Skip to main content
CVE-2026-7206 MEDIUM This Month

SQL injection in dubydu sqlite-mcp up to version 0.1.0 allows remote attackers to manipulate the output_filename parameter in the extract_to_json function, enabling arbitrary SQL command execution. The vulnerability has publicly available exploit code and affects all default installations without authentication requirements.

SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6807 MEDIUM CISA This Month

XML External Entity (XXE) injection in GRASSMARLIN v3.2.1 allows authenticated local users to extract sensitive information through crafted session data that exploits insufficient XML parser hardening. The vulnerability has a CVSS score of 5.5 with local attack vector and high confidentiality impact, affecting users with login credentials on systems running the affected version.

XXE Grassmarlin
NVD GitHub
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-7271 MEDIUM This Month

Path traversal in DV0x creative-ad-agent server component (up to commit 751b9e5146604dc65049bd0f62dcbdad6212f8a3) allows remote unauthenticated attackers to read arbitrary files via manipulation of req.params arguments in server/sdk-server.ts. Public exploit code is available. CVSS 5.5 reflects low confidentiality impact with network-accessible attack vector and no authentication requirement.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-40296 MEDIUM PATCH GHSA This Month

It was discovered that there is a way to bypass HTML escaping in the HTML writer using custom number format codes. ## The Problem In `Writer/Html.php` around line 1592, the code checks if the formatted cell data equals the original data to decide whether to apply `htmlspecialchars()`: ```php if ($cellData === $origData) { $cellData = htmlspecialchars($cellData, ...); } ``` When a cell has a custom number format containing `@` (text placeholder) with any additional literal characters, the formatter replaces `@` with the cell value and adds the extra characters. This makes `$cellData !== $origData`, so `htmlspecialchars()` is **skipped entirely**. Even a single trailing space in the format (`@ `) is enough to bypass the escape. ## Proof of Concept ```php use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Html; use PhpOffice\PhpSpreadsheet\Cell\DataType; $spreadsheet = new Spreadsheet(); $sheet = $spreadsheet->getActiveSheet(); // XSS payload with malicious number format $sheet->setCellValueExplicit('A1', '<img src=x onerror=alert(document.cookie)>', DataType::TYPE_STRING); $sheet->getStyle('A1')->getNumberFormat()->setFormatCode('. @'); $writer = new Html($spreadsheet); $writer->save('output.html'); ``` The generated HTML contains: ```html <td>. <img src=x onerror=alert(document.cookie)></td> ``` The XSS payload is **completely unescaped**. ## Tested Bypass Formats | Format Code | Result | Escaped? | |---|---|---| | `General` (default) | Original value | YES (safe) | | `. @` | `. ` + value | **NO (XSS!)** | | `@ ` (trailing space) | value + ` ` | **NO (XSS!)** | | `x@` | `x` + value | **NO (XSS!)** | This was tested with PhpSpreadsheet 4.5.0 and confirmed the XSS executes in the browser. ## Impact Any application that: 1. Accepts uploaded XLSX files from users 2. Converts them to HTML using PhpSpreadsheet's HTML writer 3. Displays the HTML to other users ...is vulnerable to stored XSS. The attacker embeds the payload in a cell value and sets a custom number format in the XLSX file's `xl/styles.xml`. ## Suggested Fix Always apply `htmlspecialchars()` regardless of whether formatting changed the value: ```php // Instead of conditional escaping: $cellData = htmlspecialchars($cellData, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); ``` Or escape AFTER formatting, not conditionally based on equality. ## Reporter Keyvan Hardani

PHP XSS
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41392 MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows local authenticated users with user interaction to bypass exec allowlist restrictions via shell initialization file options (--rcfile, --init-file, --startup-file), enabling them to load attacker-controlled initialization files and achieve high-impact unauthorized access to confined resources. Exploitation requires local access, low privileges, user interaction, and specific timing conditions, but bypasses a critical security control intended to restrict executable trust.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
5.4
EPSS
0.0%
CVE-2026-38948 MEDIUM This Month

Cross-Site Scripting (XSS) via malicious SVG upload in FUEL CMS v1.5.2 and earlier allows low-privileged authenticated users to execute arbitrary JavaScript in the context of other users' browsers through the asset upload functionality. The vulnerability stems from inadequate sanitization of SVG file contents during upload, enabling attackers with valid credentials to craft weaponized SVG files that execute when viewed by administrators or other site visitors. No active exploitation in CISA KEV confirmed; CVSS 5.4 reflects moderate impact with user interaction requirement.

