CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

Total: 12604 · Critical: 849 · High: 3630 · Medium: 3947
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-34155 | UNKNOWN | | RAUC controls the update process on embedded Linux systems. Prior to version 1.15.2, RAUC bundles using the 'plain' format exceeding a payload size of 2 … | Mar 31, 2026 |
| CVE-2026-30310 | UNKNOWN | | In its design for automatic terminal command execution, Sixth offers two options: Execute safe commands and Execute all commands. The description for the former states … | Mar 31, 2026 |
| CVE-2026-5198 | HIGH | 7.3 | A vulnerability was determined in code-projects Student Membership System 1.0. The impacted element is an unknown function of the file /admin/index.php of the component Admin … | Mar 31, 2026 |
| CVE-2026-4267 | HIGH | 7.2 | The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$_SERVER['REQUEST_URI']’ parameter in all … | Mar 31, 2026 |
| CVE-2026-3191 | MEDIUM | 5.4 | The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing … | Mar 31, 2026 |
| CVE-2026-3139 | MEDIUM | 4.3 | The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference … | Mar 31, 2026 |
| CVE-2026-34509 | MEDIUM | 4.3 | OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a … | Mar 31, 2026 |
| CVE-2026-34508 | MEDIUM | 6.5 | OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds, allowing attackers to bypass rate limits and brute-force webhook secrets without triggering 429 responses. … | Mar 31, 2026 |
| CVE-2026-34506 | MEDIUM | 4.3 | OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a … | Mar 31, 2026 |
| CVE-2026-34505 | MEDIUM | 6.5 | OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated … | Mar 31, 2026 |
| CVE-2026-32988 | HIGH | 7.5 | OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified … | Mar 31, 2026 |
| CVE-2026-32982 | HIGH | 7.5 | OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the … | Mar 31, 2026 |
| CVE-2026-32977 | MEDIUM | 6.3 | OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move … | Mar 31, 2026 |
| CVE-2026-32976 | MEDIUM | 6.5 | OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-account configuration despite configWrites restrictions. Attackers with authorized access on one … | Mar 31, 2026 |
| CVE-2026-32971 | HIGH | 7.1 | OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper … | Mar 31, 2026 |
| CVE-2026-32970 | LOW | 2.5 | OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in … | Mar 31, 2026 |
| CVE-2026-32921 | MEDIUM | 6.3 | OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain … | Mar 31, 2026 |
| CVE-2026-32920 | HIGH | 8.4 | OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including … | Mar 31, 2026 |
| CVE-2026-32917 | CRITICAL | 9.8 | OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote … | Mar 31, 2026 |
| CVE-2026-32916 | CRITICAL | 9.4 | OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative … | Mar 31, 2026 |
| CVE-2026-27854 | MEDIUM | 4.8 | An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. … | Mar 31, 2026 |
| CVE-2026-27853 | MEDIUM | 5.9 | An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in … | Mar 31, 2026 |
| CVE-2026-24030 | MEDIUM | 5.3 | An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in … | Mar 31, 2026 |
| CVE-2026-24029 | MEDIUM | 6.5 | When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check … | Mar 31, 2026 |
| CVE-2026-24028 | MEDIUM | 5.3 | An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse … | Mar 31, 2026 |
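The ordering bug behind CVE-2026-34508 and CVE-2026-34505 (rate limiting applied only after webhook authentication succeeds, so failed guesses are never counted and never draw a 429) is easy to reproduce in miniature. The example below is added here and is not OpenClaw's code: the handler shape, the per-source-IP sliding-window limiter, the secret and the limits are all hypothetical, and the attacker's guess sequence is constructed inline. It runs the same brute-force sequence against a handler that authenticates first and one that counts every request before authenticating.

```python
"""Rate limit ordered before vs. after webhook authentication.

Added example modelled on the CVE-2026-34508 / CVE-2026-34505 pattern.
Not OpenClaw's code: handler, limiter, secret and limits are hypothetical.
"""
import hmac
from collections import defaultdict

WEBHOOK_SECRET = "wh_s3cr3t_example"  # constructed sample secret
MAX_ATTEMPTS = 5                      # hypothetical attempts per window
WINDOW_SECONDS = 60.0                 # hypothetical window length


class SlidingWindowLimiter:
    """Per-key sliding window: at most MAX_ATTEMPTS counted hits per window."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, window=WINDOW_SECONDS):
        self.max_attempts = max_attempts
        self.window = window
        self.hits = defaultdict(list)  # key -> timestamps of counted hits

    def hit(self, key, now):
        """Record a hit for `key` at time `now`; return True if still allowed."""
        recent = [t for t in self.hits[key] if now - t < self.window]
        if len(recent) >= self.max_attempts:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


def authenticate(presented_secret):
    # Constant-time comparison; the bug is in ordering, not in comparison.
    return hmac.compare_digest(presented_secret, WEBHOOK_SECRET)


def handle_weak(req, limiter, now):
    """Vulnerable ordering: the limiter only ever sees authenticated requests,
    so an attacker can guess secrets indefinitely without a 429."""
    if not authenticate(req["secret"]):
        return 401
    if not limiter.hit(req["ip"], now):
        return 429
    return 200


def handle_fixed(req, limiter, now):
    """Corrected ordering: every request is counted against its source
    before the secret is checked, so failed guesses exhaust the budget."""
    if not limiter.hit(req["ip"], now):
        return 429
    if not authenticate(req["secret"]):
        return 401
    return 200


def brute_force(handler, guesses, ip="203.0.113.7"):
    """Replay a guess sequence from one source IP, one second apart,
    and return the list of HTTP status codes the handler produced."""
    limiter = SlidingWindowLimiter()
    statuses = []
    for i, guess in enumerate(guesses):
        req = {"ip": ip, "secret": guess}
        statuses.append(handler(req, limiter, now=1000.0 + i))
    return statuses


# Constructed attacker sequence: 20 wrong guesses, then the real secret.
GUESSES = [f"wrong-{n}" for n in range(20)] + [WEBHOOK_SECRET]


def demo():
    return {
        "weak": brute_force(handle_weak, GUESSES),
        "fixed": brute_force(handle_fixed, GUESSES),
    }


if __name__ == "__main__":
    for name, statuses in demo().items():
        print(name, statuses)
```

With the weak ordering the run is twenty 401s followed by a 200: the limiter never fires, so nothing in the logs or metrics distinguishes the brute force from ordinary bad requests. With the fixed ordering the sixth request and everything after it, including the correct secret, gets a 429. Whatever key the limiter uses (source IP, channel, or route), the invariant to check in review is that it is consulted on the failure path, not only the success path.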