@openrewrite/recipes-nodejs 0.44.0 → 0.44.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -5401,6 +5401,7 @@ CVE-2026-33311,2026-03-19T17:49:28Z,"SVG Injection via Unsanitized Options in @d
|
|
|
5401
5401
|
CVE-2026-33311,2026-03-19T17:49:28Z,"SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials",@dicebear/initials,7.0.0,7.1.4,,MODERATE,CWE-79,
|
|
5402
5402
|
CVE-2026-33311,2026-03-19T17:49:28Z,"SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials",@dicebear/initials,8.0.0,8.0.3,,MODERATE,CWE-79,
|
|
5403
5403
|
CVE-2026-33311,2026-03-19T17:49:28Z,"SVG Injection via Unsanitized Options in @dicebear/core and @dicebear/initials",@dicebear/initials,9.0.0,9.4.1,,MODERATE,CWE-79,
|
|
5404
|
+
CVE-2026-33318,2026-04-23T21:23:38Z,"Actual has Privilege Escalation via 'change-password' Endpoint on OpenID-Migrated Servers",@actual-app/sync-server,0,26.4.0,,HIGH,CWE-284;CWE-862,
|
|
5404
5405
|
CVE-2026-33323,2026-03-19T18:21:18Z,"Parse Server email verification resend page leaks user existence",parse-server,0,8.6.51,,MODERATE,CWE-204,
|
|
5405
5406
|
CVE-2026-33323,2026-03-19T18:21:18Z,"Parse Server email verification resend page leaks user existence",parse-server,9.0.0,9.6.0-alpha.40,,MODERATE,CWE-204,
|
|
5406
5407
|
CVE-2026-33326,2026-03-19T18:37:42Z,"@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany (CVE-2025-46720 incomplete fix)",@keystone-6/core,0,6.5.2,,MODERATE,CWE-863,
|
|
@@ -5685,6 +5686,7 @@ CVE-2026-35442,2026-04-04T06:13:57Z,"Directus: Authenticated Users Can Extract C
|
|
|
5685
5686
|
CVE-2026-35515,2026-04-06T17:59:51Z,"@nestjs/core Improperly Neutralizes Special Elements in Output Used by a Downstream Component ('Injection')",@nestjs/core,0,11.1.18,,MODERATE,CWE-74,
|
|
5686
5687
|
CVE-2026-35525,2026-04-08T15:03:47Z,"LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates",liquidjs,0,10.25.3,,HIGH,CWE-61,
|
|
5687
5688
|
CVE-2026-35569,2026-04-16T20:44:18Z,"Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS",apostrophe,0,4.29.0,,HIGH,CWE-116;CWE-79,
|
|
5689
|
+
CVE-2026-35570,2026-04-21T15:16:16Z,"OpenClaude: Sandbox Bypass via Early-Exit Logic Flaw Allows Path Traversal ",@gitlawb/openclaude,0,0.5.1,,HIGH,CWE-22;CWE-284,
|
|
5688
5690
|
CVE-2026-35603,2026-04-17T22:19:38Z,"Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows","@anthropic-ai/claude-code",0,2.1.75,,MODERATE,CWE-426,
|
|
5689
5691
|
CVE-2026-35613,2026-04-08T00:06:03Z,"coursevault-preview has a path traversal due to improper base-directory boundary validation",coursevault-preview,0,0.1.1,,MODERATE,CWE-22,
|
|
5690
5692
|
CVE-2026-35617,2026-03-29T15:48:15Z,"OpenClaw: Google Chat Authz Bypass via Group Policy Rebinding with Mutable Space displayName",openclaw,0,2026.3.28,,LOW,CWE-639;CWE-807;CWE-863,
|
|
@@ -5737,6 +5739,7 @@ CVE-2026-35670,2026-03-26T19:08:16Z,"OpenClaw: Synology Chat reply delivery coul
|
|
|
5737
5739
|
CVE-2026-3635,2026-03-25T19:32:28Z,"fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host from Untrusted Connections",fastify,0,5.8.3,,MODERATE,CWE-348,
|
|
5738
5740
|
CVE-2026-39313,2026-04-16T20:44:32Z,"MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport",mcp-framework,0,0.2.22,,HIGH,CWE-770,
|
|
5739
5741
|
CVE-2026-39315,2026-04-09T20:28:05Z,"Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()",unhead,0,2.1.13,,MODERATE,CWE-184,
|
|
5742
|
+
CVE-2026-39320,2026-04-21T17:17:00Z,"Signal K Server has an Unauthenticated Regular Expression Denial of Service (ReDoS) via WebSocket Subscription Paths",signalk-server,0,2.25.0,,HIGH,CWE-1333;CWE-400,
|
|
5740
5743
|
CVE-2026-39321,2026-04-08T00:07:10Z,"Parse Server has a login timing side-channel reveals user existence",parse-server,0,8.6.74,,MODERATE,CWE-208,
|
|
5741
5744
|
CVE-2026-39321,2026-04-08T00:07:10Z,"Parse Server has a login timing side-channel reveals user existence",parse-server,9.0.0,9.8.0-alpha.6,,MODERATE,CWE-208,
|
|
5742
5745
|
CVE-2026-39356,2026-04-08T00:14:58Z,"Drizzle ORM has SQL injection via improperly escaped SQL identifiers",drizzle-orm,0,0.45.2,,HIGH,CWE-89,
|
|
@@ -5764,6 +5767,7 @@ CVE-2026-39412,2026-04-08T15:04:39Z,"LiquidJS: ownPropertyOnly bypass via sort_n
|
|
|
5764
5767
|
CVE-2026-3965,2026-03-12T00:31:17Z,"@whyour/qinglong: manipulation of the argument command leads to protection mechanism failure",@whyour/qinglong,0,2.20.2,,LOW,CWE-693,
|
|
5765
5768
|
CVE-2026-39857,2026-04-16T20:45:15Z,"ApostropheCMS: Information Disclosure via choices/counts Query Parameters Bypassing publicApiProjection Field Restrictions",apostrophe,0,4.29.0,,MODERATE,CWE-200,
|
|
5766
5769
|
CVE-2026-39859,2026-04-08T15:04:44Z,"LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read",liquidjs,0,10.25.5,,MODERATE,CWE-22,
|
|
5770
|
+
CVE-2026-39861,2026-04-21T18:51:21Z,"Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace","@anthropic-ai/claude-code",0,2.1.64,,HIGH,CWE-22;CWE-61,
|
|
5767
5771
|
CVE-2026-39865,2026-04-08T15:51:48Z,"Axios HTTP/2 Session Cleanup State Corruption Vulnerability",axios,1.13.0,1.13.2,,MODERATE,CWE-400,
|
|
5768
5772
|
CVE-2026-39884,2026-04-14T22:32:15Z,"MCP Server Kubernetes has an Argument Injection in port_forward tool via space-splitting",mcp-server-kubernetes,0,3.5.0,,HIGH,CWE-88,
|
|
5769
5773
|
CVE-2026-39885,2026-04-08T19:22:53Z,"mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications",@frontmcp/adapters,0,1.0.4,,HIGH,CWE-918,
|
|
@@ -5774,8 +5778,10 @@ CVE-2026-39943,2026-04-04T06:12:07Z,"Directus: Sensitive fields exposed in revis
|
|
|
5774
5778
|
CVE-2026-39974,2026-04-08T19:53:48Z,"n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode",n8n-mcp,0,2.47.4,,HIGH,CWE-918,
|
|
5775
5779
|
CVE-2026-39983,2026-04-08T20:02:25Z,"basic-ftp has FTP Command Injection via CRLF",basic-ftp,5.2.0,5.2.1,,HIGH,CWE-93,
|
|
5776
5780
|
CVE-2026-40037,2026-04-09T17:37:08Z,"OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects",openclaw,0,2026.4.8,,HIGH,CWE-345,
|
|
5781
|
+
CVE-2026-40045,2026-04-07T18:16:06Z,"OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://",openclaw,0,2026.4.2,,MODERATE,CWE-200,
|
|
5777
5782
|
CVE-2026-40073,2026-04-10T17:24:31Z,"@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass",@sveltejs/kit,0,2.57.1,,HIGH,CWE-770,
|
|
5778
5783
|