XSS
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2024-54011 MEDIUM PATCH This Month

Penetration Testing engineers at Amazon have discovered a flaw where the camera system fails to properly handle data supplied in certain requests, causing a service disruption. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Qnd 8080R
NVD VulDB
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-4911 MEDIUM This Month

Booking Package plugin for WordPress up to version 1.7.06 allows unauthenticated attackers to manipulate booking prices via the intentForStripe() function, which accepts unsanitized $_POST['amount'] values and passes them directly to the Stripe PaymentIntent API without validation. The vulnerability is compounded by commented-out code in CreditCard.php that would normally enforce server-calculated pricing, enabling attackers to complete bookings at arbitrary prices (e.g., $0.01 instead of $500.00) with no authentication required. This is a confirmed price manipulation vulnerability with no active KEV exploitation reported but represents significant financial fraud risk.

PHP WordPress RCE
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41310 MEDIUM PATCH GHSA This Month

OpenTelemetry's Zipkin exporter for .NET allows unauthenticated remote attackers to trigger denial of service by sending spans with high-cardinality remote endpoint attributes, causing unbounded memory growth in the remote endpoint cache and eventual process degradation. CVSS 5.3 (network-accessible, low complexity). Patch available from vendor; no active exploitation identified.

Denial Of Service
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-42420 MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains improper input validation in base64 decode paths that allocate memory before enforcing decoded-size limits. Attackers can exploit multiple code paths to cause memory exhaustion or denial of service through crafted base64-encoded input.

Denial Of Service Openclaw
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-60887 MEDIUM This Month

Insecure deserialization in Cista v0.15 and below allows remote unauthenticated attackers to leak stack and heap addresses through reference tampering in the cista::raw namespace, potentially defeating ASLR protections. The vulnerability arises from insufficient validation of pointer-like objects during deserialization, enabling attackers to observe deserialized values and extract memory layout information for subsequent exploitation.

Deserialization
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-41367 MEDIUM PATCH This Month

OpenClaw versions 2026.2.14 through 2026.3.24 fail to enforce guild and channel policy gates on Discord button and component interactions, allowing authenticated users to trigger privileged component actions from contexts where those actions should be blocked. The vulnerability bypasses channel policy enforcement via policy gate inconsistency, enabling privilege escalation within Discord servers where OpenClaw is deployed.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-41365 MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 allows authenticated remote attackers to bypass sender allowlist filters when retrieving MS Teams thread history via Microsoft Graph API, enabling access to messages that should be restricted by security policies. The vulnerability affects organizations using OpenClaw's Teams integration and has been patched as of the specified version.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-41606 MEDIUM PATCH This Month

Stack overflow in Apache Thrift c_glib dispatch mechanism allows remote attackers to trigger denial of service via crafted network requests. The vulnerability affects Apache Thrift versions prior to 0.23.0 and requires no authentication or user interaction, resulting in application crashes or service unavailability. Patch is available from the vendor.

Node.js Denial Of Service Apache Thrift
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-32699 MEDIUM GHSA This Month

