@openrewrite/recipes-nodejs 0.38.0 → 0.38.1
- package/dist/resources/advisories-npm.csv +174 -18
- package/package.json +1 -1
|
@@ -1952,6 +1952,9 @@ CVE-2021-41720,2021-12-03T20:37:32Z,"Withdrawn: Arbitrary code execution in loda
|
|
|
1952
1952
|
CVE-2021-42057,2022-05-24T19:19:42Z,"Obsidian Dataview vulnerable to code injection due to unsafe eval",obsidian-dataview,0,0.4.13,,HIGH,CWE-94,
|
|
1953
1953
|
CVE-2021-42227,2021-10-18T19:44:32Z,"Cross site scripting in kindeditor",kindeditor,0,,4.1.12,MODERATE,CWE-79,
|
|
1954
1954
|
CVE-2021-42228,2021-10-18T19:44:06Z,"Cross Site Request Forgery in kindeditor",kindeditor,0,,4.1.12,HIGH,CWE-352,
|
|
1955
|
+
CVE-2021-4229,2021-10-22T20:38:14Z,"Embedded malware in ua-parser-js",ua-parser-js,0.7.29,0.7.30,,HIGH,CWE-829;CWE-912,
|
|
1956
|
+
CVE-2021-4229,2021-10-22T20:38:14Z,"Embedded malware in ua-parser-js",ua-parser-js,0.8.0,0.8.1,,HIGH,CWE-829;CWE-912,
|
|
1957
|
+
CVE-2021-4229,2021-10-22T20:38:14Z,"Embedded malware in ua-parser-js",ua-parser-js,1.0.0,1.0.1,,HIGH,CWE-829;CWE-912,
|
|
1955
1958
|
CVE-2021-4231,2022-05-27T00:01:08Z,"Angular vulnerable to Cross-site Scripting",@angular/core,0,10.2.5,,MODERATE,CWE-79,
|
|
1956
1959
|
CVE-2021-4231,2022-05-27T00:01:08Z,"Angular vulnerable to Cross-site Scripting",@angular/core,11.0.0,11.0.5,,MODERATE,CWE-79,
|
|
1957
1960
|
CVE-2021-4231,2022-05-27T00:01:08Z,"Angular vulnerable to Cross-site Scripting",@angular/core,11.1.0-next.0,11.1.0-next.3,,MODERATE,CWE-79,
|
|
@@ -2028,12 +2031,12 @@ CVE-2022-0401,2022-02-02T00:01:46Z,"Path Traversal in w-zip",w-zip,0,1.0.12,,CRI
|
|
|
2028
2031
|
CVE-2022-0436,2022-04-13T00:00:16Z,"Path Traversal in Grunt",grunt,0,1.5.2,,MODERATE,CWE-22,
|
|
2029
2032
|
CVE-2022-0437,2022-02-06T00:00:54Z,"Cross-site Scripting in karma",karma,0,6.3.14,,MODERATE,CWE-79,
|
|
2030
2033
|
CVE-2022-0508,2022-02-09T00:00:31Z,"Server-Side Request Forgery in @peertube/embed-api",@peertube/embed-api,0,4.1.0-rc.1,,MODERATE,CWE-918,
|
|
2031
|
-
CVE-2022-0512,2022-02-15T00:02:46Z,"Authorization bypass in url-parse",url-parse,0,1.5.6,,MODERATE,CWE-639,
|
|
2034
|
+
CVE-2022-0512,2022-02-15T00:02:46Z,"Authorization bypass in url-parse",url-parse,0.1.0,1.5.6,,MODERATE,CWE-639,
|
|
2032
2035
|
CVE-2022-0528,2022-03-04T00:00:19Z,"Incorrect Authorization in @uppy/companion",@uppy/companion,0,3.3.1,,HIGH,CWE-200;CWE-863;CWE-918,
|
|
2033
2036
|
CVE-2022-0536,2022-02-10T00:00:31Z,"Exposure of Sensitive Information to an Unauthorized Actor in follow-redirects",follow-redirects,0,1.14.8,,MODERATE,CWE-200;CWE-212,
|
|
2034
2037
|
CVE-2022-0613,2022-02-17T00:00:35Z,"Authorization Bypass Through User-Controlled Key in urijs",urijs,0,1.19.8,,MODERATE,CWE-639,
|
|
2035
2038
|
CVE-2022-0624,2022-06-29T00:00:57Z,"Authorization Bypass in parse-path",parse-path,0,5.0.0,,HIGH,CWE-639,
|
|
2036
|
-
CVE-2022-0639,2022-02-18T00:00:33Z,"url-parse Incorrectly parses URLs that include an '@'",url-parse,0,1.5.7,,MODERATE,CWE-639,
|
|
2039
|
+
CVE-2022-0639,2022-02-18T00:00:33Z,"url-parse Incorrectly parses URLs that include an '@'",url-parse,1.0.0,1.5.7,,MODERATE,CWE-639,
|
|
2037
2040
|
CVE-2022-0654,2022-02-24T00:00:54Z,"Cookie exposure in requestretry",requestretry,0,7.0.0,,HIGH,CWE-200,
|
|
2038
2041
|
CVE-2022-0686,2022-02-21T00:00:21Z,"Authorization Bypass Through User-Controlled Key in url-parse",url-parse,0,1.5.8,,CRITICAL,CWE-639,
|
|
2039
2042
|
CVE-2022-0691,2022-02-22T00:00:30Z,"url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.",url-parse,0.1.0,1.5.9,,MODERATE,CWE-639,
|
|
@@ -3655,7 +3658,7 @@ CVE-2025-1398,2025-03-17T15:31:50Z,"Mattermost Desktop App allows the bypass of
|
|
|
3655
3658
|
CVE-2025-14284,2025-12-09T18:30:35Z,"@tiptap/extension-link vulnerable to Cross-site Scripting (XSS)",@tiptap/extension-link,0,2.10.4,,LOW,CWE-79,
|
|
3656
3659
|
CVE-2025-14505,2026-01-08T21:30:34Z,"Elliptic Uses a Cryptographic Primitive with a Risky Implementation",elliptic,0,,6.6.1,LOW,CWE-1240,
|
|
3657
3660
|
CVE-2025-1467,2025-02-23T18:30:24Z,"tarteaucitron Cross-site Scripting (XSS)",tarteaucitronjs,0,1.17.0,,LOW,CWE-79,
|
|
3658
|
-
CVE-2025-14874,2025-12-01T20:44:25Z,"Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls",nodemailer,0,7.0.11,,
|
|
3661
|
+
CVE-2025-14874,2025-12-01T20:44:25Z,"Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls",nodemailer,0,7.0.11,,HIGH,CWE-703,
|
|
3659
3662
|
CVE-2025-15104,2026-01-16T15:31:25Z,"Nu Html Checker (vnu) contains a Server-Side Request Forgery (SSRF) vulnerability",vnu-jar,0,,26.1.11,MODERATE,CWE-918,
|
|
3660
3663
|
CVE-2025-1520,2025-04-23T18:30:58Z,"PostHog Plugin Server SQL Injection Vulnerability",@posthog/plugin-server,0,,1.10.7,HIGH,CWE-89,
|
|
3661
3664
|
CVE-2025-15265,2026-01-15T20:13:33Z,"svelte vulnerable to Cross-site Scripting",svelte,5.46.0,5.46.4,,MODERATE,CWE-79,
|
|
@@ -4095,6 +4098,7 @@ CVE-2025-56200,2025-09-30T18:30:25Z,"validator.js has a URL validation bypass vu
|
|
|
4095
4098
|
CVE-2025-56265,2025-09-08T18:31:42Z,"N8N's Chat Trigger component is vulnerable to XSS",@n8n/n8n-nodes-langchain,0,1.107.0,,HIGH,CWE-434;CWE-79,
|
|
4096
4099
|
CVE-2025-56571,2025-09-30T18:30:24Z,"Finance.js vulnerable to DoS via the IRR function’s depth parameter",financejs,0,,4.1.0,HIGH,CWE-400;CWE-770;CWE-834,
|
|
4097
4100
|
CVE-2025-56572,2025-09-30T18:30:24Z,"Finance.js vulnerable to DoS via the seekZero() parameter",financejs,0,,4.1.0,HIGH,CWE-400;CWE-770,
|
|
4101
|
+
CVE-2025-56647,2026-02-12T18:30:23Z,"@farmfe/core is Missing Origin Validation in WebSocket",@farmfe/core,0,1.7.6,,MODERATE,CWE-1385,
|
|
4098
4102
|
CVE-2025-56648,2025-09-17T21:30:42Z,"Parcel has an Origin Validation Error vulnerability","@parcel/reporter-dev-server",1.6.1,,2.16.3,MODERATE,CWE-346,
|
|
4099
4103
|
CVE-2025-57164,2025-09-15T19:51:08Z,"FlowiseAI Pre-Auth Arbitrary Code Execution",flowise,3.0.5,3.0.6,,CRITICAL,CWE-94,
|
|
4100
4104
|
CVE-2025-57283,2026-01-28T18:30:47Z,"BrowserStack Local vulnerable to Command Injection through logfile variable",browserstack-local,0,,1.5.8,MODERATE,CWE-77,
|
|
@@ -4335,7 +4339,7 @@ CVE-2025-65110,2026-01-05T22:56:59Z,"Vega XSS via expression abusing vlSelection
|
|
|
4335
4339
|
CVE-2025-65110,2026-01-05T22:56:59Z,"Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope",vega-selections,6.0.0,6.1.2,,HIGH,CWE-79,
|
|
4336
4340
|
CVE-2025-6514,2025-07-09T15:30:44Z,"mcp-remote exposed to OS command injection via untrusted MCP server connections",mcp-remote,0.0.5,0.1.16,,CRITICAL,CWE-78,
|
|
4337
4341
|
CVE-2025-6545,2025-06-23T22:41:50Z,"pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos",pbkdf2,3.0.10,3.1.3,,CRITICAL,CWE-20,
|
|
4338
|
-
CVE-2025-6547,2025-06-23T22:42:00Z,"pbkdf2 silently disregards Uint8Array input, returning static keys",pbkdf2,0,3.1.3,,CRITICAL,CWE-20,
|
|
4342
|
+
CVE-2025-6547,2025-06-23T22:42:00Z,"pbkdf2 silently disregards Uint8Array input, returning static keys",pbkdf2,1.0.0,3.1.3,,CRITICAL,CWE-20,
|
|
4339
4343
|
CVE-2025-65513,2025-12-10T00:30:22Z,"Fetch MCP Server has a Server-Side Request Forgery (SSRF) vulnerability",mcp-fetch-server,0,,1.0.2,MODERATE,CWE-918,
|
|
4340
4344
|
CVE-2025-65849,2025-12-08T21:30:22Z,"Altcha Proof-of-Work obfuscation mode cryptanalytic break",altcha,0.8.0,,2.2.4,MODERATE,CWE-327,
|
|
4341
4345
|
CVE-2025-65944,2025-11-24T21:52:45Z,"Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true`","@sentry/google-cloud-serverless",10.11.0,10.27.0,,MODERATE,CWE-201,
|
|
@@ -4395,6 +4399,7 @@ CVE-2025-66803,2026-01-20T18:58:15Z,"Turbo Frame responses can restore stale ses
|
|
|
4395
4399
|
CVE-2025-67364,2026-01-07T18:30:26Z,"fast-filesystem-mcp has a Path Traversal vulnerability",fast-filesystem-mcp,0,,3.4.0,HIGH,CWE-24,
|
|
4396
4400
|
CVE-2025-67419,2026-01-05T21:30:33Z,"evershop allows unauthenticated attackers to exhaust application server's resources via ""GET /images"" API",@evershop/evershop,0,,2.1.0,HIGH,CWE-1050,
|
|
4397
4401
|
CVE-2025-67427,2026-01-05T21:30:33Z,"evershop allows unauthenticated attackers to force server to initiate HTTP request via ""GET /images"" API",@evershop/evershop,0,,2.1.0,MODERATE,CWE-918,
|
|
4402
|
+
CVE-2025-67438,2026-02-20T18:31:33Z,"Sync-in Server has a stored cross-site scripting (XSS) vulnerability",@sync-in/server,0,1.9.3,,MODERATE,CWE-79,
|
|
4398
4403
|
CVE-2025-67489,2025-12-08T22:16:31Z,"@vitejs/plugin-rsc Remote Code Execution through unsafe dynamic imports in RSC server function APIs on development server",@vitejs/plugin-rsc,0,0.5.6,,CRITICAL,CWE-94,
|
|
4399
4404
|
CVE-2025-67490,2025-12-10T21:31:24Z,"Improper Request Caching Lookup in the Auth0 Next.js SDK",@auth0/nextjs-auth0,4.11.0,4.11.2,,MODERATE,CWE-863,
|
|
4400
4405
|
CVE-2025-67490,2025-12-10T21:31:24Z,"Improper Request Caching Lookup in the Auth0 Next.js SDK",@auth0/nextjs-auth0,4.12.0,4.12.1,,MODERATE,CWE-863,
|
|
@@ -4462,10 +4467,14 @@ CVE-2025-69256,2025-12-31T22:05:32Z,"serverless MCP Server vulnerable to Command
|
|
|
4462
4467
|
CVE-2025-69262,2026-01-07T18:51:07Z,"pnpm vulnerable to Command Injection via environment variable substitution",pnpm,6.25.0,10.27.0,,HIGH,CWE-78;CWE-94,
|
|
4463
4468
|
CVE-2025-69263,2026-01-07T19:06:59Z,"pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies",pnpm,0,10.26.0,,HIGH,CWE-494,
|
|
4464
4469
|
CVE-2025-69264,2026-01-07T19:07:43Z,"pnpm v10+ Bypass ""Dependency lifecycle scripts execution disabled by default""",pnpm,10.0.0,10.26.0,,HIGH,CWE-693,
|
|
4465
|
-
CVE-2025-
|
|
4470
|
+
CVE-2025-69287,2026-02-17T16:13:48Z,"BSV Blockchain SDK has an Authentication Signature Data Preparation Vulnerability",@bsv/sdk,0,2.0.0,,MODERATE,CWE-573,
|
|
4471
|
+
CVE-2025-69873,2026-02-11T21:30:39Z,"ajv has ReDoS when using `$data` option",ajv,0,6.14.0,,MODERATE,CWE-400,
|
|
4472
|
+
CVE-2025-69873,2026-02-11T21:30:39Z,"ajv has ReDoS when using `$data` option",ajv,7.0.0-alpha.0,8.18.0,,MODERATE,CWE-400,
|
|
4473
|
+
CVE-2025-69874,2026-02-11T18:31:30Z,"nanotar is vulnerable to path traversal in parseTar() and parseTarGzip()",nanotar,0,,0.2.0,MODERATE,CWE-22,
|
|
4474
|
+
CVE-2025-69970,2026-02-03T18:30:47Z,"FUXA contains an insecure default configuration vulnerability",fuxa-server,0,,1.2.7,HIGH,CWE-1188;CWE-306,
|
|
4466
4475
|
CVE-2025-69971,2026-02-03T18:30:47Z,"FUXA contains a hard-coded credential vulnerability",fuxa-server,0,,1.2.7,HIGH,CWE-798,
|
|
4467
|
-
CVE-2025-69981,2026-02-03T18:30:47Z,"FUXA contains an Unrestricted File Upload vulnerability",fuxa-server,0,,1.2.7,HIGH,CWE-306,
|
|
4468
|
-
CVE-2025-69983,2026-02-03T18:30:47Z,"FUXA allows Remote Code Execution (RCE) via the project import functionality.",fuxa-server,0,,1.2.7,HIGH,CWE-78,
|
|
4476
|
+
CVE-2025-69981,2026-02-03T18:30:47Z,"FUXA contains an Unrestricted File Upload vulnerability",fuxa-server,0,,1.2.7,HIGH,CWE-306;CWE-434,
|
|
4477
|
+
CVE-2025-69983,2026-02-03T18:30:47Z,"FUXA allows Remote Code Execution (RCE) via the project import functionality.",fuxa-server,0,,1.2.7,HIGH,CWE-78;CWE-94,
|
|
4469
4478
|
CVE-2025-7338,2025-07-17T21:01:54Z,"Multer vulnerable to Denial of Service via unhandled exception from malformed request",multer,1.4.4-lts.1,2.0.2,,HIGH,CWE-248,
|
|
4470
4479
|
CVE-2025-7339,2025-07-17T21:17:19Z,"on-headers is vulnerable to http response header manipulation",on-headers,0,1.1.0,,LOW,CWE-241,
|
|
4471
4480
|
CVE-2025-7783,2025-07-21T19:04:54Z,"form-data uses unsafe random function in form-data for choosing boundary",form-data,0,2.5.4,,CRITICAL,CWE-330,
|
|
@@ -4500,7 +4509,11 @@ CVE-2026-1470,2026-01-27T15:30:32Z,"n8n Unsafe Workflow Expression Evaluation Al
|
|
|
4500
4509
|
CVE-2026-1470,2026-01-27T15:30:32Z,"n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution",n8n,2.0.0,2.4.5,,CRITICAL,CWE-95,
|
|
4501
4510
|
CVE-2026-1470,2026-01-27T15:30:32Z,"n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution",n8n,2.5.0,2.5.1,,CRITICAL,CWE-95,
|
|
4502
4511
|
CVE-2026-1513,2026-01-28T03:30:30Z,"billboard.js is vulnerable to XSS during chart option binding",billboard.js,0,3.18.0,,HIGH,CWE-79,
|
|
4512
|
+
CVE-2026-1615,2026-02-09T06:30:28Z,"jsonpath has Arbitrary Code Injection via Unsafe Evaluation of JSON Path Expressions",jsonpath,0,,1.2.1,HIGH,CWE-94,
|
|
4503
4513
|
CVE-2026-1664,2026-02-03T18:42:01Z,"Cloudflare Agents SDK has Insecure Direct Object Reference (IDOR) via Header-Based Email Routing",agents,0,0.3.7,,MODERATE,CWE-639,
|
|
4514
|
+
CVE-2026-1721,2026-02-13T03:31:23Z,"Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler",agents,0,0.3.10,,MODERATE,CWE-79,
|
|
4515
|
+
CVE-2026-1774,2026-02-10T18:30:38Z,"CASL Ability is Vulnerable to Prototype Pollution",@casl/ability,2.4.0,6.7.5,,CRITICAL,CWE-1321,
|
|
4516
|
+
CVE-2026-2130,2026-02-08T03:30:27Z,"mcp-maigret vulnerable to command injection",mcp-maigret,0,1.0.13,,MODERATE,CWE-74;CWE-77,
|
|
4504
4517
|
CVE-2026-21440,2026-01-02T18:58:32Z,"AdonisJS Path Traversal in Multipart File Handling",@adonisjs/bodyparser,0,10.1.2,,CRITICAL,CWE-22,
|
|
4505
4518
|
CVE-2026-21440,2026-01-02T18:58:32Z,"AdonisJS Path Traversal in Multipart File Handling",@adonisjs/bodyparser,11.0.0-next.0,11.0.0-next.6,,CRITICAL,CWE-22,
|
|
4506
4519
|
CVE-2026-21852,2026-01-21T01:00:31Z,"Claude Code Leaks Data via Malicious Environment Configuration Before Trust Confirmation","@anthropic-ai/claude-code",0,2.0.65,,MODERATE,CWE-522,
|
|
@@ -4561,6 +4574,7 @@ CVE-2026-22817,2026-01-13T21:51:44Z,"Hono JWT Middleware's JWT Algorithm Confusi
|
|
|
4561
4574
|
CVE-2026-22818,2026-01-13T21:52:03Z,"Hono JWK Auth Middleware has JWT algorithm confusion when JWK lacks ""alg"" (untrusted header.alg fallback)",hono,0,4.11.4,,HIGH,CWE-347,
|
|
4562
4575
|
CVE-2026-22819,2026-01-13T21:53:30Z,"Outray has a Race Condition in the cli's webapp",outray,0,0.1.5,,MODERATE,CWE-366,
|
|
4563
4576
|
CVE-2026-22820,2026-01-13T21:53:44Z,"Outray cli is vulnerable to race conditions in tunnels creation",outray,0,0.1.5,,MODERATE,CWE-367,
|
|
4577
|
+
CVE-2026-2327,2026-02-12T06:30:13Z,"markdown-it is has a Regular Expression Denial of Service (ReDoS)",markdown-it,13.0.0,14.1.1,,MODERATE,CWE-1333,
|
|
4564
4578
|
CVE-2026-23515,2026-02-02T18:10:32Z,"Signal K set-system-time plugin vulnerable to RCE - Command Injection",@signalk/set-system-time,0,1.5.0,,CRITICAL,CWE-78,
|
|
4565
4579
|
CVE-2026-23522,2026-01-20T17:14:39Z,"Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion",@lobehub/chat,0,,1.143.2,LOW,CWE-284,
|
|
4566
4580
|
CVE-2026-23527,2026-01-15T20:10:51Z,"h3 v1 has Request Smuggling (TE.TE) issue",h3,0,1.15.5,,HIGH,CWE-444,
|
|
@@ -4589,6 +4603,7 @@ CVE-2026-23890,2026-01-26T21:02:39Z,"pnpm scoped bin name Path Traversal allows
|
|
|
4589
4603
|
CVE-2026-23897,2026-02-04T18:02:26Z,"Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`",@apollo/server,4.2.0,4.13.0,,HIGH,CWE-1333,
|
|
4590
4604
|
CVE-2026-23897,2026-02-04T18:02:26Z,"Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`",@apollo/server,5.0.0,5.4.0,,HIGH,CWE-1333,
|
|
4591
4605
|
CVE-2026-23897,2026-02-04T18:02:26Z,"Apollo Serve vulnerable to Denial of Service with `startStandaloneServer`",apollo-server,2.0.0,,3.13.0,HIGH,CWE-1333,
|
|
4606
|
+
CVE-2026-2391,2026-02-12T17:04:39Z,"qs's arrayLimit bypass in comma parsing allows denial of service",qs,6.7.0,6.14.2,,LOW,CWE-20,
|
|
4592
4607
|
CVE-2026-23947,2026-01-21T01:01:13Z,"Orval has a code injection via unsanitized x-enum-descriptions in enum generation",@orval/core,0,7.19.0,,CRITICAL,CWE-77,
|
|
4593
4608
|
CVE-2026-23947,2026-01-21T01:01:13Z,"Orval has a code injection via unsanitized x-enum-descriptions in enum generation",@orval/core,8.0.0-rc.0,8.0.2,,CRITICAL,CWE-77,
|
|
4594
4609
|
CVE-2026-23950,2026-01-21T01:05:49Z,"Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS",tar,0,7.5.4,,HIGH,CWE-176,
|
|
@@ -4629,6 +4644,7 @@ CVE-2026-24472,2026-01-27T19:04:17Z,"Hono cache middleware ignores ""Cache-Contr
|
|
|
4629
4644
|
CVE-2026-24473,2026-01-27T19:09:01Z,"Hono has an Arbitrary Key Read in Serve static Middleware (Cloudflare Workers Adapter)",hono,0,4.11.7,,MODERATE,CWE-200;CWE-284;CWE-668,
|
|
4630
4645
|
CVE-2026-24737,2026-02-02T18:29:49Z,"jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution",jspdf,0,4.1.0,,HIGH,CWE-116,
|
|
4631
4646
|
CVE-2026-24763,2026-02-02T23:39:47Z,"OpenClaw/Clawdbot Docker Execution has Authenticated Command Injection via PATH Environment Variable",clawdbot,0,2026.1.29,,HIGH,CWE-78,
|
|
4647
|
+
CVE-2026-24764,2026-02-17T18:40:11Z,"OpenClaw Affected by Remote Code Execution via System Prompt Injection in Slack Channel Descriptions",openclaw,0,2026.2.3,,LOW,CWE-74;CWE-94,
|
|
4632
4648
|
CVE-2026-24766,2026-01-28T21:41:26Z,"NocoDB has Prototype Pollution in Connection Test Endpoint, Leading to DoS",nocodb,0,0.301.0,,MODERATE,CWE-1321,
|
|
4633
4649
|
CVE-2026-24767,2026-01-28T21:41:18Z,"NocoDB has Blind SSRF via Unvalidated HEAD Request in uploadViaURL Functionality",nocodb,0,0.301.0,,MODERATE,CWE-918,
|
|
4634
4650
|
CVE-2026-24768,2026-01-28T21:41:10Z,"NocoDB has Unvalidated Redirect in Login Flow via continueAfterSignIn Parameter",nocodb,0,0.301.0,,MODERATE,CWE-601,
|
|
@@ -4661,10 +4677,10 @@ CVE-2026-25055,2026-02-04T19:36:29Z,"n8n Vulnerable to Arbitrary File Write on R
|
|
|
4661
4677
|
CVE-2026-25056,2026-02-04T19:39:41Z,"n8n Merge Node has Arbitrary File Write leading to RCE",n8n,0,1.118.0,,CRITICAL,CWE-434;CWE-693,
|
|
4662
4678
|
CVE-2026-25056,2026-02-04T19:39:41Z,"n8n Merge Node has Arbitrary File Write leading to RCE",n8n,2.0.0,2.4.0,,CRITICAL,CWE-434;CWE-693,
|
|
4663
4679
|
CVE-2026-25115,2026-02-04T19:42:03Z,"n8n has a Python sandbox escape",n8n,0,2.4.8,,CRITICAL,CWE-693,
|
|
4664
|
-
CVE-2026-25128,2026-01-30T20:10:14Z,"fast-xml-parser has RangeError DoS Numeric Entities Bug",fast-xml-parser,
|
|
4680
|
+
CVE-2026-25128,2026-01-30T20:10:14Z,"fast-xml-parser has RangeError DoS Numeric Entities Bug",fast-xml-parser,5.0.9,5.3.4,,HIGH,CWE-20;CWE-248,
|
|
4665
4681
|
CVE-2026-25141,2026-01-30T21:17:25Z,"Orval has Code Injection via unsanitized x-enum-descriptions using JS comments",@orval/core,7.19.0,7.21.0,,CRITICAL,CWE-84;CWE-94,
|
|
4666
4682
|
CVE-2026-25141,2026-01-30T21:17:25Z,"Orval has Code Injection via unsanitized x-enum-descriptions using JS comments",@orval/core,8.0.0,8.2.0,,CRITICAL,CWE-84;CWE-94,
|
|
4667
|
-
CVE-2026-25142,2026-02-02T20:17:39Z,"SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE",@nyariv/sandboxjs,0,0.8.27,,CRITICAL,CWE-94,
|
|
4683
|
+
CVE-2026-25142,2026-02-02T20:17:39Z,"SandboxJS Vulnerable to Prototype Pollution -> Sandbox Escape -> RCE",@nyariv/sandboxjs,0,0.8.27,,CRITICAL,CWE-1321;CWE-94,
|
|
4668
4684
|
CVE-2026-25148,2026-02-03T20:47:55Z,"Qwik SSR XSS via Unsafe Virtual Node Serialization",@builder.io/qwik-city,0,1.19.0,,MODERATE,CWE-79,
|
|
4669
4685
|
CVE-2026-25149,2026-02-03T20:58:25Z,"Qwik City Open Redirect via fixTrailingSlash",@builder.io/qwik-city,0,1.19.0,,LOW,CWE-601,
|
|
4670
4686
|
CVE-2026-25150,2026-02-03T20:49:22Z,"Prototype Pollution via FormData Processing in Qwik City",@builder.io/qwik-city,0,1.19.0,,CRITICAL,CWE-1321,
|
|
@@ -4679,11 +4695,14 @@ CVE-2026-25223,2026-02-02T22:23:29Z,"Fastify's Content-Type header tab character
|
|
|
4679
4695
|
CVE-2026-25224,2026-02-02T22:25:05Z,"Fastify Vulnerable to DoS via Unbounded Memory Allocation in sendWebStream",fastify,0,5.7.3,,LOW,CWE-770,
|
|
4680
4696
|
CVE-2026-25228,2026-02-02T22:26:31Z,"SignalK Server has Path Traversal leading to information disclosure",signalk-server,0,2.20.3,,MODERATE,CWE-22,
|
|
4681
4697
|
CVE-2026-25253,2026-02-02T23:41:05Z,"OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl",clawdbot,0,2026.1.29,,HIGH,CWE-668,
|
|
4698
|
+
CVE-2026-25474,2026-02-17T18:46:16Z,"OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass",openclaw,0,2026.2.1,,HIGH,CWE-345,
|
|
4682
4699
|
CVE-2026-25475,2026-02-04T19:02:51Z,"OpenClaw Vulnerable to Local File Inclusion via MEDIA: Path Extraction",openclaw,0,2026.1.30,,MODERATE,CWE-200;CWE-22,
|
|
4683
4700
|
CVE-2026-25520,2026-02-05T20:41:28Z,"@nyariv/sandboxjs has a Sandbox Escape issue",@nyariv/sandboxjs,0,0.8.29,,CRITICAL,CWE-74,
|
|
4684
4701
|
CVE-2026-25521,2026-02-02T22:21:54Z,"locutus is vulnerable to Prototype Pollution",locutus,2.0.12,2.0.39,,CRITICAL,CWE-1321,
|
|
4702
|
+
CVE-2026-25528,2026-02-09T20:36:59Z,"LangSmith Client SDK Affected by Server-Side Request Forgery via Tracing Header Injection",langsmith,0.3.41,0.4.6,,MODERATE,CWE-918,
|
|
4685
4703
|
CVE-2026-25533,2026-02-05T17:49:35Z,"Sandbox escape via infinite recursion and error objects",@enclave-vm/core,0,2.10.1,,MODERATE,CWE-835,
|
|
4686
4704
|
CVE-2026-25533,2026-02-05T17:49:35Z,"Sandbox escape via infinite recursion and error objects",enclave-vm,0,,2.7.0,MODERATE,CWE-835,
|
|
4705
|
+
CVE-2026-25535,2026-02-19T15:25:48Z,"jsPDF Affected by Client-Side/Server-Side Denial of Service via Malicious GIF Dimensions",jspdf,0,4.2.0,,HIGH,CWE-770,
|
|
4687
4706
|
CVE-2026-25536,2026-02-04T20:04:16Z,"@modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse","@modelcontextprotocol/sdk",1.10.0,1.26.0,,HIGH,CWE-362,
|
|
4688
4707
|
CVE-2026-25544,2026-02-05T20:51:38Z,"@payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters",@payloadcms/drizzle,0,3.73.0,,CRITICAL,CWE-89,
|
|
4689
4708
|
CVE-2026-25546,2026-02-04T20:02:32Z,"godot-mcp has Command Injection via unsanitized projectPath",@coding-solo/godot-mcp,0,0.1.1,,HIGH,CWE-78,
|
|
@@ -4695,7 +4714,9 @@ CVE-2026-25587,2026-02-05T21:05:59Z,"@nyariv/sandboxjs has a Sandbox Escape vuln
|
|
|
4695
4714
|
CVE-2026-25593,2026-02-04T20:06:46Z,"OpenClaw vulnerable to Unauthenticated Local RCE via WebSocket config.apply",openclaw,0,2026.1.20,,HIGH,CWE-20;CWE-306;CWE-78,
|
|
4696
4715
|
CVE-2026-25630,2026-02-04T20:07:34Z,"survey-pdf Upgraded jsPDF Version Due to Security Vulnerability",survey-pdf,0,1.12.59,,CRITICAL,CWE-35;CWE-73,
|
|
4697
4716
|
CVE-2026-25630,2026-02-04T20:07:34Z,"survey-pdf Upgraded jsPDF Version Due to Security Vulnerability",survey-pdf,2.0.0,2.5.5,,CRITICAL,CWE-35;CWE-73,
|
|
4698
|
-
CVE-2026-25631,2026-02-04T20:33:27Z,"n8n's domain allowlist bypass enables credential exfiltration",n8n,0,1.121.0,,MODERATE,CWE-20,
|
|
4717
|
+
CVE-2026-25631,2026-02-04T20:33:27Z,"n8n's domain allowlist bypass enables credential exfiltration",n8n,0,1.121.0,,MODERATE,CWE-20;CWE-522,
|
|
4718
|
+
CVE-2026-25639,2026-02-09T17:46:14Z,"Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",axios,0,0.30.3,,HIGH,CWE-754,
|
|
4719
|
+
CVE-2026-25639,2026-02-09T17:46:14Z,"Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig",axios,1.0.0,1.13.5,,HIGH,CWE-754,
|
|
4699
4720
|
CVE-2026-25641,2026-02-05T21:33:04Z,"@nyariv/sandboxjs vulnerable to sandbox escape via TOCTOU bug on keys in property accesses",@nyariv/sandboxjs,0,0.8.29,,CRITICAL,CWE-367;CWE-74,
|
|
4700
4721
|
CVE-2026-25651,2026-02-06T18:54:33Z,"client-certificate-auth Vulnerable to Open Redirect via Host Header Injection in HTTP-to-HTTPS redirect",client-certificate-auth,0.2.1,1.0.0,,MODERATE,CWE-601,
|
|
4701
4722
|
CVE-2026-25722,2026-02-06T19:02:41Z,"Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection","@anthropic-ai/claude-code",0,2.0.57,,HIGH,CWE-20;CWE-78,
|
|
@@ -4706,8 +4727,82 @@ CVE-2026-25751,2026-02-05T00:33:44Z,"FUXA Unauthenticated Exposure of Plaintext
|
|
|
4706
4727
|
CVE-2026-25752,2026-02-05T00:38:25Z,"FUXA Unauthenticated Remote Arbitrary Device Tag Write",fuxa-server,0,1.2.10,,CRITICAL,CWE-862,
|
|
4707
4728
|
CVE-2026-25754,2026-02-06T19:27:30Z,"AdonisJS multipart body parsing has Prototype Pollution issue",@adonisjs/bodyparser,0,10.1.3,,HIGH,CWE-1321,
|
|
4708
4729
|
CVE-2026-25754,2026-02-06T19:27:30Z,"AdonisJS multipart body parsing has Prototype Pollution issue",@adonisjs/bodyparser,11.0.0-next.0,11.0.0-next.9,,HIGH,CWE-1321,
|
|
4730
|
+
CVE-2026-25755,2026-02-19T19:32:36Z,"jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method",jspdf,0,4.2.0,,HIGH,CWE-116;CWE-94,
|
|
4709
4731
|
CVE-2026-25762,2026-02-06T19:53:55Z,"AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection",@adonisjs/bodyparser,0,10.1.3,,HIGH,CWE-400;CWE-770,
|
|
4710
4732
|
CVE-2026-25762,2026-02-06T19:53:55Z,"AdonisJS vulnerable to Denial of Service (DoS) via Unrestricted Memory Buffering in PartHandler during File Type Detection",@adonisjs/bodyparser,11.0.0-next.0,11.0.0-next.9,,HIGH,CWE-400;CWE-770,
|
|
4733
|
+
CVE-2026-25881,2026-02-10T00:24:53Z,"@nyariv/sandboxjs has host prototype pollution from sandbox via array intermediary (sandbox escape)",@nyariv/sandboxjs,0,0.8.31,,CRITICAL,CWE-1321,
|
|
4734
|
+
CVE-2026-25893,2026-02-05T00:27:53Z,"FUXA Unauthenticated Remote Code Execution via Admin JWT Minting",fuxa-server,0,1.2.10,,CRITICAL,CWE-285;CWE-287,
|
|
4735
|
+
CVE-2026-25894,2026-02-05T00:36:30Z,"FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration",fuxa-server,0,1.2.10,,CRITICAL,CWE-1188;CWE-321,
|
|
4736
|
+
CVE-2026-25895,2026-02-05T00:37:30Z,"FUXA Unauthenticated Remote Code Execution via Arbitrary File Write in Upload API",fuxa-server,0,1.2.10,,CRITICAL,CWE-22;CWE-306,
|
|
4737
|
+
CVE-2026-25896,2026-02-20T18:23:54Z,"fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names",fast-xml-parser,4.1.3,5.3.5,,CRITICAL,CWE-185,
|
|
4738
|
+
CVE-2026-25918,2026-02-10T00:25:32Z,"unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command)","@rage-against-the-pixel/unity-cli",0,1.8.2,,MODERATE,CWE-352;CWE-532,
|
|
4739
|
+
CVE-2026-25938,2026-02-10T00:27:31Z,"FUXA Unauthenticated Remote Code Execution in Node-RED Integration",fuxa-server,1.2.8,1.2.11,,CRITICAL,CWE-290;CWE-306,
|
|
4740
|
+
CVE-2026-25939,2026-02-10T00:28:28Z,"FUXA Unauthenticated Remote Arbitrary Scheduler Write",fuxa-server,1.2.8,1.2.11,,CRITICAL,CWE-862,
|
|
4741
|
+
CVE-2026-25940,2026-02-19T19:32:48Z,"jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and ""AS"" property)",jspdf,0,4.2.0,,HIGH,CWE-116,
|
|
4742
|
+
CVE-2026-25951,2026-02-10T00:29:00Z,"FUXA Affected by a Path Traversal Sanitization Bypass",fuxa-server,0,1.2.11,,HIGH,CWE-184;CWE-22;CWE-23,
|
|
4743
|
+
CVE-2026-25957,2026-02-10T00:29:13Z,"Cube Core is vulnerable to Denial of Service (DoS) via crafted request","@cubejs-backend/server-core",1.1.17,1.4.2,,MODERATE,CWE-755,
|
|
4744
|
+
CVE-2026-25957,2026-02-10T00:29:13Z,"Cube Core is vulnerable to Denial of Service (DoS) via crafted request","@cubejs-backend/server-core",1.5.0,1.5.13,,MODERATE,CWE-755,
|
|
4745
|
+
CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escalation via a specially crafted request","@cubejs-backend/server-core",0.27.19,1.0.14,,HIGH,CWE-807,
|
|
4746
|
+
CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escalation via a specially crafted request","@cubejs-backend/server-core",1.1.0,1.4.2,,HIGH,CWE-807,
|
|
4747
|
+
CVE-2026-25958,2026-02-10T00:29:07Z,"Cube Core is vulnerable to privilege escalation via a specially crafted request","@cubejs-backend/server-core",1.5.0,1.5.13,,HIGH,CWE-807,
|
|
4748
|
+
CVE-2026-26019,2026-02-11T15:13:20Z,"@langchain/community affected by SSRF Bypass in RecursiveUrlLoader via insufficient URL origin validation",@langchain/community,0,1.1.14,,MODERATE,CWE-918,
|
|
4749
|
+
CVE-2026-26021,2026-02-11T15:13:28Z,"set-in Affected by Prototype Pollution",set-in,2.0.1,2.0.5,,CRITICAL,CWE-1321,
|
|
4750
|
+
CVE-2026-26063,2026-02-12T17:04:50Z,"CediPay Affected by Improper Input Validation in Payment Processing",cedipay-core,0,1.2.3,,HIGH,CWE-20,
|
|
4751
|
+
CVE-2026-26185,2026-02-12T22:13:04Z,"Directus Vulnerable to User Enumeration via Password Reset Timing Attack",@directus/api,0,32.2.0,,MODERATE,CWE-203,
|
|
4752
|
+
CVE-2026-26185,2026-02-12T22:13:04Z,"Directus Vulnerable to User Enumeration via Password Reset Timing Attack",directus,0,11.14.1,,MODERATE,CWE-203,
|
|
4753
|
+
CVE-2026-26226,2026-02-13T18:31:25Z,"beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS)",beautiful-mermaid,0,0.1.3,,MODERATE,CWE-79,
|
|
4754
|
+
CVE-2026-26278,2026-02-17T21:30:10Z,"fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit)",fast-xml-parser,4.1.3,5.3.6,,HIGH,CWE-776,
|
|
4755
|
+
CVE-2026-26280,2026-02-18T21:51:26Z,"Systeminformation has a Command Injection via unsanitized interface parameter in wifi.js retry path",systeminformation,0,5.30.8,,HIGH,CWE-78,
|
|
4756
|
+
CVE-2026-26316,2026-02-17T21:33:51Z,"OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust",@openclaw/bluebubbles,0,2026.2.13,,HIGH,CWE-863,
|
|
4757
|
+
CVE-2026-26316,2026-02-17T21:33:51Z,"OpenClaw BlueBubbles webhook auth bypass via loopback proxy trust",openclaw,0,2026.2.13,,HIGH,CWE-863,
|
|
4758
|
+
CVE-2026-26317,2026-02-18T00:53:59Z,"OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints",clawdbot,0,,2026.1.24-3,HIGH,CWE-352,
|
|
4759
|
+
CVE-2026-26317,2026-02-18T00:53:59Z,"OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints",openclaw,0,2026.2.14,,HIGH,CWE-352,
|
|
4760
|
+
CVE-2026-26318,2026-02-18T22:36:50Z,"Command Injection via Unsanitized `locate` Output in `versions()` — systeminformation",systeminformation,0,5.31.0,,HIGH,CWE-78,
|
|
4761
|
+
CVE-2026-26319,2026-02-17T21:40:46Z,"OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests",openclaw,0,2026.2.14,,HIGH,CWE-306,
|
|
4762
|
+
CVE-2026-26320,2026-02-17T21:41:40Z,"OpenClaw macOS deep link confirmation truncation can conceal executed agent message",openclaw,2026.2.6-0,2026.2.14,,HIGH,CWE-451,
|
|
4763
|
+
CVE-2026-26321,2026-02-17T21:41:52Z,"OpenClaw has a local file disclosure via sendMediaFeishu in Feishu extension",openclaw,0,2026.2.14,,HIGH,CWE-22,
|
|
4764
|
+
CVE-2026-26322,2026-02-17T21:42:15Z,"OpenClaw Gateway tool allowed unrestricted gatewayUrl override",openclaw,0,2026.2.14,,HIGH,CWE-918,
|
|
4765
|
+
CVE-2026-26323,2026-02-18T00:46:54Z,"OpenClaw has a command injection in maintainer clawtributors updater",openclaw,2026.1.8,2026.2.14,,HIGH,CWE-78,
|
|
4766
|
+
CVE-2026-26324,2026-02-17T21:42:40Z,"OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)",openclaw,0,2026.2.14,,HIGH,CWE-918,
|
|
4767
|
+
CVE-2026-26325,2026-02-17T21:42:49Z,"OpenClaw Node host system.run rawCommand/command mismatch can bypass allowlist/approvals",openclaw,0,2026.2.14,,HIGH,CWE-284,
|
|
4768
|
+
CVE-2026-26326,2026-02-17T21:43:41Z,"OpenClaw skills.status could leak secrets to operator.read clients",openclaw,0,2026.2.14,,MODERATE,CWE-200,
|
|
4769
|
+
CVE-2026-26327,2026-02-18T00:33:35Z,"OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning",openclaw,0,2026.2.14,,HIGH,CWE-345,
|
|
4770
|
+
CVE-2026-26328,2026-02-18T00:43:54Z,"OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities",clawdbot,0,2026.2.14,,MODERATE,CWE-284;CWE-863,
|
|
4771
|
+
CVE-2026-26328,2026-02-18T00:43:54Z,"OpenClaw iMessage group allowlist authorization inherited DM pairing-store identities",openclaw,0,2026.2.14,,MODERATE,CWE-284;CWE-863,
|
|
4772
|
+
CVE-2026-26329,2026-02-18T00:46:49Z,"OpenClaw has a path traversal in browser upload allows local file read",openclaw,0,2026.2.14,,HIGH,CWE-22,
|
|
4773
|
+
CVE-2026-26960,2026-02-18T00:57:13Z,"Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction",tar,0,7.5.8,,HIGH,CWE-22,
|
|
4774
|
+
CVE-2026-26972,2026-02-18T17:37:52Z,"OpenClaw has a Path Traversal in Browser Download Functionality",openclaw,2026.1.12,2026.2.13,,MODERATE,CWE-22,
|
|
4775
|
+
CVE-2026-26974,2026-02-18T21:45:06Z,"Improper Control of Generation of Code ('Code Injection') in @tygo-van-den-hurk/slyde",@tygo-van-den-hurk/slyde,0,0.0.5,,HIGH,CWE-829,
|
|
4776
|
+
CVE-2026-26980,2026-02-18T21:50:23Z,"Ghost has a SQL injection in Content API",ghost,3.24.0,6.19.1,,CRITICAL,CWE-89,
|
|
4777
|
+
CVE-2026-26996,2026-02-18T22:38:11Z,"minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",minimatch,0,10.2.1,,HIGH,CWE-1333,
|
|
4778
|
+
CVE-2026-27001,2026-02-18T22:42:29Z,"OpenClaw: Unsanitized CWD path injection into LLM prompts",openclaw,0,2026.2.15,,HIGH,CWE-77,
|
|
4779
|
+
CVE-2026-27002,2026-02-18T22:42:42Z,"OpenClaw: Docker container escape via unvalidated bind mount config injection",openclaw,0,2026.2.15,,HIGH,CWE-250,
|
|
4780
|
+
CVE-2026-27003,2026-02-18T22:43:21Z,"OpenClaw: Telegram bot token exposure via logs",openclaw,0,2026.2.15,,MODERATE,CWE-522,
|
|
4781
|
+
CVE-2026-27004,2026-02-18T22:43:53Z,"OpenClaw session tool visibility hardening and Telegram webhook secret fallback",openclaw,0,2026.2.15,,MODERATE,CWE-209;CWE-346,
|
|
4782
|
+
CVE-2026-27007,2026-02-18T22:44:10Z,"OpenClaw's sandbox config hash sorted primitive arrays and suppressed needed container recreation",openclaw,0,2026.2.15,,MODERATE,CWE-1254,
|
|
4783
|
+
CVE-2026-27008,2026-02-18T22:44:18Z,"OpenClaw hardened the skill download target directory validation",openclaw,0,2026.2.15,,MODERATE,CWE-73,
|
|
4784
|
+
CVE-2026-27009,2026-02-18T22:44:33Z,"OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline script injection",openclaw,0,2026.2.15,,MODERATE,CWE-79,
|
|
4785
|
+
CVE-2026-27013,2026-02-18T22:44:58Z,"Fabric.js Affected by Stored XSS via SVG Export",fabric,0,7.2.0,,HIGH,CWE-116;CWE-79,
|
|
4786
|
+
CVE-2026-27022,2026-02-18T22:40:09Z,"RediSearch Query Injection in @langchain/langgraph-checkpoint-redis","@langchain/langgraph-checkpoint-redis",0,1.0.2,,MODERATE,CWE-74,
|
|
4787
|
+
CVE-2026-27118,2026-02-19T15:18:02Z,"Cache poisoning in @sveltejs/adapter-vercel",@sveltejs/adapter-vercel,0,6.3.2,,MODERATE,CWE-346,
|
|
4788
|
+
CVE-2026-27119,2026-02-19T15:18:19Z,"Svelte affected by XSS in SSR `<option>` element",svelte,5.39.3,5.51.5,,MODERATE,CWE-79,
|
|
4789
|
+
CVE-2026-27121,2026-02-19T15:18:33Z,"Svelte affected by cross-site scripting via spread attributes in Svelte SSR",svelte,0,5.51.5,,MODERATE,CWE-79,
|
|
4790
|
+
CVE-2026-27122,2026-02-19T15:18:42Z,"Svelte SSR does not validate dynamic element tag names in `<svelte:element>`",svelte,0,5.51.5,,MODERATE,CWE-79,
|
|
4791
|
+
CVE-2026-27125,2026-02-19T20:28:49Z,"Svelte SSR attribute spreading includes inherited properties from prototype chain",svelte,0,5.51.5,,MODERATE,CWE-915,
|
|
4792
|
+
CVE-2026-27191,2026-02-19T20:32:15Z,"Feathers has an open redirect in OAuth callback enables account takeover","@feathersjs/authentication-oauth",0,5.0.40,,HIGH,CWE-601,
|
|
4793
|
+
CVE-2026-27192,2026-02-19T20:32:28Z,"Feathers has an origin validation bypass via prefix matching","@feathersjs/authentication-oauth",0,5.0.40,,HIGH,CWE-346,
|
|
4794
|
+
CVE-2026-27193,2026-02-19T20:32:37Z,"Feathers exposes internal headers via unencrypted session cookie","@feathersjs/authentication-oauth",0,5.0.40,,HIGH,CWE-200,
|
|
4795
|
+
CVE-2026-27203,2026-02-19T20:27:11Z,"eBay API MCP Server Affected by Environment Variable Injection ",ebay-mcp,0,,1.7.2,HIGH,CWE-15;CWE-74,
|
|
4796
|
+
CVE-2026-27210,2026-02-19T20:44:48Z,"Pannellum has a XSS vulnerability in hot spot attributes",pannellum,2.5.0,2.5.7,,MODERATE,CWE-79,
|
|
4797
|
+
CVE-2026-27212,2026-02-19T20:28:35Z,"Prototype pollution in swiper",swiper,6.5.1,12.1.2,,CRITICAL,CWE-1321,
|
|
4798
|
+
CVE-2026-2739,2026-02-20T06:30:39Z,"bn.js affected by an infinite loop",bn.js,0,5.2.3,,MODERATE,CWE-835,
|
|
4799
|
+
CVE-2026-27484,2026-02-20T21:02:31Z,"OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows",openclaw,0,2026.2.18,,LOW,CWE-862,
|
|
4800
|
+
CVE-2026-27485,2026-02-20T21:05:45Z,"OpenClaw: Reject symlinks in local skill packaging script",openclaw,0,2026.2.19,,MODERATE,CWE-61,
|
|
4801
|
+
CVE-2026-27486,2026-02-18T17:41:09Z,"OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup",openclaw,0,2026.2.14,,MODERATE,CWE-283,
|
|
4802
|
+
CVE-2026-27487,2026-02-18T17:39:00Z,"OpenClaw: Prevent shell injection in macOS keychain credential write",openclaw,0,2026.2.14,,HIGH,CWE-78,
|
|
4803
|
+
CVE-2026-27488,2026-02-20T21:13:03Z,"OpenClaw hardened cron webhook delivery against SSRF",openclaw,0,2026.2.19,,MODERATE,CWE-918,
|
|
4804
|
+
CVE-2026-27492,2026-02-20T21:14:49Z,"Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused",lettermint,0,1.5.1,,MODERATE,CWE-488,
|
|
4805
|
+
CVE-2026-27576,2026-02-20T21:52:44Z,"OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs",openclaw,0,2026.2.19,,MODERATE,CWE-400,
|
|
4711
4806
|
GHSA-224h-p7p5-rh85,2020-09-01T17:32:26Z,"Directory Traversal in wenluhong1",wenluhong1,0.0.0,,,HIGH,CWE-22,
|
|
4712
4807
|
GHSA-224p-v68g-5g8f,2025-08-26T18:45:55Z,"GraphQL Armor Max-Depth Plugin Bypass via fragment caching","@escape.tech/graphql-armor-max-depth",0,2.4.2,,MODERATE,CWE-400,
|
|
4713
4808
|
GHSA-226w-6hhj-69hp,2020-09-03T19:06:52Z,"Malicious Package in cal_rd",cal_rd,0.0.0,,,CRITICAL,CWE-506,
|
|
@@ -4715,6 +4810,9 @@ GHSA-22h7-7wwg-qmgg,2020-09-04T17:56:39Z,"Prototype Pollution in @hapi/hoek",@ha
|
|
|
4715
4810
|
GHSA-22h7-7wwg-qmgg,2020-09-04T17:56:39Z,"Prototype Pollution in @hapi/hoek",@hapi/hoek,9.0.0,9.0.3,,LOW,CWE-1321,
|
|
4716
4811
|
GHSA-22q9-hqm5-mhmc,2020-09-11T21:22:24Z,"Cross-Site Scripting in swagger-ui",swagger-ui,0,2.2.1,,MODERATE,CWE-79,
|
|
4717
4812
|
GHSA-22rr-f3p8-5gf8,2023-09-15T17:12:42Z,"Directus affected by VM2 sandbox escape vulnerability",directus,0,10.6.0,,HIGH,,
|
|
4813
|
+
GHSA-236c-vhj4-gfxg,2022-05-25T00:00:31Z,"Duplicate Advisory: Embedded malware in ua-parser-js",ua-parser-js,0.7.29,0.7.30,,HIGH,CWE-829;CWE-912,
|
|
4814
|
+
GHSA-236c-vhj4-gfxg,2022-05-25T00:00:31Z,"Duplicate Advisory: Embedded malware in ua-parser-js",ua-parser-js,0.8.0,0.8.1,,HIGH,CWE-829;CWE-912,
|
|
4815
|
+
GHSA-236c-vhj4-gfxg,2022-05-25T00:00:31Z,"Duplicate Advisory: Embedded malware in ua-parser-js",ua-parser-js,1.0.0,1.0.1,,HIGH,CWE-829;CWE-912,
|
|
4718
4816
|
GHSA-23q2-5gf8-gjpp,2024-04-19T17:26:32Z,"Enabling Authentication does not close all logged in socket connections immediately ",uptime-kuma,0,1.23.12,,LOW,CWE-384,
|
|
4719
4817
|
GHSA-23vw-mhv5-grv5,2020-09-03T15:48:43Z,"Denial of Service in @hapi/hapi",@hapi/hapi,0,18.4.1,,HIGH,,
|
|
4720
4818
|
GHSA-23vw-mhv5-grv5,2020-09-03T15:48:43Z,"Denial of Service in @hapi/hapi",@hapi/hapi,19.0.0,19.1.1,,HIGH,,
|
|
@@ -4758,9 +4856,10 @@ GHSA-2w9p-xf5h-qwj3,2023-03-27T03:30:16Z,"Duplicate Advisory: pullit Command Inj
|
|
|
4758
4856
|
GHSA-2xv3-h762-ccxv,2019-05-29T19:18:02Z,"Out-of-bounds Read in concat-with-sourcemaps",concat-with-sourcemaps,1.0.0,1.0.6,,MODERATE,CWE-125,
|
|
4759
4857
|
GHSA-2xw5-3767-qxvm,2020-09-11T21:21:20Z,"Malicious Package in ng-ui-library",ng-ui-library,1.0.987,1.0.990,,CRITICAL,CWE-506,
|
|
4760
4858
|
GHSA-3233-rgx3-c2wh,2018-10-09T00:38:09Z,"Moderate severity vulnerability that affects mustache",mustache,0,2.2.1,,MODERATE,,
|
|
4761
|
-
GHSA-32cc-x95p-fxcg,2026-02-05T00:36:30Z,"FUXA Unauthenticated Remote Code Execution via Hardcoded JWT Secret in Default Configuration",fuxa-server,0,1.2.10,,CRITICAL,CWE-1188;CWE-321,
|
|
4762
4859
|
GHSA-32vw-r77c-gm67,2020-08-03T17:57:05Z,"Withdrawn Advisory: marked cross-site scripting vulnerability",marked,0,0.3.3,,MODERATE,,
|
|
4763
4860
|
GHSA-33gc-f8v9-v8hm,2020-09-01T20:41:40Z,"Malicious Package in ladder-text-js",ladder-text-js,0,,,CRITICAL,CWE-506,
|
|
4861
|
+
GHSA-33hq-fvwr-56pm,2026-02-19T20:29:30Z,"devalue affected by CPU and memory amplification from sparse arrays",devalue,0,5.6.3,,LOW,CWE-770,
|
|
4862
|
+
GHSA-33rq-m5x2-fvgf,2026-02-17T21:37:55Z,"OpenClaw Twitch allowFrom is not enforced in optional plugin, unauthorized chat users can trigger agent pipeline",openclaw,2026.1.29,2026.2.1,,HIGH,CWE-285,
|
|
4764
4863
|
GHSA-353r-3v84-9pjj,2020-09-01T20:40:36Z,"Malicious Package in nothing-js",nothing-js,0,,,CRITICAL,CWE-506,
|
|
4765
4864
|
GHSA-365g-vjw2-grx8,2025-10-09T15:26:59Z,"n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host",n8n,0,,1.114.4,HIGH,CWE-78,
|
|
4766
4865
|
GHSA-365g-vjw2-grx8,2025-10-09T15:26:59Z,"n8n: Execute Command Node Allows Authenticated Users to Run Arbitrary Commands on Host",n8n-nodes-base,0,,1.113.0,HIGH,CWE-78,
|
|
@@ -4785,10 +4884,13 @@ GHSA-3g4j-r53p-22wx,2025-10-17T18:31:09Z,"Duplicate Advisory: FlowiseAI Pre-Auth
|
|
|
4785
4884
|
GHSA-3gpc-w23c-w59w,2020-09-04T15:02:06Z,"Sandbox Breakout / Arbitrary Code Execution in pitboss-ng",pitboss-ng,0,2.0.0,,CRITICAL,,
|
|
4786
4885
|
GHSA-3h99-v4qw-p2h5,2020-09-03T19:41:56Z,"Malicious Package in coinpayment",coinpayment,0.0.0,,,CRITICAL,CWE-506,
|
|
4787
4886
|
GHSA-3h9m-9g3g-5wqx,2020-09-03T22:13:14Z,"Malicious Package in buffer-xov",buffer-xov,0.0.0,,,CRITICAL,CWE-506,
|
|
4887
|
+
GHSA-3hcm-ggvf-rch5,2026-02-17T16:46:12Z,"OpenClaw has an exec allowlist bypass via command substitution/backticks inside double quotes",openclaw,0,2026.2.2,,HIGH,CWE-78,
|
|
4788
4888
|
GHSA-3j63-5h8p-gf7c,2025-08-20T20:51:55Z,"x402 SDK vulnerable in outdated versions in resource servers for builders",x402,0,0.5.2,,HIGH,,
|
|
4789
4889
|
GHSA-3j63-5h8p-gf7c,2025-08-20T20:51:55Z,"x402 SDK vulnerable in outdated versions in resource servers for builders",x402-express,0,0.5.2,,HIGH,,
|
|
4790
4890
|
GHSA-3j63-5h8p-gf7c,2025-08-20T20:51:55Z,"x402 SDK vulnerable in outdated versions in resource servers for builders",x402-hono,0,0.5.2,,HIGH,,
|
|
4791
4891
|
GHSA-3j63-5h8p-gf7c,2025-08-20T20:51:55Z,"x402 SDK vulnerable in outdated versions in resource servers for builders",x402-next,0,0.5.2,,HIGH,,
|
|
4892
|
+
GHSA-3m3q-x3gj-f79x,2026-02-17T21:31:58Z,"OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations",@clawdbot/voice-call,0,,2026.1.24,MODERATE,CWE-287,
|
|
4893
|
+
GHSA-3m3q-x3gj-f79x,2026-02-17T21:31:58Z,"OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations",@openclaw/voice-call,0,2026.2.3,,MODERATE,CWE-287,
|
|
4792
4894
|
GHSA-3mhm-jvqj-fvhg,2020-09-03T23:09:37Z,"Malicious Package in js-sia3",js-sia3,0.0.0,,,CRITICAL,CWE-506,
|
|
4793
4895
|
GHSA-3mpp-xfvh-qh37,2022-03-16T23:54:35Z,"node-ipc behavior change",node-ipc,11.0.0,12.0.0,,LOW,,
|
|
4794
4896
|
GHSA-3p92-886g-qxpq,2019-06-04T15:42:32Z,"Remote Memory Exposure in floody",floody,0,0.1.1,,MODERATE,CWE-201,
|
|
@@ -4803,6 +4905,7 @@ GHSA-43vf-2x6g-p2m5,2020-09-02T21:33:26Z,"Malicious Package in browserift",brows
|
|
|
4803
4905
|
GHSA-44vf-8ffm-v2qh,2020-09-02T15:42:47Z,"Sensitive Data Exposure in rails-session-decoder",rails-session-decoder,0.0.0,,,HIGH,,
|
|
4804
4906
|
GHSA-457r-cqc8-9vj9,2022-11-23T15:39:50Z,"sweetalert2 v10.16.10 and above contains hidden functionality",sweetalert2,10.16.10,11.22.4,,LOW,CWE-912,
|
|
4805
4907
|
GHSA-4627-w373-375v,2020-09-11T21:22:24Z,"Malicious Package in grunt-radical",grunt-radical,0.0.14,0.0.13,,CRITICAL,,
|
|
4908
|
+
GHSA-4685-c5cp-vp95,2026-02-19T22:06:00Z,"OpenClaw safeBins stdin-only bypass via sort output and recursive grep flags",openclaw,0,2026.2.19,,LOW,CWE-184;CWE-78,
|
|
4806
4909
|
GHSA-46fh-8fc5-xcwx,2020-09-03T18:09:16Z,"Prototype Pollution in lodash.defaultsdeep",lodash.defaultsdeep,0,4.6.1,,HIGH,CWE-1321,
|
|
4807
4910
|
GHSA-46j5-6fg5-4gv3,2025-12-18T09:30:30Z,"Duplicate Advisory: Nodemailer is vulnerable to DoS through Uncontrolled Recursion",nodemailer,0,7.0.11,,MODERATE,CWE-674;CWE-703,
|
|
4808
4911
|
GHSA-4859-gpc7-4j66,2019-06-05T21:24:29Z,"Command Injection in dot",dot,0,,1.1.2,MODERATE,CWE-77,
|
|
@@ -4836,6 +4939,7 @@ GHSA-4qhx-g9wp-g9m6,2019-06-14T16:09:01Z,"Failure to sanitize quotes which can l
|
|
|
4836
4939
|
GHSA-4qqc-mp5f-ccv4,2020-09-02T15:05:51Z,"Command Injection in bestzip",bestzip,0,2.1.7,,CRITICAL,CWE-77,
|
|
4837
4940
|
GHSA-4r97-78gf-q24v,2020-09-04T17:53:27Z,"Duplicate Advisory: Prototype Pollution in klona",klona,0,1.1.1,,HIGH,CWE-1321,
|
|
4838
4941
|
GHSA-4rgj-8mq3-hggj,2020-09-03T20:32:11Z,"Denial of Service in @hapi/subtext",@hapi/subtext,0,6.1.2,,HIGH,CWE-400,
|
|
4942
|
+
GHSA-4rj2-gpmh-qq5x,2026-02-17T21:36:34Z,"OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)",openclaw,0,2026.2.2,,CRITICAL,CWE-287,
|
|
4839
4943
|
GHSA-4vcf-q4xf-f48m,2025-11-25T21:42:53Z,"Better Auth Passkey Plugin allows passkey deletion through IDOR",@better-auth/passkey,0,1.4.0,,HIGH,CWE-284;CWE-639,
|
|
4840
4944
|
GHSA-4vjr-crvh-383h,2023-09-27T20:17:00Z,"@napi-rs/image affected by libwebp CVE",@napi-rs/image,0,1.7.0,,HIGH,,
|
|
4841
4945
|
GHSA-4vmm-mhcq-4x9j,2019-06-14T16:15:14Z,"Sandbox Bypass Leading to Arbitrary Code Execution in constantinople",constantinople,0,3.1.1,,CRITICAL,,
|
|
@@ -4852,7 +4956,7 @@ GHSA-4xf9-pgvv-xx67,2020-09-03T20:27:46Z,"Duplicate Advisory: Regular Expression
|
|
|
4852
4956
|
GHSA-4xg9-g7qj-jhg4,2020-09-03T20:46:36Z,"Malicious Package in comander",comander,0.0.0,,,CRITICAL,CWE-506,
|
|
4853
4957
|
GHSA-4xgp-xrg3-c73w,2020-09-11T21:10:29Z,"Malicious Package in commqnder",commqnder,0,,,CRITICAL,CWE-506,
|
|
4854
4958
|
GHSA-52c9-458g-whrf,2020-09-03T22:58:17Z,"Malicious Package in js-3ha3",js-3ha3,0.0.0,,,CRITICAL,CWE-506,
|
|
4855
|
-
GHSA-52rh-5rpj-c3w6,2022-05-05T16:00:50Z,"Improper handling of multiline messages in node-irc",matrix-org-irc,0,1.2.1,,HIGH
|
|
4959
|
+
GHSA-52rh-5rpj-c3w6,2022-05-05T16:00:50Z,"Improper handling of multiline messages in node-irc",matrix-org-irc,0,1.2.1,,HIGH,CWE-74;CWE-93,
|
|
4856
4960
|
GHSA-5327-gfq5-8f4m,2020-09-03T21:56:23Z,"Malicious Package in buffer-xmr",buffer-xmr,0.0.0,,,CRITICAL,CWE-506,
|
|
4857
4961
|
GHSA-533p-g2hq-qr26,2020-09-04T17:16:35Z,"Command Injection in treekill",treekill,0.0.0,,,HIGH,CWE-77,
|
|
4858
4962
|
GHSA-536f-268f-6gxc,2020-09-03T22:17:36Z,"Malicious Package in buffermxor",buffermxor,0.0.0,,,CRITICAL,CWE-506,
|
|
@@ -4865,6 +4969,7 @@ GHSA-5634-rv46-48jf,2020-09-03T17:13:45Z,"Cross-Site Scripting in bleach",bleach
|
|
|
4865
4969
|
GHSA-5635-9mvj-r6hp,2020-09-03T02:34:39Z,"Malicious Package in vue-backbone",vue-backbone,0.1.2,0.1.3,,CRITICAL,CWE-506,
|
|
4866
4970
|
GHSA-563h-49v8-g7x4,2020-09-03T23:17:01Z,"Malicious Package in ks-sha3",ks-sha3,0.0.0,,,CRITICAL,CWE-506,
|
|
4867
4971
|
GHSA-569q-mpph-wgww,2025-12-01T21:29:48Z,"Better Auth affected by external request basePath modification DoS",better-auth,0,1.4.2,,LOW,CWE-73,
|
|
4972
|
+
GHSA-56f2-hvwg-5743,2026-02-17T17:13:35Z,"OpenClaw affected by SSRF in Image Tool Remote Fetch",openclaw,0,2026.2.2,,HIGH,CWE-918,
|
|
4868
4973
|
GHSA-56r6-ccm5-8hg3,2025-07-21T14:20:40Z,"Alchemy Non-SMA and Webauthn Account Security Advisory","@account-kit/smart-contracts",4.42.0,4.52.0,,HIGH,CWE-287,
|
|
4869
4974
|
GHSA-56x4-j7p9-fcf9,2022-08-30T20:31:21Z,"Command Injection in moment-timezone",moment-timezone,0.1.0,0.5.35,,LOW,,
|
|
4870
4975
|
GHSA-57cf-349j-352g,2019-06-12T16:37:00Z,"Out-of-bounds Read in npmconf",npmconf,0,2.1.3,,MODERATE,CWE-125,
|
|
@@ -4918,12 +5023,14 @@ GHSA-5wq6-v5cw-jvfr,2020-09-03T23:03:36Z,"Malicious Package in js-shas",js-shas,
|
|
|
4918
5023
|
GHSA-5wrg-8fxp-cx9r,2023-06-21T22:06:22Z,"passport-wsfed-saml2 Signature Bypass vulnerability",passport-wsfed-saml2,0,3.0.10,,HIGH,,
|
|
4919
5024
|
GHSA-5x7p-gm79-383m,2020-09-01T21:11:57Z,"Malicious Package in regenraotr",regenraotr,0,,,CRITICAL,CWE-506,
|
|
4920
5025
|
GHSA-5x8q-gj67-rhf2,2020-09-02T21:18:33Z,"Malicious Package in discord_debug_log",discord_debug_log,0,,,CRITICAL,CWE-506,
|
|
5026
|
+
GHSA-5xfq-5mr7-426q,2026-02-18T00:57:30Z,"OpenClaw's unsanitized session ID enables path traversal in transcript file operations",openclaw,0,2026.2.12,,MODERATE,CWE-22,
|
|
4921
5027
|
GHSA-629c-j867-3v45,2020-09-04T16:41:04Z,"Malicious Package in bitcoisnj-lib",bitcoisnj-lib,0.0.0,,,CRITICAL,CWE-506,
|
|
4922
5028
|
GHSA-6343-m2qr-66gf,2020-09-03T23:10:41Z,"Malicious Package in js-sja3",js-sja3,0.0.0,,,CRITICAL,CWE-506,
|
|
4923
5029
|
GHSA-6394-6h9h-cfjg,2019-06-07T21:12:35Z,"Regular Expression Denial of Service",nwmatcher,0,1.4.4,,MODERATE,CWE-400,
|
|
4924
5030
|
GHSA-644f-hrff-mf96,2025-12-02T18:30:35Z,"Duplicate Advisory: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments",@nocobase/auth,0,1.9.23,,LOW,,
|
|
4925
5031
|
GHSA-6475-r3vj-m8vf,2026-01-08T21:52:45Z,"AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value",@smithy/config-resolver,0,4.4.0,,LOW,CWE-20,
|
|
4926
5032
|
GHSA-64g7-mvw6-v9qj,2022-01-14T21:09:50Z,"Improper Privilege Management in shelljs",shelljs,0,0.8.5,,MODERATE,CWE-269,
|
|
5033
|
+
GHSA-64qx-vpxx-mvqf,2026-02-17T16:43:51Z,"OpenClaw has an arbitrary transcript path file write via gateway sessionFile",openclaw,0,2026.2.12,,HIGH,"CWE-23;CWE-284;CWE-73;CWE-78",
|
|
4927
5034
|
GHSA-657v-jjf8-83gh,2020-09-03T23:14:55Z,"Malicious Package in jsmsha3",jsmsha3,0.0.0,,,CRITICAL,CWE-506,
|
|
4928
5035
|
GHSA-6584-gfwm-3vc3,2020-09-03T21:43:01Z,"Malicious Package in budfer-xor",budfer-xor,0.0.0,,,CRITICAL,CWE-506,
|
|
4929
5036
|
GHSA-65j7-66p7-9xgf,2020-09-02T21:51:55Z,"Malicious Package in font-scrubber",font-scrubber,0,,,CRITICAL,CWE-506,
|
|
@@ -4949,6 +5056,7 @@ GHSA-69mf-2cw2-38m8,2020-09-03T23:04:40Z,"Malicious Package in js-shc3",js-shc3,
|
|
|
4949
5056
|
GHSA-69p9-9qm9-h447,2020-08-19T22:34:43Z,"Sandbox Breakout / Arbitrary Code Execution in safer-eval",safer-eval,0,1.3.2,,MODERATE,,
|
|
4950
5057
|
GHSA-69r6-7h4f-9p7q,2020-09-03T20:41:01Z,"Malicious Package in discord.js-user",discord.js-user,0.0.0,,,CRITICAL,CWE-506,
|
|
4951
5058
|
GHSA-6c37-2rw5-9j7x,2020-09-02T20:25:46Z,"Malicious Package in requesst",requesst,0,,,CRITICAL,CWE-506,
|
|
5059
|
+
GHSA-6c9j-x93c-rw6j,2026-02-19T22:06:26Z,"OpenClaw safeBins file-existence oracle information disclosure",openclaw,0,2026.2.19,,MODERATE,CWE-203,
|
|
4952
5060
|
GHSA-6chw-6frg-f759,2020-04-03T21:48:38Z,"Regular Expression Denial of Service in Acorn",acorn,5.5.0,5.7.4,,HIGH,CWE-400,
|
|
4953
5061
|
GHSA-6chw-6frg-f759,2020-04-03T21:48:38Z,"Regular Expression Denial of Service in Acorn",acorn,6.0.0,6.4.1,,HIGH,CWE-400,
|
|
4954
5062
|
GHSA-6chw-6frg-f759,2020-04-03T21:48:38Z,"Regular Expression Denial of Service in Acorn",acorn,7.0.0,7.1.1,,HIGH,CWE-400,
|
|
@@ -5014,9 +5122,11 @@ GHSA-7p6w-x2gr-rrf8,2020-09-02T21:28:05Z,"ag-grid Cross-Site Scripting vulnerabi
|
|
|
5014
5122
|
GHSA-7qg7-6g3g-8vxg,2020-09-03T22:46:25Z,"Malicious Package in bwffer-xor",bwffer-xor,0.0.0,,,CRITICAL,CWE-506,
|
|
5015
5123
|
GHSA-7r5f-7qr4-pf6q,2020-09-03T19:03:33Z,"Sandbox Breakout / Arbitrary Code Execution in notevil",notevil,0,1.3.2,,HIGH,,
|
|
5016
5124
|
GHSA-7r9x-hr76-jr96,2020-09-04T17:26:18Z,"Command Injection in giting",giting,0.0.0,,,CRITICAL,CWE-77,
|
|
5125
|
+
GHSA-7rcp-mxpq-72pj,2026-02-18T17:41:00Z,"OpenClaw Chutes manual OAuth state validation bypass can cause credential substitution",openclaw,0,2026.2.14,,MODERATE,CWE-352,
|
|
5017
5126
|
GHSA-7rgr-72hp-9wp3,2025-10-06T03:31:38Z,"Duplicate Advisory: Flowise is vulnerable to stored XSS via ""View Messages"" allows credential theft in FlowiseAI admin panel",flowise,0,3.0.5,,HIGH,CWE-79,
|
|
5018
5127
|
GHSA-7v28-g2pq-ggg8,2022-06-17T01:16:03Z,"Ghost vulnerable to remote code execution in locale setting change",ghost,0,4.48.2,,MODERATE,,
|
|
5019
5128
|
GHSA-7v28-g2pq-ggg8,2022-06-17T01:16:03Z,"Ghost vulnerable to remote code execution in locale setting change",ghost,5.0.0,5.2.3,,MODERATE,,
|
|
5129
|
+
GHSA-7vwx-582j-j332,2026-02-17T21:38:14Z,"OpenClaw MS Teams inbound attachment downloader leaks bearer tokens to allowlisted suffix domains",openclaw,0,2026.2.1,,HIGH,CWE-201,
|
|
5020
5130
|
GHSA-7w7c-867m-4mqc,2020-09-03T17:04:55Z,"Malicious Package in rceat",rceat,0.0.0,,,CRITICAL,CWE-506,
|
|
5021
5131
|
GHSA-7wgh-5q4q-6wx5,2020-09-04T17:30:39Z,"Malicious Package in 1337qq-js",1337qq-js,0.0.0,,,CRITICAL,CWE-506,
|
|
5022
5132
|
GHSA-7wwv-vh3v-89cq,2020-12-04T16:47:20Z,"ReDOS vulnerabities: multiple grammars",@highlightjs/cdn-assets,0,10.4.1,,MODERATE,CWE-20;CWE-400,
|
|
@@ -5051,7 +5161,7 @@ GHSA-87qp-7cw8-8q9c,2024-03-25T06:30:24Z,"Duplicate Advisory: web3-utils Prototy
|
|
|
5051
5161
|
GHSA-87qw-7v97-w34r,2020-09-02T18:33:18Z,"Malicious Package in asinc",asinc,0,,,CRITICAL,CWE-506,
|
|
5052
5162
|
GHSA-886v-mm6p-4m66,2019-06-05T09:48:02Z,"High severity vulnerability that affects gun",gun,0,0.2019.416,,HIGH,CWE-22,
|
|
5053
5163
|
GHSA-88h9-fc6v-jcw7,2020-09-03T20:28:51Z,"Unintended Require in larvitbase-www",larvitbase-www,0.0.0,,,MODERATE,,
|
|
5054
|
-
GHSA-
|
|
5164
|
+
GHSA-88qp-p4qg-rqm6,2026-02-19T20:30:25Z,"CPU exhaustion in SvelteKit remote form deserialization (experimental only)",@sveltejs/kit,2.49.0,2.52.2,,MODERATE,CWE-843,
|
|
5055
5165
|
GHSA-88xx-23mf-rcj2,2020-09-03T22:51:52Z,"Malicious Package in bs-sha3",bs-sha3,0.0.0,,,CRITICAL,CWE-506,
|
|
5056
5166
|
GHSA-8948-ffc6-jg52,2019-06-06T15:32:21Z,"Insecure Default Configuration in redbird",redbird,0,,0.9.0,MODERATE,CWE-20,
|
|
5057
5167
|
GHSA-8c8c-4vfj-rrpc,2020-09-01T19:05:11Z,"Reflected Cross-Site Scripting in redis-commander",redis-commander,0.0.0,0.5.0,,LOW,CWE-79,
|
|
@@ -5084,6 +5194,7 @@ GHSA-8mwq-mj73-qv68,2023-02-16T15:30:28Z,"Duplicate advisory: Sequelize vulnerab
|
|
|
5084
5194
|
GHSA-8mwq-mj73-qv68,2023-02-16T15:30:28Z,"Duplicate advisory: Sequelize vulnerable to Improper Filtering of Special Elements",sequelize,0,6.29.0,,CRITICAL,CWE-790,
|
|
5085
5195
|
GHSA-8pwx-j4r6-5v38,2020-09-03T17:05:25Z,"Malicious Package in hdkye",hdkye,0.0.0,,,CRITICAL,CWE-506,
|
|
5086
5196
|
GHSA-8q2c-2396-hf7j,2020-09-03T17:34:55Z,"Malicious Package in appx-compiler",appx-compiler,0.0.0,,,CRITICAL,CWE-506,
|
|
5197
|
+
GHSA-8qm3-746x-r74r,2026-02-19T20:29:17Z,"devalue `uneval`ed code can create objects with polluted prototypes when `eval`ed",devalue,0,5.6.3,,LOW,CWE-1321,
|
|
5087
5198
|
GHSA-8qx4-r7fx-xc4v,2020-09-11T21:08:19Z,"Malicious Package in requst",requst,0,,,CRITICAL,CWE-506,
|
|
5088
5199
|
GHSA-8r4g-cg4m-x23c,2021-09-22T18:22:02Z,"Denial of Service in node-static",node-static,0,,0.7.11,MODERATE,CWE-248;CWE-400,
|
|
5089
5200
|
GHSA-8r69-3cvp-wxc3,2022-11-02T18:18:10Z,"Batched HTTP requests may set incorrect `cache-control` response header",@apollo/server,0,4.1.0,,MODERATE,CWE-524,
|
|
@@ -5094,6 +5205,8 @@ GHSA-8vj3-jgcf-77jv,2020-09-02T20:26:49Z,"Malicious Package in requeest",requees
|
|
|
5094
5205
|
GHSA-8vvx-qvq9-5948,2025-03-14T18:48:44Z,"Flowise allows arbitrary file write to RCE",flowise,0,,2.2.7,CRITICAL,CWE-94,
|
|
5095
5206
|
GHSA-8w57-jfpm-945m,2019-06-11T16:16:07Z,"Denial of Service in http-proxy-agent",http-proxy-agent,0,2.1.0,,HIGH,CWE-400,
|
|
5096
5207
|
GHSA-8w9j-6wg6-qv4f,2020-09-03T19:41:17Z,"Malicious Package in axioss",axioss,0.0.0,,,CRITICAL,CWE-506,
|
|
5208
|
+
GHSA-8wc6-vgrq-x6cf,2026-02-13T20:53:58Z,"Child processes spawned by Renovate incorrectly have full access to environment variables",renovate,42.68.1,42.96.3,,MODERATE,CWE-269,
|
|
5209
|
+
GHSA-8wc6-vgrq-x6cf,2026-02-13T20:53:58Z,"Child processes spawned by Renovate incorrectly have full access to environment variables",renovate,43.0.0,43.4.4,,MODERATE,CWE-269,
|
|
5097
5210
|
GHSA-8wgc-jjvv-cv6v,2020-09-02T15:54:52Z,"Improper Authorization in loopback",loopback,0,2.40.0,,HIGH,CWE-285,
|
|
5098
5211
|
GHSA-8wgc-jjvv-cv6v,2020-09-02T15:54:52Z,"Improper Authorization in loopback",loopback,3.0.0,3.22.0,,HIGH,CWE-285,
|
|
5099
5212
|
GHSA-8whr-v3gm-w8h9,2020-09-03T15:51:04Z,"Duplicate Advisory: Command Injection in node-rules",node-rules,0,5.0.0,,HIGH,CWE-78,
|
|
@@ -5124,6 +5237,7 @@ GHSA-9mjp-gv34-3jcf,2020-09-02T18:37:35Z,"Malicious Package in aasync",aasync,0,
|
|
|
5124
5237
|
GHSA-9mmw-3fmh-96g3,2020-09-02T20:23:38Z,"Malicious Package in calk",calk,0,,,CRITICAL,CWE-506,
|
|
5125
5238
|
GHSA-9p64-h5q4-phpm,2020-09-02T15:44:58Z,"Remote Code Execution in office-converter",office-converter,0.0.0,,,HIGH,CWE-20,
|
|
5126
5239
|
GHSA-9pcf-h8q9-63f6,2020-09-03T17:12:41Z,"Sandbox Breakout / Arbitrary Code Execution in safe-eval",safe-eval,0.0.0,,,HIGH,,
|
|
5240
|
+
GHSA-9ppg-jx86-fqw7,2026-02-19T15:17:10Z,"Unauthorized npm publish of cline@2.3.0 with modified postinstall script",cline,2.3.0,2.4.0,,LOW,,
|
|
5127
5241
|
GHSA-9pr3-7449-977r,2020-09-02T18:21:26Z,"Cross-Site Scripting in express-cart",express-cart,0,,,LOW,CWE-79,
|
|
5128
5242
|
GHSA-9px9-f7jw-fwhj,2020-09-03T15:49:37Z,"Command Injection in priest-runner",priest-runner,0.0.0,,,CRITICAL,CWE-77,
|
|
5129
5243
|
GHSA-9q64-mpxx-87fg,2020-04-01T16:35:08Z,"Open Redirect in ecstatic",ecstatic,0,2.2.2,,HIGH,CWE-601,
|
|
@@ -5158,6 +5272,7 @@ GHSA-9xww-fwh9-95c5,2020-09-02T21:43:59Z,"Malicious Package in uglyfi-js",uglyfi
|
|
|
5158
5272
|
GHSA-c27r-x354-4m68,2020-10-27T20:39:46Z,"xml-crypto's HMAC-SHA1 signatures can bypass validation via key confusion",xml-crypto,0,2.0.0,,HIGH,CWE-287,
|
|
5159
5273
|
GHSA-c2g6-57fp-22wp,2020-09-03T22:48:35Z,"Malicious Package in fuffer-xor",fuffer-xor,0.0.0,,,CRITICAL,CWE-506,
|
|
5160
5274
|
GHSA-c35v-qwqg-87jc,2019-06-06T15:32:32Z,"express-basic-auth Timing Attack due to native string comparison instead of constant time string comparison",express-basic-auth,0,1.1.7,,LOW,CWE-208,
|
|
5275
|
+
GHSA-c37p-4qqg-3p76,2026-02-18T00:54:48Z,"OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled",openclaw,0,2026.2.14,,MODERATE,CWE-306,
|
|
5161
5276
|
GHSA-c3hq-7mxh-mqxf,2020-09-04T14:59:50Z,"Sandbox Breakout / Arbitrary Code Execution in lighter-vm",lighter-vm,0.0.0,,,CRITICAL,,
|
|
5162
5277
|
GHSA-c3m8-x3cg-qm2c,2020-09-03T20:39:53Z,"Configuration Override in helmet-csp",helmet-csp,1.2.2,2.9.1,,MODERATE,,
|
|
5163
5278
|
GHSA-c3px-v9c7-m734,2020-09-03T19:04:39Z,"Prototype Pollution in mithril",mithril,0,1.1.7,,HIGH,CWE-1321,
|
|
@@ -5185,6 +5300,8 @@ GHSA-ch52-vgq2-943f,2020-09-03T18:15:53Z,"Regular Expression Denial of Service i
|
|
|
5185
5300
|
GHSA-ch82-gqh6-9xj9,2020-09-04T15:13:19Z,"Prototype Pollution in get-setter",get-setter,0.0.0,,,HIGH,CWE-1321,
|
|
5186
5301
|
GHSA-chgg-rrmv-5q7x,2020-08-03T18:05:48Z,Withdrawn,jwt-simple,0,0.3.1,,MODERATE,,
|
|
5187
5302
|
GHSA-chh2-rvhg-wqwr,2020-09-03T21:02:10Z,"Malicious Package in json-serializer",json-serializer,2.0.10,2.0.11,,CRITICAL,,
|
|
5303
|
+
GHSA-chm2-m3w2-wcxm,2026-02-17T22:56:39Z,"OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch",clawdbot,0,,2026.1.24-3,LOW,CWE-290;CWE-863,
|
|
5304
|
+
GHSA-chm2-m3w2-wcxm,2026-02-17T22:56:39Z,"OpenClaw Google Chat spoofing access with allowlist authorized mutable email principal despite sender-ID mismatch",openclaw,0,2026.2.14,,LOW,CWE-290;CWE-863,
|
|
5188
5305
|
GHSA-cp47-r258-q626,2023-03-02T23:36:22Z," Vega vulnerable to arbitrary code execution when clicking href links",vega,0,4.5.1,,MODERATE,,
|
|
5189
5306
|
GHSA-cp47-r258-q626,2023-03-02T23:36:22Z," Vega vulnerable to arbitrary code execution when clicking href links",vega,5.0.0,5.4.1,,MODERATE,,
|
|
5190
5307
|
GHSA-cpgr-wmr9-qxv4,2020-09-11T21:20:14Z,"Cross-Site Scripting in serve",serve,0,10.0.2,,MODERATE,CWE-79,
|
|
@@ -5227,6 +5344,8 @@ GHSA-f8vf-6hwg-hw55,2020-09-04T15:38:21Z,"Malicious Package in bictore-lib",bict
|
|
|
5227
5344
|
GHSA-ff5x-w9wg-h275,2020-03-06T01:15:46Z,"Holder can generate proof of ownership for credentials it does not control in vp-toolkit",vp-toolkit,0,0.2.2,,HIGH,,
|
|
5228
5345
|
GHSA-ff6g-gm92-rf32,2020-09-03T19:42:06Z,"Malicious Package in coinstirng",coinstirng,0.0.0,,,CRITICAL,CWE-506,
|
|
5229
5346
|
GHSA-fgp6-8g62-qx6w,2020-09-03T17:01:45Z,"Malicious Package in smartsearchwp",smartsearchwp,0,,,CRITICAL,CWE-506,
|
|
5347
|
+
GHSA-fh3f-q9qw-93j9,2026-02-19T19:41:07Z,"OpenClaw replaced a deprecated sandbox hash algorithm",openclaw,0,2026.2.15,,MODERATE,CWE-328,
|
|
5348
|
+
GHSA-fhvm-j76f-qmjv,2026-02-17T21:34:36Z,"OpenClaw has a potential access-group authorization bypass if channel type lookup fails",openclaw,0,2026.2.1,,CRITICAL,CWE-285,
|
|
5230
5349
|
GHSA-fj93-7wm4-8x2g,2020-09-02T21:22:47Z,"Cross-Site Scripting in jquery-mobile",jquery-mobile,0,,,HIGH,CWE-79,
|
|
5231
5350
|
GHSA-fjh6-8679-9pch,2025-11-14T20:57:31Z,"Flowise does not Prevent Bypass of Password Confirmation - Unverified Password Change",flowise-ui,0,3.0.10,,HIGH,CWE-306;CWE-620,
|
|
5232
5351
|
GHSA-fm4j-4xhm-xpwx,2020-09-02T15:51:34Z,"Sandbox Breakout / Arbitrary Code Execution in sandbox",sandbox,0.0.0,,,MODERATE,,
|
|
@@ -5246,6 +5365,7 @@ GHSA-fvwr-h9xh-m6wc,2020-09-03T20:33:17Z,"Denial of Service in @commercial/subte
|
|
|
5246
5365
|
GHSA-fw4p-36j9-rrj3,2020-09-03T20:25:33Z,"Denial of Service in sequelize",sequelize,0,4.44.4,,MODERATE,CWE-248,
|
|
5247
5366
|
GHSA-fw76-p9p2-6pvf,2020-09-03T19:58:58Z,"Malicious Package in serilize",serilize,0.0.0,,,CRITICAL,CWE-506,
|
|
5248
5367
|
GHSA-fwvq-x4j9-hr5f,2020-09-03T19:43:09Z,"Malicious Package in bs58chekc",bs58chekc,0.0.0,,,CRITICAL,CWE-506,
|
|
5368
|
+
GHSA-g27f-9qjv-22pm,2026-02-17T21:31:39Z,"OpenClaw log poisoning (indirect prompt injection) via WebSocket headers",openclaw,0,2026.2.13,,LOW,CWE-117,
|
|
5249
5369
|
GHSA-g2c4-4m64-vxm3,2020-09-03T22:15:25Z,"Malicious Package in buffer-yor",buffer-yor,0.0.0,,,CRITICAL,CWE-506,
|
|
5250
5370
|
GHSA-g336-c7wv-8hp3,2020-09-01T15:58:06Z,"Cross-Site Scripting in swagger-ui",swagger-ui,0,2.2.1,,CRITICAL,CWE-79,
|
|
5251
5371
|
GHSA-g35x-j6jj-8g7j,2023-05-02T16:51:25Z,"@mittwald/kubernetes's secret contents leaked via debug logging",@mittwald/kubernetes,0,3.5.0,,MODERATE,CWE-532,
|
|
@@ -5291,6 +5411,8 @@ GHSA-gm9x-q798-hmr4,2020-07-29T14:53:40Z,"Command Injection in git-tags-remote",
|
|
|
5291
5411
|
GHSA-gmjp-776j-2394,2020-09-03T17:04:24Z,"Malicious Package in ripmed160",ripmed160,0.0.0,,,CRITICAL,CWE-506,
|
|
5292
5412
|
GHSA-gpg2-7r7j-4pm9,2020-09-03T22:09:56Z,"Malicious Package in buffer-xob",buffer-xob,0.0.0,,,CRITICAL,CWE-506,
|
|
5293
5413
|
GHSA-gpv5-7x3g-ghjv,2023-06-15T19:05:13Z,"fast-xml-parser regex vulnerability patch could be improved from a safety perspective",fast-xml-parser,4.2.4,4.2.5,,LOW,,
|
|
5414
|
+
GHSA-gq3j-xvxp-8hrf,2026-02-19T20:15:59Z,"Hono added timing comparison hardening in basicAuth and bearerAuth",hono,0,4.11.10,,LOW,CWE-208,
|
|
5415
|
+
GHSA-gq9c-wg68-gwj2,2026-02-18T17:38:39Z,"OpenClaw has a path traversal in browser trace/download output paths may allow arbitrary file writes",openclaw,0,2026.2.13,,HIGH,CWE-22,
|
|
5294
5416
|
GHSA-gqf6-75v8-vr26,2020-09-04T16:56:11Z,"Arbitrary File Write in bin-links",bin-links,0,1.1.5,,LOW,,
|
|
5295
5417
|
GHSA-gqq4-937c-2282,2020-09-03T22:49:42Z,"Malicious Package in juffer-xor",juffer-xor,0.0.0,,,CRITICAL,CWE-506,
|
|
5296
5418
|
GHSA-gr4j-r575-g665,2020-08-25T14:04:47Z,"Cross-Site Scripting in highcharts",highcharts,0,7.2.2,,HIGH,CWE-79,
|
|
@@ -5328,8 +5450,11 @@ GHSA-h6m3-cx24-9626,2020-09-03T23:11:45Z,"Malicious Package in js-sla3",js-sla3,
|
|
|
5328
5450
|
GHSA-h6mq-3cj6-h738,2020-09-03T23:21:16Z,"Reverse Tabnabbing in showdown",showdown,0,1.9.1,,LOW,CWE-1022,
|
|
5329
5451
|
GHSA-h726-x36v-rx45,2020-09-03T18:04:54Z,"Prototype Pollution in lodash.merge",lodash.merge,0,4.6.2,,HIGH,CWE-1321,
|
|
5330
5452
|
GHSA-h87q-g2wp-47pj,2022-02-09T22:41:19Z,"Signatures are mistakenly recognized to be valid in jsrsasign",jsrsasign,0,10.2.0,,MODERATE,CWE-347,
|
|
5453
|
+
GHSA-h89v-j3x9-8wqj,2026-02-18T00:52:54Z,"OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)",clawdbot,0,,2026.1.24-3,MODERATE,CWE-400,
|
|
5454
|
+
GHSA-h89v-j3x9-8wqj,2026-02-18T00:52:54Z,"OpenClaw affected by denial of service through unguarded archive extraction allowing high expansion/resource abuse (ZIP/TAR)",openclaw,0,2026.2.14,,MODERATE,CWE-400,
|
|
5331
5455
|
GHSA-h96f-fc7c-9r55,2021-01-06T19:25:46Z,"Regex denial of service vulnerability in codesample plugin",tinymce,0,5.6.0,,LOW,CWE-400,
|
|
5332
5456
|
GHSA-h97g-4mx7-5p2p,2020-09-03T17:11:36Z,"Open Redirect in apostrophe",apostrophe,0,2.92.0,,MODERATE,CWE-601,
|
|
5457
|
+
GHSA-h9g4-589h-68xv,2026-02-18T17:45:31Z,"OpenClaw has an authentication bypass in sandbox browser bridge server",openclaw,2026.1.29-beta.1,2026.2.14,,HIGH,CWE-306,
|
|
5333
5458
|
GHSA-h9wq-xcqx-mqxm,2023-07-11T22:46:19Z,"Vendure Cross Site Request Forgery vulnerability impacting all API requests",@vendure/core,0,2.0.3,,LOW,,
|
|
5334
5459
|
GHSA-h9wr-xr4r-66fh,2020-09-03T18:20:20Z,"Cross-Site Scripting in dmn-js-properties-panel",dmn-js-properties-panel,0,0.3.0,,HIGH,CWE-79,
|
|
5335
5460
|
GHSA-hfwx-c7q6-g54c,2021-03-12T23:04:46Z,"Vulnerability allowing for reading internal HTTP resources",highcharts-export-server,0,2.1.0,,HIGH,CWE-552,
|
|
@@ -5350,6 +5475,7 @@ GHSA-hq8g-qq57-5275,2020-09-11T21:24:33Z,"SQL Injection in untitled-model",untit
|
|
|
5350
5475
|
GHSA-hqf9-8xv5-x8xw,2026-01-05T19:57:46Z,"ERC7984ERC20Wrapper: once a wrapper is filled, subsequent wrap requests do not revert and result in loss of funds.","@openzeppelin/confidential-contracts",0,0.3.1,,MODERATE,CWE-190,
|
|
5351
5476
|
GHSA-hrpp-f84w-xhfg,2020-09-04T16:55:06Z,"Outdated Static Dependency in vue-moment",vue-moment,0,4.1.0,,MODERATE,CWE-1104,
|
|
5352
5477
|
GHSA-hv4w-jhcj-6wfw,2020-09-03T20:34:23Z,"Cross-Site Scripting in snekserve",snekserve,0.0.0,,,HIGH,CWE-79,
|
|
5478
|
+
GHSA-hv93-r4j3-q65f,2026-02-17T16:43:34Z,"OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing",openclaw,2.0.0-beta3,2026.2.12,,HIGH,CWE-330;CWE-639,
|
|
5353
5479
|
GHSA-hvgc-mggg-pxr2,2020-09-03T23:02:33Z,"Malicious Package in js-sha7",js-sha7,0.0.0,,,CRITICAL,CWE-506,
|
|
5354
5480
|
GHSA-hvxq-j2r4-4jm8,2020-09-03T20:31:04Z,"Regular Expression Denial of Service in sql-injection",sql-injection,0.0.0,,,HIGH,,
|
|
5355
5481
|
GHSA-hwh3-fhf6-73x9,2020-09-04T15:36:09Z,"Malicious Package in bictoinjs-lib",bictoinjs-lib,0.0.0,,,CRITICAL,CWE-506,
|
|
@@ -5362,6 +5488,7 @@ GHSA-hxwc-5vw9-2w4w,2020-09-02T15:52:39Z,"NoSQL Injection in loopback-connector-
|
|
|
5362
5488
|
GHSA-hxwm-x553-x359,2021-08-05T17:07:39Z,"Arbitrary Command Injection due to Improper Command Sanitization",@npmcli/git,0,2.0.8,,MODERATE,CWE-78,
|
|
5363
5489
|
GHSA-hxxf-q3w9-4xgw,2018-07-12T19:52:02Z,"Malicious Package in eslint-scope",eslint-config-eslint,5.0.2,6.0.0,,CRITICAL,CWE-506,
|
|
5364
5490
|
GHSA-hxxf-q3w9-4xgw,2018-07-12T19:52:02Z,"Malicious Package in eslint-scope",eslint-scope,3.7.2,3.7.3,,CRITICAL,CWE-506,
|
|
5491
|
+
GHSA-j27p-hq53-9wgc,2026-02-18T00:51:37Z,"OpenClaw affected by denial of service via unbounded URL-backed media fetch",openclaw,0,2026.2.14,,HIGH,CWE-400,
|
|
5365
5492
|
GHSA-j3qq-qvc8-c6g7,2020-09-01T21:15:09Z,"Malicious Package in foever",foever,0,,,CRITICAL,CWE-506,
|
|
5366
5493
|
GHSA-j44m-5v8f-gc9c,2025-10-10T22:55:09Z,"Flowise is vulnerable to arbitrary file exposure through its ReadFileTool",flowise,0,3.0.8,,HIGH,CWE-22,
|
|
5367
5494
|
GHSA-j44m-5v8f-gc9c,2025-10-10T22:55:09Z,"Flowise is vulnerable to arbitrary file exposure through its ReadFileTool",flowise-components,0,3.0.8,,HIGH,CWE-22,
|
|
@@ -5400,6 +5527,7 @@ GHSA-jmqm-f2gx-4fjv,2020-07-07T18:59:10Z,"Sensitive information exposure through
|
|
|
5400
5527
|
GHSA-jp99-5h8w-gmxc,2020-09-04T15:03:13Z,"Sandbox Breakout / Arbitrary Code Execution in @zhaoyao91/eval-in-vm",@zhaoyao91/eval-in-vm,0.0.0,,,CRITICAL,,
|
|
5401
5528
|
GHSA-jp9g-5x75-ccp8,2020-09-02T21:34:30Z,"Malicious Package in colro-name",colro-name,0,,,CRITICAL,CWE-506,
|
|
5402
5529
|
GHSA-jqjg-v355-hr9q,2020-09-03T22:11:02Z,"Malicious Package in buffer-xop",buffer-xop,0.0.0,,,CRITICAL,CWE-506,
|
|
5530
|
+
GHSA-jqpq-mgvm-f9r6,2026-02-18T00:55:50Z,"OpenClaw: Command hijacking via unsafe PATH handling (bootstrapping + node-host PATH overrides)",openclaw,0,2026.2.14,,HIGH,CWE-427;CWE-78;CWE-807,
|
|
5403
5531
|
GHSA-jqvv-r4w3-8f7w,2020-09-04T15:35:00Z,"Malicious Package in bictoind-rpc",bictoind-rpc,0.0.0,,,CRITICAL,CWE-506,
|
|
5404
5532
|
GHSA-jqx4-9gpq-rppm,2025-05-06T16:44:22Z,"@misskey-dev/summaly allows IP Filter Bypass via Redirect",@misskey-dev/summaly,5.1.0,5.2.1,,MODERATE,CWE-346,
|
|
5405
5533
|
GHSA-jrj9-5qp6-2v8q,2020-09-03T23:22:19Z,"Machine-In-The-Middle in airtable",airtable,0.1.19,0.7.2,,HIGH,,
|
|
@@ -5449,6 +5577,8 @@ GHSA-mh5c-679w-hh4r,2020-09-03T21:12:01Z,"Denial of Service in mongodb",mongodb,
|
|
|
5449
5577
|
GHSA-mh6f-8j2x-4483,2018-11-26T23:58:21Z,"Critical severity vulnerability that affects event-stream and flatmap-stream",event-stream,3.3.6,4.0.0,,CRITICAL,CWE-506,
|
|
5450
5578
|
GHSA-mh6f-8j2x-4483,2018-11-26T23:58:21Z,"Critical severity vulnerability that affects event-stream and flatmap-stream",flatmap-stream,0,,,CRITICAL,CWE-506,
|
|
5451
5579
|
GHSA-mhxg-pr3j-v9gr,2020-09-03T19:41:22Z,"Malicious Package in colne",colne,0.0.0,,,CRITICAL,CWE-506,
|
|
5580
|
+
GHSA-mj5r-hh7j-4gxf,2026-02-18T00:54:32Z,"OpenClaw Telegram allowlist authorization accepted mutable usernames",clawdbot,0,,2026.1.24-3,MODERATE,CWE-284;CWE-290,
|
|
5581
|
+
GHSA-mj5r-hh7j-4gxf,2026-02-18T00:54:32Z,"OpenClaw Telegram allowlist authorization accepted mutable usernames",openclaw,0,2026.2.14,,MODERATE,CWE-284;CWE-290,
|
|
5452
5582
|
GHSA-mjjq-c88q-qhr6,2020-09-03T21:22:00Z,"Cross-Site Scripting in dompurify",dompurify,0,2.0.7,,CRITICAL,CWE-79,
|
|
5453
5583
|
GHSA-mmph-wp49-r48h,2020-09-02T20:20:26Z,"Malicious Package in experss",experss,0,,,CRITICAL,CWE-506,
|
|
5454
5584
|
GHSA-mmqv-m45h-q2hp,2020-09-04T15:22:40Z,"Sandbox Breakout / Arbitrary Code Execution in localeval",localeval,0,15.3.0,,CRITICAL,,
|
|
@@ -5457,7 +5587,11 @@ GHSA-mpcx-8qqw-rmcq,2020-08-19T21:51:20Z,"SQL Injection in waterline-sequel",wat
|
|
|
5457
5587
|
GHSA-mpjf-8cmf-p789,2020-09-01T21:25:46Z,"Cross-Site Scripting in jingo",jingo,0,1.9.2,,HIGH,CWE-79,
|
|
5458
5588
|
GHSA-mq6v-w35g-3c97,2024-02-03T00:37:56Z,"Local File Inclusion vulnerability in zmarkdown",zmarkdown,0,10.1.3,,LOW,,
|
|
5459
5589
|
GHSA-mq9h-cwc2-6j5r,2020-09-03T17:42:27Z,"Malicious Package in midway-dataproxy",midway-dataproxy,0.0.0,,,CRITICAL,CWE-506,
|
|
5590
|
+
GHSA-mqpw-46fh-299h,2026-02-17T21:39:11Z,"OpenClaw authorization bypass: operator.write can resolve exec approvals via chat.send -> /approve",openclaw,0,2026.2.2,,HIGH,CWE-269;CWE-863,
|
|
5591
|
+
GHSA-mr32-vwc2-5j6h,2026-02-17T16:45:47Z,"OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access",moltbot,0,,0.1.0,HIGH,CWE-306,
|
|
5592
|
+
GHSA-mr32-vwc2-5j6h,2026-02-17T16:45:47Z,"OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access",openclaw,2026.1.20,2026.2.1,,HIGH,CWE-306,
|
|
5460
5593
|
GHSA-mrr8-v49w-3333,2023-07-10T19:08:10Z,"sweetalert2 contains potentially undesirable behavior",sweetalert2,11.6.14,11.22.4,,LOW,CWE-440,
|
|
5594
|
+
GHSA-mv9j-6xhh-g383,2026-02-17T21:31:17Z,"OpenClaw's unauthenticated Nostr profile HTTP endpoints allow remote profile/config tampering",openclaw,0,2026.2.12,,MODERATE,CWE-285;CWE-306,
|
|
5461
5595
|
GHSA-mvch-rh6h-2m47,2020-09-11T21:10:29Z,"Malicious Package in equest",equest,0,,,CRITICAL,CWE-506,
|
|
5462
5596
|
GHSA-mvrp-3cvx-c325,2023-10-04T14:46:06Z,"Zod denial of service vulnerability during email validation",express-zod-api,0,10.0.0-beta1,,HIGH,CWE-1333,
|
|
5463
5597
|
GHSA-mvw6-62qv-vmqf,2025-07-25T06:30:30Z,"Duplicate Advisory: Koa Open Redirect via Referrer Header (User-Controlled)",koa,0,3.0.1,,LOW,CWE-601,
|
|
@@ -5478,6 +5612,7 @@ GHSA-mxq6-vrrr-ppmg,2022-05-24T17:04:00Z,"Duplicate Advisory: tree-kill vulnerab
|
|
|
5478
5612
|
GHSA-p33q-w45h-2hcj,2020-09-02T18:30:03Z,"Malicious Package in 4equest",4equest,0,,,CRITICAL,CWE-506,
|
|
5479
5613
|
GHSA-p3jx-g34v-q56j,2020-09-03T22:54:02Z,"Malicious Package in j3-sha3",j3-sha3,0.0.0,,,CRITICAL,CWE-506,
|
|
5480
5614
|
GHSA-p4mf-4qvh-w8g5,2020-09-04T15:41:42Z,"Malicious Package in bitcionjslib",bitcionjslib,0.0.0,,,CRITICAL,CWE-506,
|
|
5615
|
+
GHSA-p536-vvpp-9mc8,2026-02-19T19:40:56Z,"OpenClaw has a Web Fetch DoS via unbounded response parsing",openclaw,0,2026.2.15,,MODERATE,CWE-400,
|
|
5481
5616
|
GHSA-p56r-jr4p-4wgh,2020-08-03T18:16:37Z,Withdrawn,whereis,0,0.4.1,,HIGH,,
|
|
5482
5617
|
GHSA-p5p2-rhc3-wmf3,2020-09-03T17:03:31Z,"Malicious Package in siganle",siganle,0.0.0,,,CRITICAL,CWE-506,
|
|
5483
5618
|
GHSA-p62r-jf56-h429,2020-09-03T20:29:58Z,"Malicious Package in evil-package",evil-package,0.0.0,,,CRITICAL,CWE-506,
|
|
@@ -5494,6 +5629,7 @@ GHSA-pc5p-h8pf-mvwp,2020-04-16T03:14:56Z,"Machine-In-The-Middle in https-proxy-a
|
|
|
5494
5629
|
GHSA-pc7q-c837-3wjq,2020-09-03T17:02:58Z,"Malicious Package in wallet-address-validtaor",wallet-address-validtaor,0.0.0,,,CRITICAL,CWE-506,
|
|
5495
5630
|
GHSA-pf56-h9qf-rxq4,2024-10-07T15:14:40Z,"Saltcorn Server Stored Cross-Site Scripting (XSS) in event logs page",@saltcorn/server,0,1.0.0-beta.16,,MODERATE,CWE-79,
|
|
5496
5631
|
GHSA-pfq2-hh62-7m96,2026-01-13T19:54:29Z,"Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious `distributionUrl`",renovate,32.124.0,42.68.5,,MODERATE,CWE-78,
|
|
5632
|
+
GHSA-pg2v-8xwh-qhcc,2026-02-18T00:55:00Z,"OpenClaw affected by SSRF in optional Tlon (Urbit) extension authentication",openclaw,0,2026.2.14,,MODERATE,CWE-918,
|
|
5497
5633
|
GHSA-pg98-6v7f-2xfv,2022-11-23T15:44:52Z,"sweetalert2 v9.17.4 and above contains hidden functionality",sweetalert2,9.17.4,11.22.4,,LOW,CWE-912,
|
|
5498
5634
|
GHSA-pgcr-7wm4-mcv6,2019-06-04T15:42:45Z,"Sensitive Data Exposure in pem",pem,0,1.13.2,,CRITICAL,CWE-200,
|
|
5499
5635
|
GHSA-pgr8-jg6h-8gw6,2019-05-23T09:26:20Z,"Cross-Site Scripting in webpack-bundle-analyzer",webpack-bundle-analyzer,0,3.3.2,,MODERATE,CWE-79,
|
|
@@ -5501,9 +5637,6 @@ GHSA-pgv6-jrvv-75jp,2018-10-09T00:34:30Z,"Moderate severity vulnerability that a
|
|
|
5501
5637
|
GHSA-ph6w-f82w-28w6,2025-09-03T18:06:31Z,"Claude Code Vulnerable to Arbitrary Code Execution Due to Insufficient Startup Warning","@anthropic-ai/claude-code",0,1.0.87,,HIGH,CWE-94,
|
|
5502
5638
|
GHSA-phph-xpj4-wvcv,2020-09-03T21:13:07Z,"Cross-Site Scripting in hexo-admin",hexo-admin,0.0.0,,,HIGH,CWE-79,
|
|
5503
5639
|
GHSA-pj97-j597-ppm7,2020-09-02T21:15:22Z,"Malicious Package in rqeuest",rqeuest,0,,,CRITICAL,CWE-506,
|
|
5504
|
-
GHSA-pjwm-rvh2-c87w,2021-10-22T20:38:14Z,"Embedded malware in ua-parser-js",ua-parser-js,0.7.29,0.7.30,,HIGH,CWE-829;CWE-912,
|
|
5505
|
-
GHSA-pjwm-rvh2-c87w,2021-10-22T20:38:14Z,"Embedded malware in ua-parser-js",ua-parser-js,0.8.0,0.8.1,,HIGH,CWE-829;CWE-912,
|
|
5506
|
-
GHSA-pjwm-rvh2-c87w,2021-10-22T20:38:14Z,"Embedded malware in ua-parser-js",ua-parser-js,1.0.0,1.0.1,,HIGH,CWE-829;CWE-912,
|
|
5507
5640
|
GHSA-pm52-wwrw-c282,2019-06-13T18:59:06Z,"Command Injection in wiki-plugin-datalog",wiki-plugin-datalog,0,0.1.6,,HIGH,CWE-94,
|
|
5508
5641
|
GHSA-pm9v-325f-5g74,2020-09-02T21:30:11Z,"Malicious Package in saync",saync,0,,,CRITICAL,CWE-506,
|
|
5509
5642
|
GHSA-pmgv-94f5-6w7w,2020-09-02T20:21:30Z,"Malicious Package in eact",eact,0,,,CRITICAL,CWE-506,
|
|
@@ -5525,6 +5658,8 @@ GHSA-q42c-rrp3-r3xm,2020-09-11T21:13:44Z,"Malicious Package in commmander",commm
|
|
|
5525
5658
|
GHSA-q42p-pg8m-cqh6,2019-06-05T14:07:48Z,"Prototype Pollution in handlebars",handlebars,0,3.0.7,,HIGH,CWE-471,
|
|
5526
5659
|
GHSA-q42p-pg8m-cqh6,2019-06-05T14:07:48Z,"Prototype Pollution in handlebars",handlebars,4.0.0,4.0.14,,HIGH,CWE-471,
|
|
5527
5660
|
GHSA-q42p-pg8m-cqh6,2019-06-05T14:07:48Z,"Prototype Pollution in handlebars",handlebars,4.1.0,4.1.2,,HIGH,CWE-471,
|
|
5661
|
+
GHSA-q447-rj3r-2cgh,2026-02-18T00:53:07Z,"OpenClaw affected by denial of service via unbounded webhook request body buffering",clawdbot,0,,2026.1.24-3,HIGH,CWE-400,
|
|
5662
|
+
GHSA-q447-rj3r-2cgh,2026-02-18T00:53:07Z,"OpenClaw affected by denial of service via unbounded webhook request body buffering",openclaw,0,2026.2.13,,HIGH,CWE-400,
|
|
5528
5663
|
GHSA-q4h9-46xg-m3x9,2021-09-15T20:22:13Z,"UUPSUpgradeable vulnerability in @openzeppelin/contracts-upgradeable","@openzeppelin/contracts-upgradeable",4.1.0,4.3.2,,CRITICAL,,
|
|
5529
5664
|
GHSA-q4pp-j36h-3gqg,2023-08-24T12:53:06Z,"Minimal `basti` IAM Policy Allows Shell Access",basti-cdk,0,1.0.1,,LOW,,
|
|
5530
5665
|
GHSA-q4xx-mc3q-23x8,2025-08-14T12:30:22Z,"Duplicate Advisory: Flowise vulnerable to RCE via Dynamic function constructor injection",flowise,0,,3.0.5,CRITICAL,CWE-94,
|
|
@@ -5550,6 +5685,7 @@ GHSA-qj3g-wfr7-3cv7,2020-09-02T21:41:53Z,"Malicious Package in require-ports",re
|
|
|
5550
5685
|
GHSA-qj3p-xc97-xw74,2025-09-15T13:55:56Z,"MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency","@metamask/sdk-communication-layer",0.16.0,0.33.1,,MODERATE,CWE-506,
|
|
5551
5686
|
GHSA-qj3p-xc97-xw74,2025-09-15T13:55:56Z,"MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency",@metamask/sdk,0.16.0,0.33.1,,MODERATE,CWE-506,
|
|
5552
5687
|
GHSA-qj3p-xc97-xw74,2025-09-15T13:55:56Z,"MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency",@metamask/sdk-react,0.16.0,0.33.1,,MODERATE,CWE-506,
|
|
5688
|
+
GHSA-qj77-c3c8-9c3q,2026-02-17T16:44:11Z,"OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating",openclaw,0,2026.2.2,,HIGH,CWE-78,
|
|
5553
5689
|
GHSA-qjfh-xc44-rm9x,2020-09-03T16:49:43Z,"Path Traversal in file-static-server",file-static-server,0.0.0,,,HIGH,CWE-22,
|
|
5554
5690
|
GHSA-qm4q-f956-fg64,2020-09-03T17:39:13Z,"Malicious Package in luna-mock",luna-mock,0.0.0,,,CRITICAL,CWE-506,
|
|
5555
5691
|
GHSA-qm7x-rc44-rrqw,2021-11-08T18:07:42Z,"Cross-site Scripting Vulnerability in GraphQL Playground (distributed by Apollo Server)",apollo-server,2.0.0,2.25.3,,HIGH,CWE-79,
|
|
@@ -5563,8 +5699,10 @@ GHSA-qrg3-f6h6-vq8q,2020-08-19T22:15:57Z,"Denial of Service in https-proxy-agent
|
|
|
5563
5699
|
GHSA-qrmm-w75w-3wpx,2021-12-09T19:08:38Z,"Server side request forgery in SwaggerUI",swagger-ui,0,4.1.3,,MODERATE,CWE-918,
|
|
5564
5700
|
GHSA-qrmm-w75w-3wpx,2021-12-09T19:08:38Z,"Server side request forgery in SwaggerUI",swagger-ui-dist,0,4.1.3,,MODERATE,CWE-918,
|
|
5565
5701
|
GHSA-qrmm-w75w-3wpx,2021-12-09T19:08:38Z,"Server side request forgery in SwaggerUI",swagger-ui-react,0,4.1.3,,MODERATE,CWE-918,
|
|
5702
|
+
GHSA-qrq5-wjgg-rvqw,2026-02-17T21:39:24Z,"OpenClaw has a Path Traversal in Plugin Installation",openclaw,2026.1.20,2026.2.1,,CRITICAL,CWE-22,
|
|
5566
5703
|
GHSA-qv2g-99x4-45x6,2021-01-29T18:12:07Z,"Malicious npm package: discord-fix",discord-fix,0.0.0,,,CRITICAL,CWE-506,
|
|
5567
5704
|
GHSA-qv78-398w-cxp7,2020-09-11T21:08:19Z,"Malicious Package in shrugging-logging",shrugging-logging,0,,,CRITICAL,CWE-506,
|
|
5705
|
+
GHSA-qw99-grcx-4pvm,2026-02-17T17:09:43Z,"OpenClaw's Chrome extension relay binds publicly due to wildcard treated as loopback",openclaw,2026.1.14-1,2026.2.12,,MODERATE,CWE-284,
|
|
5568
5706
|
GHSA-qx4v-6gc5-f2vv,2019-06-20T14:32:56Z,"Regular Expression Denial of Service",esm,0,3.1.0,,MODERATE,CWE-400,
|
|
5569
5707
|
GHSA-qxrj-x7rm-2h49,2020-09-03T17:05:59Z,"Malicious Package in dhkey",dhkey,0.0.0,,,CRITICAL,CWE-506,
|
|
5570
5708
|
GHSA-r2c6-8jc8-g32w,2026-02-02T00:30:23Z,"Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl",clawdbot,0,2026.1.29,,HIGH,CWE-669,
|
|
@@ -5582,6 +5720,8 @@ GHSA-r4m5-47cq-6qg8,2020-09-04T17:25:13Z,"Server-Side Request Forgery in ftp-srv
|
|
|
5582
5720
|
GHSA-r4m5-47cq-6qg8,2020-09-04T17:25:13Z,"Server-Side Request Forgery in ftp-srv",ftp-srv,3.0.0,3.1.2,,HIGH,CWE-918,
|
|
5583
5721
|
GHSA-r4m5-47cq-6qg8,2020-09-04T17:25:13Z,"Server-Side Request Forgery in ftp-srv",ftp-srv,4.0.0,4.3.4,,HIGH,CWE-918,
|
|
5584
5722
|
GHSA-r587-7jh2-4qr3,2020-08-26T19:32:50Z,"Server secret was included in static assets and served to clients",flood,2.0.0,3.0.0,,CRITICAL,,
|
|
5723
|
+
GHSA-r5fq-947m-xm57,2026-02-19T20:45:58Z,"OpenClaw has a path traversal in apply_patch could write/delete files outside the workspace",openclaw,0,2026.2.14,,HIGH,CWE-22,
|
|
5724
|
+
GHSA-r5h9-vjqc-hq3r,2026-02-17T21:36:15Z,"Nextcloud Talk allowlist bypass via actor.name display name spoofing",@openclaw/nextcloud-talk,0,2026.2.6,,CRITICAL,CWE-290,
|
|
5585
5725
|
GHSA-r5w7-f542-q2j4,2025-01-28T20:37:26Z,"Potential DoS when using ContextLines integration","@sentry/google-cloud-serverless",8.10.0,8.49.0,,LOW,CWE-774,
|
|
5586
5726
|
GHSA-r5w7-f542-q2j4,2025-01-28T20:37:26Z,"Potential DoS when using ContextLines integration",@sentry/astro,8.10.0,8.49.0,,LOW,CWE-774,
|
|
5587
5727
|
GHSA-r5w7-f542-q2j4,2025-01-28T20:37:26Z,"Potential DoS when using ContextLines integration",@sentry/aws-serverless,8.10.0,8.49.0,,LOW,CWE-774,
|
|
@@ -5610,9 +5750,13 @@ GHSA-rjhc-w3fj-j6x9,2020-09-03T17:32:45Z,"Malicious Package in alipayjsapi",alip
|
|
|
5610
5750
|
GHSA-rjvj-673q-4hfw,2020-09-04T17:54:31Z,"Command Injection in traceroute",traceroute,0.0.0,,,CRITICAL,CWE-77,
|
|
5611
5751
|
GHSA-rm7c-x424-g2mw,2020-09-02T18:36:31Z,"Malicious Package in asyync",asyync,0,,,CRITICAL,CWE-506,
|
|
5612
5752
|
GHSA-rmmc-8cqj-hfp3,2020-09-03T18:24:43Z,"Authentication Bypass in otpauth",otpauth,0,3.2.8,,HIGH,CWE-287,
|
|
5753
|
+
GHSA-rmxw-jxxx-4cpc,2026-02-17T21:34:17Z,"OpenClaw has a Matrix allowlist bypass via displayName and cross-homeserver localpart matching",openclaw,2026.1.14-1,2026.2.2,,MODERATE,CWE-290,
|
|
5754
|
+
GHSA-rq6g-px6m-c248,2026-02-18T00:54:14Z,"OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting",clawdbot,0,,2026.1.24-3,HIGH,CWE-284;CWE-639,
|
|
5755
|
+
GHSA-rq6g-px6m-c248,2026-02-18T00:54:14Z,"OpenClaw Google Chat shared-path webhook target ambiguity allowed cross-account policy-context misrouting",openclaw,0,2026.2.14,,HIGH,CWE-284;CWE-639,
|
|
5613
5756
|
GHSA-rqgv-292v-5qgr,2024-04-23T16:21:09Z,"Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases",renovate,37.158.0,37.199.0,,MODERATE,CWE-78,
|
|
5614
5757
|
GHSA-rrqv-vjrw-hrcr,2021-05-26T19:59:19Z,"Arbitrary Code Execution in json-ptr",json-ptr,0,2.1.0,,HIGH,CWE-74,
|
|
5615
5758
|
GHSA-rrvm-gqq8-q2wx,2020-09-03T21:05:26Z,"Malicious Package in require-port",require-port,0.0.0,,,CRITICAL,CWE-506,
|
|
5759
|
+
GHSA-rv39-79c4-7459,2026-02-17T16:37:04Z,"OpenClaw's gateway connect could skip device identity checks when auth.token was present but not yet validated",openclaw,0,2026.2.2,,CRITICAL,CWE-306,
|
|
5616
5760
|
GHSA-rv49-54qp-fw42,2019-06-06T15:30:20Z,"Path Traversal in servey",servey,0,3.1.0,,MODERATE,CWE-22,
|
|
5617
5761
|
GHSA-rv6q-p3x7-43fx,2020-09-04T16:37:50Z,"Malicious Package in bitcoimjs-lib",bitcoimjs-lib,0.0.0,,,CRITICAL,CWE-506,
|
|
5618
5762
|
GHSA-rvg8-pwq2-xj7q,2020-09-01T20:42:44Z,"Out-of-bounds Read in base64url",base64url,0,3.0.0,,MODERATE,CWE-125,
|
|
@@ -5620,14 +5764,17 @@ GHSA-rvww-x6m4-4vc2,2020-09-11T21:12:39Z,"Malicious Package in blubird",blubird,
|
|
|
5620
5764
|
GHSA-rw4r-h883-8pf9,2020-09-02T20:30:02Z,"Malicious Package in reequest",reequest,0,,,CRITICAL,CWE-506,
|
|
5621
5765
|
GHSA-rw53-q8x7-ccx8,2020-09-03T21:55:17Z,"Malicious Package in buffer-xkr",buffer-xkr,0.0.0,,,CRITICAL,CWE-506,
|
|
5622
5766
|
GHSA-rwcq-qpm6-7867,2020-09-03T17:04:32Z,"Malicious Package in riped160",riped160,0.0.0,,,CRITICAL,CWE-506,
|
|
5767
|
+
GHSA-rwj8-p9vq-25gv,2026-02-18T17:44:58Z,"OpenClaw has a LFI in BlueBubbles media path handling",openclaw,0,2026.2.14,,HIGH,CWE-22,
|
|
5623
5768
|
GHSA-rwmv-c7v8-v9vf,2020-09-04T16:36:45Z,"Malicious Package in bitcoimd-rpc",bitcoimd-rpc,0.0.0,,,CRITICAL,CWE-506,
|
|
5624
5769
|
GHSA-v2p6-4mp7-3r9v,2019-06-14T16:26:22Z,"Regular Expression Denial of Service in underscore.string",underscore.string,0,3.3.5,,MODERATE,CWE-400,
|
|
5625
5770
|
GHSA-v3wr-67px-44xg,2022-03-03T19:11:14Z,"Execution with Unnecessary Privileges in arc-electron","@advanced-rest-client/base",0,0.1.10,,HIGH,,
|
|
5626
5771
|
GHSA-v45m-2wcp-gg98,2020-09-04T17:18:44Z,"Global node_modules Binary Overwrite in bin-links",bin-links,0,1.1.6,,LOW,,
|
|
5627
5772
|
GHSA-v4x8-gw49-7hv4,2020-09-03T20:37:42Z,"Path Traversal in swagger-injector",swagger-injector,0.0.0,,,CRITICAL,CWE-22,
|
|
5628
5773
|
GHSA-v66p-w7qx-wv98,2020-09-04T17:29:34Z,"Authentication Bypass in express-laravel-passport",express-laravel-passport,0.0.0,,,CRITICAL,CWE-287,
|
|
5774
|
+
GHSA-v6c6-vqqg-w888,2026-02-18T00:57:48Z,"OpenClaw affected by potential code execution via unsafe hook module path handling in Gateway",openclaw,2026.1.5,2026.2.14,,HIGH,CWE-22,
|
|
5629
5775
|
GHSA-v6cj-r88p-92rm,2019-09-30T19:31:59Z,"Buffer Overflow in centra",centra,0,2.4.0,,HIGH,CWE-119,
|
|
5630
5776
|
GHSA-v6gv-fg46-h89j,2020-09-03T16:48:36Z,"Sensitive Data Exposure in put",put,0,,,LOW,CWE-200,
|
|
5777
|
+
GHSA-v773-r54f-q32w,2026-02-18T00:51:03Z,"OpenClaw Slack: dmPolicy=open allowed any DM sender to run privileged slash commands",openclaw,0,2026.2.14,,MODERATE,CWE-285,
|
|
5631
5778
|
GHSA-v78c-4p63-2j6c,2022-08-30T20:28:43Z,"Cleartext Transmission of Sensitive Information in moment-timezone",moment-timezone,0.1.0,0.5.35,,MODERATE,CWE-319,
|
|
5632
5779
|
GHSA-v7cp-5326-54fh,2020-09-03T16:45:15Z,"Path Traversal in bruteser",bruteser,0,0.1.0,,HIGH,CWE-22,
|
|
5633
5780
|
GHSA-v7x3-7hw7-pcjg,2019-10-21T16:02:33Z,"Renovate vulnerable to leakage of temporary repository tokens into Pull Request comments",renovate,13.87.0,19.38.7,,MODERATE,CWE-200,
|
|
@@ -5657,12 +5804,13 @@ GHSA-vpgc-7h78-gx8f,2020-09-04T18:05:14Z,"personnummer/js vulnerable to Improper
|
|
|
5657
5804
|
GHSA-vpj4-89q8-rh38,2020-09-03T18:16:59Z,"Cross-Site Scripting in bpmn-js-properties-panel",bpmn-js-properties-panel,0,0.31.0,,HIGH,CWE-79,
|
|
5658
5805
|
GHSA-vpq5-4rc8-c222,2019-06-05T14:10:45Z,"Denial of Service in canvas",canvas,0,1.6.10,,MODERATE,,
|
|
5659
5806
|
GHSA-vr6p-vq2p-6j74,2025-12-15T22:00:17Z,"Withdrawn Advisory: LikeC4 has RCE through vulnerable React and Next.js versions",likec4,0,,1.46.1,CRITICAL,CWE-502,
|
|
5807
|
+
GHSA-vrhm-gvg7-fpcf,2026-02-19T20:29:42Z," Memory exhaustion in SvelteKit remote form deserialization (experimental only)",@sveltejs/kit,2.49.0,2.52.2,,MODERATE,CWE-770,
|
|
5660
5808
|
GHSA-vrxj-4qhw-5vwq,2020-09-03T17:03:41Z,"Malicious Package in scryptys",scryptys,0.0.0,,,CRITICAL,CWE-506,
|
|
5661
5809
|
GHSA-vv52-3mrp-455m,2020-09-03T15:53:36Z,"Malicious Package in m-backdoor",m-backdoor,0.0.0,,,CRITICAL,CWE-506,
|
|
5662
5810
|
GHSA-vv7g-pjw9-4qj9,2020-09-03T17:03:56Z,"Malicious Package in scrytsy",scrytsy,0.0.0,,,CRITICAL,CWE-506,
|
|
5663
5811
|
GHSA-vvfh-mvjv-w38q,2020-09-04T15:28:19Z,"Malicious Package in babel-loadre",babel-loadre,0.0.0,,,CRITICAL,CWE-506,
|
|
5664
5812
|
GHSA-vw7g-jq9m-3q9v,2020-09-02T18:23:35Z,"Unauthorized File Access in glance",glance,0,3.0.7,,MODERATE,,
|
|
5665
|
-
GHSA-
|
|
5813
|
+
GHSA-vx5f-vmr6-32wf,2026-02-10T14:33:50Z,"cap-go/capacitor-native-biometric Authentication Bypass","@capgo/capacitor-native-biometric",0,8.3.6,,MODERATE,CWE-287,
|
|
5666
5814
|
GHSA-vx5w-cxch-wwc9,2020-09-03T19:02:27Z,"Path Traversal in f-serv",f-serv,0.0.0,,,CRITICAL,CWE-22,
|
|
5667
5815
|
GHSA-vxfp-qmpq-6826,2020-09-03T17:38:09Z,"Malicious Package in hpmm",hpmm,0.0.0,,,CRITICAL,CWE-506,
|
|
5668
5816
|
GHSA-vxp4-25qp-86qh,2017-10-24T18:33:36Z,"Moderate severity vulnerability that affects ember",ember,1.12.0,1.12.2,,MODERATE,,
|
|
@@ -5671,6 +5819,8 @@ GHSA-vxp4-25qp-86qh,2017-10-24T18:33:36Z,"Moderate severity vulnerability that a
|
|
|
5671
5819
|
GHSA-vxp4-25qp-86qh,2017-10-24T18:33:36Z,"Moderate severity vulnerability that affects ember",ember,2.0.0,2.0.3,,MODERATE,,
|
|
5672
5820
|
GHSA-vxp4-25qp-86qh,2017-10-24T18:33:36Z,"Moderate severity vulnerability that affects ember",ember,2.1.0,2.1.2,,MODERATE,,
|
|
5673
5821
|
GHSA-vxp4-25qp-86qh,2017-10-24T18:33:36Z,"Moderate severity vulnerability that affects ember",ember,2.2.0,2.2.1,,MODERATE,,
|
|
5822
|
+
GHSA-w2cg-vxx6-5xjg,2026-02-18T00:52:36Z,"OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks",clawdbot,0,,2026.1.24-3,MODERATE,CWE-400,
|
|
5823
|
+
GHSA-w2cg-vxx6-5xjg,2026-02-18T00:52:36Z,"OpenClaw: denial of service through large base64 media files allocating large buffers before limit checks",openclaw,0,2026.2.14,,MODERATE,CWE-400,
|
|
5674
5824
|
GHSA-w32g-5hqp-gg6q,2020-09-02T15:41:41Z,"Cross-Site Scripting in mermaid",mermaid,0,8.2.3,,HIGH,CWE-79,
|
|
5675
5825
|
GHSA-w37m-7fhw-fmv9,2025-12-11T22:49:56Z,"Next Server Actions Source Code Exposure ",next,15.0.0-canary.0,15.0.6,,MODERATE,CWE-1395;CWE-497;CWE-502,
|
|
5676
5826
|
GHSA-w37m-7fhw-fmv9,2025-12-11T22:49:56Z,"Next Server Actions Source Code Exposure ",next,15.1.1-canary.0,15.1.10,,MODERATE,CWE-1395;CWE-497;CWE-502,
|
|
@@ -5698,10 +5848,12 @@ GHSA-w42g-7vfc-xf37,2020-06-05T19:38:14Z,"Introspection in schema validation in
|
|
|
5698
5848
|
GHSA-w4hv-vmv9-hgcr,2024-02-16T19:29:31Z,"GitHub Security Lab (GHSL) Vulnerability Report, scrypted: `GHSL-2023-218`, `GHSL-2023-219`",@scrypted/core,0,,0.1.142,HIGH,,
|
|
5699
5849
|
GHSA-w4hv-vmv9-hgcr,2024-02-16T19:29:31Z,"GitHub Security Lab (GHSL) Vulnerability Report, scrypted: `GHSL-2023-218`, `GHSL-2023-219`",@scrypted/server,0,,0.56.0,HIGH,,
|
|
5700
5850
|
GHSA-w4vp-3mq7-7v82,2020-09-03T15:49:48Z,"Cross-Site Scripting in lazysizes",lazysizes,0,5.2.1-rc1,,HIGH,CWE-79,
|
|
5851
|
+
GHSA-w5c7-9qqw-6645,2026-02-18T00:56:51Z,"OpenClaw inter-session prompts could be treated as direct user instructions",openclaw,0,2026.2.13,,HIGH,CWE-345,
|
|
5852
|
+
GHSA-w5cr-2qhr-jqc5,2026-02-13T21:04:00Z,"Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site",agents,0,0.3.10,,MODERATE,CWE-79,
|
|
5701
5853
|
GHSA-w5q7-3pr9-x44w,2020-09-02T15:59:19Z,"Denial of Service in serialize-to-js",serialize-to-js,0,2.0.0,,HIGH,,
|
|
5702
5854
|
GHSA-w65v-hx54-xrqx,2020-09-03T17:41:23Z,"Malicious Package in midway-xtpl",midway-xtpl,0.0.0,,,CRITICAL,CWE-506,
|
|
5703
5855
|
GHSA-w725-67p7-xv22,2020-09-03T17:05:04Z,"Command Injection in local-devices",local-devices,0,3.0.0,,HIGH,CWE-77,
|
|
5704
|
-
GHSA-w7q7-vjp8-7jv4,2019-06-06T15:30:16Z,"SQL Injection in typeorm",typeorm,0,0.1.15,,
|
|
5856
|
+
GHSA-w7q7-vjp8-7jv4,2019-06-06T15:30:16Z,"SQL Injection in typeorm",typeorm,0,0.1.15,,CRITICAL,CWE-89,
|
|
5705
5857
|
GHSA-w7wg-24g3-2c78,2020-09-02T21:14:17Z,"Malicious Package in requset",requset,0,,,CRITICAL,CWE-506,
|
|
5706
5858
|
GHSA-w8fh-pvq2-x8c4,2021-01-29T18:11:20Z,"Malicious npm package: sonatype",sonatype,0.0.0,,,CRITICAL,CWE-506,
|
|
5707
5859
|
GHSA-w992-2gmj-9xxj,2020-09-11T21:23:29Z,"Cross-Site Scripting in swagger-ui",swagger-ui,0,2.2.1,,MODERATE,CWE-79,
|
|
@@ -5712,6 +5864,7 @@ GHSA-wch2-46wj-6x5j,2020-09-04T15:37:15Z,"Malicious Package in bip30",bip30,0.0.
|
|
|
5712
5864
|
GHSA-wfhx-6pcm-7m55,2020-09-03T16:46:22Z,"Path Traversal in ponse",ponse,0,2.0.2,,HIGH,CWE-22,
|
|
5713
5865
|
GHSA-wfjh-3hq2-r276,2020-09-03T19:56:48Z,"Malicious Package in node-spdy",node-spdy,0.0.0,,,CRITICAL,CWE-506,
|
|
5714
5866
|
GHSA-wfm2-rq5g-f8v5,2025-04-29T15:11:41Z,"@account-kit/smart-contracts Allowlist Module Bypass Vulnerability","@account-kit/smart-contracts",4.8.0,4.28.2,,MODERATE,CWE-288,
|
|
5867
|
+
GHSA-wfp2-v9c7-fh79,2026-02-17T21:30:48Z,"OpenClaw affected by SSRF via attachment/media URL hydration",openclaw,0,2026.2.2,,MODERATE,CWE-918,
|
|
5715
5868
|
GHSA-wfp9-vr4j-f49j,2019-06-04T20:04:27Z,"NoSQL Injection in sequelize",sequelize,0,4.12.0,,HIGH,CWE-89,
|
|
5716
5869
|
GHSA-wfrj-qqc2-83cm,2021-09-20T19:52:41Z,"Remote command injection when using sendmail email transport",ghost,0,4.15.0,,MODERATE,CWE-88,
|
|
5717
5870
|
GHSA-wg2x-rv86-mmpx,2024-01-19T22:07:47Z,"SPV Merkle proof malleability allows the maintainer to prove invalid transactions",@keep-network/tbtc-v2,0,1.5.2,,HIGH,,
|
|
@@ -5752,6 +5905,7 @@ GHSA-wxhq-pm8v-cw75,2019-06-05T20:50:16Z,"Regular Expression Denial of Service i
|
|
|
5752
5905
|
GHSA-wxj2-777f-vxmf,2024-01-03T18:30:51Z,"Duplicate Advisory: Cross-site scripting vulnerability in TinyMCE plugins",tinymce,0,,,MODERATE,CWE-79,
|
|
5753
5906
|
GHSA-wxrm-2h86-v95f,2020-09-03T21:04:20Z,"Malicious Package in pizza-pasta",pizza-pasta,0.0.0,,,CRITICAL,CWE-506,
|
|
5754
5907
|
GHSA-wxvm-fh75-mpgr,2018-07-26T16:24:34Z,"Critical severity vulnerability that affects dns-sync",dns-sync,0,0.1.1,,CRITICAL,,
|
|
5908
|
+
GHSA-x22m-j5qq-j49m,2026-02-18T17:45:12Z,"OpenClaw has two SSRF via sendMediaFeishu and markdown image fetching in Feishu extension",openclaw,0,2026.2.14,,HIGH,CWE-918,
|
|
5755
5909
|
GHSA-x39m-3393-3qp4,2025-11-14T20:56:02Z,"Flowise doesn't Prevent Bypass of Password Confirmation through Unverified Email Change (credentials)",flowise-ui,0,3.0.10,,HIGH,CWE-306;CWE-620,
|
|
5756
5910
|
GHSA-x3m6-rprw-862w,2020-09-03T17:43:31Z,"Malicious Package in node-buc",node-buc,0.0.0,,,CRITICAL,CWE-506,
|
|
5757
5911
|
GHSA-x3w4-mrmv-cw2x,2020-09-03T22:19:44Z,"Malicious Package in buffev-xor",buffev-xor,0.0.0,,,CRITICAL,CWE-506,
|
|
@@ -5771,6 +5925,7 @@ GHSA-x8m7-cv39-xmg9,2020-09-03T22:56:10Z,"Malicious Package in jq-sha3",jq-sha3,
|
|
|
5771
5925
|
GHSA-x9hc-rw35-f44h,2020-09-02T15:46:03Z,"Sandbox Breakout / Arbitrary Code Execution in static-eval",static-eval,0,2.0.2,,HIGH,CWE-94,
|
|
5772
5926
|
GHSA-x9p2-fxq6-2m5f,2019-06-20T14:33:07Z,"Reverse Tabnapping in swagger-ui",swagger-ui,0,3.18.0,,MODERATE,CWE-1022,
|
|
5773
5927
|
GHSA-xc7v-wxcw-j472,2019-06-03T17:08:26Z,"Memory Exposure in tunnel-agent",tunnel-agent,0,0.6.0,,MODERATE,CWE-200,
|
|
5928
|
+
GHSA-xc7w-v5x6-cc87,2026-02-17T17:14:00Z,"OpenClaw has a webhook auth bypass when gateway is behind a reverse proxy (loopback remoteAddress trust)",openclaw,0,2026.2.12,,MODERATE,CWE-306,
|
|
5774
5929
|
GHSA-xcgx-27q5-7634,2020-09-03T19:41:05Z,"Malicious Package in commanedr",commanedr,0.0.0,,,CRITICAL,CWE-506,
|
|
5775
5930
|
GHSA-xcxh-6cv4-q8p8,2025-08-12T00:13:03Z,"HFS user adding a ""web link"" in HFS is vulnerable to ""target=_blank"" exploit",hfs,0,0.57.10,,LOW,CWE-1022,
|
|
5776
5931
|
GHSA-xf5p-87ch-gxw2,2019-06-05T14:10:03Z,"Marked ReDoS due to email addresses being evaluated in quadratic time",marked,0.3.14,0.6.2,,MODERATE,CWE-400,
|
|
@@ -5795,6 +5950,7 @@ GHSA-xrr6-6ww3-f3qm,2020-09-02T21:25:58Z,"Sandbox Breakout / Arbitrary Code Exec
|
|
|
5795
5950
|
GHSA-xrrg-wfwc-c7r3,2020-09-04T15:33:52Z,"Malicious Package in bictoin-ops",bictoin-ops,0.0.0,,,CRITICAL,CWE-506,
|
|
5796
5951
|
GHSA-xv3q-jrmm-4fxv,2023-04-18T22:28:02Z,"Authentication Bypass in @strapi/plugin-users-permissions","@strapi/plugin-users-permissions",3.2.1,4.6.0,,HIGH,,
|
|
5797
5952
|
GHSA-xv56-3wq5-9997,2026-01-13T19:57:06Z,"Renovate vulnerable to arbitrary command injection via kustomize manager and malicious helm repository",renovate,39.218.0,40.33.0,,MODERATE,CWE-77,
|
|
5953
|
+
GHSA-xvhf-x56f-2hpp,2026-02-18T00:50:47Z,"OpenClaw exec approvals: safeBins could bypass stdin-only constraints via shell expansion",openclaw,0,2026.2.14,,MODERATE,CWE-78,
|
|
5798
5954
|
GHSA-xvp7-8vm8-xfxx,2025-10-20T17:55:59Z,"Actual Sync-server Gocardless service is logging sensitive data including bearer tokens and account numbers",@actual-app/sync-server,0,,25.10.0,MODERATE,CWE-209;CWE-219,
|
|
5799
5955
|
GHSA-xw79-hhv6-578c,2020-09-11T21:16:59Z,"Cross-Site Scripting in serve",serve,0,10.0.2,,HIGH,CWE-79,
|
|
5800
5956
|
GHSA-xwqw-rf2q-xmhf,2020-09-01T21:23:38Z,"Cross-Site Scripting in buefy",buefy,0,0.7.2,,HIGH,CWE-79,
|
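--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@openrewrite/recipes-nodejs",
-"version": "0.38.
+"version": "0.38.1",
 "license": "Moderne Source Available License",
 "description": "OpenRewrite recipes for Node.js library migrations.",
 "homepage": "https://github.com/moderneinc/rewrite-node",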