Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 10692 | 727 | 3080 | 3407 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-33467 | MEDIUM | 5.9 | Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents … | Apr 28, 2026 |
| CVE-2026-7295 | LOW | 2.4 | A vulnerability has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this issue is the function save_menu of the file /admin/ajax.php?action=save_menu. Such manipulation … | Apr 28, 2026 |
| CVE-2026-7294 | LOW | 2.4 | A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file /admin/index.php?page=save_settings. This manipulation … | Apr 28, 2026 |
| CVE-2026-7293 | MEDIUM | 4.7 | A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function delete_category of the file /admin/ajax.php?action=delete_category. The manipulation of the argument ID … | Apr 28, 2026 |
| CVE-2026-7292 | MEDIUM | 5.6 | A security vulnerability has been detected in o2oa up to 10.0. This impacts the function syncFile of the file NodeAgent.java of the component NodeAgent. The … | Apr 28, 2026 |
| CVE-2026-7291 | MEDIUM | 6.3 | A weakness has been identified in o2oa up to 10.0. This affects the function FileAction of the file FileAction.java of the component URL Fetching. Executing … | Apr 28, 2026 |
| CVE-2026-7290 | MEDIUM | 6.3 | A vulnerability was determined in JeecgBoot up to 3.9.1. Impacted is the function SqlInjectionUtil of the file jeecg-boot/jeecg-boot-base-core/src/main/java/org/jeecg/common/util/SqlInjectionUtil.java of the component loadDict Endpoint. This manipulation … | Apr 28, 2026 |
| CVE-2026-6807 | MEDIUM | 5.5 | A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to trigger improper handling of XML input, which may result in unintended exposure of sensitive information. … | Apr 28, 2026 |
| CVE-2026-6238 | MEDIUM | 6.5 | The deprecated functions ns_printrrf, ns_printrr and fp_nquery in the GNU C Library version 2.2 and newer fail to validate the RDATA content against the RDATA … | Apr 28, 2026 |
| CVE-2026-5794 | UNKNOWN | — | A vulnerability affecting the detailed versions of Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a … | Apr 28, 2026 |
| CVE-2026-42432 | HIGH | 7.8 | OpenClaw before 2026.4.8 contains a privilege escalation vulnerability allowing previously paired nodes to reconnect with exec-capable commands without operator.admin scope requirement. Attackers can bypass re-pairing … | Apr 28, 2026 |
| CVE-2026-42431 | HIGH | 8.1 | OpenClaw before 2026.4.8 contains a security bypass vulnerability in node.invoke(browser.proxy) that allows mutation of persistent browser profiles. Attackers can exploit this path to circumvent the … | Apr 28, 2026 |
| CVE-2026-42430 | MEDIUM | 6.5 | OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time … | Apr 28, 2026 |
| CVE-2026-42429 | HIGH | 7.1 | OpenClaw before 2026.4.8 contains a privilege escalation vulnerability in the gateway plugin HTTP authentication mechanism that widens identity-bearing operator.read requests into runtime operator.write permissions. Attackers … | Apr 28, 2026 |
| CVE-2026-42428 | HIGH | 7.1 | OpenClaw versions before 2026.4.8 fail to enforce integrity verification on downloaded plugin archives. Attackers can install malicious or tampered plugin packages without detection, compromising the … | Apr 28, 2026 |
| CVE-2026-42427 | MEDIUM | 5.3 | OpenClaw before 2026.4.8 contains a remote code execution vulnerability caused by missing environment variable denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS. Attackers can inject … | Apr 28, 2026 |
| CVE-2026-42426 | HIGH | 8.8 | OpenClaw before 2026.4.8 contains an improper authorization vulnerability where the node.pair.approve method accepts operator.write scope instead of the narrower operator.pairing scope, allowing unprivileged users to … | Apr 28, 2026 |
| CVE-2026-42424 | MEDIUM | 5.7 | OpenClaw before 2026.4.8 treats shared reply MEDIA paths as trusted, allowing crafted references to trigger cross-channel local file exfiltration. Attackers can exploit this by crafting … | Apr 28, 2026 |
| CVE-2026-42423 | HIGH | 7.5 | OpenClaw before 2026.4.8 contains an approval-timeout fallback mechanism that bypasses strictInlineEval explicit-approval requirements on gateway and node exec hosts. Attackers can exploit this timeout fallback … | Apr 28, 2026 |
| CVE-2026-42422 | HIGH | 8.8 | OpenClaw before 2026.4.8 contains a role bypass vulnerability in the device.token.rotate function that allows minting tokens for unapproved roles. Attackers can bypass device role-upgrade pairing … | Apr 28, 2026 |
| CVE-2026-42421 | MEDIUM | 5.4 | OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections … | Apr 28, 2026 |
| CVE-2026-42420 | MEDIUM | 4.3 | OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to … | Apr 28, 2026 |
| CVE-2026-41916 | MEDIUM | 5.4 | OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated … | Apr 28, 2026 |
| CVE-2026-41915 | MEDIUM | 5.3 | OpenClaw before 2026.4.8 fails to remove git plumbing environment variables from the execution environment before host exec operations. Attackers can exploit this by setting GIT_DIR … | Apr 28, 2026 |
| CVE-2026-41914 | HIGH | 8.5 | OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch … | Apr 28, 2026 |
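Two of the OpenClaw entries above (the missing denylist entries for HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER and MAKEFLAGS, and the unstripped git plumbing variables such as GIT_DIR) describe the same failure mode: an environment handed to a host exec call is filtered by a denylist, so any tool-hooking variable the list does not name reaches the child. The example below is added here and is not OpenClaw's code nor anything from the NVD feed; the denylist, allowlist and sample environment are constructed for illustration, and the denylist is deliberately incomplete to reproduce the pattern the feed describes. It contrasts that denylist with an allowlist that starts from an empty environment and copies only names the child is known to need.

```javascript
'use strict';
// Added example (generic, not OpenClaw's code): sanitising the environment
// passed to a child process. Constructed lists and sample values throughout.

// Weak approach: block a few known-bad names, pass everything else through.
// Constructed, deliberately incomplete denylist (the feed's failure mode).
const DENYLIST = new Set(['LD_PRELOAD', 'LD_LIBRARY_PATH', 'DYLD_INSERT_LIBRARIES']);

function scrubEnvDenylist(env) {
  const out = {};
  for (const [k, v] of Object.entries(env)) {
    if (!DENYLIST.has(k)) out[k] = v;
  }
  return out;
}

// Hardened approach: start empty and copy only names the child needs.
// Constructed allowlist; a real service would tailor it to the tools it runs.
const ALLOWLIST = new Set(['PATH', 'HOME', 'LANG', 'TERM', 'TZ']);

function scrubEnvAllowlist(env) {
  const out = {};
  for (const k of ALLOWLIST) {
    if (Object.prototype.hasOwnProperty.call(env, k)) out[k] = env[k];
  }
  return out;
}

// Variables the feed entries name as able to redirect a build or VCS tool
// into attacker-chosen code once they reach a child process.
const INTERPRETER_HOOKS = [
  'HGRCPATH',
  'CARGO_BUILD_RUSTC_WRAPPER',
  'RUSTC_WRAPPER',
  'MAKEFLAGS',
  'GIT_DIR',
];

// Which of those hooks survive a given scrubber's output.
function leakedHooks(env) {
  return INTERPRETER_HOOKS.filter((k) => Object.prototype.hasOwnProperty.call(env, k));
}

// Constructed sample environment as an attacker-controlled caller might supply it.
const SAMPLE_ENV = {
  PATH: '/usr/bin:/bin',
  HOME: '/home/svc',
  LD_PRELOAD: '/tmp/evil.so',
  HGRCPATH: '/tmp/evil.hgrc',
  RUSTC_WRAPPER: '/tmp/evil-wrapper',
  MAKEFLAGS: '--eval=$(shell id > /tmp/pwned)',
  GIT_DIR: '/tmp/evil.git',
};

// Run both scrubbers over the same input and report what leaks through each.
function compare(env = SAMPLE_ENV) {
  return {
    denylist: leakedHooks(scrubEnvDenylist(env)),
    allowlist: leakedHooks(scrubEnvAllowlist(env)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(compare());
}
```

With the sample environment, the denylist version drops LD_PRELOAD but still forwards HGRCPATH, RUSTC_WRAPPER, MAKEFLAGS and GIT_DIR; the allowlist version forwards none of them. In a Node service the hardened form would be used as `child_process.spawn(cmd, args, { env: scrubEnvAllowlist(process.env) })`, so that any variable nobody thought to block is excluded by default rather than included by default.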