OsVault/npm/eta

npm2 critical

eta

155 known vulnerabilities · 2 critical · 2 high

CVE-2023-23630HIGH

XSS Attack with Express API

Published Jan 31, 2023

CVE-2022-25967HIGH

Eta vulnerable to Code Injection via templates rendered with user-defined data

Published Jan 30, 2023

MAL-2025-191174

Malicious code in @accordproject/concerto-metamodel (npm)

Published Nov 25, 2025

CVE-2026-34773MEDIUM

Risk: 23.51/100

Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows

Published Apr 3, 2026

GHSA-392f-ggf5-fp3c

OpenClaw: Unicode canonicalization drift in node metadata policy classification could broaden node allowlists

Published Mar 2, 2026

GHSA-48vw-m3qc-wr99

OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths

Published Mar 26, 2026

CVE-2025-69874

nanotar is vulnerable to path traversal in parseTar() and parseTarGzip()

Published Feb 11, 2026

MAL-2022-1279

Malicious code in azure-arm-resourcegraph-samples-js-beta (npm)

Published Jun 20, 2022

MAL-2022-1285

Malicious code in azure-arm-servicemap-samples-js-beta (npm)

Published Jun 20, 2022

CVE-2021-32796MEDIUM

Misinterpretation of malicious XML input

Published Aug 3, 2021

MAL-2022-1245

Malicious code in azure-arm-dnsresolver-samples-js-beta (npm)

Published Jun 20, 2022

MAL-2022-1246

Malicious code in azure-arm-dnsresolver-samples-ts-beta (npm)

Published Jun 20, 2022

CVE-2022-21122CRITICAL

Code Injection in metacalc

Published Jun 9, 2022

MAL-2022-1250

Malicious code in azure-arm-machinelearningexperimentation-samples-js-beta (npm)

Published Jun 20, 2022

MAL-2022-1251

Malicious code in azure-arm-machinelearningexperimentation-samples-ts-beta (npm)

Published Jun 20, 2022

MAL-2022-1264

Malicious code in azure-arm-oep-samples-js-beta (npm)

Published Jun 20, 2022

CVE-2026-32896

OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)

Published Mar 3, 2026

CVE-2026-30850

Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization

Published Mar 9, 2026

CVE-2026-32014

OpenClaw: Node reconnect metadata spoofing could bypass platform-based node command policy

Published Mar 3, 2026

MAL-2022-2012

Malicious code in colors-beta (npm)

Published Jun 20, 2022

CVE-2026-32898

OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata

Published Feb 27, 2026

MAL-2022-4568

Malicious code in metadata-api-nodejs (npm)

Published Jun 20, 2022

MAL-2022-1283

Malicious code in azure-arm-servicefabricmesh-samples-js-beta (npm)

Published Jun 20, 2022

MAL-2022-1248

Malicious code in azure-arm-labservices-samples-js-beta (npm)

Published Jun 20, 2022

MAL-2022-1284

Malicious code in azure-arm-servicefabricmesh-samples-ts-beta (npm)

Published Jun 20, 2022

MAL-2022-1280

Malicious code in azure-arm-resourcegraph-samples-ts-beta (npm)

Published Jun 20, 2022

MAL-2022-1295

Malicious code in azure-arm-visualstudio-samples-js-beta (npm)

Published Jun 20, 2022

MAL-2022-3958

Malicious code in is-meta (npm)

Published Jun 20, 2022

CVE-2026-22178

OpenClaw has ReDoS and regex injection via unescaped Feishu mention metadata in RegExp construction

Published Mar 2, 2026

MAL-2023-8283

Malicious code in meta-horizon (npm)

Published Oct 3, 2023

MAL-2023-8284

Malicious code in meta-horizon-remake (npm)

Published Oct 3, 2023

GHSA-9mph-4f7v-fmvh

OpenClaw has agent avatar symlink traversal in gateway session metadata

Published Mar 4, 2026

MAL-2022-452

Malicious code in @ncr-swt-retail/scox-npm-group (npm)

Published Jun 20, 2022

MAL-2022-4569

Malicious code in metalmi (npm)

Published Aug 19, 2022

MAL-2022-4572

Malicious code in metamask-docs (npm)

Published Jun 20, 2022

CVE-2023-40027LOW

When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible

Published Aug 15, 2023

CVE-2026-31993

OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains

Published Mar 2, 2026

CVE-2025-13033

Nodemailer: Email to an unintended domain can occur due to Interpretation Conflict

