Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
11202
Total
755
Critical
3234
High
3640
Medium
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-27694 | MEDIUM | 5.4 | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the email notification templates insert user-controlled device, geofence, and … | May 05, 2026 |
| CVE-2026-27693 | MEDIUM | 5.4 | Traccar is an open source GPS tracking system. In org.traccar:traccar versions starting at 6.11.1 before 6.13.0, the KML and GPX export functionality writes device names … | May 05, 2026 |
| CVE-2026-27644 | MEDIUM | 6.5 | Traccar is an open source GPS tracking system. In versions between 6.11.1 and 6.13.0, the CSV export functionality writes position data, including user-controlled device and … | May 05, 2026 |
| CVE-2026-6262 | MEDIUM | 6.5 | The Betheme theme for WordPress is vulnerable to Arbitrary File Deletion in versions up to, and including, 28.4. This is due to the upload_icons() function … | May 05, 2026 |
| CVE-2026-6261 | HIGH | 8.8 | The Betheme theme for WordPress is vulnerable to Arbitrary File Upload in versions up to, and including, 28.4. This is due to the upload_icons() function … | May 05, 2026 |
| CVE-2026-43574 | MEDIUM | 6.5 | OpenClaw before 2026.4.12 contains an improper authorization vulnerability in helper-backed channels where empty resolved approver lists are interpreted as explicit approval authorization. Attackers can resolve … | May 05, 2026 |
| CVE-2026-43573 | HIGH | 7.7 | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with … | May 05, 2026 |
| CVE-2026-43572 | MEDIUM | 5.3 | OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers … | May 05, 2026 |
| CVE-2026-43571 | HIGH | 8.8 | OpenClaw before 2026.4.10 contains a plugin trust bypass vulnerability that allows channel setup catalog lookups to resolve workspace plugin shadows before bundled channel plugins. Attackers … | May 05, 2026 |
| CVE-2026-43570 | MEDIUM | 6.5 | OpenClaw versions 2026.3.22 before 2026.4.5 contain a symlink traversal vulnerability in remote marketplace repository path handling that allows attackers to escape the expected repository root. … | May 05, 2026 |
| CVE-2026-43569 | HIGH | 8.8 | OpenClaw before 2026.4.9 contains an authentication bypass vulnerability allowing untrusted workspace plugins to be auto-enabled during non-interactive onboarding when provider auth choices are shadowed. Attackers … | May 05, 2026 |
| CVE-2026-43568 | MEDIUM | 6.5 | OpenClaw versions 2026.4.5 before 2026.4.10 contain a privilege escalation vulnerability allowing write-scoped operators to modify persistent memory dreaming settings. Attackers with write-scoped gateway access can … | May 05, 2026 |
| CVE-2026-43567 | MEDIUM | 6.5 | OpenClaw before 2026.4.10 contains a path traversal vulnerability in the screen_record tool's outPath parameter that bypasses workspace-only filesystem guards. Attackers can exploit this by specifying … | May 05, 2026 |
| CVE-2026-43566 | CRITICAL | 9.1 | OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can exploit … | May 05, 2026 |
| CVE-2026-43535 | MEDIUM | 6.8 | OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization … | May 05, 2026 |
| CVE-2026-43534 | CRITICAL | 9.1 | OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook … | May 05, 2026 |
| CVE-2026-43533 | HIGH | 8.6 | OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage … | May 05, 2026 |
| CVE-2026-43532 | HIGH | 7.7 | OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. Attackers can bypass media normalization to inject host-local … | May 05, 2026 |
| CVE-2026-43531 | HIGH | 7.3 | OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, … | May 05, 2026 |
| CVE-2026-43530 | HIGH | 8.8 | OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet … | May 05, 2026 |
| CVE-2026-43529 | LOW | 2.5 | OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attacker with workspace write … | May 05, 2026 |
| CVE-2026-43528 | MEDIUM | 6.5 | OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attackers with … | May 05, 2026 |
| CVE-2026-43527 | HIGH | 7.7 | OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to … | May 05, 2026 |
| CVE-2026-43526 | HIGH | 8.2 | OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit … | May 05, 2026 |
| CVE-2026-42439 | HIGH | 8.5 | OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser … | May 05, 2026 |