BMC FootPrints ITSM contains an authentication bypass vulnerability allowing unauthenticated remote attackers to access restricted REST API endpoints and servlets without proper authorization. Affected versions range from 20.20.02 through 20.24.01.001, enabling attackers to invoke restricted functionality, access application data, and modify system resources. A public proof-of-concept exploit has been published by watchTowr Labs demonstrating pre-authentication remote code execution chains, significantly elevating the real-world risk.
BMC FootPrints ITSM contains a blind server-side request forgery (SSRF) vulnerability in the externalfeed/RSS API component that allows authenticated attackers to trigger arbitrary outbound requests from the server. Affected versions range from 20.20.02 through 20.24.01.001, and attackers can exploit insufficient validation of externally supplied resource references to interact with internal services or cause resource exhaustion impacting availability. The vulnerability carries a CVSS score of 4.3 with low complexity and low attack vector, requiring only authentication; no active exploitation in the wild has been confirmed, but the disclosure references suggest potential chaining with pre-authentication RCE vectors documented by security researchers.
A blind server-side request forgery (SSRF) vulnerability exists in the searchWeb API component of BMC FootPrints ITSM versions 20.20.02 through 20.24.01.001, allowing authenticated attackers to cause the server to initiate arbitrary outbound requests through improper URL validation. Attackers can exploit this to perform internal network scanning or interact with internal services, potentially impacting system availability and confidentiality. A publicly available proof-of-concept exists, and vendor patches are available.
Open Redirect in Angular SSR allows remote attackers to bypass redirect validation through a single backslash character in the X-Forwarded-Prefix header, causing browsers to interpret the malformed URL as a protocol-relative redirect to attacker-controlled domains. This vulnerability affects Angular SSR applications deployed behind proxies and represents an incomplete fix for a prior open redirect issue. An attacker can craft requests to redirect authenticated users away from the legitimate application without user interaction.
Stack buffer overflow in wolfSSL 5.8.4's ECH (Encrypted Client Hello) implementation allows remote attackers to crash TLS clients or achieve code execution by sending a maliciously crafted ECH configuration. The vulnerability affects clients that have explicitly enabled ECH support, which is disabled by default. An attacker controlling a TLS server can exploit this remotely without authentication or user interaction.
NiceGUI's media file serving functions fail to validate user-supplied query parameters used in range-response handling, allowing attackers to bypass streaming protections and force servers to load entire files into memory simultaneously. Applications using app.add_media_file() or app.add_media_files() to serve large media content are vulnerable to denial of service through memory exhaustion and performance degradation when handling concurrent malicious requests. No patch is currently available.
OpenClaw versions prior to 2026.3.1 contain an authentication bypass vulnerability where failed authentication bootstrap during startup leaves browser-control routes accessible without credentials. An attacker with local process access or ability to reach the application via loopback SSRF can exploit this to access sensitive browser-control functionality including code evaluation capabilities without valid authentication. This is a moderate-risk vulnerability with a CVSS score of 6.9 and realistic exploitation potential for local/SSRF-capable threats.
OpenClaw versions before 2026.2.23 allow authenticated users with sandbox access to bypass workspace restrictions through a path traversal flaw in the apply_patch tool, enabling arbitrary file modification on the system. The vulnerability stems from inconsistent validation of mounted paths outside the workspace directory, permitting attackers to write to writable mounts beyond the intended sandbox boundaries. No patch is currently available for this MEDIUM severity issue.
OpenClaw versions prior to 2026.2.25 contain an authorization bypass vulnerability in interactive callback handlers (block_action, view_submission, view_closed) that allows authenticated but unauthorized workspace members to bypass sender authorization checks and enqueue arbitrary system events into active sessions. This affects shared workspace deployments where multiple users with varying permission levels coexist, enabling privilege escalation and information disclosure attacks without requiring elevated privileges or user interaction.
