Skip to main content
CVE-2026-22440 HIGH This Week

Reflected cross-site scripting in Thecs through version 1.4.7 enables attackers to inject malicious scripts that execute in users' browsers when they click specially crafted links, potentially compromising session data and user credentials. The vulnerability requires user interaction and affects all versions up to 1.4.7, with no patch currently available. An attacker can exploit this to steal sensitive information or perform actions on behalf of affected users.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-22438 HIGH This Week

Reflected cross-site scripting in TheBi through version 1.0.5 enables attackers to inject malicious scripts that execute in users' browsers when they click on specially crafted links. This vulnerability requires user interaction but can lead to session hijacking, credential theft, or malware distribution across trusted domains. No patch is currently available for affected installations.

XSS
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28482 HIGH PATCH This Week

OpenClaw versions before 2026.2.12 suffer from a path traversal vulnerability in transcript file handling that allows authenticated local users to read and modify arbitrary files on the system by injecting directory traversal sequences into sessionId or sessionFile parameters. An attacker with local access can exploit this to access sensitive files outside the intended agent sessions directory without additional privileges. No patch is currently available for this vulnerability.

Path Traversal Openclaw
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28477 HIGH PATCH This Week

OpenClaw versions before 2026.2.14 fail to properly validate OAuth state parameters in the Chutes login flow, allowing attackers to bypass CSRF protections and hijack user sessions. An attacker can trick a user into pasting malicious OAuth callback data to gain unauthorized access and maintain persistent tokens under a compromised account. No patch is currently available for this high-severity vulnerability.

CSRF Openclaw
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-28548 HIGH This Week

Vulnerability of improper verification in the email application. Impact: Successful exploitation of this vulnerability may affect service confidentiality. [CVSS 7.1 HIGH]

Privilege Escalation Emui Harmonyos
NVD
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-21621 HIGH This Week

Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker with a victim's read-only API key and valid 2FA code to obtain a full-access API key with unrestricted permissions. This privilege escalation vulnerability affects users of the Hexpm package repository and enables unauthorized modification of packages and account settings. No patch is currently available.

Privilege Escalation Authentication Bypass Hexpm
NVD GitHub VulDB
CVSS 4.0
7.0
EPSS
0.0%
Prev Page 7 of 7

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy