CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 12618 | Critical: 849 | High: 3639 | Medium: 3952
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-32982 | HIGH | 7.5 | OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the … | Mar 31, 2026 |
| CVE-2026-32977 | MEDIUM | 6.3 | OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move … | Mar 31, 2026 |
| CVE-2026-32976 | MEDIUM | 6.5 | OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-account configuration despite configWrites restrictions. Attackers with authorized access on one … | Mar 31, 2026 |
| CVE-2026-32971 | HIGH | 7.1 | OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper … | Mar 31, 2026 |
| CVE-2026-32970 | LOW | 2.5 | OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in … | Mar 31, 2026 |
| CVE-2026-32921 | MEDIUM | 6.3 | OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain … | Mar 31, 2026 |
| CVE-2026-32920 | HIGH | 8.4 | OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including … | Mar 31, 2026 |
| CVE-2026-32917 | CRITICAL | 9.8 | OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote … | Mar 31, 2026 |
| CVE-2026-32916 | CRITICAL | 9.4 | OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative … | Mar 31, 2026 |
| CVE-2026-27854 | MEDIUM | 4.8 | An attacker might be able to trigger a use-after-free by sending crafted DNS queries to a DNSdist using the DNSQuestion:getEDNSOptions method in custom Lua code. … | Mar 31, 2026 |
| CVE-2026-27853 | MEDIUM | 5.9 | An attacker might be able to trigger an out-of-bounds write by sending crafted DNS responses to a DNSdist using the DNSQuestion:changeName or DNSResponse:changeName methods in … | Mar 31, 2026 |
| CVE-2026-24030 | MEDIUM | 5.3 | An attacker might be able to trick DNSdist into allocating too much memory while processing DNS over QUIC or DNS over HTTP/3 payloads, resulting in … | Mar 31, 2026 |
| CVE-2026-24029 | MEDIUM | 6.5 | When the early_acl_drop (earlyACLDrop in Lua) option is disabled (default is enabled) on a DNS over HTTPS frontend using the nghttp2 provider, the ACL check … | Mar 31, 2026 |
| CVE-2026-24028 | MEDIUM | 5.3 | An attacker might be able to trigger an out-of-bounds read by sending a crafted DNS response packet, when custom Lua code uses newDNSPacketOverlay to parse … | Mar 31, 2026 |
| CVE-2026-0397 | LOW | 3.1 | When the internal webserver is enabled (default is disabled), an attacker might be able to trick an administrator logged in to the dashboard into visiting a … | Mar 31, 2026 |
| CVE-2026-0396 | LOW | 3.1 | An attacker might be able to inject HTML content into the internal web dashboard by sending crafted DNS queries to a DNSdist instance where domain-based … | Mar 31, 2026 |
| CVE-2025-14213 | UNKNOWN | — | Cato Networks’ Socket versions prior to 25 contain a command injection vulnerability that allows an authenticated attacker with access to the Socket web interface (UI) … | Mar 31, 2026 |
| CVE-2024-14031 | HIGH | 8.1 | Sereal::Encoder versions from 4.000 through 4.009_002 for Perl are vulnerable to a buffer overwrite flaw in the Zstandard library. Sereal::Encoder embeds a version of the … | Mar 31, 2026 |
| CVE-2024-14030 | HIGH | 8.1 | Sereal::Decoder versions from 4.000 through 4.009_002 for Perl are vulnerable to a buffer overwrite flaw in the Zstandard library. Sereal::Decoder embeds a version of the … | Mar 31, 2026 |
| CVE-2026-4400 | UNKNOWN | — | Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users to be viewed by simply changing the conversation ID. … | Mar 31, 2026 |
| CVE-2026-4399 | UNKNOWN | — | Prompt injection vulnerability in 1millionbot Millie chatbot that occurs when a user manages to evade chat restrictions using Boolean prompt injection techniques (formulating a question … | Mar 31, 2026 |
| CVE-2026-34887 | MEDIUM | 6.5 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Extend Themes Kubio AI Page Builder allows Stored XSS. This issue affects Kubio AI … | Mar 31, 2026 |
| CVE-2025-15618 | CRITICAL | 9.1 | Business::OnlinePayment::StoredTransaction versions through 0.01 for Perl uses an insecure secret key. Business::OnlinePayment::StoredTransaction generates a secret key by using a MD5 hash of a single call … | Mar 31, 2026 |
| CVE-2026-5197 | MEDIUM | 6.3 | A vulnerability was found in code-projects Student Membership System 1.0. The affected element is an unknown function of the file /delete_user.php. The manipulation of the … | Mar 31, 2026 |
| CVE-2026-4317 | UNKNOWN | — | SQL injection (SQLi) vulnerability in Umami Software web application through an improperly sanitized parameter, which could allow an authenticated attacker to execute arbitrary SQL commands … | Mar 31, 2026 |