CVE-2026-40074,2026-04-10T17:32:00Z,"@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service",@sveltejs/kit,0,2.57.1,,MODERATE,CWE-755,
|
|
5784
|
+
CVE-2026-40155,2026-04-21T15:21:46Z,"Auth0 Next.js SDK has Improper Proxy Cache Lookup",@auth0/nextjs-auth0,4.12.0,4.18.0,,MODERATE,CWE-362;CWE-863,
|
|
5779
5785
|
CVE-2026-40163,2026-04-10T19:30:27Z,"Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read",@saltcorn/server,0,1.4.5,,HIGH,CWE-22,
|
|
5780
5786
|
CVE-2026-40163,2026-04-10T19:30:27Z,"Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read",@saltcorn/server,1.5.0-beta.0,1.5.5,,HIGH,CWE-22,
|
|
5781
5787
|
CVE-2026-40163,2026-04-10T19:30:27Z,"Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read",@saltcorn/server,1.6.0-alpha.0,1.6.0-beta.4,,HIGH,CWE-22,
|
|
@@ -5800,8 +5806,52 @@ CVE-2026-40931,2026-04-17T21:32:59Z,"Complete Bypass of CVE-2026-24884 Patch via
|
|
|
5800
5806
|
CVE-2026-40931,2026-04-17T21:32:59Z,"Complete Bypass of CVE-2026-24884 Patch via Git-Delivered Symlink Poisoning in compressing",compressing,2.0.0,2.1.1,,HIGH,CWE-59,
|
|
5801
5807
|
CVE-2026-40933,2026-04-16T21:18:17Z,"Flowise: Authenticated RCE Via MCP Adapters",flowise,0,3.1.0,,CRITICAL,CWE-78,
|
|
5802
5808
|
CVE-2026-40933,2026-04-16T21:18:17Z,"Flowise: Authenticated RCE Via MCP Adapters",flowise-components,0,3.1.0,,CRITICAL,CWE-78,
|
|
5809
|
+
CVE-2026-41067,2026-04-21T20:39:49Z,"Astro: XSS in define:vars via incomplete </script> tag sanitization",astro,0,6.1.6,,MODERATE,CWE-79,
|
|
5810
|
+
CVE-2026-41139,2026-04-10T22:10:49Z,"mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes",mathjs,13.1.0,15.2.0,,HIGH,CWE-915,
|
|
5811
|
+
CVE-2026-41238,2026-04-22T17:31:32Z,"DOMPurify: Prototype Pollution to XSS Bypass via CUSTOM_ELEMENT_HANDLING Fallback",dompurify,3.0.1,3.4.0,,MODERATE,CWE-1321;CWE-79,
|
|
5812
|
+
CVE-2026-41239,2026-04-22T17:32:54Z,"DOMPurify has a SAFE_FOR_TEMPLATES bypass in RETURN_DOM mode",dompurify,1.0.10,3.4.0,,MODERATE,CWE-1289;CWE-79,
|
|
5813
|
+
CVE-2026-41240,2026-04-22T17:34:17Z,"DOMPurify: FORBID_TAGS bypassed by function-based ADD_TAGS predicate (asymmetry with FORBID_ATTR fix)",dompurify,0,3.4.0,,MODERATE,CWE-183;CWE-79,
|
|
5803
5814
|
CVE-2026-41242,2026-04-16T22:34:57Z,"Arbitrary code execution in protobufjs",protobufjs,0,7.5.5,,CRITICAL,CWE-94,
|
|
5804
5815
|
CVE-2026-41242,2026-04-16T22:34:57Z,"Arbitrary code execution in protobufjs",protobufjs,8.0.0,8.0.1,,CRITICAL,CWE-94,
|
|
5816
|
+
CVE-2026-41264,2026-04-21T20:19:52Z,"Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability",flowise,0,3.1.0,,CRITICAL,CWE-184,
|
|
5817
|
+
CVE-2026-41264,2026-04-21T20:19:52Z,"Flowise: CSV Agent Prompt Injection Remote Code Execution Vulnerability",flowise-components,0,3.1.0,,CRITICAL,CWE-184,
|
|
5818
|
+
CVE-2026-41294,2026-04-01T00:02:42Z,"OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover",openclaw,0,2026.3.28,,CRITICAL,CWE-426,
|
|
5819
|
+
CVE-2026-41295,2026-04-07T18:15:41Z,"OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup",openclaw,0,2026.4.2,,MODERATE,CWE-829,
|
|
5820
|
+
CVE-2026-41296,2026-04-03T03:14:16Z,"OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile",openclaw,0,2026.3.31,,CRITICAL,CWE-367,
|
|
5821
|
+
CVE-2026-41297,2026-04-07T18:10:45Z,"OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection",openclaw,0,2026.3.31,,MODERATE,CWE-918,
|
|
5822
|
+
CVE-2026-41298,2026-04-07T18:15:37Z,"OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill",openclaw,0,2026.4.2,,MODERATE,CWE-269,
|
|
5823
|
+
CVE-2026-41299,2026-03-31T23:57:51Z,"OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing",openclaw,0,2026.3.28,,HIGH,CWE-290;CWE-807,
|
|
5824
|
+
CVE-2026-41300,2026-04-03T03:26:14Z,"OpenClaw: Endpoint persists after trust decline, leaking gateway credentials",openclaw,0,2026.3.31,,MODERATE,CWE-670,
|
|
5825
|
+
CVE-2026-41301,2026-04-07T18:14:39Z,"OpenClaw: Forged Nostr DMs could create pairing state before signature verification",openclaw,2026.3.22,2026.3.31,,MODERATE,CWE-347,
|
|
5826
|
+
CVE-2026-41302,2026-04-02T21:22:56Z,"OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery",openclaw,0,2026.3.31,,MODERATE,CWE-918,
|
|
5827
|
+
CVE-2026-41303,2026-03-31T23:52:38Z,"OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals",openclaw,0,2026.3.28,,HIGH,CWE-863,
|
|
5828
|
+
CVE-2026-41305,2026-04-24T15:31:42Z,"PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",postcss,0,8.5.10,,MODERATE,CWE-79,
|
|
5829
|
+
CVE-2026-41311,2026-04-24T15:34:00Z,"liquidjs has a Denial of Service via circular block reference in layout",liquidjs,0,10.25.7,,HIGH,CWE-674,
|
|
5830
|
+
CVE-2026-41321,2026-04-23T21:52:03Z,"Cloudflare has SSRF via redirect following through its image-binding-transform endpoint (incomplete fix for GHSA-qpr4)",@astrojs/cloudflare,0,13.1.10,,LOW,CWE-918,
|
|
5831
|
+
CVE-2026-41322,2026-04-23T14:36:03Z,"Astro: Cache Poisoning due to incorrect error handling when if-match header is malformed ",@astrojs/node,0,10.0.5,,MODERATE,CWE-525,
|
|
5832
|
+
CVE-2026-41329,2026-04-02T20:59:29Z,"OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation",openclaw,0,2026.3.31,,CRITICAL,CWE-863,
|
|
5833
|
+
CVE-2026-41330,2026-04-03T02:57:00Z,"OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls",openclaw,0,2026.3.31,,MODERATE,CWE-269,
|
|
5834
|
+
CVE-2026-41331,2026-04-03T03:15:56Z,"OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders",openclaw,0,2026.3.31,,MODERATE,CWE-770,
|
|
5835
|
+
CVE-2026-41495,2026-04-23T14:31:46Z,"n8n-MCP Logs Sensitive Request Data on Unauthorized /mcp Requests",n8n-mcp,0,2.47.11,,MODERATE,CWE-532,
|
|
5836
|
+
CVE-2026-41591,2026-04-22T19:55:51Z,"Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping",@marko/runtime-tags,0,6.0.164,,MODERATE,CWE-79,
|
|
5837
|
+
CVE-2026-41591,2026-04-22T19:55:51Z,"Marko: XSS via case-insensitive script/style closing tag bypass in runtime HTML escaping",marko,0,5.38.36,,MODERATE,CWE-79,
|
|
5838
|
+
CVE-2026-41640,2026-04-22T20:09:02Z,"@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading",@nocobase/database,0,2.0.39,,HIGH,CWE-89,
|
|
5839
|
+
CVE-2026-41641,2026-04-22T20:07:11Z,"@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call","@nocobase/plugin-collection-sql",0,2.0.39,,HIGH,CWE-89;CWE-284,
|
|
5840
|
+
CVE-2026-41650,2026-04-22T20:04:17Z,"fast-xml-parser XMLBuilder: XML Comment and CDATA Injection via Unescaped Delimiters",fast-xml-parser,0,5.7.0,,MODERATE,CWE-91,
|
|
5841
|
+
CVE-2026-41672,2026-04-22T20:16:07Z,"xmldom has XML node injection through unvalidated comment serialization",@xmldom/xmldom,0,0.8.13,,HIGH,CWE-91,
|
|
5842
|
+
CVE-2026-41672,2026-04-22T20:16:07Z,"xmldom has XML node injection through unvalidated comment serialization",@xmldom/xmldom,0.9.0,0.9.10,,HIGH,CWE-91,
|
|
5843
|
+
CVE-2026-41672,2026-04-22T20:16:07Z,"xmldom has XML node injection through unvalidated comment serialization",xmldom,0,,0.6.0,HIGH,CWE-91,
|
|
5844
|
+
CVE-2026-41673,2026-04-22T20:23:57Z,"xmldom: Uncontrolled recursion in XML serialization leads to DoS",@xmldom/xmldom,0,0.8.13,,HIGH,CWE-674,
|
|
5845
|
+
CVE-2026-41673,2026-04-22T20:23:57Z,"xmldom: Uncontrolled recursion in XML serialization leads to DoS",@xmldom/xmldom,0.9.0,0.9.10,,HIGH,CWE-674,
|
|
5846
|
+
CVE-2026-41673,2026-04-22T20:23:57Z,"xmldom: Uncontrolled recursion in XML serialization leads to DoS",xmldom,0,,0.6.0,HIGH,CWE-674,
|
|
5847
|
+
CVE-2026-41674,2026-04-22T20:19:12Z,"xmldom has XML injection through unvalidated DocumentType serialization",@xmldom/xmldom,0,0.8.13,,HIGH,CWE-91,
|
|
5848
|
+
CVE-2026-41674,2026-04-22T20:19:12Z,"xmldom has XML injection through unvalidated DocumentType serialization",@xmldom/xmldom,0.9.0,0.9.10,,HIGH,CWE-91,
|
|
5849
|
+
CVE-2026-41674,2026-04-22T20:19:12Z,"xmldom has XML injection through unvalidated DocumentType serialization",xmldom,0,,0.6.0,HIGH,CWE-91,
|
|
5850
|
+
CVE-2026-41675,2026-04-22T20:17:58Z,"xmldom has XML node injection through unvalidated processing instruction serialization",@xmldom/xmldom,0,0.8.13,,HIGH,CWE-91,
|
|
5851
|
+
CVE-2026-41675,2026-04-22T20:17:58Z,"xmldom has XML node injection through unvalidated processing instruction serialization",@xmldom/xmldom,0.9.0,0.9.10,,HIGH,CWE-91,
|
|
5852
|
+
CVE-2026-41675,2026-04-22T20:17:58Z,"xmldom has XML node injection through unvalidated processing instruction serialization",xmldom,0,,0.6.0,HIGH,CWE-91,
|
|
5853
|
+
CVE-2026-41683,2026-04-22T20:25:49Z,"i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header",i18next-http-middleware,0,3.9.3,,HIGH,CWE-113;CWE-79,
|
|
5854
|
+
CVE-2026-41900,2026-04-23T21:46:07Z,"OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment",openlearnx,0,2.0.3,,HIGH,"CWE-250;CWE-284;CWE-693;CWE-78;CWE-94",
|
|
5805
5855
|
CVE-2026-4258,2026-03-17T06:31:32Z,"sjcl is missing point-on-curve validation in sjcl.ecc.basicKey.publicKey",sjcl,0,1.0.9,,HIGH,CWE-325;CWE-347,
|
|
5806
5856
|
CVE-2026-4598,2026-03-23T06:30:29Z,"jsrsasign is vulnerable to DoS through Infinite Loop when processing zero or negative inputs",jsrsasign,0,11.1.1,,HIGH,CWE-835,
|
|
5807
5857
|
CVE-2026-4599,2026-03-23T06:30:29Z,"jsrsasign: Incomplete Comparison Allows DSA Private Key Recovery via Biased Nonce Generation",jsrsasign,7.0.0,11.1.1,,CRITICAL,CWE-1023,
|
|
@@ -5831,6 +5881,7 @@ CVE-2026-6216,2026-04-13T21:30:45Z,"DbGate has cross site scripting via the SVG
|
|
|
5831
5881
|
CVE-2026-6270,2026-04-16T22:29:04Z,"@fastify/middie vulnerable to middleware authentication bypass in child plugin scopes",@fastify/middie,0,9.3.2,,CRITICAL,CWE-436,
|
|
5832
5882
|
CVE-2026-6410,2026-04-16T22:34:30Z,"@fastify/static vulnerable to path traversal in directory listing",@fastify/static,8.0.0,9.1.1,,MODERATE,CWE-22,
|
|
5833
5883
|
CVE-2026-6414,2026-04-16T22:34:03Z,"@fastify/static vulnerable to route guard bypass via encoded path separators",@fastify/static,8.0.0,9.1.1,,MODERATE,CWE-177,
|
|
5884
|
+
CVE-2026-6594,2026-04-20T03:34:41Z,"Deep Merge is Vulnerable to Prototype Pollution Through Lack of Sanitization",@brikcss/merge,0,,1.3.1,MODERATE,CWE-1321;CWE-94,
|
|
5834
5885
|
GHSA-224h-p7p5-rh85,2020-09-01T17:32:26Z,"Directory Traversal in wenluhong1",wenluhong1,0.0.0,,,HIGH,CWE-22,
|
|
5835
5886
|
GHSA-224p-v68g-5g8f,2025-08-26T18:45:55Z,"GraphQL Armor Max-Depth Plugin Bypass via fragment caching","@escape.tech/graphql-armor-max-depth",0,2.4.2,,MODERATE,CWE-400,
|
|
5836
5887
|
GHSA-226w-6hhj-69hp,2020-09-03T19:06:52Z,"Malicious Package in cal_rd",cal_rd,0.0.0,,,CRITICAL,CWE-506,
|
|
@@ -5869,6 +5920,7 @@ GHSA-2c83-wfv3-q25f,2021-09-07T23:07:56Z,"Improper Neutralization of Special Ele
|
|
|
5869
5920
|
GHSA-2cf5-4w76-r9qv,2020-09-04T14:57:38Z,"Arbitrary Code Execution in handlebars",handlebars,0,3.0.8,,HIGH,CWE-94,
|
|
5870
5921
|
GHSA-2cf5-4w76-r9qv,2020-09-04T14:57:38Z,"Arbitrary Code Execution in handlebars",handlebars,4.0.0,4.5.2,,HIGH,CWE-94,
|
|
5871
5922
|
GHSA-2ch6-x3g4-7759,2026-03-03T23:19:46Z,"OpenClaw's commands.allowFrom sender authorization accepted conversation identifiers via ctx.From",openclaw,0,2026.2.23,,HIGH,CWE-639,
|
|
5923
|
+
GHSA-2cjr-5v3h-v2w4,2026-04-22T22:05:28Z,"Evolver has Prototype Pollution via `Object.assign()` in its mailbox store operations",@evomap/evolver,0,1.69.3,,MODERATE,CWE-1321,
|
|
5872
5924
|
GHSA-2cq5-mf3v-mx44,2026-04-17T22:16:04Z,"OpenClaw: busybox and toybox applet execution weakened exec approval binding",openclaw,2026.2.23,2026.4.12,,HIGH,CWE-863,
|
|
5873
5925
|
GHSA-2cwr-f5hx-gg3w,2026-03-19T03:30:57Z,"Duplicate Advisory: OpenClaw: stageSandboxMedia destination symlink traversal can overwrite files outside sandbox workspace",openclaw,0,,2026.3.1,MODERATE,CWE-59,
|
|
5874
5926
|
GHSA-2f7j-rp58-mr42,2026-04-07T18:15:44Z,"OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients",openclaw,0,2026.4.2,,MODERATE,CWE-200,
|
|
@@ -5892,7 +5944,7 @@ GHSA-2p62-c4rm-mr72,2020-09-01T19:44:57Z,"Malicious Package in another-date-pick
|
|
|
5892
5944
|
GHSA-2p99-6f47-8x9j,2020-09-02T18:38:39Z,"Malicious Package in asnc",asnc,0,,,CRITICAL,CWE-506,
|
|
5893
5945
|
GHSA-2pr6-76vf-7546,2019-06-05T14:35:29Z,"Denial of Service in js-yaml",js-yaml,0,3.13.0,,MODERATE,CWE-400,
|
|
5894
5946
|
GHSA-2qqc-p94c-hxwh,2026-04-16T21:22:00Z,"Flowise: Weak Default Express Session Secret",flowise,0,3.1.0,,MODERATE,CWE-798,
|
|
5895
|
-
GHSA-
|
|
5947
|
+
GHSA-2r2p-4cgf-hv7h,2026-04-22T14:52:03Z,"engram: HTTP server CORS wildcard + auth-off-by-default enables CSRF graph exfiltration and persistent indirect prompt injection",engramx,0,2.0.2,,HIGH,"CWE-1188;CWE-306;CWE-352;CWE-942",
|
|
5896
5948
|