Published Oct 7, 2025

MAL-2024-10555

Malicious code in careers-job-detail (npm)

Published Nov 10, 2024

CVE-2022-39350MEDIUM

@dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via Vulnerability Details

Published Oct 25, 2022

MAL-2025-191321

Malicious code in @sme-ui/aoma-vevasound-metadata-lib (npm)

Published Nov 24, 2025

MAL-2024-9197

Malicious code in updated-script-retail-tycoon-2-script-h-a-c-k-9u9pw3 (npm)

Published Oct 9, 2024

MAL-2024-965

Malicious code in ngpd-merceros-ui-meta (npm)

Published Feb 5, 2024

MAL-2025-1148

Malicious code in metamask-sdk-monorepo (npm)

Published Feb 3, 2025

GHSA-fvcv-3m26-pcqx

Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain

Published Apr 10, 2026

MAL-2022-1249

Malicious code in azure-arm-labservices-samples-ts-beta (npm)

Published Jun 20, 2022

MAL-2022-1262

Malicious code in azure-arm-netapp-samples (npm)

Published Jun 20, 2022

CVE-2026-30835

parse-server: Malformed `$regex` query leaks database error details in API response

Published Mar 6, 2026

MAL-2026-1623

Malicious code in @f5rest/odata-v4-service-metadata (npm)

Published Mar 18, 2026

MAL-2022-1286

Malicious code in azure-arm-servicemap-samples-ts-beta (npm)

Published Jun 20, 2022

MAL-2025-3528

Malicious code in metadata-collector (npm)

Published Apr 29, 2025

CVE-2022-4942LOW

eslint-detailed-reporter vulnerable to cross-site scripting

Published Apr 20, 2023

MAL-2025-36806

Malicious code in theta-tv-charts (npm)

Published Aug 14, 2025

GHSA-rcx4-77x4-hjx5

Duplicate Advisory: OpenClaw ACP client has permission auto-approval bypass via untrusted tool metadata

Published Mar 21, 2026

GHSA-rvqr-hrcc-j9vv

OpenClaw: Bonjour/DNS-SD TXT metadata steers CLI routing after failed service resolution

Published Mar 26, 2026

CVE-2026-26324

OpenClaw has a SSRF guard bypass via full-form IPv4-mapped IPv6 (loopback / metadata reachable)

Published Feb 17, 2026

CVE-2019-10788CRITICAL

OS Command Injection in im-metadata

Published Apr 13, 2021

CVE-2026-32236

@backstage/plugin-auth-backend: SSRF in experimental CIMD metadata fetch

Published Mar 12, 2026

GHSA-vh4c-j2xv-9pv9

Duplicate Advisory: OpenClaw: BlueBubbles beta plugin webhook auth hardening (remove passwordless fallback)

Published Mar 21, 2026

MAL-2022-1388

Malicious code in azure-template-samples-ts-beta (npm)

Published Jun 20, 2022

CVE-2026-32256

music-metadata has an infinite loop vulnerability in ASF parser

Published Mar 17, 2026

MAL-2024-2506

Malicious code in importlib-metadata (npm)

Published Jun 25, 2024

MAL-2022-627

Malicious code in @tekion/beta (npm)

Published Jun 20, 2022

MAL-2024-8823

Malicious code in com.meta.xrpa (npm)

Published Sep 5, 2024

CVE-2025-12816

node-forge has an Interpretation Conflict vulnerability via its ASN.1 Validator Desynchronization

Published Nov 26, 2025

MAL-2024-10264

Malicious code in metadata-attacher (npm)

Published Oct 29, 2024

MAL-2022-2041

Malicious code in com.meta.quest.sdk.empty (npm)

Published Sep 26, 2022

CVE-2021-21366MEDIUM

Misinterpretation of malicious XML input

Published Mar 12, 2021

MAL-2022-2172

Malicious code in contract-metadata (npm)

Published Jun 20, 2022

MAL-2025-3234

Malicious code in dc-comments-beta-dropin (npm)

Published Apr 17, 2025

MAL-2022-554

Malicious code in @ramp106/timetable (npm)

Published Jun 20, 2022

MAL-2025-48508

Malicious code in src_components_ibtdetail_index_tsx (npm)

Published Oct 18, 2025

MAL-2025-3905

Malicious code in meta-ai-client (npm)

Published May 16, 2025

MAL-2025-4069

Malicious code in com.meta.xr.sdk.avatars.sample.assets (npm)

Published May 21, 2025

MAL-2025-3518

Malicious code in @reserach_org_jfhalsdhfkslsfds/metadata-collector (npm)

