Security
CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
Total: 11202; Critical: 755; High: 3234; Medium: 3640

| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-42438 | HIGH | 7.7 | OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers … | May 05, 2026 |
| CVE-2026-42437 | HIGH | 7.5 | OpenClaw versions 2026.4.9 before 2026.4.10 contain a denial of service vulnerability in the voice-call realtime WebSocket path that accepts oversized frames without proper validation. Remote … | May 05, 2026 |
| CVE-2026-42436 | HIGH | 7.7 | OpenClaw before 2026.4.14 contains an improper access control vulnerability in browser snapshot, screenshot, and tab routes that fail to consistently validate the final browser target … | May 05, 2026 |
| CVE-2026-42435 | HIGH | 8.8 | OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can … | May 05, 2026 |
| CVE-2026-42434 | HIGH | 8.8 | OpenClaw versions 2026.4.5 before 2026.4.10 contain a sandbox escape vulnerability allowing sandboxed agents to override exec routing by specifying host=node. Attackers can bypass sandbox boundaries … | May 05, 2026 |
| CVE-2026-42433 | MEDIUM | 6.5 | OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access … | May 05, 2026 |
| CVE-2023-54349 | MEDIUM | 6.1 | AmazCart CMS 3.4 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by submitting payloads through the search functionality. Attackers … | May 05, 2026 |
| CVE-2023-54348 | HIGH | 8.8 | ERPGo SaaS 3.9 contains a CSV injection vulnerability that allows authenticated attackers to execute arbitrary code by injecting formula payloads into vendor name fields. Attackers … | May 05, 2026 |
| CVE-2023-54347 | HIGH | 7.5 | OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login … | May 05, 2026 |
| CVE-2023-54346 | HIGH | 7.5 | WordPress Plugin Backup Migration 1.2.8 contains an information disclosure vulnerability that allows unauthenticated attackers to download complete database backups by accessing predictable file paths. Attackers … | May 05, 2026 |
| CVE-2023-54345 | HIGH | 8.8 | Frappe Framework ERPNext 13.4.0 contains a sandbox escape vulnerability in RestrictedPython that allows authenticated users with System Manager role to execute arbitrary code by exploiting … | May 05, 2026 |
| CVE-2023-54344 | CRITICAL | 9.8 | Eclipse Equinox OSGi 3.7.2 and earlier contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by sending payloads to the … | May 05, 2026 |
| CVE-2023-54342 | CRITICAL | 9.8 | Eclipse Equinox OSGi versions 3.8 through 3.18 contain a remote code execution vulnerability in the console interface that allows unauthenticated attackers to execute arbitrary code … | May 05, 2026 |
| CVE-2026-6322 | HIGH | 7.5 | fast-uri normalize() decoded percent-encoded authority delimiters inside the host component and then re-emitted them as raw delimiters during serialization. A host that combined an allowed … | May 05, 2026 |
| CVE-2025-42611 | MEDIUM | 6.5 | RouterOS provides various services that rely on correct verification of client and server certificates to secure confidentiality and integrity of communications. This includes OpenVPN, CAPsMAN, … | May 05, 2026 |
| CVE-2026-43870 | UNKNOWN | — | Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), … | May 05, 2026 |
| CVE-2026-43868 | MEDIUM | 5.3 | Memory Allocation with Excessive Size Value vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, … | May 05, 2026 |
| CVE-2026-3601 | MEDIUM | 4.3 | The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function … | May 05, 2026 |
| CVE-2026-3359 | HIGH | 7.5 | The Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder plugin for WordPress is vulnerable to SQL Injection via the 'inputs' parameter … | May 05, 2026 |
| CVE-2026-43869 | UNKNOWN | — | Improper Validation of Certificate with Host Mismatch vulnerability in Apache Thrift. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version … | May 05, 2026 |
| CVE-2026-7824 | UNKNOWN | — | An issue was discovered in the PaperCut Hive Ricoh embedded application. When the "Deep Logging" (diagnostic) mode is enabled, the application inadvertently records administrative credentials … | May 05, 2026 |
| CVE-2026-6418 | UNKNOWN | — | An issue was discovered in the Shared Account Synchronization component of PaperCut MF (version 25.0.4). The application allows administrative users to configure a source path … | May 05, 2026 |
| CVE-2026-6180 | UNKNOWN | — | A race condition exists in PaperCut MF when processing badge-swipe data from certain HP multifunction devices. Under specific network conditions involving dropped packets and out-of-order … | May 05, 2026 |
| CVE-2026-5192 | HIGH | 7.5 | The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress is vulnerable to Path Traversal in versions up to, and … | May 05, 2026 |
| CVE-2026-40797 | CRITICAL | 9.3 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Saleswonder LLC WebinarIgnition allows Blind SQL Injection. This issue affects WebinarIgnition: … | May 05, 2026 |