MODERATE,CWE-287,
 GHSA-vx5w-cxch-wwc9,2020-09-03T19:02:27Z,"Path Traversal in f-serv",f-serv,0.0.0,,,CRITICAL,CWE-22,
 GHSA-vxfp-qmpq-6826,2020-09-03T17:38:09Z,"Malicious Package in hpmm",hpmm,0.0.0,,,CRITICAL,CWE-506,
 GHSA-vxp4-25qp-86qh,2017-10-24T18:33:36Z,"Moderate severity vulnerability that affects ember",ember,1.12.0,1.12.2,,MODERATE,,
@@ -5567,6 +5819,8 @@ GHSA-vxp4-25qp-86qh,2017-10-24T18:33:36Z,"Moderate severity vulnerability that a
 GHSA-vxp4-25qp-86qh,2017-10-24T18:33:36Z,"Moderate severity vulnerability that affects ember",ember,2.0.0,2.0.3,,MODERATE,,
 GHSA-vxp4-25qp-86qh,2017-10-24T18:33:36Z,"Moderate severity vulnerability that affects ember",ember,2.1.0,2.1.2,,MODERATE,,
 GHSA-vxp4-25qp-86qh,2017-10-24T18:33:36Z,"Moderate severity vulnerability that affects ember",ember,2.2.0,2.2.1,,MODERATE,,
+GHSA-w2cg-vxx6-5xjg,2026-02-18T00:52:36Z,"OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks",clawdbot,0,,2026.1.24-3,MODERATE,CWE-400,
+GHSA-w2cg-vxx6-5xjg,2026-02-18T00:52:36Z,"OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks",openclaw,0,2026.2.14,,MODERATE,CWE-400,
 GHSA-w32g-5hqp-gg6q,2020-09-02T15:41:41Z,"Cross-Site Scripting in mermaid",mermaid,0,8.2.3,,HIGH,CWE-79,
 GHSA-w37m-7fhw-fmv9,2025-12-11T22:49:56Z,"Next Server Actions Source Code Exposure ",next,15.0.0-canary.0,15.0.6,,MODERATE,CWE-1395;CWE-497;CWE-502,
 GHSA-w37m-7fhw-fmv9,2025-12-11T22:49:56Z,"Next Server Actions Source Code Exposure ",next,15.1.1-canary.0,15.1.10,,MODERATE,CWE-1395;CWE-497;CWE-502,
@@ -5594,10 +5848,12 @@ GHSA-w42g-7vfc-xf37,2020-06-05T19:38:14Z,"Introspection in schema validation in
 GHSA-w4hv-vmv9-hgcr,2024-02-16T19:29:31Z,"GitHub Security Lab (GHSL) Vulnerability Report, scrypted: `GHSL-2023-218`, `GHSL-2023-219`",@scrypted/core,0,,0.1.142,HIGH,,
 GHSA-w4hv-vmv9-hgcr,2024-02-16T19:29:31Z,"GitHub Security Lab (GHSL) Vulnerability Report, scrypted: `GHSL-2023-218`, `GHSL-2023-219`",@scrypted/server,0,,0.56.0,HIGH,,
 GHSA-w4vp-3mq7-7v82,2020-09-03T15:49:48Z,"Cross-Site Scripting in lazysizes",lazysizes,0,5.2.1-rc1,,HIGH,CWE-79,
+GHSA-w5c7-9qqw-6645,2026-02-18T00:56:51Z,"OpenClaw inter-session prompts could be treated as direct user instructions",openclaw,0,2026.2.13,,HIGH,CWE-345,
+GHSA-w5cr-2qhr-jqc5,2026-02-13T21:04:00Z,"Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site",agents,0,0.3.10,,MODERATE,CWE-79,
 GHSA-w5q7-3pr9-x44w,2020-09-02T15:59:19Z,"Denial of Service in serialize-to-js",serialize-to-js,0,2.0.0,,HIGH,,
 GHSA-w65v-hx54-xrqx,2020-09-03T17:41:23Z,"Malicious Package in midway-xtpl",midway-xtpl,0.0.0,,,CRITICAL,CWE-506,