GHSA-2r8f-2665-3gxq,2020-09-02T21:36:36Z,"Malicious Package in froever",froever,0,,,CRITICAL,CWE-506,
|
|
5897
5949
|
GHSA-2rqg-gjgv-84jm,2026-03-13T20:55:30Z,"OpenClaw: Gateway `agent` calls could override the workspace boundary",openclaw,0,2026.3.11,,HIGH,CWE-668,
|
|
5898
5950
|
GHSA-2vqq-jgxx-fxjc,2020-09-11T21:24:33Z,"Malicious Package in motiv.scss",motiv.scss,0.4.20,0.4.21,,CRITICAL,CWE-506,
|
|
@@ -6106,6 +6158,7 @@ GHSA-5f7h-p83x-5vc2,2026-04-10T00:30:29Z,"Duplicate Advisory: OpenClaw: Nextclou
|
|
|
6106
6158
|
GHSA-5f7m-mmpc-qhh4,2019-05-23T09:27:00Z,"mysql Node.JS Module Vulnerable to Remote Memory Exposure",mysql,2.0.0-alpha8,2.14.0,,MODERATE,CWE-201,
|
|
6107
6159
|
GHSA-5fc7-f62m-8983,2026-04-09T17:36:29Z,"OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix)",openclaw,0,2026.4.8,,LOW,CWE-732,
|
|
6108
6160
|
GHSA-5ff8-jcf9-fw62,2020-09-04T17:55:35Z,"Cross-Site Scripting in markdown-it-katex",markdown-it-katex,0.0.0,,,HIGH,CWE-79,
|
|
6161
|
+
GHSA-5fgg-jcpf-8jjw,2026-04-22T17:40:47Z,"i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters",i18next-http-middleware,0,3.9.3,,HIGH,CWE-1321;CWE-22,
|
|
6109
6162
|
GHSA-5fm9-jmv7-fcx5,2020-09-02T18:35:26Z,"Malicious Package in asynnc",asynnc,0,,,CRITICAL,CWE-506,
|
|
6110
6163
|
GHSA-5fp6-4xw3-xqq3,2023-06-12T18:37:31Z,"@keystone-6/core's bundled cuid package known to be insecure",@keystone-6/core,0,,5.3.1,LOW,,
|
|
6111
6164
|
GHSA-5fw2-mwhh-9947,2026-04-17T21:35:14Z,"Flowise: Unauthenticated TTS endpoint accepts arbitrary credential IDs — enables API credit abuse via stored credentials",flowise,0,3.1.0,,HIGH,CWE-639,
|
|
@@ -6117,7 +6170,6 @@ GHSA-5gqg-mqh5-2v39,2026-03-19T03:30:57Z,"Duplicate Advisory: OpenClaw Windows S
|
|
|
6117
6170
|
GHSA-5h2c-8v84-qpvr,2026-03-03T21:39:51Z,"OpenClaw shell-env fallback trusted startup env and could execute attacker-influenced login-shell paths",openclaw,0,2026.2.22,,MODERATE,CWE-15;CWE-78,
|
|
6118
6171
|
GHSA-5h2w-qmfp-ggp6,2026-03-31T23:57:34Z,"OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`",openclaw,0,2026.3.28,,HIGH,CWE-284;CWE-863,
|
|
6119
6172
|
GHSA-5h3f-885m-v22w,2026-04-09T17:36:02Z,"OpenClaw: Existing WS sessions survive shared gateway token rotation",openclaw,0,2026.4.8,,MODERATE,CWE-613,
|
|
6120
|
-
GHSA-5hff-46vh-rxmw,2026-04-07T18:15:37Z,"OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill",openclaw,0,2026.4.2,,MODERATE,CWE-269,
|
|
6121
6173
|
GHSA-5hx7-77g4-wqx3,2021-02-23T21:30:56Z,"Incorrect Authorization",aedes,0.1.0,0.35.1,,MODERATE,,
|
|
6122
6174
|
GHSA-5j35-xr4g-vwf4,2026-03-25T17:32:39Z,"@grackle-ai/server has a Missing Secure Flag on Session Cookie",@grackle-ai/server,0,0.70.5,,LOW,CWE-614,
|
|
6123
6175
|
GHSA-5j4m-89xf-mf5p,2020-08-27T22:58:46Z,"Missing Origin Validation in parcel-bundler",parcel-bundler,0,1.10.0,,MODERATE,,
|
|
@@ -6163,6 +6215,7 @@ GHSA-6343-m2qr-66gf,2020-09-03T23:10:41Z,"Malicious Package in js-sja3",js-sja3,
|
|
|
6163
6215
|
GHSA-6394-6h9h-cfjg,2019-06-07T21:12:35Z,"Regular Expression Denial of Service",nwmatcher,0,1.4.4,,MODERATE,CWE-400,
|
|
6164
6216
|
GHSA-63f5-hhc7-cx6p,2026-03-16T20:40:23Z,"OpenClaw bootstrap setup codes could be replayed to escalate pending pairing scopes before approval",openclaw,0,2026.3.13,,HIGH,CWE-269,
|
|
6165
6217
|
GHSA-644f-hrff-mf96,2025-12-02T18:30:35Z,"Duplicate Advisory: Authentication Bypass via Default JWT Secret in NocoBase docker-compose Deployments",@nocobase/auth,0,1.9.23,,LOW,,
|
|
6218
|
+
GHSA-6457-mxpq-4fqq,2026-04-22T17:42:24Z,"i18nextify has DOM XSS via javascript:/data: URL schemes in translated href/src attributes",i18nextify,0,4.0.8,,MODERATE,CWE-79;CWE-94,
|
|
6166
6219
|
GHSA-6475-r3vj-m8vf,2026-01-08T21:52:45Z,"AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value",@smithy/config-resolver,0,4.4.0,,LOW,CWE-20,
|
|
6167
6220
|
GHSA-647h-p824-99w7,2026-03-25T17:23:11Z,"@grackle-ai/mcp has a workspace authorization bypass in its knowledge_search MCP tool",@grackle-ai/mcp,0,0.70.2,,HIGH,CWE-284,
|
|
6168
6221
|
GHSA-64g7-mvw6-v9qj,2022-01-14T21:09:50Z,"Improper Privilege Management in shelljs",shelljs,0,0.8.5,,MODERATE,CWE-269,
|
|
@@ -6229,7 +6282,6 @@ GHSA-6v7q-wjvx-w8wg,2026-04-10T20:18:23Z,"basic-ftp: Incomplete CRLF Injection P
|
|
|
6229
6282
|
GHSA-6x2m-hqfw-hvpj,2026-03-02T22:29:45Z,"OpenClaw: Node exec approvals could be replayed across nodes",openclaw,0,2026.2.23,,MODERATE,CWE-285;CWE-863,
|
|
6230
6283
|
GHSA-6x33-pw7p-hmpq,2020-09-04T17:59:49Z,"Denial of Service in http-proxy",http-proxy,0,1.18.1,,HIGH,CWE-184;CWE-693,
|
|
6231
6284
|
GHSA-6xg2-cf6h-x4v8,2020-09-03T21:53:05Z,"Malicious Package in buffer-por",buffer-por,0.0.0,,,CRITICAL,CWE-506,
|
|
6232
|
-
GHSA-6xg4-82hv-cp6f,2026-03-31T23:57:51Z,"OpenClaw: Gateway chat.send ACP-only provenance guard could be bypassed by client identity spoofing",openclaw,0,2026.3.28,,HIGH,CWE-290;CWE-807,
|
|
6233
6285
|
GHSA-6xm4-p6r2-mwrc,2020-09-03T22:47:30Z,"Malicious Package in cuffer-xor",cuffer-xor,0.0.0,,,CRITICAL,CWE-506,
|
|
6234
6286
|
GHSA-724c-6vrf-99rq,2020-09-02T21:49:48Z,"Sensitive Data Exposure in loopback",loopback,0,2.42.0,,LOW,CWE-200,
|
|
6235
6287
|
GHSA-724c-6vrf-99rq,2020-09-02T21:49:48Z,"Sensitive Data Exposure in loopback",loopback,3.0.0,3.26.0,,LOW,CWE-200,
|
|
@@ -6315,7 +6367,6 @@ GHSA-82jv-9wjw-pqh6,2024-04-17T22:26:37Z,"Prototype pollution in emit function",
|
|
|
6315
6367
|
GHSA-82jv-9wjw-pqh6,2024-04-17T22:26:37Z,"Prototype pollution in emit function",derby,4.0.0-beta1,4.0.0-beta.11,,LOW,CWE-1321,
|
|
6316
6368
|
GHSA-82qx-6vj7-p8m2,2026-04-17T21:58:46Z,"OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows",openclaw,0,2026.4.10,,HIGH,CWE-862,
|
|
6317
6369
|
GHSA-8372-7vhw-cm6q,2026-04-17T21:47:15Z,"OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases",openclaw,0,2026.4.14,,HIGH,CWE-212,
|
|
6318
|
-
GHSA-83f3-hh45-vfw9,2026-04-07T18:16:06Z,"OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://",openclaw,0,2026.4.2,,MODERATE,CWE-200,
|
|
6319
6370
|
GHSA-83pq-466j-fc6j,2020-09-04T15:17:50Z,"Prototype Pollution in sahmat",sahmat,0.0.0,,,HIGH,CWE-1321,
|
|
6320
6371
|
GHSA-83rx-c8cr-6j8q,2019-06-05T20:48:55Z,"Insecure Default Configuration in tesseract.js",tesseract.js,0,1.0.19,,MODERATE,CWE-829,
|
|
6321
6372
|