### Summary The application fails to validate the ```nick``` parameter during a ```POST``` request to the ```EditUser``` controller. Although the UI prevents editing this field, a user can bypass this restriction using a proxy to rename any account (including the Administrator). This leads to Broken Access Control and potential Audit Log Corruption. ### Details The vulnerability exists in the user update logic. When a ```POST``` request is sent to ```/EditUser```, the backend processes the ```nick``` form-data parameter without checking if it matches the original value or if the user has the privilege to change a unique identifier that is intended to be immutable. ### PoC ***1.*** Log in to the dashboard as any user (e.g. admin user). ***2.*** Go to your Profile by clicking your username/avatar in the top right. ***3.*** Open Burp Suite and ensure Intercept is ON. ***5.*** Click the Save button in the UI. ***6.*** In Burp Suite, locate ```nick``` in the body: <img width="1915" height="1013" alt="Screenshot_2026-03-04_05_26_32" src="https://github.com/user-attachments/assets/aea4e6fd-beba-4a47-96da-8b9bd9075681" /> ***7.*** Change the value admin to Vulnerable (or any other string). ***8.*** Click Forward in Burp Suite. The application will log the user out. It is possible to now log back in using the username "Vulnerable" and the original password. ### Impact An attacker can effectively sabotage the system’s audit trail, performing malicious actions and then renaming their account to evade detection or frame other users. This breakdown in accountability facilitates identity impersonation and risks data corruption, as internal references to the original username become orphaned, undermining the overall integrity of the multi-user environment. ### Result #### Before <img width="1920" height="996" alt="Screenshot_2026-03-04_05_25_30" src="https://github.com/user-attachments/assets/3b2d34e5-a2b9-4da9-9a56-963fe1a8fd65" /> #### After <img width="1920" height="955" alt="Screenshot_2026-03-04_05_27_00" src="https://github.com/user-attachments/assets/af1de0ef-2b55-4d29-9557-29ee26a3775a" />

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-41377 MEDIUM PATCH This Month

OpenClaw before version 2026.3.31 fails to block plugin installation when security scans detect threats, allowing authenticated users to install malicious plugins by ignoring visible scan warnings. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), but enables installation of untrusted code with moderate integrity impact when exploited.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-41914 MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in QQ Bot media download paths that bypass SSRF protection. Attackers can exploit unprotected media fetch endpoints to access internal resources and bypass allowlist policies.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-40974 MEDIUM PATCH This Month

Spring Boot's Cassandra auto-configuration fails to verify hostnames during SSL/TLS connection establishment to Cassandra servers, enabling man-in-the-middle attackers on the local network to intercept credentials and data by presenting a valid certificate for any domain. Affects Spring Boot 2.7.0-4.0.5; vendor-released patches available for all supported versions (4.0.6, 3.5.14, 3.4.16, 3.3.19, 2.7.33). No public exploit code identified at time of analysis.

Information Disclosure Java
NVD HeroDevs VulDB
CVSS 3.1
5.0
EPSS
0.0%
CVE-2026-5794 MEDIUM PATCH This Month

A vulnerability affecting the detailed versions of Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request.

Information Disclosure Cryptobox
NVD
CVSS 4.0
4.9
EPSS
0.0%
CVE-2026-42430 MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a server-side request forgery vulnerability in Playwright redirect handling that allows attackers to bypass strict SSRF checks. Attackers can exploit request-time navigation to reach private targets that should be restricted by browser SSRF protections.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-41912 MEDIUM PATCH This Month

OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser interactions to bypass SSRF protections and access restricted resources.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-10539 MEDIUM PATCH This Month

Remote code execution in DeskTime Time Tracking App before version 1.3.674 via improper TLS certificate validation allows network-positioned attackers to serve malicious executables during application updates without requiring user interaction. The vulnerability exploits the update mechanism's failure to properly validate TLS certificates, enabling an attacker in a man-in-the-middle position to achieve user-level code execution. EPSS score of 0.02% suggests low real-world exploitation probability despite RCE severity, likely due to the requirement for network positioning and the attack's reliance on coinciding update requests.

RCE Desktime Time Tracking
NVD VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-35453 MEDIUM PATCH GHSA This Month

