Skip to main content
CVE-2026-25243 HIGH PATCH This Week

Remote code execution in Redis server versions up to 8.6.3 allows authenticated attackers with RESTORE command privileges to execute arbitrary code by submitting maliciously crafted serialized payloads. The vulnerability stems from insufficient validation of serialized values in the RESTORE command, enabling heap-based buffer overflow conditions. Redis released version 8.6.3 to patch this flaw alongside four other critical RCE vulnerabilities. EPSS data not available; no CISA KEV listing identified at time of analysis, suggesting targeted rather than widespread exploitation.

Heap Overflow Redis RCE Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-43569 HIGH PATCH GHSA This Week

Authentication bypass in OpenClaw before 2026.4.9 enables untrusted workspace plugins to intercept provider authentication credentials during non-interactive onboarding. Malicious plugins can shadow legitimate provider authentication choices, causing the system to auto-enable attacker-controlled code and route sensitive API keys or credentials through untrusted handlers without user consent. Vendor-released patch available (v2026.4.9+). EPSS and KEV data not provided; exploitation requires user interaction (UI:P) and specific attack timing (AT:P), suggesting moderate real-world deployment complexity despite network attack vector.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-43885 HIGH PATCH GHSA This Week

AVideo version 29.0 and earlier exposes API authentication secrets (APISecret) to unauthenticated remote attackers via a publicly accessible plugin configuration endpoint at objects/plugins.json.php. This vulnerability enables complete bypass of authentication controls protecting sensitive API endpoints including user enumeration (users_list) and other privileged operations. Publicly available exploit code exists (proof-of-concept demonstrated in GitHub advisory GHSA-xr49-f4rh-qcjf). Upstream fix available via commit 1c36f229 but no tagged release version has been independently confirmed at time of analysis.

Authentication Bypass PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-43571 HIGH PATCH GHSA This Week

OpenClaw's channel setup catalog lookup mechanism allowed workspace plugins to shadow bundled channel plugins and bypass trust gates during setup-time plugin loading. Low-privileged authenticated attackers on the network can craft malicious workspace plugins that execute without the intended trust verification, enabling arbitrary code execution in the OpenClaw runtime. The vulnerability was responsibly disclosed by security researchers from Keen Security Lab and patched in version 2026.4.10. No public exploit identified at time of analysis, though the fix commit reveals the exact vulnerable lookup logic attackers would target.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-43884 HIGH PATCH GHSA This Week

Server-Side Request Forgery (SSRF) in AVideo versions up to 29.0 allows authenticated attackers to exfiltrate cloud metadata credentials and access internal services via HTTP redirect bypass and DNS rebinding attacks. Two endpoints in AVideo's AI plugin and EPG parser validate user-supplied URLs using isSSRFSafeURL() but then fetch them with file_get_contents() using PHP's default automatic redirect following. An attacker supplies a URL to a controlled server returning a 302 redirect to internal resources (e.g., AWS instance metadata at 169.254.169.254), bypassing SSRF protections since only the initial URL is validated. Vendor-released patch available via GitHub commit 603e7bf7. CVSS 7.7 reflects Changed Scope due to cross-boundary access to cloud infrastructure credentials.

Python SSRF PHP
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-42997 HIGH PATCH GHSA This Week

Credential forwarding vulnerability in OpenStack Ironic's idrac driver allows authenticated attackers to steal time-limited Keystone tokens or molds storage credentials by manipulating import operations. Attackers with low-privileged Ironic access can redirect these credentials to attacker-controlled endpoints, gaining unauthorized access to all OpenStack services that Ironic is authorized for. Fixed in versions 26.1.6, 29.0.5, 32.0.1, and 35.0.1. CVSS 7.7 with scope change (S:C) reflects the privilege escalation from Ironic-only access to full OpenStack service access.

Dell Information Disclosure Ironic
NVD VulDB
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-40934 HIGH PATCH GHSA This Week

Jupyter Server allows authenticated users to maintain indefinite access even after password changes due to persistent authentication cookie secrets stored in an unrotated file. An attacker who obtains a valid authentication cookie can continue using it to access the server with full privileges regardless of subsequent password resets or server restarts, affecting all Jupyter Server deployments using password authentication.

