ws
598 known vulnerabilities · 13 critical · 44 high
ws affected by a DoS when handling a request with many HTTP headers
ws: Memory exhaustion DoS from tiny fragments and data chunks
ws: Uninitialized memory disclosure
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup
browserstack-runner vulnerable to Remote Code Execution via vm sandbox escape in _log HTTP handler
BoxLite: Permission Bypass Allows Modification of Read-Only Files
actual Allows Electron to Run As Node
OpenClaw's sandbox browser noVNC observer lacked VNC authentication
Paperclip: Cross-tenant agent API key IDOR in `/agents/:id/keys` routes allows full victim-company compromise
nadesiko3 allows remote attacker to inject invalid value to decodeURIComponent of nako3edit
vm2 has a CVE-2023-37903 patch bypass: nesting:true without explicit require still allows full RCE
browserstack-runner has an unauthenticated arbitrary file read via path traversal in HTTP server
NodeVM builtin denylist bypass via process and inspector/promises allows host code execution
Budibase: Missing Cache Invalidation on Public API Role Unassignment Allows Revoked Users to Retain Privileges for Up to 1 Hour
@node-oauth/oauth2-server: PKCE code_verifier ABNF not enforced in token exchange allows brute-force redemption of intercepted authorization codes
Malicious code in @browserbasehq/stagehand-docs (npm)
CamoFox MCP: Unauthenticated HTTP MCP browser-control surface
thlorenz browserify-shim vulnerable to prototype pollution
OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)
Markdownify MCP Server allows Server-Side Request Forgery (SSRF) via the Markdownify.get() function
Directus' insufficient permission checks can enable unauthenticated users to manually trigger Flows
radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Malicious code in awsmcc (npm)
Malicious code in aws-features-signin-proxy-client (npm)
Malicious code in aws-ui-component-select (npm)
phoenix_html allows Cross-site Scripting in HEEx class attributes
n8n's Unsafe Buffer Allocation Allows In-Process Memory Disclosure in Task Runner
OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
Stored XSS via <iframe> in HAX CMS allows access to sensitive client-side data and account takeover
Claude Code: Sandbox Escape via Symlink Following Allows Arbitrary File Write Outside Workspace
OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter
OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode
Pug allows JavaScript code execution if an application accepts untrusted input
Solid Lacks Escaping of HTML in JSX Fragments allows for Cross-Site Scripting (XSS)
Malicious code in steamdb-browser-extension (npm)
Exfiltration of hashed SMB credentials on Windows via file:// redirect
Directus allows redacted data extraction on the API through "alias"
Shescape potential environment variable exposure on Windows with CMD
OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
OneUptime: Synthetic Monitor RCE via exposed Playwright browser object
OpenClaw: Chrome --no-sandbox disabled OS-level browser sandbox in sandbox browser container
OpenCode's Unauthenticated HTTP Server Allows Arbitrary Command Execution
vm2 Sandbox Access to Host Buffer.alloc Allows timeout Bypass Resulting in Memory Exhaustion
Flowise Cross-site Scripting in /api/v1/chatflows-streaming/id
parse-server's endpoint `/loginAs` allows `readOnlyMasterKey` to gain full read and write access as any user
llhttp allows HTTP Request Smuggling via Flawed Parsing of Transfer-Encoding
path-sanitizer allows bypassing the existing filters to achieve path-traversal vulnerability
Claude Code: Insecure System-Wide Configuration Loading Enables Local Privilege Escalation on Windows
OpenClaw's Telegram message_reaction authorization bypass allows unauthorized system-event injection
pnpm: Binary ZIP extraction allows arbitrary file write via path traversal (Zip Slip)
Parse Server's custom object ID allows to acquire role privileges
OpenClaw browser navigation guard allowed non-network URL schemes, enabling authenticated browser-tool users to access file:// local files
h3 has a Path Traversal via Percent-Encoded Dot Segments in serveStatic Allows Arbitrary File Read
Downloads Resources over HTTP in dalek-browser-chrome-canary
OpenClaw: Slack interactive callbacks could skip configured sender checks in some shared-workspace flows
Buttercup allows attackers to obtain the hash of the master password
Hono allows bypass of CSRF Middleware by a request without Content-Type header.
Flowise Cross-site Scripting in /api/v1/public-chatflows/id
Malicious code in ainruohkpglvwsmj (npm)
OpenClaw: Incomplete scope-clearing fix allows operator.admin escalation via trusted-proxy auth mode
tarteaucitron.js allows prototype pollution via custom text injection
Duplicate Advisory: OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
Better Auth Passkey Plugin allows passkey deletion through IDOR
pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
Malicious code in gulp-browserify-thin (npm)
Padding Oracle Attack due to Observable Timing Discrepancy in jose-browser-runtime
Shescape has potential environment variable exposure on Windows with CMD
Fastify's Missing End Anchor in "subtypeNameReg" Allows Malformed Content-Types to Pass Validation
OpenClaw: Self-Whitelisting in appendLocalMediaParentRoots Allows Arbitrary File Read & Credential Exfiltration
Malicious code in aws-amplify-unicorntrivia-workshop (npm)
BrowserStack Local vulnerable to Command Injection through logfile variable
Parse Server session creation endpoint allows overwriting server-generated session fields
Malicious code in ssf-desktop-api-browser (npm)
n8n's Missing Stripe-Signature Verification Allows Unauthenticated Forged Webhooks
AWS Lambda parser is vulnerable to Regular Expression Denial of Service
Malicious code in browserstack-utils (npm)
@mobilenext/mobile-mcp allows arbitrary file write via Path Traversal in mobile screen capture tools
codecov NPM module allows remote attackers to execute arbitrary commands
Malicious code in aws-perspective (npm)
Malicious code in aws-simple-cicd (npm)
OpenClaw's Control UI Static File Handler Follows Symlinks and Allows Out-of-Root File Read
OpenClaw's Node role device-identity bypass allows unauthorized node.event injection
Malicious code in azure-event-hubs-browser (npm)
OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image
Malicious code in browserslist-config-usaa (npm)
Microsoft Playwright MCP Server vulnerable to DNS Rebinding Attack; Allows Attackers Access to All Server Tools
Malicious code in mv-browser-support (npm)
evershop allows unauthenticated attackers to exhaust application server's resources via "GET /images" API
tarteaucitron.js allows url scheme injection via unfiltered inputs
OpenClaw: Channel setup catalog lookups could include untrusted workspace plugin shadows
OpenClaw has Windows system.run approval mismatch on cmd.exe /c trailing arguments
thlorenz browserify-shim vulnerable to prototype pollution
n8n Unsafe Workflow Expression Evaluation Allows Remote Code Execution
OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
billboard.js allows prototype pollution via the function generate
Malicious code in aws-solutions-constructs (npm)
@actual-app/sync-server: Missing authorization in sync endpoints allows cross-user budget file access in multi-user mode
Budibase: Unanchored Regex in `matchers.ts` Allows CSRF Bypass via Query String Injection in Budibase Worker
Malicious code in cobrowse-common (npm)
Malicious code in com.unity.xr.windowsmr (npm)
Malicious code in com.unity.xr.windowsmr.metro (npm)
Mattermost Desktop App allows the bypass of Transparency, Consent, and Control (TCC) via code injection
Malicious code in react-photo-views (npm)
Malicious code in ntwsc (npm)
OpenClaw's non-default autoAllowSkills setting could bypass on-miss exec prompt
fhir-works-on-aws-authz-smart handles permissions improperly
Mattermost Desktop App allows for bypassing TCC restrictions on macOS
OpenClaw improperly parses X-Forwarded-For behind trusted proxies allows client IP spoofing in security decisions
thlorenz browserify-shim vulnerable to prototype pollution
Malicious code in cowsay-fancy (npm)
Malicious code in strapi-provider-upload-aws-s3-auth (npm)
OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover
OpenClaw: Browser snapshot and screenshot routes could expose internal page content after navigation
OpenClaw affected by cross-site request forgery (CSRF) through loopback browser mutation endpoints
React Router allows pre-render data spoofing on React-Router framework mode
Malicious code in aws-logs (npm)
MJML allows mj-include directory traversal due to an incomplete fix for CVE-2020-12827
AWS Advanced NodeJS Wrapper: Privilege Escalation in Aurora PostgreSQL instance
Malicious code in abu-news-api (npm)
OpenClaw: Windows-compatible env override keys could bypass system.run approval binding
OpenClaw: Discord text `/approve` bypasses `channels.discord.execApprovals.approvers` and allows non-approvers to resolve pending exec approvals
Electron protocol handler browser vulnerable to Command Injection
