CVE Feed
Latest vulnerabilities from the National Vulnerability Database.
| Total | Critical | High | Medium |
|---|---|---|---|
| 14240 | 958 | 4175 | 4515 |
| CVE ID | Severity | Score | Description | Published |
|---|---|---|---|---|
| CVE-2026-33576 | MEDIUM | 6.5 | OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to … | Mar 31, 2026 |
| CVE-2026-33276 | UNKNOWN | — | Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in … | Mar 31, 2026 |
| CVE-2026-30314 | UNKNOWN | — | Ridvay Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile … | Mar 31, 2026 |
| CVE-2026-30312 | UNKNOWN | — | DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based parsing … | Mar 31, 2026 |
| CVE-2026-30311 | UNKNOWN | — | Ridvay Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile … | Mar 31, 2026 |
| CVE-2026-30309 | HIGH | 7.8 | InfCode's terminal auto-execution module contains a critical command filtering vulnerability that renders its blacklist security mechanism completely ineffective. The predefined blocklist fails to cover native … | Mar 31, 2026 |
| CVE-2026-29870 | HIGH | 7.6 | A directory traversal vulnerability in the agentic-context-engine project versions up to 0.7.1 allows arbitrary file writes via the checkpoint_dir parameter in OfflineACE.run. The save_to_file method … | Mar 31, 2026 |
| CVE-2026-20915 | UNKNOWN | — | Stored cross-site scripting (XSS) in Checkmk version 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into … | Mar 31, 2026 |
| CVE-2026-0596 | CRITICAL | 9.6 | A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash … | Mar 31, 2026 |
| CVE-2026-3308 | UNKNOWN | — | An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow … | Mar 31, 2026 |
| CVE-2026-34156 | CRITICAL | 9.9 | NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScript inside … | Mar 31, 2026 |
| CVE-2026-34155 | UNKNOWN | — | RAUC controls the update process on embedded Linux systems. Prior to version 1.15.2, RAUC bundles using the 'plain' format exceeding a payload size of 2 … | Mar 31, 2026 |
| CVE-2026-30310 | UNKNOWN | — | In its design for automatic terminal command execution, Sixth offers two options: Execute safe commands and Execute all commands. The description for the former states … | Mar 31, 2026 |
| CVE-2026-5198 | HIGH | 7.3 | A vulnerability was determined in code-projects Student Membership System 1.0. The impacted element is an unknown function of the file /admin/index.php of the component Admin … | Mar 31, 2026 |
| CVE-2026-4267 | HIGH | 7.2 | The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$_SERVER['REQUEST_URI']’ parameter in all … | Mar 31, 2026 |
| CVE-2026-3191 | MEDIUM | 5.4 | The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing … | Mar 31, 2026 |
| CVE-2026-3139 | MEDIUM | 4.3 | The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference … | Mar 31, 2026 |
| CVE-2026-34509 | MEDIUM | 4.3 | OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a … | Mar 31, 2026 |
| CVE-2026-34508 | MEDIUM | 6.5 | OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds, allowing attackers to bypass rate limits and brute-force webhook secrets without triggering 429 responses. … | Mar 31, 2026 |
| CVE-2026-34506 | MEDIUM | 4.3 | OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a … | Mar 31, 2026 |
| CVE-2026-34505 | MEDIUM | 6.5 | OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated … | Mar 31, 2026 |
| CVE-2026-32988 | HIGH | 7.5 | OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified … | Mar 31, 2026 |
| CVE-2026-32982 | HIGH | 7.5 | OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the … | Mar 31, 2026 |
| CVE-2026-32977 | MEDIUM | 6.3 | OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move … | Mar 31, 2026 |
| CVE-2026-32976 | MEDIUM | 6.5 | OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-account configuration despite configWrites restrictions. Attackers with authorized access on one … | Mar 31, 2026 |