Information Disclosure Suse Red Hat
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.1%
CVE-2026-40110 HIGH PATCH GHSA This Week

Cross-Origin Resource Sharing (CORS) bypass in Jupyter Server <= 2.17.0 allows attackers controlling malicious subdomains to bypass origin validation and access sensitive notebook data. The vulnerability stems from incorrect use of Python's re.match() function in the allow_origin_pat configuration, which only anchors at the start of strings. An attacker registering a domain like 'trusted.example.com.evil.com' can pass validation intended only for 'trusted.example.com', enabling unauthorized cross-origin requests to Jupyter sessions. Fixed in version 2.18.0 via commits 057869a and 49b3439. No active exploitation or public POC identified at time of analysis.

Python Information Disclosure
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-35397 HIGH PATCH GHSA This Week

Authenticated users can access, modify, and delete files in sibling directories outside Jupyter Server's configured root_dir by exploiting a flawed string prefix check in path validation (CWE-22). Jupyter Server <=2.17.0 incorrectly uses startswith() validation, allowing attackers to traverse to directories like 'testtest/' when root is 'test/'. Publicly available exploit code exists. This primarily threatens multi-tenant deployments with predictable naming schemes (e.g., user1, user10-user19) where low-privileged users can escalate to access other users' workspaces. CVSS 7.1 reflects network-accessible attack requiring low privileges but high attack complexity; EPSS data not provided but real-world risk is significant for affected multi-tenant environments.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-43535 HIGH PATCH This Week

Authorization context reuse in OpenClaw's collect-mode queue batching allows attackers with low-privilege accounts to execute messages with elevated permissions inherited from subsequent higher-privileged senders. The vulnerability occurs when messages from multiple senders are batched together, causing earlier queued messages to execute under the authorization context of the final sender in the batch rather than their own. Vendor-released patch (version 2026.4.14) confirmed available via GitHub advisory GHSA-jwrq-8g5x-5fhm and commit 43d4be9. No public exploit identified at time of analysis.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
7.6
EPSS
0.0%
CVE-2026-42285 HIGH PATCH GHSA This Week

GoBGP v4.4.0 crashes with SIGSEGV panic when an unauthenticated remote BGP peer sends malformed UPDATE messages with inconsistent attribute lengths. The nil pointer dereference in AdjRib.Update (adj.go:127) causes complete process termination and loss of BGP service. Publicly available exploit code exists (POC in GitHub advisory GHSA-p3w2-64xm-833j). Vendor-released patch available in v4.5.0. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects the trivial remote exploitation of critical network infrastructure with no mitigating factors.

Denial Of Service Null Pointer Dereference Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-5100 HIGH This Week

SQL injection in AWP Classifieds plugin for WordPress versions up to 4.4.5 allows remote unauthenticated attackers to extract sensitive database contents via array key manipulation in the 'regions' parameter. The vulnerability stems from insufficient escaping of user input in search functionality, affecting the plugin's query integration and page search components. With CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) and no authentication required, this poses significant risk to WordPress sites running this classifieds plugin, though no public exploit or active exploitation has been identified at time of analysis.

SQLi WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-3359 HIGH This Week

Unauthenticated SQL injection in Form Maker by 10Web plugin allows remote attackers to extract sensitive database contents including user credentials, form submissions, and WordPress configuration data. The vulnerability affects all versions through 1.15.42 and requires no special configuration - any WordPress site running the plugin with default settings is exploitable. CVSS 7.5 (High) reflects network-based unauthenticated access with high confidentiality impact. EPSS data not provided; no CISA KEV listing identified, indicating no confirmed widespread exploitation at time of analysis. Patch available in version 1.15.43 per Trac changeset 3518461.

SQLi WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-3456 HIGH This Week

Unauthenticated SQL injection in GeekyBot WordPress plugin allows remote attackers to extract sensitive database contents via the 'attributekey' parameter. Affects all versions through 1.2.0. The CVSS 7.5 rating reflects network-based exploitation requiring no authentication or user interaction, with high confidentiality impact. Wordfence Threat Intelligence identified this vulnerability, with a patch committed in changeset 3474168. No active exploitation confirmed in CISA KEV at time of analysis, though the trivial attack complexity (AC:L) and unauthenticated vector (PR:N) make this a realistic target for automated scanning and exploitation.

SQLi WordPress
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-5192 HIGH This Week

Path Traversal in Forminator Forms plugin allows unauthenticated remote attackers to read arbitrary files from WordPress servers, potentially exposing database credentials, configuration files, and sensitive user data. Exploitation requires a publicly accessible form with File Upload field and specific 'Save and Continue' behavior settings enabled. CVSS 7.5 (High) with network vector and no authentication required. No CISA KEV listing or public exploit identified at time of analysis, suggesting limited active exploitation despite high theoretical severity.

WordPress Path Traversal File Upload
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42334 HIGH PATCH GHSA This Week

Authentication bypass in Mongoose 6.x-9.x allows remote attackers to inject malicious MongoDB query operators via the $nor clause when sanitizeFilter is enabled. The vulnerability exists because Mongoose's sanitizeFilter mechanism fails to recursively sanitize the $nor logical operator, allowing injection of operators like $ne, $gt, or $regex that bypass authentication checks or extract unauthorized data. This affects only applications that explicitly enable sanitizeFilter and pass unsanitized user input directly into query methods while relying on sanitizeFilter for protection. Vendor-released patches are available for all supported release lines. No public exploit identified at time of analysis, though exploitation is straightforward for affected configurations.

Authentication Bypass
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43891 HIGH PATCH GHSA This Week

Arbitrary local file disclosure in changedetection.io allows remote unauthenticated attackers to read sensitive system files via crafted backup archives. When a malicious backup ZIP is uploaded and restored, the application trusts attacker-controlled paths in the history.txt file, enabling reads of files like /etc/passwd, environment variables, application secrets, and mounted Docker volumes through the Preview UI or history API. This vulnerability (CVSS 7.5) affects all versions through 0.54.10, with fix available in 0.55.1. No active exploitation (KEV) confirmed, but a detailed proof-of-concept exists demonstrating the complete attack chain from backup modification to file exfiltration. EPSS data not available, but the combination of network attack vector, no authentication requirement, and public exploit code makes this a priority for immediate patching.

Python Docker RCE
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-43873 HIGH PATCH GHSA This Week

Unauthenticated information disclosure in AVideo CloneSite plugin (versions ≤29.0) leaks the installation's shared secret authentication key through an error message, enabling attackers to impersonate the victim installation to its federated clone server and trigger a full database dump into a publicly accessible directory. The vulnerability chains two flaws: cloneClient.json.php echoes the local myKey credential in HTTP responses to any unauthenticated request due to incorrect $argv handling in web contexts, and the remote cloneServer.json.php then accepts this leaked key to authenticate mysqldump operations without IP restrictions or access controls on the resulting dump files. Patch available via GitHub commit e6566f56. No evidence of active exploitation (not in CISA KEV); EPSS data not provided. CVSS 7.5 (AV:N/AC:L/PR:N/UI:N) reflects high confidentiality impact from direct credential exposure plus cross-site database access in federated deployments.

PHP Information Disclosure Nginx
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44167 HIGH PATCH GHSA This Week

Denial of service attacks against PHP applications using phpseclib can be triggered by providing maliciously crafted ASN.1 encoded files containing oversized Object Identifiers. The vulnerability bypasses a previous CVE-2024-27355 mitigation, allowing OID amplification attacks that exhaust server resources when processing untrusted X.509 certificates, PKCS8 keys, or other ASN.1 structures. Vendor-released patches are available across all affected major versions (1.x, 2.x, 3.x). CVSS 7.5 indicates network-exploitable, unauthenticated denial of service with no public exploit identified at time of analysis.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-66369 HIGH This Week

Denial of Service vulnerability in Samsung Exynos chipsets (980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, and modems 5123, 5300, 5400) allows remote unauthenticated attackers to crash devices by sending malformed 5G NR NAS registration accept messages. The flaw affects the Mobility Management (MM) component's message parser, triggering resource exhaustion (CWE-770) that disrupts cellular connectivity. CVSS 7.5 (High) with network attack vector and no prerequisites, though EPSS indicates only 0.02% exploitation probability and no public exploits identified at time of analysis.

Denial Of Service Samsung N A
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-42304 HIGH PATCH GHSA This Week

Remote denial of service in Twisted's DNS name decompression (twisted.names module) allows unauthenticated attackers to freeze the single-threaded reactor by sending a crafted TCP DNS packet with deeply chained compression pointers and thousands of questions. Publicly available exploit code exists. Despite high CVSS score (7.5), real-world impact is limited to applications using the twisted.names DNS server-not the broader Twisted framework. Vendor-released patch available in version 26.4.0rc2.