Malicious code in loblaws-mkt-bundle (npm)
OpenClaw: Existing-session browser interaction routes bypassed SSRF policy enforcement
Mass Assignment in AdonisJS Lucid Allows Overwriting Internal ORM State
DOMPurify USE_PROFILES prototype pollution allows event handlers
Malicious code in node-jaws (npm)
Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion
OpenClaw safeBins jq `$ENV` filter bypass allows environment variable disclosure
OpenClaw: Sender policy bypass in host media attachment reads allows unauthorized local file disclosure
Malicious code in @asyncapi/nodejs-ws-template (npm)
Vercel Workflow Allows Webhook Creation with Predictable User-Specified Tokens
OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host
Malicious code in @kvytech/medusa-plugin-product-reviews (npm)
Malicious code in @clausehq/flows-step-sendgridemail (npm)
Malicious code in angra_temple_of_shadows_songbook_pdf_105_kssry (npm)
Malicious code in vue-gws (npm)
SillyTavern: Path Traversal allows file existence oracle
OpenClaw: Browser SSRF policy default allowed private-network navigation
OpenClaw: Path traversal via inbound channel attachment path in ACP dispatch allows arbitrary file read
Oceanic allows unsanitized user input to lead to path traversal in URLs
jsPDF has PDF Injection in AcroFormChoiceField that allows Arbitrary JavaScript Execution
Malicious code in aws-check (npm)
Malicious code in legacyreact-aws-s3-typescript (npm)
Duplicate Advisory: OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
Directus `search` query parameter allows enumeration of non permitted fields
Malicious code in @wso-utils/json-mapper (npm)
OpenClaw: Browser interaction routes could pivot into local CDP and regain file reads
Malicious code in abunews-components (npm)
OpenClaw: Browser tabs action select and close routes bypassed SSRF policy
estree-util-value-to-estree allows prototype pollution in generated ESTree
evershop allows unauthenticated attackers to force server to initiate HTTP request via "GET /images" API
Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate
hemmelig allows SSRF Filter bypass via Secret Request functionality
Duplicate Advisory: OpenClaw has browser trace/download path symlink escape in temp output handling
OpenClaw's hook transform module path allows traversal and arbitrary JavaScript module loading
llhttp allows HTTP Request Smuggling via Improper Delimiting of Header Fields
Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
Malicious code in com.unity.assetbundlebrowser (npm)
Electron: Named window.open targets not scoped to the opener's browsing context
Parse Server: `PagesRouter` path traversal allows reading files outside configured pages directory
Vite allows server.fs.deny to be bypassed with .svg or relative paths
Malicious code in @clausehq/flows-step-jsontoxml (npm)
Malicious code in @clausehq/flows-step-mqtt (npm)
Malicious code in medusa-plugin-product-reviews-kvy (npm)
Malicious code in aws-data-replication-hub (npm)
Malicious code in aws-delivlib-sample (npm)
Electerm has an unvalidated shell.openExternal that allows arbitrary protocol execution via terminal link click
OpenClaw: Incomplete host-env-security-policy allows untrusted model to substitute compiler binaries via env overrides
Malicious code in node-js-playwright-browserstack (npm)
Malicious code in vue2-webviews (npm)
Zowe CLI allows storage of previously entered secure credentials in a plaintext file
Malicious code in browsersilst (npm)
Malicious code in browserslist-config-freight-trust (npm)
http-proxy-middleware allows fixRequestBody to proceed even if bodyParser has failed
OpenClaw has a path traversal in browser trace/download output paths may allow arbitrary file writes
Malicious code in mws-common-ui (npm)
Malicious code in co-browsing (npm)
Malicious code in browser-gaming-client (npm)
OpenClaw has a path traversal in browser upload allows local file read
Malicious code in @zapier/browserslist-config-zapier (npm)
OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
Summarize's hover summary feature allows malicious pages to dispatch synthetic mouseover events over attacker-controlled links
Claude SDK for TypeScript: Memory Tool Path Validation Allows Sandbox Escape to Sibling Directories
Fastify's Content-Type header tab character allows body validation bypass
OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
Directus allows unauthenticated file upload and file modification due to lacking input sanitization
Duplicate Advisory: OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation
OpenClaw: Sandbox noVNC helper route exposed interactive browser session credentials