Published Apr 29, 2025

MAL-2025-4384

Malicious code in package-meta-resolver (npm)

Published May 23, 2025

MAL-2022-2500

Malicious code in discord.js-beta (npm)

Published Jun 20, 2022

GHSA-5326-6f73-m96w

Duplicate Advisory: OpenClaw macOS companion app (beta): allowlist parsing mismatch for system.run shell chains

Published Mar 19, 2026

CVE-2026-31873

Unhead Vulnerable to Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity

Published Mar 12, 2026

MAL-2022-4870

Malicious code in noblox.js-beta (npm)

Published Jun 20, 2022

CVE-2018-3773MEDIUM

metascraper before v5.2.0 vulnerable to stored cross-site scripting

Published Aug 8, 2018

MAL-2024-10786

Malicious code in scm-retail-ui (npm)

Published Nov 16, 2024

MAL-2023-536

Malicious code in jpeg-metadata (npm)

Published Jun 12, 2023

MAL-2022-1238

Malicious code in azure-arm-containerregistry-samples-ts-beta (npm)

Published Jun 20, 2022

MAL-2022-2042

Malicious code in com.meta.xr.sdk.empty (npm)

Published Sep 26, 2022

MAL-2022-453

Malicious code in @ncr-swt-retail/scox-npm-releases (npm)

Published Jun 20, 2022

MAL-2025-47999

Malicious code in metadata-lib (npm)

Published Oct 4, 2025

MAL-2025-1142

Malicious code in lead-marketing-metadata (npm)

Published Feb 3, 2025

MAL-2025-41450

Malicious code in @metadata-ipfs/bonk.fun-ipfs (npm)

Published Aug 28, 2025

CVE-2026-24043

jsPDF Vulnerable to Stored XMP Metadata Injection (Spoofing & Integrity Violation)

Published Feb 2, 2026

MAL-2025-5012

Malicious code in metaplex (npm)

Published Jun 17, 2025

MAL-2026-3109

Malicious code in @apiary-annex/meta (npm)

Published Apr 27, 2026

MAL-2025-824

Malicious code in dvpawebwidgetsdetailspageclient (npm)

Published Feb 3, 2025

MAL-2022-1237

Malicious code in azure-arm-containerregistry-samples-js-beta (npm)

Published Jun 20, 2022

MAL-2022-1261

Malicious code in azure-arm-mobilenetwork-samples-js-beta (npm)

Published Jun 20, 2022

MAL-2022-1263

Malicious code in azure-arm-netapp-samples-ts (npm)

Published Jun 20, 2022

MAL-2022-1326

Malicious code in azure-dtdl-parser-samples-js-beta (npm)

Published Jun 20, 2022

MAL-2026-2617

Malicious code in upstartautoretailadmin (npm)

Published Apr 12, 2026

MAL-2025-191237

Malicious code in @ifings/metatron3 (npm)

Published Nov 24, 2025

MAL-2025-2767

Malicious code in invoicetax-paypal (npm)

Published Mar 28, 2025

MAL-2026-2897

Malicious code in chai-beta (npm)

Published Apr 15, 2026

MAL-2024-1633

Malicious code in detailimg (npm)

Published Jun 18, 2024

MAL-2022-4340

Malicious code in load-image-meta (npm)

Published Jun 20, 2022

MAL-2023-8285

Malicious code in meta-titik (npm)

Published Oct 3, 2023

MAL-2023-912

Malicious code in ttf-metadata (npm)

Published Jun 12, 2023

MAL-2023-361

Malicious code in fc-personal-details (npm)

Published Jun 6, 2023

MAL-2022-4570

Malicious code in metalsapi-adapter (npm)

Published Jun 20, 2022

MAL-2022-4567

Malicious code in meta-left-pad (npm)

Published Jun 20, 2022

MAL-2022-4571

Malicious code in metamask (npm)

Published Jun 20, 2022

MAL-2022-4573

Malicious code in metamask-state-log-explorer (npm)

Published Jun 20, 2022

MAL-2022-3586

Malicious code in heflectmetadata (npm)

Published Aug 19, 2022

MAL-2023-590

Malicious code in metaflow-ui (npm)

Published Jul 10, 2023

MAL-2025-2785

Malicious code in shipmentdetails-paypal (npm)

Published Mar 28, 2025

MAL-2022-5057

Malicious code in olrfdwpetayuknqb (npm)

Published Jul 11, 2022

MAL-2023-247

Malicious code in devcenter-internal-beta (npm)

