Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
22193
Total
1583
Critical
6780
High
7106
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-12008 | HIGH | 8.3 | Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a … | Jun 11, 2026 |
| CVE-2026-12007 | HIGH | 8.8 | Use after free in Core in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker to execute arbitrary code via a crafted HTML … | Jun 11, 2026 |
| CVE-2026-53819 | HIGH | 8.8 | OpenClaw before 2026.5.27 contains an arbitrary code execution vulnerability in skill install flows where workspace .env files can override the Homebrew executable selection. Attackers with … | Jun 11, 2026 |
| CVE-2026-53818 | MEDIUM | 6.6 | OpenClaw before 2026.4.24 contains an authorization bypass vulnerability in the MCP loopback feature that allows non-owner callers to skip owner-only tool policies and before-tool-call hooks. … | Jun 11, 2026 |
| CVE-2026-53817 | HIGH | 8.8 | OpenClaw before 2026.5.22 contains a locality validation vulnerability in Control UI pairing that allows attackers with network access to spoof locality information and obtain durable … | Jun 11, 2026 |
| CVE-2026-53816 | HIGH | 7.2 | OpenClaw before 2026.5.18 contains an insufficient provenance validation vulnerability in node event handling that allows paired nodes to forge exec lifecycle events without system.run authorization. … | Jun 11, 2026 |
| CVE-2026-53815 | MEDIUM | 6.5 | OpenClaw before 2026.5.19 contains an authorization bypass vulnerability in message read actions that skips channel allowlist checks. Lower-trust callers can request messages from channels not … | Jun 11, 2026 |
| CVE-2026-53814 | HIGH | 8.3 | OpenClaw before 2026.5.20 contains a privilege escalation vulnerability where hook-triggered agent runs incorrectly receive owner-scoped MCP loopback authority instead of hook-appropriate scope. Attackers with a … | Jun 11, 2026 |
| CVE-2026-53813 | HIGH | 7.8 | OpenClaw before 2026.4.25 contains a path traversal vulnerability in memory-core artifact loading where workspace state influences local package root resolution. Attackers with access to affected … | Jun 11, 2026 |
| CVE-2026-53812 | HIGH | 7.7 | OpenClaw before 2026.5.18 contains a server-side request forgery vulnerability in browser control that allows authenticated users to bypass private-network navigation checks through Playwright act interactions. … | Jun 11, 2026 |
| CVE-2026-53811 | HIGH | 8.8 | OpenClaw before 2026.5.7 contains a privilege escalation vulnerability in the Matrix allowFrom feature that allows authenticated accounts to match policy entries through mutable display name … | Jun 11, 2026 |
| CVE-2026-53810 | HIGH | 8.8 | OpenClaw before 2026.5.18 contains a code execution vulnerability where marketplace runtime extension metadata can redirect loading toward unscanned package payloads. Attackers with trusted operator access … | Jun 11, 2026 |
| CVE-2026-53809 | LOW | 3.8 | OpenClaw before 2026.4.25 contains a policy bypass vulnerability in embedded runner policy that allows requests using provider aliases to compare against aliases instead of canonical … | Jun 11, 2026 |
| CVE-2026-53808 | MEDIUM | 6.5 | OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite … | Jun 11, 2026 |
| CVE-2026-53807 | HIGH | 8.8 | OpenClaw before 2026.5.6 contains an authorization bypass vulnerability in Telegram interactive callbacks that allows authenticated users to skip commands.allowFrom validation. Attackers can invoke affected callbacks … | Jun 11, 2026 |
| CVE-2026-53806 | HIGH | 8.8 | OpenClaw before 2026.5.12 contains a shell option parsing vulnerability that allows combined POSIX shell flags to bypass exec revalidation checks. Attackers can exploit this by … | Jun 11, 2026 |
| CVE-2026-50245 | HIGH | 7.7 | Brickcom cameras allow unauthenticated access to live snapshot images via the /ONVIF endpoint and no authentication is required to retrieve still images from the camera … | Jun 11, 2026 |
| CVE-2026-50005 | HIGH | 7.7 | Brickcom cameras ship with default credentials that allows any unauthenticated remote attacker to silently access camera feeds. | Jun 11, 2026 |
| CVE-2026-41005 | CRITICAL | 9.0 | Cloud Foundry UAA incorrectly treated XML encryption to the Service Provider (confidentiality) as a substitute for XML signatures from the Identity Provider (authenticity) in two … | Jun 11, 2026 |
| CVE-2026-53782 | HIGH | 7.4 | Summarize before 0.17.0 contains a server-side request forgery vulnerability that allows attackers who control a podcast RSS feed to direct the host to fetch transcript … | Jun 11, 2026 |
| CVE-2026-53781 | MEDIUM | 4.3 | Summarize before 0.17.0 contains a resource exhaustion vulnerability that allows remote attackers to cause disk exhaustion by serving media responses that bypass the enforced size … | Jun 11, 2026 |
| CVE-2026-49973 | CRITICAL | 9.4 | Hermes WebUI before version 0.51.358 contains an improper access control vulnerability that allows unauthenticated remote attackers to hijack initial setup by submitting the _set_password parameter … | Jun 11, 2026 |
| CVE-2026-49949 | MEDIUM | 5.3 | CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive credentials by issuing cross-origin or HTTP-downgrade redirects to the shared … | Jun 11, 2026 |
| CVE-2026-46622 | HIGH | 8.1 | SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, API tokens used to authenticate all REST API requests are stored as plaintext strings in … | Jun 11, 2026 |
| CVE-2026-46489 | HIGH | 8.1 | SolidInvoice is an open-source invoicing platform. Prior to version 2.3.17, the company logo upload feature accepts any file type without validation. An authenticated administrator can … | Jun 11, 2026 |