CVE Feed

Latest vulnerabilities from the National Vulnerability Database.

Total: 12618
Critical: 849
High: 3639
Medium: 3952
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-4946 | HIGH | 8.8 | Ghidra versions prior to 12.0.3 improperly process annotation directives embedded in automatically extracted binary data, resulting in arbitrary command execution when an analyst interacts with … | Mar 29, 2026 |
| CVE-2026-0562 | HIGH | 8.3 | A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The … | Mar 29, 2026 |
| CVE-2026-0560 | HIGH | 7.5 | A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to … | Mar 29, 2026 |
| CVE-2026-0558 | HIGH | 7.5 | A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does … | Mar 29, 2026 |
| CVE-2026-34005 | HIGH | 8.8 | In Sofia on Xiongmai DVR/NVR (AHB7008T-MH-V2 and NBD7024H-P) 4.03.R11 devices, root OS command injection can occur via shell metacharacters in the HostName value via an … | Mar 29, 2026 |
| CVE-2026-5046 | HIGH | 8.8 | A flaw has been found in Tenda FH1201 1.2.0.14(408). Affected is the function formWrlExtraSet of the file /goform/WrlExtraSet of the component Parameter Handler. Executing a … | Mar 29, 2026 |
| CVE-2026-5045 | HIGH | 8.8 | A vulnerability was detected in Tenda FH1201 1.2.0.14(408). This impacts the function WrlclientSet of the file /goform/WrlclientSet of the component Parameter Handler. Performing a manipulation … | Mar 29, 2026 |
| CVE-2026-5044 | HIGH | 8.8 | A security vulnerability has been detected in Belkin F9K1122 1.00.33. This affects the function formSetSystemSettings of the file /goform/formSetSystemSettings of the component Setting Handler. Such … | Mar 29, 2026 |
| CVE-2026-33575 | HIGH | 7.5 | OpenClaw before 2026.3.12 embeds long-lived shared gateway credentials directly in pairing setup codes generated by /pair endpoint and OpenClaw qr command. Attackers with access to … | Mar 29, 2026 |
| CVE-2026-33574 | MEDIUM | 6.2 | OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during … | Mar 29, 2026 |
| CVE-2026-33573 | HIGH | 8.8 | OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in the gateway agent RPC that allows authenticated operators with operator.write permission to override workspace boundaries by … | Mar 29, 2026 |
| CVE-2026-33572 | HIGH | 8.4 | OpenClaw before 2026.2.17 creates session transcript JSONL files with overly broad default permissions, allowing local users to read transcript contents. Attackers with local access can … | Mar 29, 2026 |
| CVE-2026-32987 | CRITICAL | 9.8 | OpenClaw before 2026.3.13 allows bootstrap setup codes to be replayed during device pairing verification in src/infra/device-bootstrap.ts. Attackers can verify a valid bootstrap code multiple times … | Mar 29, 2026 |
| CVE-2026-32980 | HIGH | 7.5 | OpenClaw before 2026.3.13 reads and buffers Telegram webhook request bodies before validating the x-telegram-bot-api-secret-token header, allowing unauthenticated attackers to exhaust server resources. Attackers can send … | Mar 29, 2026 |
| CVE-2026-32979 | HIGH | 7.3 | OpenClaw before 2026.3.11 contains an approval integrity vulnerability allowing attackers to execute rewritten local code by modifying scripts between approval and execution when exact file … | Mar 29, 2026 |
| CVE-2026-32978 | HIGH | 8.0 | OpenClaw before 2026.3.11 contains an approval integrity vulnerability where system.run approvals fail to bind mutable file operands for certain script runners like tsx and jiti. … | Mar 29, 2026 |
| CVE-2026-32975 | CRITICAL | 9.8 | OpenClaw before 2026.3.12 contains a weak authorization vulnerability in Zalouser allowlist mode that matches mutable group display names instead of stable group identifiers. Attackers can … | Mar 29, 2026 |
| CVE-2026-32974 | HIGH | 8.6 | OpenClaw before 2026.3.12 contains an authentication bypass vulnerability in Feishu webhook mode when only verificationToken is configured without encryptKey, allowing acceptance of forged events. Unauthenticated … | Mar 29, 2026 |
| CVE-2026-32973 | CRITICAL | 9.8 | OpenClaw before 2026.3.11 contains an exec allowlist bypass vulnerability where matchesExecAllowlistPattern improperly normalizes patterns with lowercasing and glob matching that overmatches on POSIX paths. Attackers … | Mar 29, 2026 |
| CVE-2026-32972 | HIGH | 7.1 | OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing authenticated operators with only operator.write permission to access admin-only browser profile management routes through browser.request. Attackers … | Mar 29, 2026 |
| CVE-2026-32924 | CRITICAL | 9.8 | OpenClaw before 2026.3.12 contains an authorization bypass vulnerability where Feishu reaction events with omitted chat_type are misclassified as p2p conversations instead of group chats. Attackers … | Mar 29, 2026 |
| CVE-2026-32923 | MEDIUM | 5.4 | OpenClaw before 2026.3.11 contains an authorization bypass vulnerability in Discord guild reaction ingestion that fails to enforce member users and roles allowlist checks. Non-allowlisted guild … | Mar 29, 2026 |
| CVE-2026-32922 | CRITICAL | 9.9 | OpenClaw before 2026.3.11 contains a privilege escalation vulnerability in device.token.rotate that allows callers with operator.pairing scope to mint tokens with broader scopes by failing to … | Mar 29, 2026 |
| CVE-2026-32919 | MEDIUM | 6.1 | OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing write-scoped callers to reach admin-only session reset logic. Attackers with operator.write scope can issue agent requests … | Mar 29, 2026 |
| CVE-2026-32918 | HIGH | 8.4 | OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the session_status tool that allows sandboxed subagents to access parent or sibling session state. Attackers … | Mar 29, 2026 |