OsVault/npm/payload

payload (npm package)

28 known vulnerabilities · 2 critical · 6 high

CVE-2025-4644

Payload's SQLite adapter Session Fixation vulnerability

Published Aug 29, 2025
CVE-2025-4643

Payload does not invalidate JWTs after log out

Published Aug 29, 2025
CVE-2023-30843 · HIGH

Hidden fields can be leaked on readable collections in Payload

Published Apr 26, 2023
CVE-2026-34746 · HIGH
Risk: 38.51/100

Payload has Authenticated SSRF via Upload Functionality

Published Apr 1, 2026
CVE-2026-25574

payload-preferences has Cross-Collection IDOR in Access Control (Multi-Auth Environments)

Published Feb 5, 2026
CVE-2026-34751 · CRITICAL
Risk: 45.51/100

Payload: Pre-Authentication Account Takeover via Parameter Injection in Password Recovery

Published Apr 1, 2026
CVE-2026-27567

Payload: Server-Side Request Forgery (SSRF) in External File URL Uploads

Published Feb 24, 2026
CVE-2026-34749 · MEDIUM
Risk: 27.01/100

Payload has a CSRF Protection Bypass in Authentication Flow

Published Apr 1, 2026
CVE-2026-34747 · HIGH
Risk: 42.51/100

Payload has an SQL Injection via Query Handling

Published Apr 1, 2026
CVE-2022-27952 · CRITICAL

Unrestricted Upload of File with Dangerous Type in Payload

Published Apr 13, 2022
GHSA-2858-xg23-26fp

OpenClaw: Node camera URL payload host-binding bypass allowed gateway fetch pivots

Published Mar 3, 2026
CVE-2020-7641 · MEDIUM

grunt-util-property 0.0.2 function call can add/modify properties of Object.prototype using a __proto__ payload

Published Jul 18, 2022
CVE-2018-3711 · HIGH

Denial of Service vulnerability with large JSON payloads in fastify

Published Jul 18, 2018
CVE-2023-49293 · MEDIUM

Vite XSS vulnerability in `server.transformIndexHtml` via URL payload

Published Dec 5, 2023
CVE-2022-25854 · MEDIUM

tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload

Published Apr 30, 2022
GHSA-8mf7-vv8w-hjr2

OpenClaw's tools.exec.safeBins generic fallback allowed interpreter-style inline payload execution in allowlist mode

Published Mar 3, 2026
GHSA-9q2p-vc84-2rwm

OpenClaw: system.run allow-always persistence included shell-commented payload tails

Published Mar 9, 2026
CVE-2023-32688 · MEDIUM

Invalid push request payload crashes Parse Server

Published May 22, 2023
CVE-2026-34748 · HIGH
Risk: 43.51/100

@payloadcms/next has Stored XSS in Admin Panel

Published Apr 1, 2026
GHSA-w8rf-7qf8-65ww

Duplicate Advisory: OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv

Published Mar 31, 2026
CVE-2026-34750 · MEDIUM
Risk: 32.52/100

Payload has Insufficient Filename Validation in Client-Upload Signed-URL Endpoints

Published Apr 1, 2026
GHSA-jf56-mccx-5f3f

OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel

Published Apr 9, 2026
GHSA-rw39-5899-8mxp

OpenClaw: Node-host approvals could show misleading shell payloads instead of the executed argv

Published Mar 13, 2026
CVE-2022-35142 · HIGH

Raneto Denial of Service via crafted payload injected into `Search` parameter

Published Aug 5, 2022
CVE-2026-25544

@payloadcms/drizzle has SQL Injection in JSON/RichText Queries on PostgreSQL/SQLite Adapters

Published Feb 5, 2026
GHSA-65w6-pf7x-5g85

@delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints, allowing unauthenticated access to Puck-registered collections

Published Apr 8, 2026
GHSA-846p-hgpv-vphc

OpenClaw: QQ Bot structured payloads could read arbitrary local files

Published Apr 7, 2026
MAL-2025-4959

Malicious code in zora-exploit-payload (npm)

Published Jun 15, 2025