OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to bypass pre-authentication rate limiting on webhook token validation, enabling brute-force attacks against weak webhook secrets through rapid successive requests. The vulnerability stems from absent throttling on invalid token rejection attempts, permitting attackers to enumerate valid tokens without login credentials or triggering defensive rate-limiting mechanisms.
OpenClaw before version 2026.3.25 allows unauthenticated remote attackers to brute-force webhook authentication credentials due to missing rate limiting on password validation attempts. The vulnerability enables attackers to perform repeated authentication guesses against the webhook endpoint without throttling, potentially compromising webhook security and gaining unauthorized access to webhook functionality.
OpenClaw before version 2026.3.25 lacks rate limiting on Telegram webhook authentication, enabling unauthenticated remote attackers to brute-force weak webhook secrets through repeated guesses without throttling. This vulnerability permits systematic credential enumeration, potentially allowing attackers to forge webhook messages and intercept or manipulate Telegram-based communications processed by affected OpenClaw deployments. No public exploit code or active exploitation has been confirmed at this time.
Out-of-bounds read in wolfSSL's dual-algorithm CertificateVerify processing allows remote attackers to trigger information disclosure and data integrity violations through crafted input, but only when the library is compiled with both --enable-experimental and --enable-dual-alg-certs flags. The vulnerability affects wolfSSL versions before 5.9.1 and requires network access with low attack complexity, though the attack triggering mechanism involves a passive timing or state condition (AT:P). No public exploit code or active exploitation has been identified.
Heap buffer overflow in wolfSSL's CertFromX509 function allows remote attackers to cause information disclosure through malformed X.509 certificates containing oversized AuthorityKeyIdentifier extensions. The vulnerability requires a persistent attacker (AT:P per CVSS 4.0) but no authentication, affecting wolfSSL across all versions until patched. EPSS exploitation probability and active exploitation status cannot be determined from available data; no public exploit code has been independently confirmed.
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in its Synology Chat extension that allows unauthenticated remote attackers to bypass per-account direct message access controls by collapsing multi-account configurations onto shared webhook paths. Attackers can exploit inherited or duplicate webhook paths to replace route ownership across accounts, potentially gaining unauthorized access to account-specific resources. No public exploit code or active exploitation has been confirmed at the time of analysis.
Padding oracle vulnerability in wolfSSL's PKCS7 CBC decryption allows unauthenticated remote attackers to recover plaintext through repeated decryption queries with modified ciphertext, exploiting insufficient validation of interior padding bytes. The vulnerability requires high attack complexity and persistent attacker interaction but presents practical risk to systems using affected wolfSSL versions for PKCS7-encrypted communications.
Juniper Networks Junos OS on MX Series allows authenticated local users with low privileges to execute 'request csds' CLI commands intended only for high-privileged administrators or CSDS operators, enabling complete compromise of managed devices. The vulnerability affects Junos OS 24.4 releases before 24.4R2-S3 and 25.2 releases before 25.2R2. No public exploit code or active exploitation has been identified at time of analysis, though the CVSS score of 6.3 reflects moderate severity with high system impact.
Memory exhaustion denial of service in PraisonAI's WSGI-based recipe registry server (server.py) affects versions prior to 4.5.128. The vulnerability allows unauthenticated local processes to send arbitrarily large POST requests by spoofing the Content-Length header, causing the server to allocate unbounded memory and crash. Authentication is disabled by default, eliminating any access control barrier. The Starlette-based alternative server (serve.py) includes a 10MB request size limit, but the WSGI implementation lacks equivalent protection. Vendor-released patch: version 4.5.128 or later.
PraisonAIAgents versions prior to 1.5.128 allow unauthenticated local attackers to read arbitrary files from the filesystem via the read_skill_file() function in skill_tools.py, which lacks the workspace boundary protections and approval requirements enforced by comparable file access functions. An agent subjected to prompt injection can exfiltrate sensitive files without user awareness or approval prompts, enabling confidentiality compromise with CVSS 6.2 (local attack vector, high confidentiality impact). No public exploit code or active exploitation has been reported at the time of analysis.
Cross-site scripting (XSS) in LimeSurvey 6.15.20+251021 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious Box[title] and box[url] parameters. The vulnerability requires user interaction (clicking a crafted link) but achieves stored or reflected XSS with cross-origin impact, affecting confidentiality and integrity. A public proof-of-concept is available, and an upstream fix has been merged into the LimeSurvey repository.