Published Mar 15, 2023

MAL-2023-8170

Malicious code in beta-fhr (npm)

Published Sep 19, 2023

MAL-2023-8228

Malicious code in beta-fhr-nxt (npm)

Published Sep 25, 2023

MAL-2024-10328

Malicious code in sc-meta-layer (npm)

Published Nov 3, 2024

MAL-2024-9232

Malicious code in ens-metadata-service (npm)

Published Oct 10, 2024

CVE-2023-30857LOW

Possible prototype pollution in metadata record, when using meta decorator

Published May 1, 2023

MAL-2024-26

Malicious code in metabase-enterprise (npm)

Published Jan 3, 2024

MAL-2025-1525

Malicious code in metamask-sdk-create-react-app (npm)

Published Feb 22, 2025

MAL-2025-1533

Malicious code in metamask-design-tokens-tailwind (npm)

Published Feb 23, 2025

MAL-2022-868

Malicious code in adobetagmanager (npm)

Published Jun 20, 2022

MAL-2025-5197

Malicious code in next-sweetalert2 (npm)

Published Jun 20, 2025

MAL-2025-568

Malicious code in com.unity.test.metadata-manager (npm)

Published Jan 24, 2025

MAL-2026-3186

Malicious code in ac-sasskit-beta (npm)

Published Apr 29, 2026

MAL-2026-2219

Malicious code in @solmasterv3/solana-metadata-sdk (npm)

Published Mar 26, 2026

MAL-2024-10779

Malicious code in retail-common (npm)

Published Nov 15, 2024

MAL-2025-1174

Malicious code in setan (npm)

Published Feb 3, 2025

MAL-2022-5769

Malicious code in retact-vrtualiied (npm)

Published Aug 19, 2022

MAL-2024-10500

Malicious code in eth-cmeta (npm)

Published Nov 8, 2024

MAL-2024-1191

Malicious code in metacord (npm)

Published Apr 3, 2024

MAL-2024-12002

Malicious code in metamodel-editor (npm)

Published Dec 19, 2024

MAL-2025-2569

Malicious code in cargo_metadata (npm)

Published Mar 20, 2025

MAL-2025-62

Malicious code in old-mpl-token-metadata (npm)

Published Jan 5, 2025

GHSA-6g25-pc82-vfwp

OpenClaw: macOS beta onboarding exposed PKCE verifier via OAuth state

Published Mar 3, 2026

GHSA-796m-2973-wc5q

OpenClaw has exec allowlist/safeBins policy-runtime mismatch via env -S wrapper interpretation

Published Mar 3, 2026

MAL-2026-134

Malicious code in meta-code-verify (npm)

Published Dec 21, 2025

MAL-2025-190803

Malicious code in @ensdomains/cypress-metamask (npm)

Published Nov 24, 2025

MAL-2025-190840

Malicious code in esbuild-plugin-eta (npm)

Published Nov 24, 2025

MAL-2026-885

Malicious code in metadata-stripper (npm)

Published Feb 13, 2026

MAL-2025-3986

Malicious code in beta1 (npm)

Published May 19, 2025

MAL-2024-10510

Malicious code in ethmetadata (npm)

Published Nov 8, 2024

MAL-2025-47265

Malicious code in @pumpfun-sdk/metadata (npm)

Published Sep 16, 2025

MAL-2025-47969

Malicious code in @pumpswap-sdk4/metadata (npm)

Published Oct 7, 2025

MAL-2026-1398

Malicious code in meta-internal-logger-drzak (npm)

Published Mar 13, 2026

MAL-2026-756

Malicious code in cat-retail-app (npm)

Published Feb 5, 2026

MAL-2026-1620

Malicious code in @f5rest/odata-v4-metadata (npm)

Published Mar 18, 2026

MAL-2026-1938

Malicious code in @metaplex-foundations/umi-public-keys (npm)

Published Mar 20, 2026

MAL-2025-710

Malicious code in mpl-token-metadata (npm)

Published Jan 31, 2025

MAL-2025-3878

Malicious code in com.meta.xr.sdk.avatars (npm)

Published May 16, 2025

MAL-2026-1616

Malicious code in @f5rest/icr-metadata-generator (npm)

Published Mar 18, 2026

MAL-2025-4678

Malicious code in @sasmeee/wabetainfo (npm)

Published Jun 4, 2025

MAL-2026-848

Malicious code in npm_cimetadata (npm)

Published Feb 11, 2026

Check your entire dependency tree at onceRun dependency scan →