CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 10692 | 727 | 3080 | 3407 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-35064 | HIGH | 7.5 | A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, identifiers, and … | Apr 24, 2026 |
| CVE-2026-31952 | HIGH | 7.6 | Xibo is an open source digital signage platform with a web content management system and Windows display player software. Versions 1.7 through 4.4.0 have an … | Apr 24, 2026 |
| CVE-2026-29197 | MEDIUM | 4.3 | In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, … | Apr 24, 2026 |
| CVE-2026-29051 | MEDIUM | 4.4 | melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, `melange lint --persist-lint-results` (opt-in flag, also … | Apr 24, 2026 |
| CVE-2026-29050 | MEDIUM | 6.1 | melange allows users to build apk packages using declarative pipelines. Starting in version 0.32.0 and prior to version 0.43.4, an attacker who can influence a … | Apr 24, 2026 |
| CVE-2026-27843 | CRITICAL | 9.1 | A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying … | Apr 24, 2026 |
| CVE-2026-27841 | HIGH | 8.1 | A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application does … | Apr 24, 2026 |
| CVE-2026-25775 | CRITICAL | 9.8 | A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related … | Apr 24, 2026 |
| CVE-2026-25720 | MEDIUM | 5.4 | A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without … | Apr 24, 2026 |
| CVE-2026-1789 | MEDIUM | 4.9 | A vulnerability in the browser-based remote management interface may allow an administrator to access sensitive information on the device via crafted requests, affecting certain production … | Apr 24, 2026 |
| CVE-2026-6732 | MEDIUM | 6.5 | A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an … | Apr 23, 2026 |
| CVE-2026-41361 | HIGH | 7.1 | OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting … | Apr 23, 2026 |
| CVE-2026-41360 | MEDIUM | 6.7 | OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can … | Apr 23, 2026 |
| CVE-2026-41359 | HIGH | 7.1 | OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settings via the … | Apr 23, 2026 |
| CVE-2026-41358 | MEDIUM | 5.4 | OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages … | Apr 23, 2026 |
| CVE-2026-41357 | LOW | 3.3 | OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by … | Apr 23, 2026 |
| CVE-2026-41356 | MEDIUM | 5.4 | OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket … | Apr 23, 2026 |
| CVE-2026-41355 | HIGH | 7.3 | OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access … | Apr 23, 2026 |
| CVE-2026-41354 | LOW | 3.7 | OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. … | Apr 23, 2026 |
| CVE-2026-41353 | HIGH | 8.1 | OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and … | Apr 23, 2026 |
| CVE-2026-41352 | HIGH | 8.8 | OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing … | Apr 23, 2026 |
| CVE-2026-41351 | MEDIUM | 5.3 | OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can … | Apr 23, 2026 |
| CVE-2026-41350 | MEDIUM | 4.3 | OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke … | Apr 23, 2026 |
| CVE-2026-41349 | HIGH | 8.8 | OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this … | Apr 23, 2026 |
| CVE-2026-41348 | MEDIUM | 5.4 | OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized … | Apr 23, 2026 |