OsVault/npm/call

npm1 critical

call

117 known vulnerabilities · 1 critical · 10 high

CVE-2016-10543MEDIUM

Route Validation Bypass in call

Published Feb 18, 2019

GHSA-8cph-rgr4-g5vj

Parse Server's GraphQL "Did you mean ...?" validation suggestions disclose schema to unauthenticated callers

Published May 29, 2026

GHSA-c73c-x77g-854r

OpenClaude MCP OAuth Callback: State Check Bypass via error Param Leads to DoS

Published May 12, 2026

GHSA-2rqg-gjgv-84jm

OpenClaw: Gateway `agent` calls could override the workspace boundary

Published Mar 13, 2026

GHSA-89r3-6x4j-v7wf

OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection

Published Apr 2, 2026

CVE-2023-30541MEDIUM

OpenZeppelin Contracts TransparentUpgradeableProxy clashing selector calls may not be delegated

Published Apr 17, 2023

MAL-2022-663

Malicious code in @tinyspeck/calls-desktop-interop (npm)

Published Jun 20, 2022

CVE-2020-7677HIGH

thenify before 3.3.1 made use of unsafe calls to `eval`.

Published Jul 18, 2022

CVE-2026-28446

OpenClaw has an inbound allowlist policy bypass in voice-call extension (empty caller ID + suffix matching)

Published Feb 17, 2026

CVE-2026-32053

OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse

Published Mar 3, 2026

CVE-2020-7679HIGH

Improperly Controlled Modification of Dynamically-Determined Object Attributes in casperjs

Published May 17, 2021

GHSA-9p93-7j67-5pc2

OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding

Published Mar 27, 2026

CVE-2026-29606

OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled

Published Feb 18, 2026

CVE-2023-30542MEDIUM

GovernorCompatibilityBravo may trim proposal calldata

Published Apr 20, 2023

GHSA-f275-5h5c-5wg5

Duplicate Advisory: OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation

Published Mar 31, 2026

CVE-2026-32005

OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows

Published Mar 4, 2026

CVE-2020-7641MEDIUM

grunt-util-property 0.0.2 function call can add/modify properties of Object.prototype using a __proto__ payload

Published Jul 18, 2022

GHSA-8689-gm9g-jgr6

OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering

Published Mar 31, 2026

GHSA-jj6q-rrrf-h66h

OpenClaw: Shared-secret comparison call sites leaked length information through timing

Published Apr 7, 2026

GHSA-j4c9-w69r-cw33

OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State

Published Mar 29, 2026

MAL-2022-1176

Malicious code in auth0-react-03-calling-an-api (npm)

Published Jun 20, 2022

CVE-2026-27191

Feathers has an open redirect in OAuth callback enables account takeover

Published Feb 19, 2026

GHSA-3r78-rqg8-95gg

Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse

Published Mar 21, 2026

CVE-2020-7616MEDIUM

Improperly Controlled Modification of Dynamically-Determined Object Attributes in express-mock-middleware

Published Dec 9, 2021

CVE-2023-49798MEDIUM

OpenZeppelin Contracts and Contracts Upgradeable duplicated execution of subcalls in v4.9.4

Published Dec 12, 2023

CVE-2017-16028MEDIUM

Cryptographically Weak PRNG in randomatic

Published Oct 9, 2018

MAL-2026-5668

Malicious code in fed-callnative (npm)

Published Jun 11, 2026

CVE-2025-68130

tRPC has possible prototype pollution in `experimental_nextAppDirCaller`

Published Dec 16, 2025

CVE-2025-65110

Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope

Published Jan 5, 2026

MAL-2022-1817

Malicious code in callrail_eks (npm)

Published Jun 20, 2022

CVE-2020-15262LOW

Unprotected dynamically loaded chunks

Published Oct 19, 2020

MAL-2025-1501

Malicious code in truecaller-profile-validation (npm)

Published Feb 19, 2025

CVE-2026-28465

OpenClaw optional voice-call plugin: webhook verification may be bypassed behind certain proxy configurations

Published Feb 17, 2026

CVE-2011-1714MEDIUM

QooxDoo XSS in Callback Parameter

Published May 17, 2022

CVE-2022-24858MEDIUM

NextAuth.js default redirect callback vulnerable to open redirects

Published Apr 22, 2022

GHSA-8883-9w57-vwv6

OpenClaw: Mattermost callback dispatch allowed non-allowlisted sender actions

Published Mar 26, 2026

CVE-2021-32702HIGH

Reflected XSS from the callback handler's error query parameter

Published Jun 28, 2021

CVE-2026-29091

locutus call_user_func_array vulnerable to Remote Code Execution (RCE) due to Code Injection

