Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Totals: 10692 CVEs (727 Critical, 3080 High, 3407 Medium)
| CVE ID | Severity | CVSS score | Description (truncated) | Published |
|---|---|---|---|---|
| CVE-2026-41385 | MEDIUM | 6.5 | OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls that bypass redaction mechanisms. Attackers can retrieve unredacted configuration … | Apr 28, 2026 |
| CVE-2026-41384 | HIGH | 7.8 | OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configuration. … | Apr 28, 2026 |
| CVE-2026-41383 | HIGH | 8.1 | OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWorkspaceDir configuration … | Apr 28, 2026 |
| CVE-2026-41382 | MEDIUM | 5.4 | OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit … | Apr 28, 2026 |
| CVE-2026-41381 | MEDIUM | 5.4 | OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to bypass channel-level member access allowlist restrictions. Attackers … | Apr 28, 2026 |
| CVE-2026-41380 | HIGH | 7.3 | OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targets. Attackers can … | Apr 28, 2026 |
| CVE-2026-41379 | HIGH | 7.1 | OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Talk Voice configuration persistence. Attackers with operator.write privileges … | Apr 28, 2026 |
| CVE-2026-41378 | HIGH | 8.8 | OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attackers with … | Apr 28, 2026 |
| CVE-2026-41377 | MEDIUM | 4.6 | OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures … | Apr 28, 2026 |
| CVE-2026-41376 | MEDIUM | 5.4 | OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can … | Apr 28, 2026 |
| CVE-2026-41375 | MEDIUM | 6.5 | OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for … | Apr 28, 2026 |
| CVE-2026-41374 | MEDIUM | 5.3 | OpenClaw before 2026.3.31 performs Discord audio preflight transcription before validating member authorization, allowing unauthenticated attackers to consume resources. Remote attackers can trigger audio preflight processing … | Apr 28, 2026 |
| CVE-2026-41373 | MEDIUM | 6.1 | OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restrict compiler binary environment variables, allowing untrusted models to substitute CC, CXX, CARGO_BUILD_RUSTC, and CMAKE_C_COMPILER … | Apr 28, 2026 |
| CVE-2026-3893 | CRITICAL | 9.4 | The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions … | Apr 28, 2026 |
| CVE-2026-38949 | UNKNOWN | — | Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user … | Apr 28, 2026 |
| CVE-2026-24231 | MEDIUM | 6.3 | NVIDIA NemoClaw contains a vulnerability in the validateEndpointUrl() SSRF protection component, where an attacker could cause a server-side request forgery by supplying a crafted endpoint … | Apr 28, 2026 |
| CVE-2026-24222 | HIGH | 8.6 | NVIDIA NeMoClaw contains a vulnerability in the sandbox environment initialization component, where a remote attacker could cause improper access control by sending prompt-injected content that … | Apr 28, 2026 |
| CVE-2026-24204 | MEDIUM | 6.5 | NVIDIA Flare SDK contains a vulnerability where an Attacker may cause an Improper Input Validation by path traversing. A successful exploit of this vulnerability may … | Apr 28, 2026 |
| CVE-2026-24186 | HIGH | 8.8 | NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS-encoded message. A … | Apr 28, 2026 |
| CVE-2026-24178 | CRITICAL | 9.8 | NVIDIA NVFlare Dashboard contains a vulnerability in the user management and authentication system where an unauthenticated attacker may cause authorization bypass through user-controlled key. A … | Apr 28, 2026 |
| CVE-2026-41873 | CRITICAL | 9.8 | ** UNSUPPORTED WHEN ASSIGNED ** Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') vulnerability in Pony Mail leading to admin account takeover. This issue affects … | Apr 28, 2026 |
| CVE-2026-38948 | MEDIUM | 5.4 | Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, … | Apr 28, 2026 |
| CVE-2026-38651 | HIGH | 8.2 | Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. … | Apr 28, 2026 |
| CVE-2025-60889 | UNKNOWN | — | Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 under certain conditions may allow attackers to execute arbitrary code or other unspecified impacts. | Apr 28, 2026 |
| CVE-2025-60887 | MEDIUM | 5.3 | An issue was discovered in Cista v0.15 and below. Insecure deserialization of untrusted input under certain conditions may lead to leaking of stack/heap addresses which … | Apr 28, 2026 |
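The Netmaker row (CVE-2026-38651) describes a recurring class of bug: a JWT is decoded and its claims are acted on, but the signature is never checked, so the payload is whatever the client chose to send. The following is an added example, not Netmaker's code and not a reconstruction of `logic/jwts.go`; it uses only the Python standard library, a constructed HS256 key, and made-up claim names, and shows the vulnerable decode-only path beside the hardened verify-first path, plus the two forgeries the hardened path must reject (swapped payload with a stale signature, and `alg: none`).

```python
"""Decode-only versus verify-first handling of an HS256 JWT.

Added example: not Netmaker's code. Key, claim names and token
contents are constructed for illustration only.
"""
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Compact JWS strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Issue a compact JWS (header.payload.signature) under HMAC-SHA256."""
    header_b64 = _b64url_encode(
        json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header_b64}.{payload_b64}.{_b64url_encode(sig)}"


def decode_unverified(token: str) -> dict:
    """The defect class: claims are returned without the signature ever being
    checked, so every field is attacker-controlled."""
    _header_b64, payload_b64, _sig_b64 = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> dict:
    """Hardened form: pin the algorithm and check the MAC in constant time
    before a single claim is handed back to the caller."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # Never let the token pick the algorithm; this also kills alg=none.
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def forge_claims(token: str, new_claims: dict) -> str:
    """Attacker step against the decode-only path: keep the header and the
    stale signature, replace the payload with our own claims."""
    header_b64, _payload_b64, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(new_claims).encode())}.{sig_b64}"


def alg_none_token(claims: dict) -> str:
    """Second attacker step: an unsigned token whose header claims alg=none."""
    header_b64 = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload_b64 = _b64url_encode(json.dumps(claims).encode())
    return f"{header_b64}.{payload_b64}."


if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"  # constructed, not a real secret
    genuine = mint_hs256({"ID": "host-a", "Role": "host"}, key)
    forged = forge_claims(genuine, {"ID": "host-b", "Role": "admin"})
    print("decode-only accepts forged claims:", decode_unverified(forged))
    for bad in (forged, alg_none_token({"ID": "host-b", "Role": "admin"})):
        try:
            verify_hs256(bad, key)
        except ValueError as err:
            print("verify-first rejects:", err)
```

The Go analogue of `decode_unverified` is any parse that is not given the key, such as a decode-only or unverified parse of a `github.com/golang-jwt/jwt` token; the fix is always to route every host or user token through the key-checking parse and treat the decode-only form as unusable for authorization decisions.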