GHSA-846p-hgpv-vphc,2026-04-07T18:15:00Z,"OpenClaw: QQ Bot structured payloads could read arbitrary local files",openclaw,0,2026.4.2,,MODERATE,CWE-22,
|
|
@@ -6341,6 +6392,7 @@ GHSA-87mg-h5r3-hw88,2019-05-30T17:23:28Z,"Cross-Site Scripting in bootbox",bootb
|
|
|
6341
6392
|
GHSA-87qp-7cw8-8q9c,2024-03-25T06:30:24Z,"Duplicate Advisory: web3-utils Prototype Pollution vulnerability",web3-utils,0,4.2.1,,HIGH,CWE-1321,
|
|
6342
6393
|
GHSA-87qw-7v97-w34r,2020-09-02T18:33:18Z,"Malicious Package in asinc",asinc,0,,,CRITICAL,CWE-506,
|
|
6343
6394
|
GHSA-87v3-4cfp-cm76,2026-03-18T16:10:26Z,"Cross-Site Scripting (XSS) via SVG Schema innerHTML Injection in @pdfme/schemas",@pdfme/schemas,0,5.5.9,,MODERATE,CWE-79,
|
|
6395
|
+
GHSA-8847-338w-5hcj,2026-04-22T17:43:14Z,"i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite",i18next-fs-backend,0,2.6.4,,HIGH,CWE-22;CWE-73,
|
|
6344
6396
|
GHSA-886v-mm6p-4m66,2019-06-05T09:48:02Z,"High severity vulnerability that affects gun",gun,0,0.2019.416,,HIGH,CWE-22,
|
|
6345
6397
|
GHSA-88h9-fc6v-jcw7,2020-09-03T20:28:51Z,"Unintended Require in larvitbase-www",larvitbase-www,0.0.0,,,MODERATE,,
|
|
6346
6398
|
GHSA-88qp-p4qg-rqm6,2026-02-19T20:30:25Z,"CPU exhaustion in SvelteKit remote form deserialization (experimental only)",@sveltejs/kit,2.49.0,2.52.2,,MODERATE,CWE-843,
|
|
@@ -6397,7 +6449,6 @@ GHSA-8r4g-cg4m-x23c,2021-09-22T18:22:02Z,"Denial of Service in node-static",node
|
|
|
6397
6449
|
GHSA-8r69-3cvp-wxc3,2022-11-02T18:18:10Z,"Batched HTTP requests may set incorrect `cache-control` response header",@apollo/server,0,4.1.0,,MODERATE,CWE-524,
|
|
6398
6450
|
GHSA-8r69-3cvp-wxc3,2022-11-02T18:18:10Z,"Batched HTTP requests may set incorrect `cache-control` response header",apollo-server-core,3.0.0,3.11.0,,MODERATE,CWE-524,
|
|
6399
6451
|
GHSA-8rgj-285w-qcq4,2025-02-10T17:59:09Z,"Unknown vulnerability in Coinbase Wallet SDK",@coinbase/wallet-sdk,4.0.0-beta.0,4.3.0,,HIGH,,
|
|
6400
|
-
GHSA-8rh7-6779-cjqq,2026-04-01T00:02:42Z,"OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover",openclaw,0,2026.3.28,,CRITICAL,CWE-426,
|
|
6401
6452
|
GHSA-8v5f-hp78-jgxq,2019-06-06T15:30:33Z,"Signature Verification Bypass in jwt-simple",jwt-simple,0,0.5.3,,HIGH,CWE-347,
|
|
6402
6453
|
GHSA-8vj3-jgcf-77jv,2020-09-02T20:26:49Z,"Malicious Package in requeest",requeest,0,,,CRITICAL,CWE-506,
|
|
6403
6454
|
GHSA-8vvx-qvq9-5948,2025-03-14T18:48:44Z,"Flowise allows arbitrary file write to RCE",flowise,0,,2.2.7,CRITICAL,CWE-94,
|
|
@@ -6414,6 +6465,9 @@ GHSA-8www-cffh-4q98,2023-07-28T15:33:14Z,"Anyone with a share link can RESET all
|
|
|
6414
6465
|
GHSA-8x4m-qw58-3pcx,2026-03-29T15:15:36Z,"mppx has multiple payment bypass and griefing vulnerabilities",mppx,0,0.4.8,,CRITICAL,CWE-288;CWE-294;CWE-345,
|
|
6415
6466
|
GHSA-8x6c-cv3v-vp6g,2023-02-11T00:13:31Z,"Withdrawn: cacheable-request depends on http-cache-semantics, which is vulnerable to Regular Expression Denial of Service",cacheable-request,0,10.2.7,,HIGH,CWE-1333,
|
|
6416
6467
|
GHSA-8xqr-4cpm-wx7g,2019-05-31T23:47:27Z,"Cross-Site Scripting in react-svg",react-svg,0,2.2.18,,HIGH,CWE-79,
|
|
6468
|
+
GHSA-9237-rg5p-rhfw,2026-04-22T14:31:34Z,"@saltcorn/data: Tenant user role is used for tenant creation role check",@saltcorn/data,0,1.4.4,,HIGH,CWE-863,
|
|
6469
|
+
GHSA-9237-rg5p-rhfw,2026-04-22T14:31:34Z,"@saltcorn/data: Tenant user role is used for tenant creation role check",@saltcorn/data,1.5.0-beta.0,1.5.2,,HIGH,CWE-863,
|
|
6470
|
+
GHSA-9237-rg5p-rhfw,2026-04-22T14:31:34Z,"@saltcorn/data: Tenant user role is used for tenant creation role check",@saltcorn/data,1.6.0-alpha.0,1.6.0-beta.2,,HIGH,CWE-863,
|
|
6417
6471
|
GHSA-9272-59x2-gwf2,2020-09-03T17:04:13Z,"Malicious Package in ripedm160",ripedm160,0.0.0,,,CRITICAL,CWE-506,
|
|
6418
6472
|
GHSA-9298-m7jf-55h2,2020-09-04T16:42:08Z,"Malicious Package in bitconid-rpc",bitconid-rpc,0.0.0,,,CRITICAL,CWE-506,
|
|
6419
6473
|
GHSA-929m-phjg-qwcc,2025-04-01T21:31:30Z,"Duplicate Advisory: MathLive's Lack of Escaping of HTML allows for XSS",mathlive,0,0.104.0,,MODERATE,CWE-79,
|
|
@@ -6426,17 +6480,14 @@ GHSA-97mg-3cr6-3x4c,2020-09-04T17:27:23Z,"Remote Code Execution in mongodb-query
|
|
|
6426
6480
|
GHSA-97mp-9g5c-6c93,2020-09-04T16:50:48Z,"Malicious Package in bs58chcek",bs58chcek,0.0.0,,,CRITICAL,CWE-506,
|
|
6427
6481
|
GHSA-984p-xq9m-4rjw,2019-06-07T21:01:53Z,"Rate Limiting Bypass in express-brute",express-brute,0,,1.0.1,MODERATE,CWE-77,
|
|
6428
6482
|
GHSA-98ch-45wp-ch47,2026-04-07T18:15:48Z,"OpenClaw: Windows-compatible env override keys could bypass system.run approval binding",openclaw,0,2026.4.2,,MODERATE,CWE-178,
|
|
6429
|
-
GHSA-98hh-7ghg-x6rq,2026-03-31T23:52:38Z,"OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals",openclaw,0,2026.3.28,,HIGH,CWE-863,
|
|
6430
6483
|
GHSA-98pf-gfh3-x3mp,2022-11-10T16:02:51Z,"Read the Docs vulnerable to Cross-Site Scripting (XSS)",readthedocs,0,8.8.1,,MODERATE,CWE-79,
|
|
6431
6484
|
GHSA-992f-wf4w-x36v,2020-09-01T21:16:13Z,"Prototype Pollution in merge-objects",merge-objects,0.0.0,,,LOW,CWE-1321,
|
|
6432
6485
|
GHSA-9959-c6q6-6qp3,2017-10-24T18:33:36Z,"Moderate severity vulnerability that affects validator",validator,0,2.0.0,,MODERATE,,
|
|
6433
6486
|
GHSA-99pg-hqvx-r4gf,2025-09-15T20:00:39Z,"Flowise has an Arbitrary File Read",flowise,3.0.5,3.0.6,,CRITICAL,,
|
|
6434
6487
|
GHSA-9c4c-g95m-c8cp,2025-04-07T18:55:13Z,"FlowiseDB vulnerable to SQL Injection by authenticated users",flowise,0,,2.2.7,MODERATE,CWE-564,
|
|
6435
6488
|
GHSA-9cph-cqqh-36pw,2020-09-04T15:29:25Z,"Malicious Package in babel-loqder",babel-loqder,0.0.0,,,CRITICAL,CWE-506,
|
|
6436
|
-
GHSA-9f4w-67g7-mqwv,2026-04-03T03:26:14Z,"OpenClaw: Endpoint persists after trust decline, leaking gateway credentials",openclaw,0,2026.3.31,,MODERATE,CWE-670,
|
|
6437
6489
|
GHSA-9f72-qcpw-2hxc,2026-03-03T19:08:08Z,"OpenClaw: Native prompt image auto-load did not honor tools.fs.workspaceOnly in sandboxed runs",openclaw,0,2026.2.24,,HIGH,CWE-200;CWE-284,
|
|
6438
6490
|
GHSA-9f79-7pw8-3fj8,2026-03-21T03:31:14Z,"Duplicate Advisory: OpenClaw: workspace path guard bypass on non-existent out-of-root symlink leaf",openclaw,0,,2026.2.25,HIGH,CWE-22,
|
|
6439
|
-
GHSA-9gp8-hjxr-6f34,2026-04-03T02:57:00Z,"OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls",openclaw,0,2026.3.31,,MODERATE,CWE-269,