Unhead's useHeadSafe() composable, explicitly recommended by Nuxt documentation for safely rendering user-supplied content in document head, can be bypassed via padded HTML numeric character references that exceed regex digit limits. The hasDangerousProtocol() function silently fails to decode these entities, allowing blocked URI schemes (javascript:, data:, vbscript:) to pass validation; browsers then natively decode the padded entity during HTML parsing, enabling cross-site scripting (XSS) attacks. This affects Unhead versions prior to 2.1.13, with no confirmed active exploitation or public exploit code identified at time of analysis.
Wasmtime versions 25.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0 contain a compiler type-checking bug in the Winch backend where the table.grow operator returns incorrectly typed 64-bit values instead of 32-bit values for 32-bit tables, enabling read/write access to 16 bytes of host memory preceding linear memory and resulting in denial of service when Wasmtime detects the unauthorized access. The vulnerability requires explicit selection of the non-default Winch compiler backend and either disabled guard pages or modified memory layout to achieve information disclosure; default Wasmtime configurations using the Cranelift compiler and standard guard page placement are unaffected. No public exploit code or active exploitation has been identified, though the attack vector is remote and requires low-privilege authenticated access.
OpenClaw before version 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that improperly uses a synthetic operator.admin runtime scope, allowing authenticated attackers to execute privileged operations with unintended administrative access by triggering session deletion without a request-scoped client. CVSS score of 6.1 reflects the requirement for low-level user authentication (PR:L) and network accessibility; patch availability is confirmed.
rrweb-snapshot before v2.0.0-alpha.18 contains a reflected cross-site scripting vulnerability that allows remote attackers to execute arbitrary JavaScript or HTML in a victim's browser context through a crafted payload. The vulnerability requires user interaction (clicking a malicious link) and affects client-side snapshot capture functionality. Publicly available exploit code exists according to CISA SSVC assessment, though active exploitation has not been confirmed at time of analysis.
Reflected cross-site scripting in LimeSurvey prior to version 6.15.11+250909 allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a malicious URL containing an unsanitized gid parameter passed to the getInstance() function in QuestionCreate.php. The vulnerability requires user interaction (clicking a crafted link) but affects logged-in users and can lead to session hijacking, credential theft, or malicious actions performed on behalf of the victim. No public exploitation has been confirmed at time of analysis, though proof-of-concept code is publicly available.
Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 allows authenticated remote attackers to corrupt memory by providing malicious realloc return values during string transcoding between WebAssembly components, enabling writes to arbitrary memory locations up to 4GiB away from linear memory base. On default configurations with 4GiB virtual memory reservation and guard pages, exploitation typically triggers process abort via unmapped memory access; however, configurations with reduced memory reservation and disabled guard pages risk corruption of host data structures or other guest linear memories.
Open redirect vulnerability in Apache Tomcat's LoadBalancerDrainingValve allows unauthenticated remote attackers to redirect users to untrusted sites via crafted URLs. Affects Tomcat 11.0.0-M1 through 11.0.18, 10.1.0-M1 through 10.1.52, 9.0.0.M23 through 9.0.115, and 8.5.30 through 8.5.100. The vulnerability requires user interaction (clicking a malicious link) and has low real-world exploitation probability (EPSS 0.01%), with no public exploit code or confirmed active exploitation identified at the time of analysis.
OpenClaw before version 2026.3.22 contains an improper authentication verification flaw in its Google Chat webhook handling that allows authenticated attackers with low privileges to bypass webhook authentication by supplying non-deployment add-on principals, enabling unauthorized actions through the Google Chat integration with a CVSS score of 6.0 and confirmed vendor patch availability.
wolfSSL's ARIA-GCM cipher suites in TLS 1.2 and DTLS 1.2 reuse an identical 12-byte nonce for every encrypted application-data record, enabling plaintext recovery through cryptanalytic attacks. This vulnerability affects only non-FIPS builds explicitly configured with --enable-aria and the proprietary MagicCrypto SDK (opt-in for Korean regulatory compliance). Authenticated remote attackers can exploit this to recover encrypted data, though AES-GCM implementations in the same product are unaffected due to independent invocation counters. No public exploit code or active exploitation has been identified at time of analysis.