OpenClaw 2026.3.1 contains an approval integrity bypass vulnerability in the system.run node-host execution feature where attackers can rewrite command-line arguments (argv) to change the semantics of operator-approved commands. An authenticated local attacker with low privileges can place malicious scripts in the working directory to execute unintended code despite the operator approving different command text, resulting in high-impact confidentiality, integrity, and availability violations. A patch is available from the vendor, and no public exploit code has been widely reported, but the vulnerability represents a critical trust boundary violation in approval workflows.
OpenClaw versions before 2026.2.22 allow high-privileged attackers to execute arbitrary shell commands by injecting malicious environment variables into the system.run function, bypassing the intended command allowlist protections. By exploiting bash xtrace expansion through SHELLOPTS and PS4 variables, an attacker with request-scoped environment variable access can achieve code execution beyond the restricted command set. No patch is currently available for this command injection vulnerability.
Libarchive fails to properly validate the pz_log2_bs field in ISO9660 Rock Ridge extensions during zisofs decompression, allowing remote attackers to supply a crafted ISO file that triggers undefined behavior and causes denial-of-service through incorrect memory allocation and application crashes. The vulnerability requires user interaction (ISO file opening) but no authentication, affects libarchive across multiple distributions, and carries a moderate EPSS score (0.11%, 30th percentile) suggesting low current exploitation probability despite the moderate CVSS severity.
Microsoft Bing contains a server-side request forgery vulnerability that enables unauthenticated remote attackers to manipulate network communications and access sensitive information. An attacker can exploit this flaw without user interaction to retrieve confidential data or cause service disruption. No patch is currently available.
Microsoft Copilot is vulnerable to command injection through improper neutralization of special elements in user input, allowing an unauthenticated attacker to execute arbitrary commands and disclose sensitive information over the network. The vulnerability affects Microsoft Copilot (version details unspecified in available advisories) and requires user interaction to trigger. While no public proof-of-concept or active exploitation in the wild has been confirmed in the provided intelligence, the moderate CVSS score of 6.5 with high confidentiality impact warrants prompt patching.
Improper path sanitization in OpenEMR's DICOM export feature prior to version 8.0.0.2 allows authenticated users with DICOM permissions to write arbitrary files outside the intended directory through path traversal sequences. An attacker could exploit this to place malicious PHP files within the web root, potentially achieving remote code execution. The vulnerability requires valid credentials but poses significant risk to systems containing sensitive healthcare data.
OpenClaw gateway plugin versions before 2026.2.26 allow remote attackers to bypass authentication by exploiting path traversal in the /api/channels endpoint through encoded dot-segment sequences. Attackers can manipulate these paths to access protected plugin routes that should be restricted, gaining unauthorized access to sensitive channel functionality. No patch is currently available for this medium-severity vulnerability.
OpenClaw versions prior to 2026.2.24 contain an improper path validation vulnerability (CWE-22: Path Traversal) in sandbox media handling that allows attackers with low privileges to read and exfiltrate arbitrary files from the host temporary directory. An authenticated attacker can exploit this by crafting malicious media references delivered through attachment mechanisms, bypassing sandbox isolation to access sensitive files outside the intended sandbox root. No active exploitation in the wild (KEV status unknown), but proof-of-concept code references are available in GitHub commit history.
OpenClaw prior to version 2026.3.2 allows unauthenticated attackers to bypass authentication controls on the /api/channels endpoint through path canonicalization mismatches, enabling access to protected API resources. The vulnerability exploits inconsistent handling of multi-encoded slash characters (%2f variants) between authentication checks and route processing. No patch is currently available, and exploitation requires only network access with no user interaction.
A path traversal vulnerability in /ftl/web/setup.cgi in Small Cell Sercomm SCE4255W (FreedomFi Englewood) firmware before DG3934v3@2308041842 allows remote authenticated users to read arbitrary files from the filesystem via crafted values in the...
A Denial of Service vulnerability exists in Kibana's Timelion visualization plugin that allows authenticated users to trigger excessive memory allocation through improper validation of specially crafted Timelion expressions. An attacker with valid Kibana credentials can overwrite internal series data properties with excessively large quantity values, causing the application to exhaust system resources and become unavailable. This is a network-accessible vulnerability requiring low privileges with a CVSS score of 6.5 and documented as a confirmed denial-of-service attack vector affecting multiple active Kibana versions.