Denial Of Service Python Suse
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2024-52911 HIGH This Week

Bitcoin Core through 28.x has a security issue, the details of which are not disclosed. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-44028 HIGH PATCH This Week

Stack-to-heap overflow in Nix and Lix daemon's NAR parser enables local privilege escalation to root in multi-user installations. Low-privileged users with daemon access can trigger unbounded recursion in the coroutine-based parser to overwrite heap memory and achieve arbitrary code execution as the Nix daemon (root), provided ASLR can be bypassed. Vulnerability affects Nix 2.24.4-2.34.6 and Lix 2.93.0-2.95.1, with vendor-confirmed patches released across multiple version branches. CVSS vector indicates local attack with high complexity but cross-scope privilege escalation, consistent with the EPSS score suggesting targeted exploitation scenarios rather than mass scanning.

RCE Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4304 HIGH This Week

SQL injection in WeePie Cookie Allow plugin for WordPress versions ≤3.4.11 allows remote unauthenticated attackers to extract sensitive database contents via the 'consent' parameter. The vulnerability stems from insufficient SQL query preparation and parameter escaping, enabling attackers to append malicious SQL queries to existing database operations. EPSS data not available; no CISA KEV listing indicates targeted rather than widespread exploitation at time of analysis.

SQLi WordPress
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-7865 HIGH PATCH This Week

Command injection in Crestron Touchpanels (X60/X70 series) allows authenticated SSH users to execute arbitrary OS commands via control characters in a hidden console command's second argument. Discovered by Eugene Lim, this popen-based injection requires high privilege SSH access and high attack complexity. CVSS 7.4 with CVSS:4.0 metrics indicates network vector (AV:N) but requires high privileges (PR:H) and high complexity (AC:H), limiting real-world exploitation to scenarios where attackers have already compromised SSH credentials. Vendor patch available (firmware 3.003.0015.001). No active exploitation or public POC identified at time of analysis.

Command Injection Touchpanels X60 X70
NVD
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-29168 HIGH PATCH This Week

Uncontrolled resource consumption in Apache HTTP Server's mod_md module allows remote unauthenticated attackers to exhaust server resources via malformed OCSP response data, affecting versions 2.4.30 through 2.4.66. The vulnerability enables attackers to achieve confidentiality, integrity, and availability impacts with low complexity exploitation over the network. No active exploitation confirmed (not in CISA KEV), but the network-accessible attack surface and lack of authentication requirement make this a credible threat requiring prompt patching to version 2.4.67.

Denial Of Service Apache Suse Red Hat Apache HTTP Server
NVD VulDB
CVSS 3.1
7.3
EPSS
0.1%
CVE-2026-43939 HIGH PATCH GHSA This Week

Stored Cross-Site Scripting in YAFNET forum software allows authenticated attackers to inject arbitrary JavaScript into thread posts and replies that automatically executes in the browser of every user who views the affected thread. Affects YAFNET.Core versions ≤3.2.11 and 4.0.0-beta01 through 4.0.4. The payload triggers on page load without victim interaction, enabling session hijacking, credential theft, and account takeover of all viewers including administrators. Vendor-released patches are available (v3.2.12 and v4.0.5). No active exploitation confirmed by CISA KEV, though the attack requires only a standard forum account and proof-of-concept payload is documented in the GitHub advisory.

XSS
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-34462 HIGH PATCH This Week

Stack-based buffer overflow in Sandboxie-Plus ProcessServer handlers allows local authenticated attackers to execute arbitrary code as SYSTEM or crash the SbieSvc service. The vulnerability affects versions 1.17.2 and earlier, stems from unsafe wcscpy operations on unchecked WCHAR fields from service pipe requests, and has been patched in version 1.17.3. The service pipe's NULL DACL permits any local process to connect and trigger the flaw before authorization checks execute, enabling privilege escalation from low-privileged local accounts. No public exploit code identified at time of analysis, though the technical details in the GitHub advisory provide sufficient information for skilled attackers to develop exploits.