Stack buffer overflow in wolfSSL's PKCS7 implementation allows local attackers to cause a denial of service or potentially execute code by crafting a CMS EnvelopedData message with an oversized OID in an OtherRecipientInfo recipient structure. The vulnerability affects wolfSSL when compiled with --enable-pkcs7 (disabled by default) and only when an application explicitly registers an ORI decrypt callback, significantly limiting real-world exposure. No public exploit code or active exploitation has been identified at time of analysis.
Wasmtime's Winch compiler (versions 25.0.0 through 36.0.6, 42.0.0-42.0.1, and 43.0.0) contains a table indexing vulnerability in the table.fill instruction that causes host panic when compiled by Winch on any architecture. A valid WebAssembly guest can trigger this denial-of-service condition due to incorrect table reference indexing left behind after a historical refactoring. EPSS score of 5.9 reflects medium exploitability, and the vulnerability is patched in Wasmtime 36.0.7, 42.0.2, and 43.0.1.
Wasmtime prior to versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 fails to properly validate pointer alignment when transcoding strings into UTF-16 or Latin-1+UTF-16 encodings within the Component Model, allowing authenticated malicious WebAssembly guests to trigger host panics by passing specially crafted unaligned pointers across component boundaries. This denial-of-service vulnerability requires authenticated access and specific string configurations but results in controllable host crashes. CVSS score 5.9 reflects moderate severity with attack vector network and authentication requirement; SSVC framework rates exploitation as not yet observed with non-automatable exploitation.
Wasmtime runtime before versions 24.0.7, 36.0.7, 42.0.2, and 43.0.1 panics when lifting component model flags-typed values with out-of-specification bit patterns, enabling guest-controlled denial-of-service in the host environment. The vulnerability requires high privilege and user interaction but affects a critical WebAssembly runtime used in production systems. No public exploit code is confirmed at time of analysis.
Regular expression denial of service (ReDoS) in jsVideoUrlParser library version 0.5.1 and earlier allows remote attackers to cause application availability loss by supplying a malicious timestamp argument to the getTime function in lib/util.js. The vulnerability exhibits inefficient regular expression complexity that can be triggered without authentication or user interaction. Publicly available exploit code exists, though the maintainer has not yet responded to early notification of the issue.
SQL injection in code-projects Simple Laundry System 1.0 allows remote unauthenticated attackers to manipulate the userid parameter in /userchecklogin.php, enabling arbitrary SQL query execution with potential impact on data confidentiality, integrity, and availability. CVSS 6.9 reflects low-impact confidentiality, integrity, and availability effects without lateral propagation; exploit code is publicly available, increasing practical risk despite moderate CVSS scoring.
Out-of-bounds read in osslsigncode versions 2.12 and earlier allows local attackers to crash the application via crafted PE files with malicious section headers during page-hash computation. The vulnerability exists in the pe_page_hash_calc() function, which fails to validate that section headers' PointerToRawData and SizeOfRawData values reference valid file regions. An attacker can trigger the flaw by providing a malicious PE file for signing with page hashing enabled (-ph flag) or by providing an already-signed malicious PE file for verification, where verification does not require the -ph flag. CVSS 5.5 with high availability impact; no public exploit identified at time of analysis.
Osslsigncode 2.12 and earlier contains an integer underflow in PE page-hash computation that allows local attackers to trigger an out-of-bounds heap read and crash the process via a specially crafted PE file with SizeOfHeaders larger than SectionAlignment. The vulnerability is triggered either when signing a malicious PE file with page hashing enabled (-ph flag) or when verifying an already-signed PE file containing page hashes, making verification particularly dangerous since no special flags are required. This is a denial-of-service vulnerability with no public exploit code identified at time of analysis, though the root cause (missing validation in integer subtraction) is straightforward to exploit.
Remote OS command injection in Agions taskflow-ai up to version 2.1.8 allows authenticated remote attackers to execute arbitrary operating system commands via manipulation of the terminal_execute component in src/mcp/server/handlers.ts, with CVSS 6.3 reflecting moderate severity. Vendor-released patch is available in version 2.1.9 (commit c1550b445b9f24f38c4414e9a545f5f79f23a0fe), and the vendor responded promptly to early notification.
Ziggeo plugin for WordPress up to version 3.1.1 allows authenticated attackers with Subscriber-level access or above to perform unauthorized administrative operations including modifying translations, creating or deleting event templates, changing SDK settings, and managing notifications through missing capability checks in AJAX handlers. While nonce validation is present, the absence of current_user_can() checks combined with nonce exposure to all logged-in users enables privilege escalation from basic subscribers to near-administrative functionality. CVSS 5.4 reflects moderate impact with low complexity exploitability.