An improper authentication vulnerability in Secomea GateManager's webserver modules allows authenticated users to bypass authentication controls and access resources they should not be permitted to access. This affects GateManager version 11.4.0 and potentially other versions within the 11.4 release line. An attacker with valid login credentials can exploit this flaw to gain unauthorized access to sensitive information, achieving high confidentiality impact without modifying data or degrading availability.
A remote code execution vulnerability in Discourse (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
An authorization bypass vulnerability in Really Simple Security Pro versions through 9.5.4.0 allows unauthenticated attackers to exploit incorrectly configured access control through user-controlled keys, resulting in integrity and availability impacts. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) with a CVSS score of 6.5, indicating medium severity with network-based attack vector requiring no privileges or user interaction. Patchstack has documented this issue affecting the Really Simple Plugins B.V. Really Simple Security Pro WordPress plugin, though active exploitation status and POC availability from public sources require verification against current threat intelligence feeds.
libsoup versions prior to the patched release contain an integer underflow vulnerability in zero-length resource processing that enables unauthenticated remote attackers to read adjacent memory or trigger denial of service. The vulnerability stems from improper bounds checking during content handling, affecting any application using the vulnerable libsoup library for HTTP operations. No public exploit code has been identified, and the low EPSS score (0.04%, percentile 11%) indicates exploitation is unlikely in practice despite the moderate CVSS score of 6.5.
A DOM-based cross-site scripting (XSS) vulnerability exists in WPSight WPCasa WordPress plugin versions through 1.4.1, allowing authenticated attackers to inject malicious JavaScript that executes in users' browsers. The vulnerability stems from improper neutralization of user input during web page generation, enabling an attacker with login credentials to craft malicious payloads that execute in the context of other users' sessions. With a CVSS score of 6.5 and network-accessible attack vector requiring only user interaction, this vulnerability poses a moderate risk to WordPress installations using affected WPCasa versions, particularly those managing real estate listings where authenticated users have content creation privileges.
A post-type visibility filtering bypass in Discourse's `/private-posts` endpoint allows authenticated users with access to private message (PM) topics to view whisper posts that should be restricted to specific recipients. This information disclosure vulnerability affects Discourse versions prior to 2026.3.0-latest.1, 2026.2.1, and 2026.1.2, and requires only low-privilege user authentication to exploit. No active exploitation in the wild has been reported, but patches are available from the vendor.
OpenClaw versions before 2026.2.21 allow authenticated users with browser-tool access to bypass URL scheme validation and navigate to file:// URLs, enabling local file exfiltration through browser snapshot and extraction features. An attacker with valid credentials could read sensitive files accessible to the OpenClaw process and extract them from the system. No patch is currently available.
An authorization bypass vulnerability in OpenEMR versions prior to 8.0.0.2 allows authenticated non-administrator users to access reminder messages and associated patient information belonging to other users by manipulating GET request parameters. Any authenticated user can view sensitive data including patient names and message content from arbitrary user accounts without proper authorization checks. This vulnerability has a CVSS score of 6.5 (Medium) with high confidentiality impact but no integrity or availability impact, and a proof-of-concept has been published via the GitHub security advisory.
An authorization bypass vulnerability exists in Themeum Tutor LMS through version 3.9.4 that allows authenticated users to access resources they should not have permission to view through user-controlled keys in the access control mechanism. This Insecure Direct Object Reference (IDOR) vulnerability affects all Tutor LMS installations up to and including version 3.9.4, enabling an attacker with low privileges to read sensitive data by manipulating object identifiers. The vulnerability has a CVSS score of 6.5 reflecting moderate severity with high confidentiality impact, and while no KEV or widespread POC exploitation has been publicly confirmed, the attack requires only network access and valid authentication credentials.