 GHSA-w725-67p7-xv22,2020-09-03T17:05:04Z,"Command Injection in local-devices",local-devices,0,3.0.0,,HIGH,CWE-77,
-GHSA-w7q7-vjp8-7jv4,2019-06-06T15:30:16Z,"SQL Injection in typeorm",typeorm,0,0.1.15,,HIGH,CWE-89,
+GHSA-w7q7-vjp8-7jv4,2019-06-06T15:30:16Z,"SQL Injection in typeorm",typeorm,0,0.1.15,,CRITICAL,CWE-89,
 GHSA-w7wg-24g3-2c78,2020-09-02T21:14:17Z,"Malicious Package in requset",requset,0,,,CRITICAL,CWE-506,
 GHSA-w8fh-pvq2-x8c4,2021-01-29T18:11:20Z,"Malicious npm package: sonatype",sonatype,0.0.0,,,CRITICAL,CWE-506,
 GHSA-w992-2gmj-9xxj,2020-09-11T21:23:29Z,"Cross-Site Scripting in swagger-ui",swagger-ui,0,2.2.1,,MODERATE,CWE-79,
@@ -5608,6 +5864,7 @@ GHSA-wch2-46wj-6x5j,2020-09-04T15:37:15Z,"Malicious Package in bip30",bip30,0.0.
 GHSA-wfhx-6pcm-7m55,2020-09-03T16:46:22Z,"Path Traversal in ponse",ponse,0,2.0.2,,HIGH,CWE-22,
 GHSA-wfjh-3hq2-r276,2020-09-03T19:56:48Z,"Malicious Package in node-spdy",node-spdy,0.0.0,,,CRITICAL,CWE-506,
 GHSA-wfm2-rq5g-f8v5,2025-04-29T15:11:41Z,"@account-kit/smart-contracts Allowlist Module Bypass Vulnerability","@account-kit/smart-contracts",4.8.0,4.28.2,,MODERATE,CWE-288,
+GHSA-wfp2-v9c7-fh79,2026-02-17T21:30:48Z,"OpenClaw affected by SSRF via attachment/media URL hydration",openclaw,0,2026.2.2,,MODERATE,CWE-918,
 GHSA-wfp9-vr4j-f49j,2019-06-04T20:04:27Z,"NoSQL Injection in sequelize",sequelize,0,4.12.0,,HIGH,CWE-89,
 GHSA-wfrj-qqc2-83cm,2021-09-20T19:52:41Z,"Remote command injection when using sendmail email transport",ghost,0,4.15.0,,MODERATE,CWE-88,
 GHSA-wg2x-rv86-mmpx,2024-01-19T22:07:47Z,"SPV Merkle proof malleability allows the maintainer to prove invalid transactions",@keep-network/tbtc-v2,0,1.5.2,,HIGH,,
@@ -5648,6 +5905,7 @@ GHSA-wxhq-pm8v-cw75,2019-06-05T20:50:16Z,"Regular Expression Denial of Service i
 GHSA-wxj2-777f-vxmf,2024-01-03T18:30:51Z,"Duplicate Advisory: Cross-site scripting vulnerability in TinyMCE plugins",tinymce,0,,,MODERATE,CWE-79,
 GHSA-wxrm-2h86-v95f,2020-09-03T21:04:20Z,"Malicious Package in pizza-pasta",pizza-pasta,0.0.0,,,CRITICAL,CWE-506,
 GHSA-wxvm-fh75-mpgr,2018-07-26T16:24:34Z,"Critical severity vulnerability that affects dns-sync",dns-sync,0,0.1.1,,CRITICAL,,
+GHSA-x22m-j5qq-j49m,2026-02-18T17:45:12Z,"OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension",openclaw,0,2026.2.14,,HIGH,CWE-918,
 GHSA-x39m-3393-3qp4,2025-11-14T20:56:02Z,"Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)",flowise-ui,0,3.0.10,,HIGH,CWE-306;CWE-620,
 GHSA-x3m6-rprw-862w,2020-09-03T17:43:31Z,"Malicious Package in node-buc",node-buc,0.0.0,,,CRITICAL,CWE-506,
 GHSA-x3w4-mrmv-cw2x,2020-09-03T22:19:44Z,"Malicious Package in buffev-xor",buffev-xor,0.0.0,,,CRITICAL,CWE-506,
@@ -5667,6 +5925,7 @@ GHSA-x8m7-cv39-xmg9,2020-09-03T22:56:10Z,"Malicious Package in jq-sha3",jq-sha3,
 GHSA-x9hc-rw35-f44h,2020-09-02T15:46:03Z,"Sandbox Breakout / Arbitrary Code Execution in static-eval",static-eval,0,2.0.2,,HIGH,CWE-94,
 GHSA-x9p2-fxq6-2m5f,2019-06-20T14:33:07Z,"Reverse Tabnapping in swagger-ui",swagger-ui,0,3.18.0,,MODERATE,CWE-1022,
 GHSA-xc7v-wxcw-j472,2019-06-03T17:08:26Z,"Memory Exposure in tunnel-agent",tunnel-agent,0,0.6.0,,MODERATE,CWE-200,
+GHSA-xc7w-v5x6-cc87,2026-02-17T17:14:00Z,"OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)",openclaw,0,2026.2.12,,MODERATE,CWE-306,
 GHSA-xcgx-27q5-7634,2020-09-03T19:41:05Z,"Malicious Package in commanedr",commanedr,0.0.0,,,CRITICAL,CWE-506,
 GHSA-xcxh-6cv4-q8p8,2025-08-12T00:13:03Z,"HFS user adding a ""web link"" in HFS is vulnerable to ""target=_blank"" exploit",hfs,0,0.57.10,,LOW,CWE-1022,
 GHSA-xf5p-87ch-gxw2,2019-06-05T14:10:03Z,"Marked ReDoS due to email addresses being evaluated in quadratic time",marked,0.3.14,0.6.2,,MODERATE,CWE-400,
@@ -5691,6 +5950,7 @@ GHSA-xrr6-6ww3-f3qm,2020-09-02T21:25:58Z,"Sandbox Breakout / Arbitrary Code Exec
 GHSA-xrrg-wfwc-c7r3,2020-09-04T15:33:52Z,"Malicious Package in bictoin-ops",bictoin-ops,0.0.0,,,CRITICAL,CWE-506,
 GHSA-xv3q-jrmm-4fxv,2023-04-18T22:28:02Z,"Authentication Bypass in @strapi/plugin-users-permissions","@strapi/plugin-users-permissions",3.2.1,4.6.0,,HIGH,,
 GHSA-xv56-3wq5-9997,2026-01-13T19:57:06Z,"Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository",renovate,39.218.0,40.33.0,,MODERATE,CWE-77,
+GHSA-xvhf-x56f-2hpp,2026-02-18T00:50:47Z,"OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion",openclaw,0,2026.2.14,,MODERATE,CWE-78,
 GHSA-xvp7-8vm8-xfxx,2025-10-20T17:55:59Z,"Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers",@actual-app/sync-server,0,,25.10.0,MODERATE,CWE-209;CWE-219,
 GHSA-xw79-hhv6-578c,2020-09-11T21:16:59Z,"Cross-Site Scripting in serve",serve,0,10.0.2,,HIGH,CWE-79,
 GHSA-xwqw-rf2q-xmhf,2020-09-01T21:23:38Z,"Cross-Site Scripting in buefy",buefy,0,0.7.2,,HIGH,CWE-79,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@openrewrite/recipes-nodejs",
-  "version": "0.38.0-20260203-172000",
+  "version": "0.38.1",
   "license": "Moderne Source Available License",
   "description": "OpenRewrite recipes for Node.js library migrations.",
   "homepage": "https://github.com/moderneinc/rewrite-node",