ses
254 known vulnerabilities · 8 critical · 16 high
SES's dynamic import and spread operator provide possible path to arbitrary exfiltration and execution
Claude Code Vulnerable to Command Injection via Directory Change Bypasses Write Protection
parse-server's session object properties can be updated by foreign user if object ID is known
Novu has SSRF via conditions filter webhook bypasses validateUrlSsrf() protection
@nyariv/sandboxjs vulnerable to sandbox escape via TOCTOU bug on keys in property accesses
Flowise: Weak Default Express Session Secret
OpenClaw: Voice-call still parses large WebSocket frames before start validation (Incomplete fix for CVE-2026-32062)
Malicious code in express-session-js (npm)
OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing
Malicious code in responses-starter-app (npm)
OpenClaw's unsanitized session ID enables path traversal in transcript file operations
NPM IP package incorrectly identifies some private IP addresses as public
Strapi mishandles hidden attributes within admin API responses
DOMPurify's ADD_TAGS function form bypasses FORBID_TAGS due to short-circuit evaluation
Unintentional leakage of private information via cross-origin websocket session hijacking
@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
Apostrophe CMS Insufficient Session Expiration vulnerability
OpenClaw: Gateway HTTP /sessions/:sessionKey/kill Reaches Admin Kill Path Without Caller Scope Binding
Malicious code in assessment-zmarta (npm)
Compromised child renderer processes could obtain IPC access without nodeIntegrationInSubFrames being enabled
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching
OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths
n8n's Source Control SSH Configuration Uses StrictHostKeyChecking=no
OpenClaw has multiple E2E/test Dockerfiles that run all processes as root
Shakapacker has environment variable leak via EnvironmentPlugin that exposes secrets to client-side bundles
Duplicate Advisory: OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns
Parse Server's LiveQuery bypasses CLP pointer permission enforcement
Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
OpenClaw: Voice-call Plivo V3 webhook replay key uses unsorted URL, allowing replay via query-parameter reordering
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
OpenClaw: MSTeams thread history bypasses sender allowlist via Graph API
StudioCMS REST getUsers Exposes Owner Account Records to Admin Tokens
Sequelize - Default support for “raw attributes” when using parentheses
CommandKit has incorrect command name exposure in context object for message command aliases
OpenClaw: Discord voice manager bypasses channel-level member access allowlist
OpenClaw session tool visibility hardening and Telegram webhook secret fallback
OpenClaw: Telegram DM-Scoped Inline Button Callbacks Bypass DM Pairing and Mutate Session State
OpenClaw Gateway `operator.write` can reach admin-only session reset via `chat.send` `/reset`
Parse Server session creation endpoint allows overwriting server-generated session fields
Malicious code in @apple-pay-trust/merchant-session (npm)
OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill
@grackle-ai/server has a Missing Secure Flag on Session Cookie
OpenClaw has an arbitrary transcript path file write via gateway sessionFile
parse-url parses http URLs incorrectly, making it vulnerable to host name spoofing
Parse Server's GraphQL WebSocket endpoint bypasses security middleware
Child processes spawned by Renovate incorrectly have full access to environment variables
Parse Server: File metadata endpoint bypasses `beforeFind` / `afterFind` trigger authorization
OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image
Parse Dashboard Has a Cache Key Collision that Leaks Master Key to Read-Only Sessions
Malicious code in requestz-promises (npm)
ion-parser Prototype Pollution when malicious INI file submitted to application that parses with `parse`
OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement
h3: Double Decoding in `serveStatic` Bypasses `resolveDotSegments` Path Traversal Protection via `%252e%252e`
OpenClaw: `session_status` sessionId resolution bypasses sandboxed session-tree visibility
OpenClaw: config.get redaction bypass through sourceConfig and runtimeConfig aliases
n8n-mcp has unauthenticated session termination and information disclosure in HTTP transport
OpenClaw: Forwarding header spoofing bypasses gateway.trustedProxies origin detection
OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting
OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
Parse Server vulnerable to session token exfiltration via `redirectClassNameForKey` query parameter
Malicious code in edit_session (npm)
OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
Malicious code in cxd-npm-releases (npm)
OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks
Mattermost Desktop App fails to sufficiently configure Electron Fuses
mcp-handler has a tool response leak across concurrent client sessions ('Race Condition')
OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
Malicious code in @bmw-chris/onlinesession-default-frontend (npm)
Duplicate Advisory: OpenClaw's Signal reaction-only status events could, in limited cases, be enqueued before access checks
Malicious code in exsess (npm)
Malicious code in cloudshell-session (npm)
Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
@backstage/plugin-scaffolder-backend Vulnerable to Potential Session Token Exfiltration via Log Redaction Bypass
OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover
OpenClaw: Non-owner command-authorized sender can change the owner-only `/send` session delivery policy
Malicious code in ing-util-scr-session (npm)
OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals
OpenClaw: Leaf subagents could steer sibling sessions across sandbox boundaries
OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement
Feathers exposes internal headers via unencrypted session cookie
express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network
OpenClaw has agent avatar symlink traversal in gateway session metadata
Duplicate Advisory: OpenClaw session transcript files were created without forced user-only permissions
Mattermost Desktop App exposes sensitive information in its application logs
Duplicate Advisory: OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
OpenClaw: Feishu docx upload_file/upload_image Bypasses Workspace-Only Filesystem Policy (GHSA-qf48-qfv4-jjm9 Incomplete Fix)
Malicious code in poseshield (npm)
url-parse incorrectly parses hostname / protocol due to unstripped leading control characters.