Admidio versions 5.0.0 through 5.0.6 contain an authorization bypass vulnerability in the forum module that allows any authenticated user to permanently delete forum topics and posts without proper permission checks. An attacker with basic forum access can delete any topic or post by knowing its UUID, which is publicly visible in URLs, completely circumventing the authorization controls that are properly enforced in edit/save operations. This vulnerability was fixed in version 5.0.7, and exploitation requires only low privileges (authenticated user status) with no user interaction.
OpenEMR versions prior to 8.0.0.2 contain an authorization bypass vulnerability in the encounter vitals API that allows authenticated users with encounters/notes permissions to overwrite any patient's vital signs by supplying another patient's vital ID in the request body. This constitutes medical record tampering with integrity implications rated CVSS 6.5. No evidence of active exploitation in KEV or public POC availability was identified in the provided intelligence, though the vulnerability is straightforward to exploit given valid API credentials.
Kibana's Detection Rule Management lacks proper authorization controls, allowing authenticated users with rule management privileges to configure unauthorized endpoint response actions including host isolation and process termination. An attacker with these privileges could exploit this missing access control to execute sensitive endpoint operations beyond their intended scope. No patch is currently available for this medium-severity vulnerability affecting Elastic products.
Ella Core contains a null pointer dereference vulnerability (CWE-476) that causes the process to panic when processing malformed UL NAS Transport NAS messages that lack a Request Type field, particularly when no SM Context is present. An attacker with network access and minimal privileges can send crafted NAS messages to trigger this crash, resulting in complete denial of service for all connected subscribers without requiring authentication. The CVSS 6.5 score reflects the high availability impact, though the requirement for low privileges (PR:L) and network-only access (AV:N) constrains the overall severity.
Stack-based buffer overflow in PX4 autopilot versions 1.17.0-rc2 and below allows attackers with MAVLink link access to crash the flight controller by exploiting an unconstrained sscanf operation in the MavlinkLogHandler. An attacker can trigger this by creating deeply nested directories via MAVLink FTP and then requesting the log list, causing the MAVLink task to crash and resulting in loss of telemetry and command capability. This denial of service affects drone and unmanned vehicle systems relying on vulnerable PX4 versions.
Ella Core contains an input validation flaw that causes the process to panic when receiving NGAP messages with PDU Session IDs outside the valid range of 1-15, enabling unauthenticated attackers to trigger denial of service affecting all connected subscribers. The vulnerability (CWE-129: Improper Validation of Array Index) carries a CVSS score of 6.5 with network-level attack vector and low complexity, though it requires low privilege context according to the vector string. No active exploitation in the wild has been confirmed, but the straightforward nature of crafting malformed NGAP messages means proof-of-concept development is feasible.
A remote code execution vulnerability in Discourse (CVSS 6.5). Remediation should follow standard vulnerability management procedures.
A Host Header Spoofing vulnerability in the @local_check decorator of pyload-ng allows unauthenticated external attackers to bypass local-only IP address restrictions on the Click'N'Load API endpoints by sending a crafted HTTP Host header. This authentication bypass enables remote attackers to queue arbitrary downloads on the affected pyload instance, leading to Server-Side Request Forgery (SSRF) attacks against internal or external systems and Denial of Service through resource exhaustion. A proof-of-concept exploit exists in the form of a simple curl command that demonstrates immediate exploitability without user interaction.
Email verification resend endpoints in the Pages and legacy PublicAPI routes leak information about valid usernames through distinguishable responses, enabling unauthenticated attackers to enumerate active accounts. The default `emailVerifySuccessOnInvalidEmail` configuration option, which mitigates this issue, was not applied to these specific routes. A patch is available that extends the protection to both routes.
The Info Cards - Add Text and Media in Card Layouts WordPress plugin versions up to 2.0.7 contains a Stored Cross-Site Scripting vulnerability in the 'btnUrl' parameter of the Info Cards block that allows authenticated attackers with Contributor-level access to inject arbitrary JavaScript code. The vulnerability exists because the plugin fails to validate URL protocols (specifically javascript: schemes) on the server side, and the client-side rendering directly inserts unsanitized URLs into anchor href attributes, enabling script execution when users click the malicious button links. While there is no indication of active KEV exploitation, the low attack complexity and low privilege requirements make this a practical threat in multi-author WordPress environments.
{{author+link}} template tag when no author URL is present, which will execute whenever users visit pages containing the [drafts] shortcode. The vulnerability has a CVSS score of 6.4 with a network attack vector and low attack complexity, requiring only low-level privileges.
The dasel YAML reader contains an unbounded alias expansion vulnerability (CWE-674) that allows attackers to trigger extreme CPU and memory consumption through specially crafted YAML documents. Affected versions include dasel v3.0.0 through v3.3.1 and the current default branch. An attacker who can supply YAML input-via CLI, file processing, or library usage-can cause denial of service with a malicious 342-byte payload that fails to complete within 5 seconds and exhibits unbounded resource growth, as demonstrated by the provided proof-of-concept.
OpenClaw versions prior to 2026.3.1 contain a current working directory (cwd) injection vulnerability in Windows wrapper resolution for .cmd/.bat files that allows local attackers to manipulate command execution through directory control during shell fallback mechanisms. An authenticated local attacker with low privileges can exploit this vulnerability to achieve command execution integrity loss by controlling the working directory, potentially leading to unauthorized code execution or privilege escalation. While no active in-the-wild exploitation has been reported in KEV databases, the vulnerability is documented with a proof-of-concept available through the vendor's security advisory on GitHub.
Mozilla's Embed extension contains a domain allowlist bypass in the DomainFilteringAdapter due to insufficient hostname boundary validation in its regex pattern, allowing attacker-controlled domains like youtube.com.evil to pass validation checks for youtube.com. This vulnerability enables Server-Side Request Forgery attacks via the OscaroteroEmbedAdapter to probe internal services, and Cross-Site Scripting attacks through unsanitized oEmbed HTML responses returned by compromised domains. No patch is currently available for this medium-severity flaw.
OpenClaw versions prior to 2026.2.25 suffer from a webhook replay vulnerability where valid signed Nextcloud Talk webhook requests lack durable replay state suppression, allowing attackers to capture and replay previously legitimate signed requests to trigger duplicate inbound message processing. This can result in message duplication, data integrity issues, and potential availability degradation. While the CVSS score of 4.8 is moderate, the attack requires no authentication and can be executed over the network with medium complexity, making it a viable attack vector for threat actors with network visibility to webhook traffic.
UiPress Lite versions through 3.5.09 contain a missing authorization vulnerability (CWE-862) that allows authenticated users to exploit incorrectly configured access control security levels, enabling privilege escalation or unauthorized resource access. An attacker with low-level user credentials can bypass authorization checks to access or modify functionality restricted to higher-privilege roles. The vulnerability has a CVSS score of 6.3 with network-based attack vector requiring only low privileges, indicating moderate real-world exploitability.
A remote code execution vulnerability (CVSS 6.3). Remediation should follow standard vulnerability management procedures.
CVE-2026-32021 is a security vulnerability (CVSS 6.3). Remediation should follow standard vulnerability management procedures.
OpenClaw versions before 2026.2.22 allow local authenticated attackers to bypass the safe-bin allowlist by exploiting sort's --compress-program flag, enabling execution of arbitrary programs despite allowlist restrictions. This command injection vulnerability affects deployments using safe-bin configuration with ask=on-miss mode enabled, permitting unauthorized code execution without operator approval.
CVE-2026-32029 is a security vulnerability (CVSS 6.3). Remediation should follow standard vulnerability management procedures.
IBM QRadar SIEM versions 7.5.0 through 7.5.0 Update Package 14 contain an information disclosure vulnerability where sensitive configuration data is stored in plaintext or insufficiently protected files readable by unprivileged local users. An attacker with local filesystem access can read these configuration files to extract sensitive information such as credentials, API keys, or system parameters, potentially enabling lateral movement or further compromise of the SIEM infrastructure. A patch is available from IBM, and this vulnerability should be prioritized for organizations running affected QRadar versions as SIEM systems are high-value targets.