CSRF vulnerability in Dockyard prior to 1.1.0 allows unauthenticated remote attackers to start or stop Docker containers by tricking a logged-in administrator into clicking a malicious link, since container control endpoints accept GET requests without CSRF token validation. An attacker can disrupt service availability or trigger unintended container state changes without authentication credentials. No active exploitation or public exploit code has been confirmed.
Stored cross-site scripting (XSS) in PraisonAI versions prior to 4.5.128 allows remote attackers to inject arbitrary JavaScript into agent output rendered by the Flask API endpoint. The vulnerability exists because the _sanitize_html function depends on the nh3 library, which is not declared as a required dependency in pyproject.toml; when nh3 is absent (default installation), HTML sanitization becomes a no-op. Attackers can exploit this via RAG data poisoning, malicious web scraping results, or prompt injection to execute malicious scripts in the browsers of users viewing API output. No public exploit code or active exploitation has been confirmed.
Authenticated privilege escalation in pyLoad's WebUI JSON endpoints (/json/package_order, /json/link_order, /json/abort_link) allows low-privileged users to perform unauthorized MODIFY operations that violate the application's permission model. Versions prior to 0.5.0b3.dev97 are affected; the vulnerability requires valid authentication but enables privilege boundary bypass without requiring elevated credentials.
Stored cross-site scripting in Kiamo before version 8.4 allows authenticated administrative users to inject persistent JavaScript payloads into administrative interfaces due to improper output encoding, resulting in execution within browsers of subsequent users accessing affected pages. The vulnerability requires valid admin credentials and user interaction (clicking a link or viewing a page) to trigger payload execution, making it a targeted attack vector against administrative personnel. EPSS probability is extremely low at 0.02%, and no active exploitation has been confirmed, though the issue affects a web-based application platform.
Man-in-the-middle attackers can intercept unverified TLS connections in dde-control-center versions prior to 6.1.80 and 5.9.9, allowing replacement of user avatar images fetched from openapi.deepin.com with malicious or misleading content, potentially enabling user identification or social engineering attacks. The vulnerability stems from disabled TLS certificate verification in the plugin-deepinid component and requires no authentication but does require user interaction to trigger avatar fetches.
Cross-site scripting (XSS) in ChurchCRM prior to 7.1.0 allows unauthenticated remote attackers to inject arbitrary JavaScript through the EName and EDesc parameters in EditEventAttendees.php, which is rendered without proper output encoding. Successful exploitation requires user interaction (UI:P) and results in session hijacking, credential theft, or malware distribution to victims' browsers. No public exploit code or active exploitation has been identified at time of analysis.
fast-jwt before 6.2.1 fails to properly validate JWTs when RegExp modifiers with stateful behavior (/g for global matching and /y for sticky matching) are used in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options. This causes valid authentication tokens to be rejected in an alternating 50% failure pattern due to RegExp state persistence across verification calls, degrading availability of JWT-protected services without compromising token security itself. The vulnerability is fixed in version 6.2.1.
PraisonAIAgents versions prior to 1.5.128 allow unauthenticated remote attackers to enumerate arbitrary files on the filesystem by exploiting unvalidated glob patterns in the list_files() tool. An attacker can use relative path traversal sequences (../) within the glob pattern parameter to bypass workspace directory boundary checks, revealing file metadata including existence, names, sizes, and timestamps for any path accessible to the application process. This information disclosure vulnerability has a CVSS score of 5.3 (low/medium impact) and no public exploit code has been identified.
Improper input validation in Apache Tomcat allows remote unauthenticated attackers to obtain sensitive information via an incomplete fix of the prior CVE-2025-66614 vulnerability. Affected versions include Tomcat 11.0.15-11.0.19, 10.1.50-10.1.52, and 9.0.113-9.0.115. The CVSS score of 5.3 reflects low confidentiality impact with no integrity or availability impact, and the 0.04% EPSS score indicates minimal real-world exploitation probability at time of analysis with no public exploit code or KEV status confirmed.