Duplicate Advisory: OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
OpenClaw SSRF guard misses four IPv6 special-use ranges
OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion
OpenClaw's sandboxed sessions_spawn now enforces sandbox inheritance for cross-agent spawns
Malicious code in selenium-session-client (npm)
Malicious code in shelf-jwt-sessions (npm)
OpenClaw: Host exec environment sanitization misses package, registry, Docker, compiler, and TLS override variables
brace-expansion: Zero-step sequence causes process hang and memory exhaustion
OpenClaw: Message action attachment hydration bypasses local media root checks when sandboxRoot is unset
Directus tokens are not redacted in flow logs, exposing session credentials to all admin
Malicious code in adc-session-id (npm)
Parse Server: Classes `_GraphQLConfig` and `_Audience` master key bypass via generic class routes
OpenClaw: Heartbeat context inheritance bypasses sandbox via senderIsOwner escalation
Malicious code in x-session-parser (npm)
OpenClaw leaf subagents can bypass controlScope restrictions to send messages to child sessions
Elliptic Uses a Cryptographic Primitive with a Risky Implementation
OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials
OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade
Malicious code in ty-web-session (npm)
OpenClaw: Sandboxed /acp spawn requests could initialize host ACP sessions
Malicious code in parse-session (npm)
OpenClaw: Gateway Plugin Subagent Fallback `deleteSession` Uses Synthetic `operator.admin`
Malicious code in cross-sessions (npm)
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion
Malicious code in session-keeper (npm)
@fastify/express's middleware path doubling causes authentication bypass in child plugin scopes
Claude Code has a Command Injection in find Command Bypasses User Approval Prompt
OpenClaw: SSH-based sandbox backends pass unsanitized process.env to child processes
Parse Server's Session Update endpoint allows overwriting server-generated session fields
OpenClaw: Write-scoped callers could reach admin-only session reset logic through `agent`
Malicious code in mongooses-db (npm)
Malicious code in dummy-loosesight-gc (npm)
H3: Unbounded Chunked Cookie Count in Session Cleanup Loop may Lead to Denial of Service
OpenClaw's image tool bypasses tools.fs.workspaceOnly on sandbox mount paths and exfiltrates out-of-workspace images
OpenClaw's message tool media parameter bypasses tool policy filesystem isolation
Passport vulnerable to session regeneration when a user logs in or out
Axios HTTP/2 Session Cleanup State Corruption Vulnerability
OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
OpenClaw: Sandbox file operations use check-then-act, bypassing fd-based TOCTOU defenses
js-ini Prototype Pollution when malicious INI files submitted to an application that parses it with `parse`
Malicious code in shopify-app-session-storage-test-utils (npm)
Malicious code in @web-utilities/session-id (npm)
Claude Code Vulnerable to Command Injection via Piped sed Command Bypasses File Write Restrictions
Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
`OpenClaw: session_status` let sandboxed subagents access parent or sibling session state
Directus: SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in File Import
Parse Server exposes auth data via verify password endpoint
OpenClaw: Existing WS sessions survive shared gateway token rotation
Malicious code in hosted-lenses-ui (npm)
OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
Malicious code in session-parse (npm)
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
OpenClaw: Gateway agent /reset exposes admin session reset to operator.write callers
Malicious code in @bmw-chris/vehiclesession-default-frontend (npm)
OpenClaw: Gateway HTTP Session History Route Bypasses Operator Read Scope
Duplicate Advisory: OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Malicious code in posthog-react-native-session-replay (npm)
Malicious code in expi-session (npm)
code-server's session cookie can be extracted by having user visit specially crafted proxy URL
Duplicate Advisory: `OpenClaw: session_status` let sandboxed subagents access parent or sibling session state
Duplicate Advisory: OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
Malicious code in smc-extendsession (npm)
Malicious code in discord-canvases (npm)
docusaurus-plugin-content-gists vulnerability exposes GitHub Personal Access Token
mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality
Malicious code in fierce-obsessions-the-phoenix-pack-6-by-suzanne-wright-online-new-pages- (npm)
parse-server's file creation and deletion bypasses `readOnlyMasterKey` write restriction
Duplicate Advisory: OpenClaw reuses the gateway auth token in the owner ID prompt hashing fallback
OpenClaw inter-session prompts could be treated as direct user instructions
Malicious code in xms-error-responses (npm)
form-data uses unsafe random function in form-data for choosing boundary
OpenClaw: MS Teams Feedback Invocation Bypasses Sender Allowlists and Records Unauthorized Session Feedback
Parse Server's streaming file download bypasses afterFind file trigger authorization
Duplicate Advisory: OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
Malicious code in @ncr-swt-retail/scox-npm-releases (npm)
OpenClaw has stored XSS in exported session HTML viewer via markdown/raw-HTML rendering
OpenClaw's shell startup env injection bypasses system.run allowlist intent (RCE class)
PDFME Affected by Decompression Bomb in FlateDecode Stream Parsing Causes Memory Exhaustion DoS
Malicious code in @w3m-frame/session_update (npm)
Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
Electron: nodeIntegrationInWorker not correctly scoped in shared renderer processes
Malicious code in express-session-vailidator (npm)
Malicious code in sharedclasses (npm)
Malicious code in noblox.js-promises (npm)
Malicious code in envoy-curses (npm)
Malicious code in @ncr-design-system/cxd-npm-releases (npm)
Malicious code in trello-enterprises (npm)
Malicious code in pdf-gods-generals-the-military-lives-of-moses-the-buddha-and-muhammad-by-richard-a-gabriel-on-textbo (npm)
Malicious code in expo-audio-session (npm)
Malicious code in express-session-validator (npm)
Malicious code in telegraf-mysql2-session (npm)
pnpm incorrectly parses tar archives relative to specification
Malicious code in pagseguro-user-session (npm)
Malicious code in wm-publish-statuses (npm)
Malicious code in hope-session-manager (npm)
parse-server new anonymous user session acts as if it's created with password
Malicious code in express-sessions-id (npm)
Malicious code in eng-intern-assessment-react-native (npm)
Malicious code in shopify-app-session-storage-prisma (npm)
Malicious code in shopify-app-session-storage-drizzle (npm)
Malicious code in session-validate (npm)
OpenClaw Exposes Credentials Embedded in baseUrl Fields via config.get and channels.status
Malicious code in expo-sessoion (npm)
Malicious code in @sensort/session (npm)
Malicious code in fc-session-state (npm)
Malicious code in sess-mgmt (npm)
Malicious code in availab-le-alb-um-zip-25931-the-life-aquatic-studio-sessions-mocn6-tnmvnd (npm)
h3: Missing Path Segment Boundary Check in `mount()` Causes Middleware Execution on Unrelated Prefix-Matching Routes
OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Duplicate Advisory: OpenClaw's message tool media parameter bypasses tool policy filesystem isolation
unity-cli Exposes Plaintext Credentials in Debug Logs (sign-package command)
OpenClaw: Sandboxed sessions_spawn(runtime="acp") bypassed sandbox inheritance and allowed host ACP initialization
Malicious code in requests-promises (npm)
Malicious code in pdf-a-court-of-wings-and-ruin-a-court-of-thorns-and-roses-3-by-sarah-j-maas-on-iphone-full-chapters- (npm)
OpenClaw: Gateway HTTP /v1/models Route Bypasses Operator Read Scope
Parse Server has a session field immutability bypass via falsy-value guard
OpenClaw: `/phone arm`/`/phone disarm` Bypasses `operator.admin` Scope Check for External Channels
Malicious code in viseshthemed (npm)
OpenClaw: Gateway `device.token.rotate` does not terminate active WebSocket sessions after credential rotation
Malicious code in casesensitijepathswebpackplugin (npm)
OpenClaw session transcript files were created without forced user-only permissions
Malicious code in nexpi-session (npm)
Malicious code in sess-store (npm)
Malicious code in selenium-session (npm)
Malicious code in sessionfiy (npm)
Malicious code in cross-session (npm)
Malicious code in purchases-roku (npm)
Malicious code in rei-session (npm)
Malicious code in dummy-loosesight-gd (npm)