### Summary The HTML Writer in PhpSpreadsheet bypasses `htmlspecialchars()` output escaping when a cell uses a custom number format containing the `@` text placeholder with additional literal text (e.g., `@ "items"` or `"Total: "@`). This allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML output by crafting a malicious XLSX file. ### Details #### 1. Conditional escaping in `Html.php:1586-1594` ```php $cellData = NumberFormat::toFormattedString( $origData2, $formatCode ?? NumberFormat::FORMAT_GENERAL, [$this, 'formatColor'] ); if ($cellData === $origData) { $cellData = htmlspecialchars($cellData, Settings::htmlEntityFlags()); } ``` `htmlspecialchars()` is only called when `$cellData === $origData` (strict comparison). If the formatted output differs from the original value in any way, escaping is skipped entirely. #### 2. Early return in `Formatter.php:136-152` ```php if (preg_match(self::SECTION_SPLIT, $format) === 0 && preg_match(self::SYMBOL_AT, $formatx) === 1) { if (!str_contains($format, '"')) { return str_replace('@', /* raw value */, $format); } return str_replace(/* ... preg_replace with raw value ... */); } ``` When the format code contains `@` with additional literal text (e.g., `@ "items"`), the formatter substitutes the raw cell value into the format string and **returns early** - the `formatColor` callback (which would have applied `htmlspecialchars`) is never invoked. ### PoC **test.php** ``` php <?php require '/app/vendor/autoload.php'; use PhpOffice\PhpSpreadsheet\Spreadsheet; use PhpOffice\PhpSpreadsheet\Writer\Html; $spreadsheet = new Spreadsheet(); $sheet = $spreadsheet->getActiveSheet(); $payload = '<img src=x onerror=alert(document.domain)>'; $formatCode = '@ "items"'; $sheet->setCellValue('A1', $payload); $sheet->getStyle('A1')->getNumberFormat()->setFormatCode($formatCode); $writer = new Html($spreadsheet); $html = $writer->generateHTMLAll(); file_put_contents('/app/output.html', $html); echo "HTML output saved to /app/output.html\n"; ``` The produced output contains unescaped data. ``` html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="generator" content="PhpSpreadsheet, https://github.com/PHPOffice/PhpSpreadsheet" /> <title>Untitled Spreadsheet</title> <meta name="author" content="Unknown Creator" /> <meta name="title" content="Untitled Spreadsheet" /> <meta name="lastModifiedBy" content="Unknown Creator" /> <meta name="created" content="2026-04-02T16:34:44+00:00" /> <meta name="modified" content="2026-04-02T16:34:44+00:00" /> <style type="text/css"> [..SNIP..] </style> </head> <body> <div style='page: page0'> <table border='0' cellpadding='0' cellspacing='0' id='sheet0' class='sheet0 gridlines'> <col class="col0" /> <tbody> <tr class="row0"> <td class="column0 style1 s"><img src=x onerror=alert(document.domain)> items</td> </tr> </tbody></table> </div> </body> </html> ``` <img width="719" height="716" alt="Screenshot 2026-04-02 at 18 45 53" src="https://github.com/user-attachments/assets/b758b063-a2d1-4e76-87bb-931eae81dbfe" /> ### Impact The impact changes based on the way the HTML is served. In case it is served from the web server it is typical XSS, in case the file is downloaded and opened locally, the attack vector is more limited.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2026-40977 MEDIUM PATCH This Month

Spring Boot applications configured with ApplicationPidFileWriter are vulnerable to local file corruption when a high-privilege user can write to the PID file directory. An attacker with high privileges and write access to the PID file location can corrupt arbitrary files each time the application restarts, achieving denial of service or data integrity violations. Exploitation requires local access and elevated privileges, limiting real-world impact to co-resident or insider threat scenarios. No active exploitation has been publicly reported.

Information Disclosure Java Red Hat
NVD HeroDevs VulDB
CVSS 3.1
4.7
EPSS
0.0%
CVE-2026-40552 MEDIUM Monitor

Remote command execution in mpGabinet 23.12.19 and below allows authenticated database administrators or unauthenticated attackers (via chained exploitation of CVE-2026-40550 and CVE-2026-40551) to achieve system command execution by manipulating attachment storage paths in the database to reference attacker-controlled resources that execute when users open the files. The vulnerability requires direct database access and user interaction to trigger execution, but becomes unauthenticated when chained with companion CVE vulnerabilities that grant database and application access.

