Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
10692 total: 727 critical, 3080 high, 3407 medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-41296 | HIGH | 8.2 | OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path … | Apr 21, 2026 |
| CVE-2026-41295 | HIGH | 7.8 | OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone … | Apr 21, 2026 |
| CVE-2026-41294 | HIGH | 8.6 | OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file … | Apr 21, 2026 |
| CVE-2026-41285 | MEDIUM | 4.3 | In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a … | Apr 21, 2026 |
| CVE-2026-40045 | MEDIUM | 5.7 | OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft setup … | Apr 21, 2026 |
| CVE-2026-35588 | MEDIUM | 6.3 | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`, and `replication_factor` configuration values directly … | Apr 21, 2026 |
| CVE-2026-35587 | UNKNOWN | — | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due … | Apr 21, 2026 |
| CVE-2026-35570 | HIGH | 8.4 | OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside … | Apr 21, 2026 |
| CVE-2026-34839 | UNKNOWN | — | Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without … | Apr 21, 2026 |
| CVE-2026-5721 | MEDIUM | 4.7 | The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up … | Apr 20, 2026 |
| CVE-2026-34082 | UNKNOWN | — | Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to … | Apr 20, 2026 |
| CVE-2026-6729 | MEDIUM | 6.3 | HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other … | Apr 20, 2026 |
| CVE-2026-29643 | UNKNOWN | — | XiangShan (Open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) contains an improper exceptional-condition handling flaw in its CSR subsystem (NewCSR). On affected versions, certain sequences of … | Apr 20, 2026 |
| CVE-2026-22051 | UNKNOWN | — | StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to an Information Disclosure vulnerability. Successful exploit could allow an authenticated attacker with … | Apr 20, 2026 |
| CVE-2026-0930 | UNKNOWN | — | Potential read out of bounds case with wolfSSHd on Windows while handling a terminal resize request. An authenticated user could trigger the out of bounds … | Apr 20, 2026 |
| CVE-2026-5928 | UNKNOWN | — | Calling the ungetwc function on a FILE stream with wide characters encoded in a character set that has overlaps between its single byte and multi-byte … | Apr 20, 2026 |
| CVE-2026-5450 | UNKNOWN | — | Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format … | Apr 20, 2026 |
| CVE-2026-5358 | UNKNOWN | — | The obsolete nis_local_principal function in the GNU C Library version 2.43 and older may overflow a buffer in the data section, which could allow an … | Apr 20, 2026 |
| CVE-2026-4852 | MEDIUM | 6.4 | The Image Source Control Lite – Show Image Credits and Captions plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'Image Source' attachment … | Apr 20, 2026 |
| CVE-2026-34403 | UNKNOWN | — | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader … | Apr 20, 2026 |
| CVE-2026-33626 | HIGH | 7.5 | LMDeploy is a toolkit for compressing, deploying, and serving large language models. Versions prior to 0.12.3 have a Server-Side Request Forgery (SSRF) vulnerability in LMDeploy's … | Apr 20, 2026 |
| CVE-2026-33432 | UNKNOWN | — | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, … | Apr 20, 2026 |
| CVE-2026-33431 | UNKNOWN | — | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver … | Apr 20, 2026 |
| CVE-2026-33031 | UNKNOWN | — | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can … | Apr 20, 2026 |
| CVE-2026-32613 | CRITICAL | 9.9 | Spinnaker is an open source, multi-cloud continuous delivery platform. Echo like some other services, uses SPeL (Spring Expression Language) to process information - specifically around … | Apr 20, 2026 |
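The CVE-2026-40045 row above describes a client that accepts cleartext ws:// gateway endpoints on non-loopback hosts and then sends stored credentials over them. The check a practitioner would want on the client side is an endpoint policy applied before any credential leaves the process: TLS (wss://) to any host, cleartext (ws://) only to a loopback address. The block below is an added example of that policy, not OpenClaw's own code; the function names, the port numbers and the sample discovery list are this example's assumptions, and treating the literal name `localhost` as loopback without resolving it is a deliberate policy choice noted in the code.

```python
"""Added example (not OpenClaw code): refuse to hand gateway credentials to a
cleartext ws:// endpoint unless the host is loopback.  Names and policy are
assumptions made for this example."""
import ipaddress
from urllib.parse import urlsplit


def is_loopback_host(host):
    """True for 127.0.0.0/8, ::1 and the literal name 'localhost'.

    Assumption: the name 'localhost' is trusted as loopback without DNS or
    /etc/hosts resolution.  Anything that is not a parseable IP literal (for
    example '127.1' or 'gateway.example') is rejected."""
    if host is None:
        return False
    host = host.lower()
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def gateway_endpoint_allowed(url):
    """Policy: credentials may go over wss:// to any host, but over cleartext
    ws:// only to a loopback host.  Any other scheme, or an unparseable URL,
    is rejected."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. an unbalanced IPv6 bracket
        return False
    if parts.scheme == "wss":
        return parts.hostname is not None
    if parts.scheme == "ws":
        return is_loopback_host(parts.hostname)
    return False


# Constructed sample discovery results for this example; none are real hosts
# and port 8080 is arbitrary.
SAMPLE_DISCOVERY = [
    "ws://127.0.0.1:8080",         # cleartext to IPv4 loopback: allowed
    "ws://[::1]:8080",             # cleartext to IPv6 loopback: allowed
    "ws://192.168.1.20:8080",      # cleartext across the LAN: rejected
    "ws://gateway.example:8080",   # cleartext to a hostname: rejected
    "wss://gateway.example:8080",  # TLS to a remote host: allowed
    "http://127.0.0.1:8080",       # not a WebSocket scheme: rejected
]


def filter_discovery_results(urls):
    """Keep only the endpoints the client is willing to authenticate to."""
    return [u for u in urls if gateway_endpoint_allowed(u)]


if __name__ == "__main__":
    for u in SAMPLE_DISCOVERY:
        verdict = "ALLOW" if gateway_endpoint_allowed(u) else "REJECT"
        print(f"{verdict:6} {u}")
```

The policy is applied to the URL string, so a forged discovery result or a crafted setup link that names a LAN or Internet host over ws:// is dropped before any connection is opened. If `localhost` resolution on the client machine is not trusted (hosts-file tampering, split DNS), drop the `localhost` branch and accept only literal loopback addresses.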