|
|
6440
6491
|
GHSA-9gvx-vj57-vqqx,2026-04-10T00:30:30Z,"Duplicate Advisory: OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication",openclaw,0,2026.3.23,,MODERATE,CWE-288,
|
|
6441
6492
|
GHSA-9gxr-rhx6-4jgv,2020-09-04T15:18:57Z,"Sandbox Breakout / Prototype Pollution in notevil",notevil,0,1.3.3,,MODERATE,CWE-1321,
|
|
6442
6493
|
GHSA-9h6g-pr28-7cqp,2024-01-31T22:42:54Z,"nodemailer ReDoS when trying to send a specially crafted email",nodemailer,0,6.9.9,,MODERATE,CWE-1333,
|
|
@@ -6447,7 +6498,6 @@ GHSA-9hrv-gvrv-6gf2,2026-04-16T21:23:17Z,"Flowise Execute Flow function has an S
|
|
|
6447
6498
|
GHSA-9mjp-gv34-3jcf,2020-09-02T18:37:35Z,"Malicious Package in aasync",aasync,0,,,CRITICAL,CWE-506,
|
|
6448
6499
|
GHSA-9mmw-3fmh-96g3,2020-09-02T20:23:38Z,"Malicious Package in calk",calk,0,,,CRITICAL,CWE-506,
|
|
6449
6500
|
GHSA-9mph-4f7v-fmvh,2026-03-04T19:02:59Z,"OpenClaw has agent avatar symlink traversal in gateway session metadata",openclaw,0,2026.2.22,,MODERATE,CWE-59,
|
|
6450
|
-
GHSA-9p3r-hh9g-5cmg,2026-04-03T03:14:16Z,"OpenClaw: Sandbox escape via TOCTOU race in remote FS bridge readFile",openclaw,0,2026.3.31,,CRITICAL,CWE-367,
|
|
6451
6501
|
GHSA-9p64-h5q4-phpm,2020-09-02T15:44:58Z,"Remote Code Execution in office-converter",office-converter,0.0.0,,,HIGH,CWE-20,
|
|
6452
6502
|
GHSA-9p93-7j67-5pc2,2026-03-27T22:28:25Z,"OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding",openclaw,0,,2026.3.24,HIGH,CWE-226;CWE-863,
|
|
6453
6503
|
GHSA-9pcf-h8q9-63f6,2020-09-03T17:12:41Z,"Sandbox Breakout / Arbitrary Code Execution in safe-eval",safe-eval,0.0.0,,,HIGH,,
|
|
@@ -6458,7 +6508,6 @@ GHSA-9q2p-vc84-2rwm,2026-03-09T19:54:46Z,"OpenClaw: system.run allow-always pers
|
|
|
6458
6508
|
GHSA-9q64-mpxx-87fg,2020-04-01T16:35:08Z,"Open Redirect in ecstatic",ecstatic,0,2.2.2,,HIGH,CWE-601,
|
|
6459
6509
|
GHSA-9q64-mpxx-87fg,2020-04-01T16:35:08Z,"Open Redirect in ecstatic",ecstatic,3.0.0,3.3.2,,HIGH,CWE-601,
|
|
6460
6510
|
GHSA-9q64-mpxx-87fg,2020-04-01T16:35:08Z,"Open Redirect in ecstatic",ecstatic,4.0.0,4.1.2,,HIGH,CWE-601,
|
|
6461
|
-
GHSA-9q7v-8mr7-g23p,2026-04-02T21:22:56Z,"OpenClaw: SSRF via Unguarded `fetch()` in Marketplace Plugin Download and Ollama Model Discovery",openclaw,0,2026.3.31,,MODERATE,CWE-918,
|
|
6462
6511
|
GHSA-9q82-xgwf-vj6h,2026-03-26T21:53:10Z,"Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention",@apollo/server,0,5.5.0,,MODERATE,CWE-200,
|
|
6463
6512
|
GHSA-9q82-xgwf-vj6h,2026-03-26T21:53:10Z,"Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention",apollo-server-core,0,,3.13.0,MODERATE,CWE-200,
|
|
6464
6513
|
GHSA-9q8j-chc7-wpgp,2026-03-29T15:30:20Z,"Duplicate Advisory: OpenClaw session transcript files were created without forced user-only permissions",openclaw,0,2026.2.17,,MODERATE,CWE-378,
|
|
@@ -6652,7 +6701,6 @@ GHSA-g3qj-j598-cxmq,2026-03-24T19:10:38Z,"fido2-lib is vulnerable to DoS via cbo
|
|
|
6652
6701
|
GHSA-g3qw-9pgp-xpj4,2020-09-01T21:08:44Z,"Out-of-bounds Read in njwt",njwt,0,1.0.0,,LOW,CWE-125,
|
|
6653
6702
|
GHSA-g49q-jw42-6x85,2024-05-09T21:31:35Z,"thelounge may publicly disclose of all usernames/idents via port 113",thelounge,0,,4.4.3,LOW,,
|
|
6654
6703
|
GHSA-g4m3-rpxr-h7vg,2020-09-03T19:52:25Z,"Malicious Package in mogodb-core",mogodb-core,0.0.0,,,CRITICAL,CWE-506,
|
|
6655
|
-
GHSA-g5cg-8x5w-7jpm,2026-04-02T20:59:29Z,"OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation",openclaw,0,2026.3.31,,CRITICAL,CWE-863,
|
|
6656
6704
|
GHSA-g5q2-fcg9-j526,2020-09-03T17:40:18Z,"Malicious Package in hsf-clients",hsf-clients,0.0.0,,,CRITICAL,CWE-506,
|
|
6657
6705
|
GHSA-g64q-3vg8-8f93,2020-09-03T15:47:10Z,"Prototype Pollution in pez",pez,0.0.0,,,HIGH,CWE-1321,
|
|
6658
6706
|
GHSA-g6f4-j6c2-w3p3,2018-10-09T00:39:43Z,"High severity vulnerability that affects uglify-js",uglify-js,0,2.4.24,,HIGH,,
|
|
@@ -6731,7 +6779,6 @@ GHSA-h36m-2vh5-x699,2026-03-19T03:30:57Z,"Duplicate Advisory: ACPX Windows wrapp
|
|
|
6731
6779
|
GHSA-h3hw-29fv-2x75,2026-01-21T16:36:27Z,"@envelop/graphql-modules has a Race Condition vulnerability",@envelop/graphql-modules,0,9.1.0,,HIGH,CWE-362,
|
|
6732
6780
|
GHSA-h3m2-h22h-695r,2020-09-03T17:29:31Z,"Malicious Package in ali-contributor",ali-contributor,0.0.0,,,CRITICAL,CWE-506,
|
|
6733
6781
|
GHSA-h42x-xx2q-6v6g,2025-03-13T22:38:03Z,"Flowise Pre-auth Arbitrary File Upload",flowise,0,,2.2.7,CRITICAL,CWE-434,
|
|
6734
|
-
GHSA-h43v-27wg-5mf9,2026-04-07T18:14:39Z,"OpenClaw: Forged Nostr DMs could create pairing state before signature verification",openclaw,2026.3.22,2026.3.31,,MODERATE,CWE-347,
|
|
6735
6782
|
GHSA-h44f-769q-j6px,2020-09-02T20:33:14Z,"Malicious Package in requet",requet,0,,,CRITICAL,CWE-506,
|
|
6736
6783
|
GHSA-h45p-w933-jxh3,2021-06-01T21:20:22Z,"Improper Verification of Cryptographic Signature in aws-encryption-sdk-javascript ","@aws-crypto/client-browser",0,1.9.0,,MODERATE,CWE-347,
|
|
6737
6784
|
GHSA-h45p-w933-jxh3,2021-06-01T21:20:22Z,"Improper Verification of Cryptographic Signature in aws-encryption-sdk-javascript ","@aws-crypto/client-browser",2.0.0,2.2.0,,MODERATE,CWE-347,
|
|
@@ -6805,6 +6852,7 @@ GHSA-j5g3-5c8r-7qfx,2023-08-30T21:24:57Z,"Prevent logging invalid header values"
|
|
|
6805
6852
|
GHSA-j5g3-5c8r-7qfx,2023-08-30T21:24:57Z,"Prevent logging invalid header values",apollo-server-core,0,2.26.1,,LOW,,
|
|
6806
6853
|
GHSA-j5g3-5c8r-7qfx,2023-08-30T21:24:57Z,"Prevent logging invalid header values",apollo-server-core,3.0.0,3.12.1,,LOW,,
|
|
6807
6854
|
GHSA-j5qh-5234-4rqp,2026-03-31T12:31:35Z,"Duplicate Advisory: OpenClaw: Workspace plugin auto-discovery allowed code execution from cloned repositories",openclaw,0,2026.3.12,,HIGH,CWE-829,
|
|
6855
|
+
GHSA-j5w5-568x-rq53,2026-04-22T22:06:03Z,"Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution",@evomap/evolver,0,1.69.3,,CRITICAL,CWE-78,
|
|
6808
6856
|
GHSA-j67m-jg9p-ppg4,2020-09-03T23:18:05Z,"Malicious Package in ns-sha3",ns-sha3,0.0.0,,,CRITICAL,CWE-506,
|
|
6809
6857
|
GHSA-j6c7-3h5x-99g9,2026-04-17T21:53:36Z,"OpenClaw: Shell-wrapper detection missed env-argv assignment injection forms",openclaw,2026.2.22,2026.4.12,,MODERATE,CWE-78,
|
|
6810
6858
|
GHSA-j6v9-xgvh-f796,2020-09-11T21:11:34Z,"Command Injection in wxchangba",wxchangba,0.0.0,,,MODERATE,CWE-77,