Stack Overflow Microsoft RCE Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-34461 HIGH PATCH This Week

Local privilege escalation to SYSTEM in Sandboxie-Plus 1.17.2 and earlier allows low-privileged interactive users to trigger stack buffer overflow in SbieSvc service via unauthenticated IPC, bypassing sandbox isolation controls. The vulnerability exists in the RunSbieCtrl handler which processes crafted messages before security checks and copies unbounded input into a 128-character stack buffer. Fixed in version 1.17.3. EPSS data unavailable; not listed in CISA KEV at time of analysis, but publicly disclosed via GitHub Security Advisory with technical details sufficient for exploit development.

Stack Overflow Microsoft RCE Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-43870 HIGH PATCH GHSA This Week

Path traversal vulnerability in Apache Thrift Node.js web_server.js (versions prior to 0.23.0) allows remote unauthenticated attackers to read arbitrary files, write to unauthorized locations, and potentially execute code. Disclosed via oss-security mailing list pre-NVD publication. EPSS score of 0.01% indicates low observed exploitation probability despite network-accessible attack vector and no authentication requirement. CISA SSVC framework classifies this as automatable with partial technical impact but no confirmed exploitation. Patch available in version 0.23.0.

Apache Java Path Traversal Node.js
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-43869 HIGH PATCH GHSA This Week

TLS hostname verification is disabled in Apache Thrift's Java TSSLTransportFactory implementation (versions prior to 0.23.0), allowing remote unauthenticated attackers to perform man-in-the-middle attacks against encrypted communications. The vulnerability enables interception and potential modification of data in transit with low attack complexity and no user interaction required. While EPSS shows minimal current exploitation activity (0.00%), CISA SSVC classifies this as automatable with partial technical impact, and a vendor patch is available in version 0.23.0.

Information Disclosure Apache Java Node.js Thrift
NVD VulDB
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-4803 HIGH This Week

Stored Cross-Site Scripting in Royal Elementor Addons WordPress plugin allows unauthenticated remote attackers to inject malicious scripts that execute in victim browsers. The vulnerability exists in all versions up to 1.7.1056 due to a publicly leaked static nonce that bypasses authentication checks for the wpr_update_form_action_meta AJAX endpoint. Combined with insufficient input sanitization on the 'status' parameter, attackers can inject persistent XSS payloads without authentication. EPSS data not provided; no CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

XSS WordPress Elementor
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-43874 HIGH PATCH GHSA This Week

Unauthenticated remote code execution in AVideo ≤29.0 allows attackers to inject and execute arbitrary JavaScript in the browsers of any logged-in users through a WebSocket message relay bypass. An attacker obtains a WebSocket token without authentication from plugin/YPTSocket/getWebSocket.json.php, connects to the WebSocket server, and sends a crafted message with autoEvalCodeOnHTML nested under the json field instead of msg. The incomplete server-side sanitization from prior fix c08694bf6 (GHSA-gph2-j4c9-vhhr) only strips autoEvalCodeOnHTML from $json['msg'], but the relay function msgToResourceId() preferentially selects $msg['json'] as the outbound message carrier. The payload bypasses sanitization, reaches the victim's browser via WebSocket relay, and executes through eval() at plugin/YPTSocket/script.js:573-575. Vendor-released patch: commit 9f3006f9a (recursive stripping across all message carriers). No public exploit identified at time of analysis, but the advisory includes functional proof-of-concept Python code.

PHP CSRF Python XSS RCE +2
NVD GitHub
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-43528 HIGH PATCH GHSA This Week

Authenticated configuration readers in OpenClaw gateway deployments can extract unredacted sensitive credentials through alias field bypass in versions prior to 2026.4.14. Attackers with legitimate config read permissions exploit sourceConfig and runtimeConfig alias fields to obtain provider API keys, gateway authentication tokens, and channel credentials that the redaction mechanism fails to sanitize. The vulnerability affects npm package 'openclaw' in gateway configurations where authenticated clients have config read access, confirmed fixed by vendor in version 2026.4.14 with patch commit 86734ef. CVSS 7.1 reflects network-accessible attack requiring low privileges with high confidentiality impact; no public exploit identified at time of analysis, though technical details published in GHSA-8372-7vhw-cm6q enable reproduction.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-43568 HIGH PATCH This Week

OpenClaw npm package versions 2026.4.5 through 2026.4.9 allow privilege escalation from write-scoped operators to administrator-level configuration access. Authenticated attackers with 'operator.write' gateway credentials can modify persistent memory dreaming settings via the /dreaming endpoint, bypassing intended admin-only restrictions. Vendor-released patch available (v2026.4.10); no active exploitation confirmed at time of analysis.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-43567 HIGH PATCH This Week

Path traversal in OpenClaw's screen_record tool allows authenticated users to write files outside workspace boundaries via crafted outPath parameters, bypassing filesystem security controls. OpenClaw versions before 2026.4.10 are affected. Vendor-released patch available (version 2026.4.10 and later, including current release 2026.4.14). No active exploitation confirmed (CISA KEV negative), but publicly documented vulnerability with working proof-of-concept code in GitHub commit diff. CVSS 7.1 with high integrity impact reflects potential for unauthorized file system modifications outside intended workspace scope.