Information Disclosure Mpgabinet
NVD
CVSS 4.0
4.7
EPSS
0.0%
CVE-2026-7309 MEDIUM This Month

OpenShift Container Platform build system allows authenticated users with the edit ClusterRole to inject arbitrary environment variables into docker-build containers via the buildconfigs/instantiate API, enabling information disclosure attacks such as build traffic interception through LD_PRELOAD or http_proxy manipulation. This represents an incomplete remediation of a prior vulnerability, affecting confidentiality of sensitive build data with CVSS 4.3 (network-accessible, low complexity, authenticated). No public exploit code or active exploitation has been confirmed at the time of analysis.

Docker Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-7340 MEDIUM PATCH This Month

Integer overflow in ANGLE in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

Google Buffer Overflow Microsoft Red Hat Suse +1
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-40968 MEDIUM PATCH This Month

Spring gRPC 1.0.0 through 1.0.2 inherits authenticated user identity on gRPC worker threads after access denial, allowing a subsequent unauthenticated request on the same thread to gain escalated permissions. The vulnerability requires an authenticated attacker with prior knowledge of thread reuse patterns and affects only configurations where both authenticated and unauthenticated requests share gRPC worker threads. A patch is available in version 1.0.3.

Java Privilege Escalation
NVD
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-40969 LOW PATCH Monitor

Spring gRPC versions 1.0.0 through 1.0.2 leak sensitive authentication failure details in gRPC status descriptions to unauthenticated remote callers, enabling reconnaissance for follow-up attacks. The vulnerability exposes raw server-side AuthenticationException messages without sanitization, providing attackers with information about authentication mechanisms and potential weaknesses. This low-severity information disclosure (CVSS 3.7) requires high attack complexity but affects default configurations.

Information Disclosure Java
NVD VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-7360 LOW PATCH Monitor

Insufficient validation of untrusted input. in Compositing in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)

Google Authentication Bypass Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7351 LOW PATCH Monitor

Race in MHTML in Google Chrome prior to 147.0.7727.138 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security severity: High)

Information Disclosure Google Race Condition Chrome
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-7303 LOW PATCH Monitor

A security flaw has been discovered in Xuxueli xxl-job up to 3.3.2. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.4.0 is recommended to address this issue. The patch is identified as d24e4ccd6073cc75305e1d3b9c29bc8db7437e7a. It is suggested to upgrade the affected component.

Information Disclosure Java
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-7306 LOW Monitor

A security vulnerability has been detected in Xuxueli xxl-job up to 3.3.2. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key . It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is regarded as difficult. The exploit has been disclosed publicly and may be used.

Information Disclosure Java
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-41916 LOW PATCH Monitor

OpenClaw before 2026.4.8 contains an authentication state management vulnerability where the resolvedAuth closure becomes stale after configuration reload. Newly accepted gateway connections continue using outdated resolved auth state, allowing attackers to bypass authentication controls through config reload operations.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-41910 LOW PATCH Monitor

OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist modifications against different channels, violating the intended trust model.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-41406 LOW PATCH Monitor

OpenClaw before version 2026.3.31 contains a sender allowlist bypass vulnerability allowing remote attackers to access restricted messages by exploiting quoted, root, and thread context message retrieval mechanisms. The vulnerability affects default configurations and requires user interaction (CVSS UI:P), making it a moderate-risk authentication bypass that undermines message access controls.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41362 LOW PATCH Monitor

OpenClaw versions 2026.2.19 before 2026.3.31 allow authenticated attackers to suppress legitimate webhook events across different accounts in multi-tenant deployments by exploiting improper cache isolation in the Zalo webhook replay-deduplication mechanism. An attacker with control of one authenticated Zalo webhook path can match event_name and message_id parameters to suppress events on victim accounts, causing denial of service to webhook processing. No public exploit code or active exploitation has been identified, though the vulnerability requires valid authentication and incremental exploitation (AT:P), limiting immediate risk.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41408 LOW PATCH Monitor

OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk space by downloading media files without triggering intended safety restrictions, causing availability impact.