StudioCMS: IDOR in User Notification Preferences Allows Any Authenticated User to Modify Any User's Settings
OpenClaw: Windows media loaders accepted remote-host file URLs before local path validation
Malicious code in new-relic-browser (npm)
Malicious code in jade-browserify (npm)
Malicious code in windowscleaner (npm)
Shescape on Windows escaping may be bypassed in threaded context
Malicious code in outline-shadowsocksconfig (npm)
Parse Server's Session Update endpoint allows overwriting server-generated session fields
Malicious code in @mcd-gws/fetlife-assets (npm)
Malicious code in dws-dx (npm)
OpenClaw's browser-origin WebSocket auth hardening gap could enable loopback password brute-force chains
Hono IPv4 address validation bypass in IP Restriction Middleware allows IP spoofing
OpenClaw allows unauthenticated discovery TXT records to steer routing and TLS pinning
Malicious code in mongodb-stitch-browser-testutils (npm)
OneUptime: node:vm sandbox escape in probe allows any project member to achieve RCE
Better Auth allows bypassing the trustedOrigins Protection which leads to ATO
Malicious code in trae-browser-inspect (npm)
Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization
FlowiseAI: Dataset create+update mass-assignment allows cross-workspace dataset takeover
FlowiseAI has Mass Assignment in Chatflow Update Endpoint that Allows Cross-Workspace AgentFlow Reassignment
FlowiseAI has Mass Assignment in Variable Update Endpoint that Allows Cross-Workspace Resource Reassignment
OpenClaw has a Trusted-proxy Control UI pairing bypass which allows unpaired node sessions
FlowiseAI: CustomTemplate create+update mass-assignment allows cross-workspace template takeover
FlowiseAI: DatasetRow create+update mass-assignment allows cross-workspace row takeover
Malicious code in aws-centralized-waf-and-vpc-security-group-management (npm)
Malicious code in aws-data-api-ux (npm)
Malicious code in aws-ms-deploy-assistant (npm)
OpenClaw's ACPX Windows wrapper shell fallback allowed cwd injection in specific paths
ghost vulnerable to unauthorized newsletter modification via improper access controls
AngularJS allows attackers to bypass common image source restrictions
Claude Code has a Domain Validation Bypass which Allows Automatic Requests to Attacker-Controlled Domains
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://
OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation
Malicious code in browser-sign-in (npm)
StudioCMS: REST API Missing Rank Check Allows Admin to Create Peer Admin Accounts
OpenClaw: Sandbox media fallback tmp symlink alias bypass allows host file reads outside sandboxRoot
Duplicate Advisory: ACPX Windows wrapper shell fallback allowed cwd injection in specific paths
Claude Code has a Path Restriction Bypass via ZSH Clobber which Allows Arbitrary File Writes
OpenClaw: Existing WS sessions survive shared gateway token rotation
Malicious code in aws-public (npm)
Malicious code in browser-client-neptune (npm)
Electron: Unquoted executable path in app.setLoginItemSettings on Windows
OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
OpenClaw: Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0
Malicious code in dowsersync (npm)
Malicious code in browser-warning-ui (npm)
Malicious code in browser-wurfl (npm)
Malicious code in adult-content-detection-aws (npm)
Malicious code in my-rei-browser-shim (npm)
Malicious code in open-data-registry-browser (npm)
Malicious code in belzqadykjcpmwsk (npm)
Malicious code in autotel-aws (npm)
passport-wsfed-saml2 vulnerable to Signature Bypass in SAML2 token
Uptime Kuma Server-side Template Injection (SSTI) in Notification Templates Allows Arbitrary File Read
Malicious code in loblaws-mkt (npm)
Duplicate Advisory: OpenClaw: HTTP operator endpoints lack browser-origin validation in trusted-proxy mode
Malicious code in lana-ws (npm)
n8n has Public API Variables IDOR that Allows Cross-Project Secret Disclosure
Malicious code in node-env-resolver-aws (npm)
Qwik City has array method pollution in FormData processing allows type confusion and DoS
Duplicate Advisory: OpenClaw has Windows Lobster shell fallback command injection in constrained fallback path
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
n8n: LDAP Email-Based Account Linking Allows Privilege Escalation and Account Takeover
MeshCentral cross-site websocket hijacking (CSWSH) vulnerability
Apollo Server: Browser bug allows for bypass of XS-Search (read-only Cross-Site Request Forgery) prevention
FlowiseAI: Evaluator create+update mass-assignment allows cross-workspace evaluator takeover