Server-side request forgery (SSRF) in OpenClaw before version 2026.3.25 allows authenticated attackers to bypass configured endpoint protections through unguarded fetch() calls in channel extensions, enabling rebinding of requests to internal resources and potential unauthorized access to restricted services. The vulnerability affects multiple channel extensions that fail to properly validate or restrict base URL usage, with a CVSS score of 5.3 reflecting moderate risk due to required authentication and limited initial impact scope.
Price manipulation in Bookly WordPress plugin (versions up to 27.0) allows unauthenticated attackers to reduce appointment booking costs to zero by submitting negative values to the 'tips' parameter, exploiting insufficient server-side validation of user-supplied pricing input. No public exploit code or active exploitation has been confirmed, but the vulnerability carries moderate risk due to its ease of exploitation and direct financial impact on e-commerce transactions.
OpenClaw before version 2026.3.25 allows authenticated attackers to bypass authorization controls in mention-gated groups by triggering reaction events that circumvent the requireMention access control mechanism, enabling them to enqueue agent-visible system events that should remain restricted. This medium-severity vulnerability (CVSS 5.3) affects the integrity of group-based access policies and requires user interaction at the network level but leverages low privilege requirements.
oma package manager prior to version 1.25.2 fails to validate the name field in Topic Manifest metadata, allowing remote attackers with high privileges and network access to inject malicious APT source entries into /etc/apt/sources.list.d/atm.list. This manipulation could lead to supply chain attacks by redirecting package installation to attacker-controlled repositories, though exploitation requires specific preconditions including user interaction and partial attack timing. The vulnerability has been fixed in version 1.25.2.
Stored cross-site scripting (XSS) in Juniper Networks Junos Space allows unauthenticated remote attackers to inject malicious script tags into the list filter field, which execute with the permissions of any user who views the affected page, including administrators. All versions before 24.1R5 Patch V3 are vulnerable. No public exploit code or active exploitation has been identified at time of analysis.
OpenClaw before version 2026.3.23 contains an authentication bypass in the Canvas gateway where the authorizeCanvasRequest() function unconditionally allows local-direct requests without validating bearer tokens or Canvas capabilities, enabling unauthenticated attackers on the local system to send loopback HTTP and WebSocket requests to bypass authentication and access Canvas routes. The vulnerability requires local network access but no prior authentication, affecting all versions prior to the patched release.
Use-after-free in libpng 1.0.9 through 1.6.56 allows local attackers to leak heap memory and corrupt PNG chunk metadata by passing a pointer from png_get_PLTE, png_get_tRNS, or png_get_hIST directly into the corresponding setter function on the same structure, exploiting a freed buffer dereference. The vulnerability enables information disclosure and silent data corruption with low attack complexity and no user interaction required; fixed in version 1.6.57.
Helm versions 3.20.1 and earlier, and 4.1.3 and earlier, allow local attackers with user interaction to write Chart contents to arbitrary directories via path traversal in the helm pull --untar command. A specially crafted Chart will bypass the expected subdirectory naming convention and extract files to the current working directory or a user-specified destination, potentially overwriting existing files. Vendor-released patches are available in versions 3.20.2 and 4.1.4.
Stored Cross-Site Scripting in Experto Dashboard for WooCommerce plugin versions up to 1.0.4 allows authenticated administrators to inject arbitrary JavaScript into plugin settings fields (Navigation Font Size, Font Weight, Heading Font Size, Font Weight, Text Font Size, and Font Weight) due to missing input sanitization and output escaping. The injected scripts execute when any user accesses the settings page, affecting only multi-site WordPress installations or single-site installations with unfiltered_html disabled. No public exploit code identified at time of analysis.
Authenticated subscribers and above in WordPress sites using MStore API plugin up to version 4.18.3 can modify arbitrary user meta fields on their own accounts, including legacy privilege escalation keys like wp_user_level and plugin-specific authorization flags, potentially leading to privilege escalation or stored XSS. The vulnerability stems from the update_user_profile() function accepting unsanitized, user-supplied meta_data JSON without allowlist or validation before passing it directly to update_user_meta(). No public exploit code or active exploitation has been identified at this time.
Open redirect vulnerability in LORIS (Longitudinal Online Research and Imaging System) versions prior to 27.0.3 and 28.0.1 allows unauthenticated remote attackers to redirect authenticated users to arbitrary external websites via a malicious redirect parameter during login. The vulnerability requires user interaction (clicking a crafted link) but poses a meaningful phishing risk in neuroimaging research environments where LORIS deployments are common. No public exploit code or active exploitation has been confirmed at the time of analysis.