|
|
@@ -6860,12 +6908,12 @@ GHSA-jqvv-r4w3-8f7w,2020-09-04T15:35:00Z,"Malicious Package in bictoind-rpc",bic
|
|
|
6860
6908
|
GHSA-jqx4-9gpq-rppm,2025-05-06T16:44:22Z,"@misskey-dev/summaly allows IP Filter Bypass via Redirect",@misskey-dev/summaly,5.1.0,5.2.1,,MODERATE,CWE-346,
|
|
6861
6909
|
GHSA-jr6x-2q95-fh2g,2026-03-02T21:59:51Z,"OpenClaw's authorization mismatch allowed write-scope agent runs to reach owner-only tools",openclaw,0,2026.3.1,,HIGH,CWE-269;CWE-862,
|
|
6862
6910
|
GHSA-jrj9-5qp6-2v8q,2020-09-03T23:22:19Z,"Machine-In-The-Middle in airtable",airtable,0.1.19,0.7.2,,HIGH,,
|
|
6863
|
-
GHSA-jvff-x2qm-6286,2026-04-10T22:10:49Z,"mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes",mathjs,13.1.0,15.2.0,,HIGH,CWE-915,
|
|
6864
6911
|
GHSA-jvfv-jhw9-jmpp,2020-09-03T21:23:09Z,"Malicious Package in b5ffer-xor",b5ffer-xor,0.0.0,,,CRITICAL,CWE-506,
|
|
6865
6912
|
GHSA-jwrq-8g5x-5fhm,2026-04-17T21:35:35Z,"OpenClaw: Collect-mode queue batches could reuse the last sender authorization context",openclaw,0,2026.4.14,,MODERATE,CWE-863,
|
|
6866
6913
|
GHSA-jxf5-7x3j-8j9m,2020-09-03T18:19:14Z,"Malicious Package in load-from-cwd-or-npm",load-from-cwd-or-npm,3.0.2,3.0.4,,CRITICAL,CWE-506,
|
|
6867
6914
|
GHSA-jxrq-8fm4-9p58,2026-03-03T23:09:31Z,"OpenClaw: Zip extraction symlink traversal could write outside destination",openclaw,0,2026.2.22,,HIGH,CWE-59,
|
|
6868
6915
|
GHSA-m2fp-c79h-rr79,2020-09-02T21:42:56Z,"Malicious Package in tensorplow",tensorplow,0,,,CRITICAL,CWE-506,
|
|
6916
|
+
GHSA-m2m6-cff5-3w7c,2026-04-24T15:36:52Z,"RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions",rwsdk,1.0.0-beta.50,1.2.3,,MODERATE,CWE-352,
|
|
6869
6917
|
GHSA-m34q-h93w-vg5x,2026-04-07T18:14:57Z,"OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped",openclaw,0,2026.4.2,,MODERATE,CWE-22,
|
|
6870
6918
|
GHSA-m36m-x4c5-rjxj,2020-09-01T19:01:58Z,"Silently Runs Cryptocoin Miner in hooka-tools",hooka-tools,0.0.0,,,LOW,,
|
|
6871
6919
|
GHSA-m45f-4828-5cv5,2020-08-19T22:39:44Z,"Regular Expression Denial of Service in highcharts",highcharts,0,6.1.0,,MODERATE,,
|
|
@@ -6883,7 +6931,6 @@ GHSA-m5p4-7wf9-6w99,2020-09-01T21:10:53Z,"Malicious Package in regenrator",regen
|
|
|
6883
6931
|
GHSA-m5qc-5hw7-8vg7,2025-04-02T15:04:58Z,"image-size Denial of Service via Infinite Loop during Image Processing",image-size,1.1.0,1.2.1,,HIGH,CWE-770,
|
|
6884
6932
|
GHSA-m5qc-5hw7-8vg7,2025-04-02T15:04:58Z,"image-size Denial of Service via Infinite Loop during Image Processing",image-size,2.0.0,2.0.2,,HIGH,CWE-770,
|
|
6885
6933
|
GHSA-m69h-jm2f-2pv8,2026-03-13T20:54:30Z,"OpenClaw: Feishu reaction events could bypass group authorization and mention gating",openclaw,0,2026.3.12,,MODERATE,CWE-285;CWE-863,
|
|
6886
|
-
GHSA-m6fx-m8hc-572m,2026-04-03T03:15:56Z,"OpenClaw: Telegram audio preflight transcription enables resource consumption by unauthorized senders",openclaw,0,2026.3.31,,MODERATE,CWE-770,
|
|
6887
6934
|
GHSA-m6q2-9pfm-2wvr,2020-09-03T17:02:49Z,"Malicious Package in wallet-address-vaildator",wallet-address-vaildator,0.0.0,,,CRITICAL,CWE-506,
|
|
6888
6935
|
GHSA-m6w8-fq7v-ph4m,2022-01-13T16:09:36Z,"GovernorCompatibilityBravo incorrect ABI encoding may lead to unexpected behavior","@openzeppelin/contracts-upgradeable",4.3.0,4.4.2,,MODERATE,,
|
|
6889
6936
|
GHSA-m6w8-fq7v-ph4m,2022-01-13T16:09:36Z,"GovernorCompatibilityBravo incorrect ABI encoding may lead to unexpected behavior",@openzeppelin/contracts,4.3.0,4.4.2,,MODERATE,,
|
|
@@ -6909,6 +6956,7 @@ GHSA-mfc2-93pr-jf92,2020-10-01T17:10:15Z,"Malicious code in `loadyaml`",loadyaml
|
|
|
6909
6956
|
GHSA-mfcp-34xw-p57x,2020-09-03T21:20:52Z,"Authentication Bypass in saml2-js",saml2-js,0,2.0.5,,MODERATE,CWE-287,
|
|
6910
6957
|
GHSA-mg69-6j3m-jvgw,2020-09-03T15:45:08Z,"HTML Injection in marky-markdown",marky-markdown,0.0.0,,,HIGH,CWE-79,
|
|
6911
6958
|
GHSA-mg85-8mv5-ffjr,2020-09-03T15:45:40Z,"Denial of Service in ammo",ammo,0.0.0,,,HIGH,,
|
|
6959
|
+
GHSA-mgcp-mfp8-3q45,2026-04-22T20:28:27Z,"i18next-locize-backend has URL Injection via Unsanitized Path Parameters",i18next-locize-backend,0,9.0.2,,MODERATE,CWE-22;CWE-74,
|
|
6912
6960
|
GHSA-mgff-xpg3-3gwc,2020-09-03T19:42:25Z,"Malicious Package in bsae-x",bsae-x,0.0.0,,,CRITICAL,CWE-506,
|
|
6913
6961
|
GHSA-mgv2-57vj-99xc,2019-10-07T16:54:24Z,"Low severity vulnerability that affects eye.js",eye.js,1.2.0,1.2.1,,LOW,,
|
|
6914
6962
|
GHSA-mh5c-679w-hh4r,2020-09-03T21:12:01Z,"Denial of Service in mongodb",mongodb,0,3.1.13,,HIGH,,
|
|
@@ -6951,6 +6999,7 @@ GHSA-mxmg-3p7m-2ghr,2026-03-21T03:31:14Z,"Duplicate Advisory: OpenClaw: system.r
|
|
|
6951
6999
|
GHSA-mxmj-84q8-34r7,2020-09-03T02:39:49Z,"Command Injection in expressfs",expressfs,0,,,HIGH,CWE-77,
|
|
6952
7000
|
GHSA-mxq6-vrrr-ppmg,2022-05-24T17:04:00Z,"Duplicate Advisory: tree-kill vulnerable to remote code execution",tree-kill,0,,1.2.1,CRITICAL,CWE-94,
|
|
6953
7001
|
GHSA-p33q-w45h-2hcj,2020-09-02T18:30:03Z,"Malicious Package in 4equest",4equest,0,,,CRITICAL,CWE-506,
|
|
7002
|
+
GHSA-p3h2-2j4p-p83g,2026-04-22T20:50:19Z,"MCPHub has Path Traversal via Malicious MCPB Manifest Name",@samanhappy/mcphub,0,0.12.13,,HIGH,CWE-22,
|
|
6954
7003
|
GHSA-p3jx-g34v-q56j,2020-09-03T22:54:02Z,"Malicious Package in j3-sha3",j3-sha3,0.0.0,,,CRITICAL,CWE-506,
|
|
6955
7004
|
GHSA-p464-m8x6-vhv8,2026-04-03T02:54:38Z,"OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion",openclaw,0,2026.3.31,,MODERATE,CWE-400,
|
|
6956
7005
|
GHSA-p4h8-56qp-hpgv,2026-04-14T00:04:10Z,"SSH/SCP option injection allowing local RCE in @aiondadotcom/mcp-ssh",@aiondadotcom/mcp-ssh,0,1.3.5,,HIGH,CWE-78;CWE-88,
|
|
@@ -7029,6 +7078,7 @@ GHSA-q7jf-gf43-6x6p,2025-10-24T19:15:13Z,"Hono vulnerable to Vary Header Injecti
|
|
|
7029
7078
|
GHSA-q83v-hq3j-4pq3,2024-08-15T06:32:22Z,"Duplicate Advisory: Improper access control in Directus",directus,0,,10.13.0,MODERATE,CWE-639,
|
|
7030
7079
|
GHSA-q849-wxrc-vqrp,2024-12-02T20:11:39Z,"hull.js Code Injection Vulnerability",hull.js,0.2.2,1.0.10,,CRITICAL,CWE-94,
|
|
7031
7080
|
GHSA-q86m-697p-h7fh,2026-03-19T03:30:57Z,"Duplicate Advisory: OpenClaw: system.run approvals did not bind PATH-token executable identity, enabling post-approval executable rebind",openclaw,0,,,MODERATE,CWE-367,
|
|
7081
|
+
GHSA-q89c-q3h5-w34g,2026-04-22T17:41:24Z," i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns",i18next-http-backend,0,3.0.5,,MODERATE,CWE-22;CWE-74,
|
|
7032
7082
|
GHSA-q94v-v6m9-jhq9,2026-03-21T03:31:13Z,"Duplicate Advisory: OpenClaw has an improper sandbox configuration vulnerability",openclaw,0,,,MODERATE,CWE-1188,
|
|
7033
7083
|
GHSA-q9r2-f3vc-rjg8,2020-08-19T22:28:51Z,"Command Injection in macaddress",macaddress,0,0.2.9,,HIGH,,
|
|
7034
7084
|
GHSA-q9w8-cf67-r238,2026-04-03T03:22:32Z,"OpenClaw: macOS Tailnet DNS Spoofing & Credential Exfiltration",openclaw,0,2026.3.31,,HIGH,CWE-346;CWE-350,
|
|
@@ -7091,6 +7141,7 @@ GHSA-r3xc-47qg-h929,2020-09-03T17:06:09Z,"Cross-Site Scripting in @ionic/core",@
|
|
|
7091
7141
|
GHSA-r3xc-47qg-h929,2020-09-03T17:06:09Z,"Cross-Site Scripting in @ionic/core",@ionic/core,4.1.0,4.1.3,,HIGH,CWE-79,
|
|
7092
7142
|
GHSA-r3xc-47qg-h929,2020-09-03T17:06:09Z,"Cross-Site Scripting in @ionic/core",@ionic/core,4.2.0,4.2.1,,HIGH,CWE-79,
|
|
7093
7143
|
GHSA-r3xc-47qg-h929,2020-09-03T17:06:09Z,"Cross-Site Scripting in @ionic/core",@ionic/core,4.3.0,4.3.1,,HIGH,CWE-79,
|
|
7144
|
+
GHSA-r466-rxw4-3j9j,2026-04-22T22:06:15Z,"Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write",@evomap/evolver,0,1.69.3,,HIGH,CWE-22,
|
|
7094
7145
|
GHSA-r4c2-gq3j-7rpj,2026-04-10T00:30:30Z,"Duplicate Advisory: OpenClaw: Telegram Webhook Missing Guess Rate Limiting Enables Brute-Force Guessing of Weak Webhook Secret",openclaw,0,,2026.3.24,MODERATE,CWE-307,
|
|
7095
7146
|
GHSA-r4m5-47cq-6qg8,2020-09-04T17:25:13Z,"Server-Side Request Forgery in ftp-srv",ftp-srv,1.0.0,2.19.6,,HIGH,CWE-918,
|
|
7096
7147
|
GHSA-r4m5-47cq-6qg8,2020-09-04T17:25:13Z,"Server-Side Request Forgery in ftp-srv",ftp-srv,3.0.0,3.1.2,,HIGH,CWE-918,
|
|
@@ -7192,7 +7243,6 @@ GHSA-vjf3-2gpj-233v,2026-02-26T22:45:13Z,"n8n has an SSO Enforcement Bypass in i
|
|
|
7192
7243
|
GHSA-vjh7-7g9h-fjfh,2025-02-12T19:47:52Z,"Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string)",elliptic,0,6.6.1,,CRITICAL,CWE-200,
|
|
7193
7244
|
GHSA-vjqw-w5jr-g9w5,2026-03-29T15:30:19Z,"Duplicate Advisory: OpenClaw: Feishu webhook mode accepted forged events when only `verificationToken` was configured",openclaw,0,2026.3.12,,HIGH,CWE-347,
|
|
7194
7245
|
GHSA-vjvw-wcmw-pr26,2020-09-04T17:37:08Z,"Insufficient Entropy in parsel",parsel,0.0.0,,,CRITICAL,CWE-331,
|
|
7195
|
-
GHSA-vjx8-8p7h-82gr,2026-04-07T18:10:45Z,"OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection",openclaw,0,2026.3.31,,MODERATE,CWE-918,
|
|
7196
7246
|
GHSA-vm29-7mq3-9jrg,2026-03-31T12:31:35Z,"Duplicate Advisory: OpenClaw: Unavailable local auth SecretRefs could fall through to remote credentials in local mode",OpenClaw,0,2026.3.11,,LOW,CWE-636,
|
|
7197
7247
|
GHSA-vm67-mh96-95mq,2020-09-03T21:40:48Z,"Malicious Package in bubfer-xor",bubfer-xor,0.0.0,,,CRITICAL,CWE-506,
|
|
7198
7248
|
GHSA-vm6v-w6q2-mrrq,2020-09-03T19:20:05Z,"Malicious Package in bb-builder",bb-builder,0.0.0,,,CRITICAL,CWE-506,
|
|
@@ -7272,6 +7322,7 @@ GHSA-w4hv-vmv9-hgcr,2024-02-16T19:29:31Z,"GitHub Security Lab (GHSL) Vulnerabili
|
|
|
7272
7322
|
GHSA-w4vp-3mq7-7v82,2020-09-03T15:49:48Z,"Cross-Site Scripting in lazysizes",lazysizes,0,5.2.1-rc1,,HIGH,CWE-79,
|
|
7273
7323
|
GHSA-w5c7-9qqw-6645,2026-02-18T00:56:51Z,"OpenClaw inter-session prompts could be treated as direct user instructions",openclaw,0,2026.2.13,,HIGH,CWE-345,
|
|
7274
7324
|
GHSA-w5cr-2qhr-jqc5,2026-02-13T21:04:00Z,"Cloudflare Agents has a Reflected Cross-Site Scripting (XSS) vulnerability in AI Playground site",agents,0,0.3.10,,MODERATE,CWE-79,
|
|
7325
|
+
GHSA-w5hq-g745-h8pq,2026-04-22T20:53:24Z,"uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided",uuid,0,14.0.0,,MODERATE,CWE-1285;CWE-787,
|
|
7275
7326
|
GHSA-w5q7-3pr9-x44w,2020-09-02T15:59:19Z,"Denial of Service in serialize-to-js",serialize-to-js,0,2.0.0,,HIGH,,
|
|
7276
7327
|
GHSA-w65v-hx54-xrqx,2020-09-03T17:41:23Z,"Malicious Package in midway-xtpl",midway-xtpl,0.0.0,,,CRITICAL,CWE-506,
|
|
7277
7328
|
GHSA-w673-8fjw-457c,2026-03-27T18:06:28Z,"n8n: Authenticated XSS and Open Redirect via Form Node",n8n,0,1.123.24,,MODERATE,CWE-601;CWE-79,
|
|
@@ -7290,6 +7341,7 @@ GHSA-w8fh-pvq2-x8c4,2021-01-29T18:11:20Z,"Malicious npm package: sonatype",sonat
|
|
|
7290
7341
|
GHSA-w8g9-x8gx-crmm,2026-04-09T17:36:59Z,"OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable",openclaw,0,2026.4.8,,MODERATE,CWE-918,
|
|
7291
7342
|
GHSA-w8hx-hqjv-vjcq,2026-04-16T22:46:52Z,"Paperclip: Malicious skills able to exfiltrate and destroy all user data",@paperclipai/server,0,2026.416.0,,HIGH,CWE-77,
|
|
7292
7343
|
GHSA-w8rf-7qf8-65ww,2026-03-31T12:31:35Z,"Duplicate Advisory: OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv",openclaw,0,2026.3.11,,HIGH,CWE-451,
|
|
7344
|
+
GHSA-w937-fg2h-xhq2,2026-04-22T20:32:11Z,"locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor ",locize,0,4.0.21,,HIGH,CWE-79;CWE-346,
|
|
7293
7345
|
GHSA-w992-2gmj-9xxj,2020-09-11T21:23:29Z,"Cross-Site Scripting in swagger-ui",swagger-ui,0,2.2.1,,MODERATE,CWE-79,
|
|
7294
7346
|
GHSA-w9cg-v44m-4qv8,2026-03-03T22:09:52Z,"OpenClaw affected by BASH_ENV / ENV startup-file injection into spawned shell commands",openclaw,0,2026.2.21,,HIGH,CWE-15;CWE-78,
|
|
7295
7347
|
GHSA-w9hw-v97w-g5f5,2020-09-04T16:43:14Z,"Malicious Package in bitconi-ops",bitconi-ops,0.0.0,,,CRITICAL,CWE-506,
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@openrewrite/recipes-nodejs",
|
|
3
|
-
"version": "0.44.
|
|
3
|
+
"version": "0.44.1",
|
|
4
4
|
"license": "Moderne Proprietary",
|
|
5
5
|
"description": "OpenRewrite recipes for Node.js library migrations.",
|
|
6
6
|
"homepage": "https://github.com/moderneinc/rewrite-node",
|
|
@@ -25,7 +25,7 @@
|
|
|
25
25
|
"ci:test": "jest"
|
|
26
26
|
},
|
|
27
27
|
"dependencies": {
|
|
28
|
-
"@openrewrite/rewrite": "
|
|
28
|
+
"@openrewrite/rewrite": "^8.81.6",
|
|
29
29
|
"mutative": "^1.1.0",
|
|
30
30
|
"semver": "^7.7.3"
|
|
31
31
|
},
|
|
@@ -36,7 +36,7 @@
|
|
|
36
36
|
"bun": "^1.3.5",
|
|
37
37
|
"fs-extra": "^11.3.3",
|
|
38
38
|
"jest": "^29.7.0",
|
|
39
|
-
"jest-junit": "^
|
|
39
|
+
"jest-junit": "^17.0.0",
|
|
40
40
|
"tmp-promise": "^3.0.3",
|
|
41
41
|
"ts-jest": "^29.2.5",
|
|
42
42
|
"ts-node": "^10.9.2",
|