Authentication Bypass Path Traversal Openclaw
NVD GitHub
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-42433 HIGH PATCH GHSA This Week

Authorization bypass in OpenClaw before 2026.4.10 allows low-privileged authenticated users with operator.write permissions to mutate persistent Matrix profile configurations that should require admin-level authority. Exploitation enables unauthorized modification of system-wide profile settings through message-tool paths, bypassing role-based access controls (CVSS:4.0 7.1 High, VI:H). Vendor patch available via GitHub commit fe0f686c. No confirmed active exploitation or public POC identified at time of analysis, with EPSS data not yet available for this 2026 CVE.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.0%
CVE-2026-43062 HIGH PATCH This Week

Type confusion in Linux kernel's Bluetooth L2CAP Enhanced Credit-Based Reconfiguration Response handler allows adjacent network attackers to trigger integrity violations and potential denial of service. The vulnerability affects kernel versions from 5.7 onwards (commit 15f02b910562) and has vendor patches available across stable branches (5.10.253, 5.15.203, 6.1.167, 6.6.130, 6.12.78, 6.18.20, 6.19.10, 7.0). EPSS score of 0.02% (7th percentile) indicates low observed exploitation probability, with no active exploitation confirmed by CISA KEV at time of analysis.

Information Disclosure Linux
NVD VulDB
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-43531 HIGH PATCH This Week

Environment variable injection in OpenClaw npm package versions before 2026.4.9 allows local attackers with low privileges to compromise application behavior through malicious workspace .env files. Attackers can redirect update sources to serve backdoored packages, modify gateway URLs and ClawHub resolution endpoints to intercept traffic, and override browser executable paths to launch attacker-controlled binaries. Vendor-released patch: version 2026.4.9, with fix also present in latest npm release 2026.4.14. No public exploit identified at time of analysis, but exploitation requires only an untrusted repository with a crafted .env file opened by a victim user.

Code Injection Openclaw
NVD GitHub
CVSS 4.0
7.0
EPSS
0.0%
CVE-2026-42600 MEDIUM PATCH GHSA This Month

Path traversal in MinIO's ReadMultiple internode storage-REST endpoint allows authenticated cluster peers or root-credential holders to read arbitrary files from the host filesystem outside configured drive roots. Distributed-erasure (multi-node) deployments are affected; single-node standalone deployments are not. The vulnerability exists in all releases from RELEASE.2022-07-24T01-54-52Z through RELEASE.2025-09-07T16-13-09Z and has been fixed as of MinIO AIStor RELEASE.2024-10-23T19-38-07Z (with security patch RELEASE.2026-04-14T21-32-45Z recommended). No public exploit code or active exploitation has been identified at time of analysis.

Kubernetes Microsoft Docker Apple Path Traversal
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-42841 MEDIUM PATCH GHSA This Month

Stored cross-site scripting in Grav CMS via Markdown media attribute injection allows authenticated page editors to inject executable JavaScript event-handler attributes into rendered image HTML. An editor can craft Markdown syntax like `![alt](image.gif?attribute=onload,alert(1))` which bypasses the attribute() media method's input validation and renders as `<img onload="alert(1)">`, executing arbitrary JavaScript in the browsers of any user viewing the affected page, including administrators and reviewers in multi-user installations. Publicly available patch confirmed in version 2.0.0-beta.2.

XSS PHP
NVD GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-43901 MEDIUM GHSA This Month

Arbitrary file write in wireshark-mcp up to version 1.1.5 allows remote attackers to write files to any filesystem location via prompt injection in pcap payloads that trigger the wireshark_export_objects MCP tool. The vulnerability exploits missing mandatory path restrictions when the WIRESHARK_MCP_ALLOWED_DIRS environment variable is not configured (default state). An attacker can craft a malicious pcap with embedded HTTP objects bearing filenames like authorized_keys, manipulate an AI model using the MCP server into calling export_objects with dest_dir=/home/user/.ssh/, and achieve SSH access, cron hijacking, or web shell placement. Publicly available proof of concept confirms exploitation against version 1.1.5 with tshark 4.6.4; no vendor-released patch exists at time of analysis.