Denial Of Service Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41402 LOW PATCH Monitor

OpenClaw before version 2026.3.31 allows authenticated attackers to bypass webhook replay protection through overly broad cache keying, enabling delivery of duplicate webhook messages to unintended sibling targets when the same messageId is reused. The vulnerability exploits insufficient scope isolation in the webhook replay cache deduplication mechanism, allowing message replay across organizational boundaries within a single authentication context.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-42421 LOW PATCH Monitor

OpenClaw before 2026.4.8 contains a session management vulnerability where existing WebSocket sessions survive shared gateway token rotation. Attackers can maintain unauthorized access to WebSocket connections after token rotation by exploiting the failure to disconnect existing shared-token sessions.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41382 LOW PATCH Monitor

OpenClaw before version 2026.3.31 allows authenticated attackers to bypass authorization controls on Discord voice channels through exploitation of stale-role validation gaps and improper channel name validation, enabling unauthorized access to restricted voice channels that should be protected by member and channel allowlists. The vulnerability requires valid Discord credentials but enables privilege escalation within voice channel access controls. No public exploit code has been identified at the time of analysis.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41381 LOW PATCH Monitor

OpenClaw before version 2026.3.31 contains an access control bypass in its Discord voice manager that allows authenticated attackers to send voice ingress requests before channel allowlist authorization checks are enforced, gaining unauthorized access to restricted voice channels. The vulnerability exploits a race condition or authorization sequencing flaw in the voice channel access control mechanism, affecting deployments with member-level access restrictions.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-41376 LOW PATCH Monitor

OpenClaw before version 2026.3.31 fails to properly validate message senders in Matrix thread root and reply context handling, allowing remote unauthenticated attackers to bypass sender allowlists and access filtered messages. The vulnerability requires user interaction and has low attack complexity, but impact is limited to information disclosure of message context that should have been restricted by access controls.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-7305 LOW Monitor

A weakness has been identified in Xuxueli xxl-job up to 3.3.2. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher got rejected because of that.

Java SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7200 LOW Monitor

Reflected cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote attackers to inject malicious scripts via manipulation of the ID parameter in the /index.php?page=types endpoint. User interaction is required for exploitation, and publicly available exploit code exists, though the vulnerability carries limited impact (integrity only, no confidentiality or availability compromise) with a CVSS score of 5.3.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7230 LOW Monitor

Stored or reflected cross-site scripting (XSS) in SourceCodester Safety Anger Pad 1.0 allows remote unauthenticated attackers to inject malicious scripts via the angerDisplay parameter, potentially compromising user sessions and stealing sensitive data. The vulnerability requires user interaction (UI:R per CVSS) but has publicly available exploit code and a moderate CVSS score of 4.3, making it a practical attack vector for credential harvesting or malware distribution.

XSS Safety Anger Pad
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-41398 LOW PATCH Monitor

OpenClaw before version 2026.4.2 improperly trusts local-network pages in its iOS A2UI bridge, allowing attackers to inject unauthorized agent.request commands by serving malicious content from local-network or tailnet hosts. This can pollute session state and consume user budget without authentication, though exploitation requires user interaction and proximity to the target network.

Apple Authentication Bypass
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-40556 LOW PATCH Monitor

GNU nano creates the ~/.local directory with world-writable permissions (0777) on first use of XDG data storage features when the directory does not exist, allowing local attackers in systems with relaxed umasks (such as containers, CI/CD runners, or environments with umask 000) to write attacker-controlled files into the victim's XDG directory hierarchy via a race condition. The vulnerability affects nano versions before 9.0 and carries a CVSS score of 2.1 with CISA SSVC assessment indicating partial technical impact but no known public exploitation.

Information Disclosure Nano
NVD VulDB
CVSS 4.0
2.1
CVE-2026-7318 LOW Monitor

A vulnerability was detected in elie mcp-project 0.1.0. The affected element is the function search_papers of the file research_server.py. The manipulation of the argument topic results in path traversal. Attacking locally is a requirement. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7283 LOW Monitor

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in the save_expired function of /ajax.php. The vulnerability affects an administrative interface endpoint and has publicly available exploit code. CVSS 5.1 reflects low confidentiality, integrity, and availability impact despite network accessibility due to high-privilege requirement (PR:H).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
Prev Page 5 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy