Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Summary: 10692 total, 727 critical, 3080 high, 3407 medium.
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-7204 | CRITICAL | 9.8 | A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setPptpServerCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation … | Apr 28, 2026 |
| CVE-2026-7203 | CRITICAL | 9.8 | A vulnerability was found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setUrlFilterRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation … | Apr 28, 2026 |
| CVE-2026-7202 | CRITICAL | 9.8 | A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setWiFiWpsStart of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation … | Apr 28, 2026 |
| CVE-2026-32649 | MEDIUM | 6.8 | A command injection vulnerability exists in the web server of specific firmware versions of Milesight cameras. | Apr 28, 2026 |
| CVE-2026-32644 | CRITICAL | 9.8 | Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys. | Apr 28, 2026 |
| CVE-2026-20766 | HIGH | 8.8 | An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras. | Apr 28, 2026 |
| CVE-2026-7200 | MEDIUM | 4.3 | A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /index.php?page=types. … | Apr 28, 2026 |
| CVE-2026-7199 | HIGH | 7.3 | A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=delete_product. Performing … | Apr 28, 2026 |
| CVE-2026-7196 | MEDIUM | 6.3 | A security vulnerability has been detected in CodeAstro Online Classroom 1.0. Affected is an unknown function of the file /guestdetails. Such manipulation of the argument … | Apr 28, 2026 |
| CVE-2026-41372 | MEDIUM | 5.8 | OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses … | Apr 28, 2026 |
| CVE-2026-41371 | HIGH | 8.5 | OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target … | Apr 28, 2026 |
| CVE-2026-41370 | MEDIUM | 6.5 | OpenClaw before 2026.3.31 contains a path traversal vulnerability in ACP dispatch that allows attackers to read arbitrary files by manipulating inbound channel attachment paths. Remote … | Apr 28, 2026 |
| CVE-2026-41369 | MEDIUM | 6.5 | OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can … | Apr 28, 2026 |
| CVE-2026-41368 | MEDIUM | 6.5 | OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin … | Apr 28, 2026 |
| CVE-2026-41367 | MEDIUM | 5.0 | OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component … | Apr 28, 2026 |
| CVE-2026-41366 | MEDIUM | 5.5 | OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-initiated arbitrary host file read. Attackers can exploit improper media parent directory … | Apr 28, 2026 |
| CVE-2026-41365 | MEDIUM | 5.4 | OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability in MS Teams thread history fetched via Graph API. Attackers can retrieve thread messages that should … | Apr 28, 2026 |
| CVE-2026-41364 | HIGH | 8.1 | OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files. Attackers can exploit this … | Apr 28, 2026 |
| CVE-2026-41363 | MEDIUM | 5.3 | OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper … | Apr 28, 2026 |
| CVE-2026-41362 | MEDIUM | 4.3 | OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers … | Apr 28, 2026 |
| CVE-2026-40977 | MEDIUM | 4.7 | When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the … | Apr 28, 2026 |
| CVE-2026-40976 | CRITICAL | 9.1 | In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be … | Apr 28, 2026 |
| CVE-2026-40975 | MEDIUM | 4.8 | Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as … | Apr 28, 2026 |
| CVE-2026-40974 | MEDIUM | 5.0 | Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), … | Apr 28, 2026 |
| CVE-2026-40973 | HIGH | 7.0 | A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is … | Apr 28, 2026 |