Malicious code in lezer-snowsql (npm)
Malicious code in opbox-web-browser (npm)
Malicious code in @browserbasehq/bb9 (npm)
Malicious code in @browserbasehq/director-ai (npm)
Malicious code in aws-centralized-logging (npm)
Malicious code in img-aws-s3-object-multipart-copy (npm)
OpenClaw: Browser CDP profile creation skipped strict-mode SSRF checks
OpenClaw's incomplete host env sanitization blocklist allows supply-chain redirection via package-manager env overrides
AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value
Malicious code in cms-ui-views (npm)
Malicious code in zip-mp3-a-lbum-do-wnload-new-gift-of-screws-q2h3s-xswcix (npm)
AngularJS allows attackers to bypass common image source restrictions
Malicious code in kagi_browser_ext (npm)
OpenClaw vulnerable to path traversal in Feishu media temp-file naming allows writes outside os.tmpdir()
Malicious code in athira-windows-x64 (npm)
OpenClaude: Sandbox Bypass via Early-Exit Logic Flaw Allows Path Traversal
Malicious code in sentrybrowser5 (npm)
Marked allows Regular Expression Denial of Service (ReDoS) attacks
Malicious code in grenache-browser-http (npm)
Malicious code in vkchtoewspkjrfld (npm)
n8n's Credential Authorization Bypass in dynamic-node-parameters Allows Foreign API Key Replay
Duplicate Advisory: OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling
mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes
OneUptime has Synthetic Monitor RCE via exposed Playwright browser object
OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable
Malicious code in woo-better-reviews (npm)
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
OpenClaw's Windows cmd.exe parsing may bypass exec allowlist/approval gating
Duplicate Advisory: OpenClaw's sandbox browser noVNC observer lacked VNC authentication
Malicious code in browser-timings (npm)
Malicious code in @xvideos/aws (npm)
Malicious code in awsume (npm)
jsPDF has a PDF Injection in AcroForm module allows Arbitrary JavaScript Execution (RadioButton.createOption and "AS" property)
Malicious code in moralis-web3-providers-ws (npm)
Malicious code in int-browsing-gateway (npm)
Malicious code in nemo-jaws (npm)
OpenClaw: Marketplace Plugin Download Follows Redirects Without SSRF Protection
OpenClaw: Browser control startup could continue unauthenticated after auth bootstrap failure
Duplicate Advisory: OpenClaw host-env blocklist missing `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE` allows code execution via env override
Path traversal in oak allows transfer of hidden files within the served root directory
OpenClaw's dashboard leaked gateway auth material via browser URL/query and localStorage
OpenClaw: `browser.request` still allows `POST /reset-profile` through the `operator.write` surface
OpenClaw: `browser.request` let `operator.write` persist admin-only browser profile changes
Malicious code in ig-release-aws (npm)
Malicious code in mergify-browser-extension (npm)
hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR
Malicious code in aws-instance-scheduler (npm)
Malicious code in aws-iot-greengrass-accelerators (npm)
Malicious code in aws-track-and-trace (npm)
Malicious code in aws-video-transcriber (npm)
OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows
Hono: Path traversal in toSSG() allows writing files outside the output directory
Malicious code in sentrybrowser7 (npm)
Claude Code Command Validation Bypass Allows Arbitrary Code Execution
OpenClaw: Media download follows cross-origin redirects with Authorization headers intact
Malicious code in lingewindows (npm)
Malicious code in platform-browser-dynamic (npm)
FlowiseAI has Mass Assignment in Assistant Update Endpoint that Allows Cross-Workspace Resource Reassignment
jsrsasign: Division by Zero Allows Invalid JWK Modulus to Cause Deterministic Zero Output in RSA Operations
OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage
Malicious code in ntwsx (npm)
FlowiseAI: Evaluation create+update mass-assignment allows cross-workspace evaluation takeover
Malicious code in vue-webviews (npm)
Duplicate Advisory: OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage
Malicious code in crooked-kingdom-six-of-crows-2-by-leigh-bardugo-on-mac-full-format- (npm)
Malicious code in aws-greengrass-provisioner (npm)
Malicious code in evycfpkhwsoqljrg (npm)
Malicious code in jan-browser (npm)
Malicious code in analytics-browser (npm)
Malicious code in browser-compat-data (npm)
Malicious code in node-hide-console-windows (npm)
Malicious code in loblaws-product-listing (npm)
Malicious code in loblawsdigitalflyer (npm)
Malicious code in @flowselections/core (npm)
Malicious code in windowsreveal (npm)
Malicious code in whatsapp-flows-endpoint (npm)
Malicious code in newsda (npm)
Malicious code in web3tool-providers-ws (npm)
Malicious code in awsm-core (npm)
Malicious code in nextcloud-news (npm)
Malicious code in ng-browser-info (npm)
Malicious code in trex-proxy-browser-extension-sdk (npm)
Nodemailer: CRLF injection in Nodemailer List-* header comments allows arbitrary message header injection
tmp: Type-confusion bypass of _assertPath allows path traversal via non-string prefix/postfix/template
Malicious code in ai-aws-manager (npm)
aws-cdk-lib: OS Command Injection in NodejsFunction Bundling
Malicious code in aws-iot-samples-util (npm)
vite: `server.fs.deny` bypass on Windows alternate paths
Vitest Browser: Exposed Browser Mode API Can Proxy CDP and Overwrite Config Files, Leading to RCE
Malicious code in jaws-node (npm)
Malicious code in axios-browseragent (npm)
Malicious code in facetec-browser-sdk (npm)
launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows
FlowiseAI has Mass Assignment in Tool Update Endpoint that Allows Cross-Workspace Resource Reassignment
Malicious code in azure-accessplatform-windows-gpu (npm)
Malicious code in browserslist-db (npm)
Malicious code in identity-browser-manual-tests (npm)
Malicious code in update-browserslist (npm)
Malicious code in si-wsl (npm)
Malicious code in @postman/pm-bin-windows-x64 (npm)
Malicious code in freekws-devportal-api-client-angular (npm)
Malicious code in rawspec (npm)
WebdriverIO BrowserStack Service has a Command Injection issue
Malicious code in @clausehq/flows-step-taskscreateurl (npm)
Duplicate Advisory: Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
Malicious code in react-hackernews-bootcamp-one-v2 (npm)
Malicious code in browserslist-db-sync (npm)
Hono JWT Middleware's JWT Algorithm Confusion via Unsafe Default (HS256) Allows Token Forgery and Auth Bypass
Malicious code in @hemanshu_patil/xcode-windows-x64 (npm)
Malicious code in print-vault-browser (npm)
Malicious code in proton-vpn-browser-extension (npm)
Malicious code in reviewstack (npm)
Malicious code in freekws-devportal-api-client-nestjs (npm)
Malicious code in react-native-windows-repo (npm)
Flowise is vulnerable to stored XSS via "View Messages" allows credential theft in FlowiseAI admin panel
Malicious code in windows-confirm (npm)
Malicious code in kbxozjiervwstgyp (npm)
Malicious code in windows-version-check (npm)
Malicious code in @browserbasehq/mcp-server-browserbase (npm)
Malicious code in wsticket (npm)
Malicious code in aws-target-mediator (npm)
Malicious code in vue-browserupdate-nuxt (npm)
Malicious code in @puppeteer/browsers (npm)
fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes
MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL
OpenClaw has browser trace/download path symlink escape in temp output handling
tarteaucitron.js allows UI manipulation via unrestricted CSS injection
Malicious code in service-workbench-on-aws (npm)
Vditor allows Cross-site Scripting via an attribute of an `A` element
Malicious code in @adidas-data-mesh/common-aws (npm)
DbGate: Zip Slip in archive/unzip allows arbitrary file write leading to RCE
Network-AI missing authentication on MCP HTTP endpoint, which allows unauthenticated privileged tool calls
@joplin/onenote-converter: Path traversal in OneNote importer allows overwriting arbitrary files
OpenClaw has auth inconsistency on local Browser Extension Relay /extension endpoint
Hono is Vulnerable to Authentication Bypass by IP Spoofing in AWS Lambda ALB conninfo
Claude Code: Trust Dialog Bypass via Git Worktree Spoofing Allows Arbitrary Code Execution
NocoDB: Plaintext Password Comparison in Shared Views
systeminformation has a Command Injection vulnerability in fsSize() function on Windows
Malicious code in elasticagent-windows-arm (npm)
Malicious code in gme-loblawsinc (npm)
Malicious code in mqttoverwsprovider (npm)
OpenClaw's owner-only gateway tool access checks were incomplete in specific authenticated DM flows
OpenClaw: node.pair.approve missing callerScopes validation allows low-privilege operator to approve malicious nodes
Malicious code in newspack-blocks (npm)
Malicious code in social-previews (npm)
Malicious code in browser-interaction-time-demo (npm)
Malicious code in browser-interaction-time-utils (npm)
OpenClaw: Unified root-bound write hardening for browser output and related path-boundary flows
Malicious code in @velorum/browser-authenticator (npm)
jsrsasign: Incomplete Comparison Allows DSA Private Key Recovery via Biased Nonce Generation
vercel/serve allows access to restricted files if filename is URL encoded.
@delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections
Tryton sao allows XSS because it does not escape completion values
Malicious code in sentrybrowser (npm)
pnpm Has Lockfile Integrity Bypass that Allows Remote Dynamic Dependencies
i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite
Malicious code in ideals-views (npm)
Malicious code in skinnyvans-windows-arm64 (npm)
Malicious code in skinnyvans-windows-x64 (npm)
Malicious code in ws-gp-security-action (npm)
Malicious code in wso-core (npm)
Evolver: Command Injection via `execSync` in `_extractLLM()` function allows Remote Code Execution
MCP-Framework: Unbounded memory allocation in readRequestBody allows denial of service via HTTP transport
FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover
Malicious code in codeceptjs-browserstack (npm)
OpenClaw has command injection via Windows shell fallback in Lobster tool execution
JWS and JWT signature validation vulnerability with special characters
FUXA allows Remote Code Execution (RCE) via the project import functionality.
Malicious code in lolnews (npm)
electerm allows unauthorized users to execute arbitrary commands
qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
Flowise: Cross-Workspace Chatflow Disclosure via chatflows/apikey Endpoint Returns All Unprotected Chatflows
Vitest browser mode serves unsanitized otelCarrier query parameter as inline script
SSRF in @aborruso/ckan-mcp-server via base_url allows access to internal networks
Flowise: Mass Assignment in PUT /api/v1/user Allows Authenticated Users to Override Password Hash and Bypass Password Change Verification
Azure MCP Server has Server-Side Request Forgery issue that allows authorized attacker to elevate privileges over a network
OpenClaw Node system.run approval context-binding weakness in approval-enabled host=node flows
Open WebUI: Missing `workspace.tools` Authorization Check on Tool Update Endpoint Allows Privilege Escalation to Code Execution
Strapi allows unauthenticated attacker to reset admin password without valid reset token
Electron: Registry key path injection in app.setAsDefaultProtocolClient on Windows
Directus: TUS Upload Authorization Bypass Allows Arbitrary File Overwrite
Malicious code in ember-views (npm)
SillyTavern: Path Traversal in `/api/chats/export` and `/api/chats/delete` allows arbitrary file read/delete within user data root
Malicious code in string_decoder-browserify (npm)
Malicious code in @antoncallahan/aws-user-helper (npm)
@evomap/evolver: Path Traversal in `evolver fetch` default-branch `safeId` allows Hub-controlled overwrite of project files (RCE)
vm2 has a NodeVM require.root bypass via symlink traversal that allows sandbox escape
vm2: Mutable Proxies for Host Intrinsic Prototypes Allows Sandbox Escape
HAX CMS: Stored XSS via '<video-player>' component allows arbitrary JavaScript execution and token theft
@hapi/content header parser has a parameter smuggling issue that allows upload-filter bypass via duplicate parameters
Malicious code in @browserbasehq/sdk-functions (npm)
vm2 has a NodeVM builtin allowlist bypass via `module` builtin's `Module._load` that allows sandbox escape
Duplicate Advisory: OpenClaw: Feishu extension resolveUploadInput bypasses file-system sandbox and allows arbitrary file reads via upload_image
OneUptime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE
Typebot.io has stored XSS via `javascript:` URI in text bubble links — bot author executes JS on visitors' browsers
Malicious code in bfx-ws2-api-audit (npm)
Malicious code in @access-risk/browser-remedy-react (npm)
Malicious code in axios-browserify (npm)
Duplicate Advisory: OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding
Malicious code in cowsay-caps (npm)
Malicious code in cowsay-deluxe (npm)
Malicious code in pdf-reading-the-signs-by-keira-andrews-on-textbook-new-chapters- (npm)
n8n: MCP Browser HTTP Transport Exposes Unauthenticated Browser-Control Sessions
react-dev-utils on Windows vulnerable to Remote Code Execution
Budibase: Row Action Trigger Bypasses View Row Filter Security Boundary Allowing Action on Out-of-Scope Rows
@diplodoc/search-extension allows stored XSS via Markdown file title
hono: Body Limit Middleware can be bypassed on AWS Lambda by understating `Content-Length`
Malicious code in @uipath/packager-tool-workflowcompiler-browser (npm)
Strapi may leak sensitive user information, user reset password, tokens via content-manager views