Published Mar 4, 2026

CVE-2023-29529MEDIUM

matrix-js-sdk vulnerable to invisible eavesdropping in group calls

Published Apr 14, 2023

CVE-2024-28176MEDIUM

jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext

Published Mar 7, 2024

CVE-2025-32996

http-proxy-middleware can call writeBody twice because "else if" is not used

Published Apr 15, 2025

GHSA-hc5h-pmr3-3497

OpenClaw: /pair approve command path omitted caller scope subsetting and reopened device pairing escalation

Published Mar 31, 2026

CVE-2019-10808HIGH

Improperly Controlled Modification of Dynamically-Determined Object Attributes in utilitify

Published May 7, 2021

GHSA-jf6w-m8jw-jfxc

OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent`

Published Mar 13, 2026

GHSA-vw3h-q6xq-jjm5

OpenClaw: Voice-call realtime WebSocket accepted oversized frames

Published Apr 17, 2026

CVE-2026-33720

n8n Has Authorization Bypass in OAuth Callback via N8N_SKIP_AUTH_ON_OAUTH_CALLBACK

Published Mar 25, 2026

CVE-2022-35916MEDIUM

OpenZeppelin Contracts's Cross chain utilities for Arbitrum L2 see EOA calls as cross chain calls

Published Aug 14, 2022

CVE-2026-32062

OpenClaw voice-call media stream validated streams after upgrade, which could allow pre-start unauthenticated sockets to increase resource pressure

Published Mar 2, 2026

GHSA-77w2-crqv-cmv3

OpenClaw: Feishu Raw Card Send Surface Can Mint Legacy Card Callbacks That Bypass DM Pairing

Published Mar 29, 2026

CVE-2022-3225HIGH

Budibase Improper Control of Dynamically-Managed Code Resources vulnerability

Published Sep 17, 2022

MAL-2025-48692

Malicious code in infobip-calls-showcase (npm)

Published Oct 22, 2025

GHSA-wq58-2pvg-5h4f

OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers

Published Mar 26, 2026

GHSA-2w79-r9g8-wmcr

OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)

Published Apr 3, 2026

GHSA-cw28-63x4-37c3

Duplicate Advisory: OpenClaw: Voice-call Plivo replay mutates in-process callback origin before replay rejection

Published Apr 24, 2026

GHSA-gcj7-r3hg-m7w6

OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity

Published Mar 3, 2026

MAL-2022-1818

Malicious code in callwithchat (npm)

Published Jun 20, 2022

MAL-2025-192404

Malicious code in callback-hook (npm)

Published Dec 10, 2025

CVE-2020-7600MEDIUM

Improperly Controlled Modification of Dynamically-Determined Object Attributes in querymen

Published May 7, 2021

GHSA-jvff-x2qm-6286

mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes

Published Apr 10, 2026

GHSA-qm2m-28pf-hgjw

OpenClaw: Gateway Plugin HTTP Auth Grants Unrestricted operator.admin Runtime Scope to All Callers

Published Mar 27, 2026

CVE-2026-1721

Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler

Published Feb 13, 2026

MAL-2026-2573

Malicious code in @aircall-ecosystem/integrations-msteams-frontend (npm)

Published Apr 13, 2026

GHSA-rm59-992w-x2mv

OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling

Published Mar 26, 2026

MAL-2022-448

Malicious code in @naugtur/callhome (npm)

Published Jun 20, 2022

CVE-2021-26276MEDIUM

Improper Control of Dynamically-Managed Code Resources in config-shield

Published Apr 13, 2021

GHSA-wg4g-395p-mqv3

n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode

Published Apr 25, 2026

GHSA-rcmh-qjqh-p98v

Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls

Published Dec 1, 2025

CVE-2024-28121HIGH

StimulusReflex arbitrary method call

Published Mar 12, 2024

MAL-2022-3986

Malicious code in iv-api-call-tracker (npm)

Published Jun 20, 2022

CVE-2022-36045CRITICAL

Cryptographically weak PRNG in `utils.generateUUID`

Published Aug 30, 2022

MAL-2023-580

Malicious code in managed-vip-2-by-kristen-callihan-on-iphone-full-volumes- (npm)

Published May 10, 2023

CVE-2026-29792

Feathers has an OAuth Callback Account Takeover issue

Published Mar 10, 2026

MAL-2022-1814

Malicious code in calling-component-bindings (npm)

Published Jun 20, 2022

MAL-2022-1815

Malicious code in calling-stateful-client (npm)

Published Jun 20, 2022

MAL-2026-5446

Malicious code in housecall-ui (npm)

Published Jun 9, 2026

MAL-2026-3297

Malicious code in ally-call-wait-time (npm)

Published May 3, 2026

MAL-2025-191003

Malicious code in react-native-phone-call (npm)

Published Nov 24, 2025

CVE-2019-10806MEDIUM

Improperly Controlled Modification of Dynamically-Determined Object Attributes in vega-util

Published May 7, 2021

MAL-2024-9220

Malicious code in com.sendbird.calls (npm)

