CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 10692 | 727 | 3080 | 3407 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-41310 | MEDIUM | 5.3 | OpenTelemetry.Exporter.Zipkin is the .NET Zipkin exporter for OpenTelemetry. In versions 1.15.2 and earlier, the Zipkin exporter remote endpoint cache accepts unbounded key growth derived from … | May 06, 2026 |
| CVE-2026-40296 | MEDIUM | 5.4 | PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from … | May 06, 2026 |
| CVE-2026-3291 | UNKNOWN | — | Samsung Print Service Plugin for Android is potentially vulnerable to information disclosure when using an outdated version of the application via mobile devices. HP is … | May 06, 2026 |
| CVE-2026-40332 | UNKNOWN | — | Masa CMS is affected by an Open Redirect vulnerability due to improper handling of scheme-relative URLs. The application incorrectly interprets paths beginning with double slashes … | May 06, 2026 |
| CVE-2026-40281 | CRITICAL | 10.0 | Gotenberg is a Docker-powered stateless API for PDF files. In versions 8.30.1 and earlier, the metadata write endpoint validates metadata keys for control characters but … | May 06, 2026 |
| CVE-2026-40251 | UNKNOWN | — | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated … | May 06, 2026 |
| CVE-2026-40243 | UNKNOWN | — | Incus is a system container and virtual machine manager. In versions before 7.0.0, broken TLS validation logic in the OVN database connection logic can allow … | May 06, 2026 |
| CVE-2026-40197 | UNKNOWN | — | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage volume import logic allows an authenticated … | May 06, 2026 |
| CVE-2026-40195 | UNKNOWN | — | Incus is a system container and virtual machine manager. In versions before 7.0.0, missing validation logic in the storage bucket import logic allows an authenticated … | May 06, 2026 |
| CVE-2026-8033 | MEDIUM | 5.3 | A vulnerability has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. This affects an unknown function of the file /cdemos/echs/api/v2/ of the component Response … | May 06, 2026 |
| CVE-2026-8032 | HIGH | 7.3 | A flaw has been found in PicoTronica e-Clinic Healthcare System ECHS 5.7. The impacted element is an unknown function of the file /cdemos/echs/priv/echs.js. This manipulation … | May 06, 2026 |
| CVE-2026-44118 | HIGH | 7.8 | OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to … | May 06, 2026 |
| CVE-2026-44117 | MEDIUM | 5.8 | OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending … | May 06, 2026 |
| CVE-2026-44116 | HIGH | 8.6 | OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF … | May 06, 2026 |
| CVE-2026-44115 | HIGH | 8.8 | OpenClaw before 2026.4.22 contains an exec allowlist analysis vulnerability allowing shell expansion hiding in unquoted heredoc bodies. Attackers can bypass allowlist validation by embedding shell … | May 06, 2026 |
| CVE-2026-44114 | HIGH | 7.8 | OpenClaw before 2026.4.20 fails to properly reserve the OPENCLAW_ runtime-control environment namespace in workspace dotenv files, allowing attackers to override critical runtime variables. Malicious workspaces … | May 06, 2026 |
| CVE-2026-44113 | MEDIUM | 5.3 | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in the OpenShell filesystem bridge that allows attackers to read files outside the intended mount root. Attackers … | May 06, 2026 |
| CVE-2026-44112 | MEDIUM | 5.3 | OpenClaw before 2026.4.22 contains a time-of-check/time-of-use race condition in OpenShell sandbox filesystem writes that allows attackers to redirect writes outside the intended mount root. Attackers … | May 06, 2026 |
| CVE-2026-44111 | MEDIUM | 4.3 | OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the … | May 06, 2026 |
| CVE-2026-44110 | HIGH | 8.8 | OpenClaw before 2026.4.15 contains an authorization bypass vulnerability in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute … | May 06, 2026 |
| CVE-2026-44109 | CRITICAL | 9.8 | OpenClaw before 2026.4.15 contains an authentication bypass vulnerability in Feishu webhook and card-action validation that allows unauthenticated requests to reach command dispatch. Missing encryptKey configuration … | May 06, 2026 |
| CVE-2026-43585 | HIGH | 8.1 | OpenClaw before 2026.4.15 captures resolved bearer-auth configuration at startup, allowing revoked tokens to remain valid after SecretRef rotation. Gateway HTTP and WebSocket handlers fail to … | May 06, 2026 |
| CVE-2026-43584 | HIGH | 8.8 | OpenClaw before 2026.4.10 contains an insufficient environment variable denylist vulnerability in its exec environment policy that allows operator-supplied overrides of high-risk interpreter startup variables including … | May 06, 2026 |
| CVE-2026-43583 | MEDIUM | 5.3 | OpenClaw versions 2026.4.10 before 2026.4.14 fail to persist session context during delivery queue recovery for media replay. Attackers can exploit recovered queued outbound media to … | May 06, 2026 |
| CVE-2026-43582 | MEDIUM | 6.3 | OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allows attackers to bypass hostname validation through DNS rebinding attacks. Attackers … | May 06, 2026 |