hono: Path traversal in `serve-static` on Windows via encoded backslash (`%5C`)
Malicious code in efergvthdaadgfhrgewsfqwf (npm)
Malicious code in loadtest-browser-lib (npm)
@steipete/summarize allows local attackers to read bearer tokens and API credentials stored in ~/.summarize/daemon.json
Malicious code in browserstack-electron-forge-include-package-plugin (npm)
SillyTavern: Incomplete IP validation in /api/search/visit allows SSRF via localhost and IPv6
Malicious code in msal-browser-1p (npm)
Malicious code in rsflows-pexml (npm)
Malicious code in nnabla-browser (npm)
Malicious code in jwscube (npm)
Malicious code in windows-api-codec-pack (npm)
launch-editor vulnerable to command injection via the crafted request on Windows
Malicious code in browser-nextjs (npm)
Malicious code in awsm-acslibs (npm)
SillyTavern has a path traversal in `/api/chats/import` that allows arbitrary file write outside intended chat directory
Malicious code in @mastra/voice-aws-nova-sonic (npm)
Malicious code in windowston (npm)
Malicious code in aws-crt-nodejs (npm)
Malicious code in dev.voltstro.unitywebbrowser (npm)
basic-ftp allows a malicious FTP server to cause client-side denial of service via unbounded multiline control response buffering
NocoDB: Missing File Size Enforcement in Upload-by-URL Allows Denial of Service via Disk Exhaustion
@hulumi/policies: GitHub OIDC trust policy bypass via AWS set-qualified condition operators
NocoDB: OAuth Token Scope Not Enforced at ACL Layer Allows Scope Escalation
Budibase: CouchDB Reduce Injection via Unsanitized Calculation Parameter in V1 Views API
Prototype Pollution via file load in aws-sdk and @aws-sdk/shared-ini-file-loader
CryptPad has a Sanitizer Bypass in Diffmarked.js that Allows Arbitrary HTML Injection and Potential XSS
samlify: XML Injection in AttributeValue Allows Privilege Escalation in Signed SAML Assertions
webpack-dev-server users' source code may be stolen when they access a malicious web site with non-Chromium based browser
Axios: no_proxy bypass via IP alias allows SSRF
Malicious code in athira-windows-arm64 (npm)
Macro in MathJax running untrusted JavaScript within a web browser
Duplicate Advisory: OpenClaw: SSH sandbox tar upload follows symlinks, enabling arbitrary file write on remote host
Malicious code in ps-request-ws (npm)
Malicious code in @snowsight/debug-tooling (npm)
Malicious code in cowsay-allcaps (npm)
Malicious code in sa-kws-demo-web (npm)
Evolver: Path Traversal via `--out` flag in `fetch` command allows Arbitrary File Write
Malicious code in wdesk_browser_environment (npm)
Malicious code in @mastra/agent-browser (npm)
Malicious code in @ws-amplify/core (npm)
Malicious code in @wso-utils/form-utils (npm)
Malicious code in @wso-utils/localization (npm)
esbuild allows arbitrary file read when running the development server on Windows
Cordova Plugin InAppBrowser: iOS: Arbitrary Cordova callback IDs can be dispatched without validation from InAppBrowser WebViews.
Budibase: Webhook schema endpoint authorization bypass allows unauthenticated mutation of webhook and automation schema
xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion
Chrome DevTools for agents: daemon.pid write follows symlinks in /tmp fallback runtime directory
http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
hono: AWS Lambda adapter merges multiple `Set-Cookie` headers into one value, dropping cookies on ALB single-header and Lattice
Network-AI: Poisoned environment backup manifest allows arbitrary recursive deletion during backup pruning
Network-AI: EnvironmentManager.backup() follows symlinked directories and copies files outside the environment root into backups
OpenClaw: Node browser proxy `allowProfiles` bypass through persistent profile mutation and runtime profile selection
Electron: Use-after-free in PowerMonitor on Windows and macOS
Uni-CLI: Legacy HTTP MCP transport accepted browser-originated localhost requests
Malicious code in awsspeedtest (npm)
Malicious code in new-al-bum-av-ailable-2014-15374-tourniquets-hacksaws-and-graves-53p3g-eabxqr (npm)
Malicious code in jbrowse (npm)
Malicious code in @kvytech/medusa-plugin-newsletter (npm)
Malicious code in @ntnx/passport-wso2 (npm)
Malicious code in @browserbasehq/mcp (npm)
Malicious code in @browserbasehq/stagehand (npm)
Malicious code in @clausehq/flows-step-httprequest (npm)
Malicious code in @fishingbooker/browser-sync-plugin (npm)