Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
21987
Total
1565
Critical
6684
High
7043
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-53815 | MEDIUM | 6.5 | OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not … | Jun 11, 2026 |
| CVE-2026-53814 | HIGH | 8.3 | OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a … | Jun 11, 2026 |
| CVE-2026-53813 | HIGH | 7.8 | OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading where workspace state influences local package root resolution. Attackers with access to affected … | Jun 11, 2026 |
| CVE-2026-53812 | HIGH | 7.7 | OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. … | Jun 11, 2026 |
| CVE-2026-53811 | HIGH | 8.8 | OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name … | Jun 11, 2026 |
| CVE-2026-53810 | HIGH | 8.8 | OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access … | Jun 11, 2026 |
| CVE-2026-53809 | LOW | 3.8 | OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical … | Jun 11, 2026 |
| CVE-2026-53808 | MEDIUM | 6.5 | OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite … | Jun 11, 2026 |
| CVE-2026-53807 | HIGH | 8.8 | OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks … | Jun 11, 2026 |
| CVE-2026-53806 | HIGH | 8.8 | OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX shell flags to bypass exec revalidation checks. Attackers can exploit this by … | Jun 11, 2026 |
| CVE-2026-50245 | HIGH | 7.7 | Brickcom cameras allow unauthenticated access to live snapshot images via the /ONVIF endpoint and no authentication is required to retrieve still images from the camera … | Jun 11, 2026 |
| CVE-2026-50005 | HIGH | 7.7 | Brickcom cameras ship with default credentials that allows any unauthenticated remote attacker to silently access camera feeds. | Jun 11, 2026 |
| CVE-2026-41005 | CRITICAL | 9.0 | Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two … | Jun 11, 2026 |
| CVE-2026-53782 | HIGH | 7.4 | Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript … | Jun 11, 2026 |
| CVE-2026-53781 | MEDIUM | 4.3 | Summarize before 0.17.0 contains a resource exhaustion vulnerability that allows remote attackers to cause disk exhaustion by serving media responses that bypass the enforced size … | Jun 11, 2026 |
| CVE-2026-49973 | CRITICAL | 9.4 | Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter … | Jun 11, 2026 |
| CVE-2026-49949 | MEDIUM | 5.3 | CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials by issuing cross-origin or HTTP-downgrade redirects to the shared … | Jun 11, 2026 |
| CVE-2026-46622 | HIGH | 8.1 | SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in … | Jun 11, 2026 |
| CVE-2026-46489 | HIGH | 8.1 | SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can … | Jun 11, 2026 |
| CVE-2026-45802 | UNKNOWN | — | FPDI is a collection of PHP classes that facilitate reading pages from existing PDF documents and using them as templates in FPDF. Prior to version … | Jun 11, 2026 |
| CVE-2026-45175 | UNKNOWN | — | Idira Endpoint Privilege Manager Agent versions prior to 26.5 exhibit improper access control within internal agent validation processes. A local attacker could potentially bypass built-in … | Jun 11, 2026 |
| CVE-2026-12038 | UNKNOWN | — | Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this … | Jun 11, 2026 |
| CVE-2026-53702 | MEDIUM | 6.5 | A stack buffer overflow flaw was found in the GStreamer H.265 codec parser library (gst-plugins-bad). When parsing a buffering period SEI message, the parser uses … | Jun 11, 2026 |
| CVE-2026-53701 | MEDIUM | 6.5 | An out-of-bounds write vulnerability was found in GStreamer's H.266/VVC PPS picture partition parser in gst-plugins-bad. In the multi-slice-in-tile processing of gst_h266_parser_parse_picture_partition() (gsth266parser.c), the loop iterates … | Jun 11, 2026 |
| CVE-2026-52860 | UNKNOWN | — | Vim is an open source, command line text editor. Prior to version 9.2.0597, Vim's Python omni-completion executes reconstructed function and class definitions from the current … | Jun 11, 2026 |