Published Oct 10, 2024

GHSA-g8f2-4f4f-5jqw

SandboxJS has a sandbox escape via Function.caller leakage of internal call op

Published May 11, 2026

MAL-2022-5865

Malicious code in run-topologically (npm)

Published Jun 20, 2022

GHSA-36cp-mh65-x882

Duplicate Advisory: OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling

Published Apr 10, 2026

MAL-2022-5783

Malicious code in rhynocallbackpackage (npm)

Published Jun 30, 2022

GHSA-fj4g-2p96-q6m3

Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls

Published May 5, 2026

CVE-2022-31093HIGH

Improper Handling of `callbackUrl` parameter in next-auth

Published Jun 21, 2022

GHSA-wxw3-q3m9-c3jr

Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE

Published May 15, 2026

GHSA-xrq9-jm7v-g9h7

OpenClaw: Paired-device pairing actions were not limited to the caller device

Published Apr 25, 2026

CVE-2026-33577HIGH

Risk: 40.5/100

OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes

Published Apr 1, 2026

MAL-2026-3770

Malicious code in prisma-callback (npm)

Published May 14, 2026

CVE-2026-34774HIGH

Risk: 40.51/100

Electron: Use-after-free in offscreen child window paint callback

Published Apr 3, 2026

MAL-2022-1816

Malicious code in callrail-package-cleanup (npm)

Published Jun 20, 2022

GHSA-hcf7-66rw-9f5r

Trubo: Login callback CSRF/session fixation

Published May 19, 2026

MAL-2026-5101

Malicious code in @antoncallahan/aws-user-helper (npm)

Published Jun 1, 2026

CVE-2025-27143

Beter Auth has an Open Redirect via Scheme-Less Callback Parameter

Published Feb 24, 2025

MAL-2024-11803

Malicious code in discord-json-scaller (npm)

Published Dec 12, 2024

GHSA-wrwh-c28m-9jjh

@nocobase/plugin-collection-sql: SQL Validation Bypass Through Missing `checkSQL` Call

Published Apr 22, 2026

MAL-2026-1548

Malicious code in syntax-class-constructor-call (npm)

Published Mar 16, 2026

MAL-2026-3610

Malicious code in housecallpro (npm)

Published May 12, 2026

GHSA-6vhh-4xw6-h2h2

Element Call reports full URLs of visited pages to analytics server

Published Jun 11, 2026

CVE-2022-36083MEDIUM

JOSE vulnerable to resource exhaustion via specifically crafted JWE

Published Sep 16, 2022

MAL-2026-4240

Malicious code in ethers-multicall-utils (npm)

Published May 20, 2026

CVE-2026-34772MEDIUM

Risk: 29/100

Electron: Use-after-free in download save dialog callback

Published Apr 3, 2026

GHSA-q42j-x8rq-pjg6

Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews.

Published Jun 8, 2026

GHSA-68xw-r643-9p5w

OpenClaw: Skill-command dispatch could skip before-tool-call hooks

Published Jun 18, 2026

GHSA-8mg9-j9cf-54cj

OpenClaw: Empty-scope device re-pairing could confuse caller scope containment

Published Jun 18, 2026

GHSA-8wmm-344f-mpjg

Duplicate Advisory: Tool group policy callers could accept unvalidated group IDs

Published Jun 16, 2026

GHSA-985f-72mj-8gf7

OpenClaw: Tool group policy callers could accept unvalidated group IDs

Published Jun 18, 2026

GHSA-hc4w-hm59-9w88

Duplicate Advisory: Empty-scope device re-pairing could confuse caller scope containment

Published Jun 16, 2026

GHSA-j4f3-55x4-r6q2

npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call

Published Jun 18, 2026

GHSA-r7vv-6763-m739

Duplicate Advisory: Skill-command dispatch could skip before-tool-call hooks

Published Jun 16, 2026

MAL-2024-8973

Malicious code in quickstart-calls-chat-integration (npm)

Published Sep 25, 2024

CVE-2026-27904

minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions

Published Feb 26, 2026

CVE-2026-34771HIGH

Risk: 37.51/100

Electron: Use-after-free in WebContents fullscreen, pointer-lock, and keyboard-lock permission callbacks

Published Apr 3, 2026

CVE-2026-34764LOW

Risk: 21/100

Electron: Use-after-free in offscreen shared texture release() callback

Published Apr 3, 2026

GHSA-h2w2-v7j6-xqm4

npm PraisonAI AgentLoop onToolCall approval runs after tool execution

Published Jun 18, 2026

MAL-2024-9345

Malicious code in availab-le-alb-um-zip-26387-this-is-the-second-album-of-a-band-called-adebisi-shank-pdmrd-ikxtvt (npm)

Published Oct 16, 2024

MAL-2025-148

Malicious code in 3cx-call-control-apps (npm)

Published Jan 20, 2025

Check your entire dependency tree at onceRun dependency scan →