Python Path Traversal
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-43875 MEDIUM PATCH GHSA This Month

Password hash exposure in AVideo's MobileManager OAuth redirect enables account takeover when unauthenticated attackers capture the redirect URL from server logs, browser history, or referrer leakage, then replay the hash via the login endpoint's encodedPass bypass. The vulnerability affects all users who authenticate through OAuth (Google, etc.) when the MobileManager plugin is enabled, including administrators, and requires only user interaction to trigger the initial OAuth flow-no active exploitation in the wild has been confirmed at analysis time, but a working proof-of-concept exists and patch has been released by the vendor.

PHP CSRF Google
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-42194 MEDIUM PATCH GHSA This Month

DNS rebinding in Admidio's SSO metadata fetch endpoint bypasses SSRF protections by validating a hostname's IP address with gethostbyname() but passing the original hostname to curl_init(), allowing attackers to redirect requests to internal services including cloud metadata endpoints. Authenticated administrators can exploit this TOCTOU window between DNS resolution check and cURL connection to access internal IP ranges, read instance metadata, or scan internal networks.

Python SSRF PHP
NVD GitHub
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-31893 MEDIUM PATCH This Month

Arbitrary file read as root via symlink following vulnerability in Tunnelblick versions 3.3beta26 through 9.0beta01 allows any local user to exploit tunnelblick-helper through the world-accessible tunnelblickd Unix socket to read arbitrary root-owned files. The vulnerability exists because tunnelblick-helper constructs paths to configuration files within user-controlled directories and reads them as root without validating symlinks, enabling attackers to redirect reads to sensitive files. Vendor-released patch available in version 9.0beta02. SSVC framework identifies this as exploitable with publicly available proof-of-concept code but not automatically exploitable.

Apple Information Disclosure
NVD GitHub VulDB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-44217 MEDIUM PATCH GHSA This Month

Event spoofing in sse-channel (npm) allows attackers to inject arbitrary Server-Sent Events (SSE) messages by passing unsanitized user input to the event, retry, or id fields, enabling client-side manipulation and data integrity violations. Affects sse-channel versions 4.0.0 and earlier; patched in v4.0.1. No public exploit code identified at time of analysis, but vulnerability is straightforward to exploit if user-controlled data reaches SSE field parameters.

Code Injection
NVD GitHub
CVSS 4.0
6.6
EPSS
0.0%
CVE-2026-4362 MEDIUM This Month

ElementsKit Elementor Addons plugin for WordPress versions up to 3.8.2 allows unauthenticated attackers to overwrite Elementor widget content via a missing capability check in the Live_Action::reset() function. By crafting a URL with specific GET parameters (post and action=elementor), attackers can permanently replace any elementskit_widget custom post type's design, text, and configurations with a blank template, causing data loss without requiring authentication or user interaction.

Authentication Bypass WordPress Elementor
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-5957 MEDIUM This Month

EmailKit plugin for WordPress versions up to 1.6.5 allows authenticated attackers with Author-level access to read arbitrary files from the server due to a path traversal vulnerability in the create_template() method. The vulnerability exploits a PHP 8.x type coercion flaw where realpath() returns false for non-existent directories, causing strpos() validation to incorrectly evaluate and bypass directory restrictions. Attackers can retrieve sensitive files such as wp-config.php by submitting absolute paths via the emailkit-editor-template REST API parameter. No public exploit code identified at time of analysis, though the vulnerability mechanism is trivial to weaponize once authentication is obtained.

PHP WordPress Path Traversal
NVD VulDB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-42314 MEDIUM PATCH GHSA This Month

Path traversal in PyLoad-ng package folder name sanitization allows authenticated users with ADD permission to write files outside the intended download directory via insufficient string replacement logic. The sanitizer replaces `../` with `_`, but the pattern `....//` bypasses this filter by becoming `.._` after replacement, leaving exploitable `..` sequences that the OS later resolves. CVSS 6.5 (network-accessible, low complexity, requires low-privilege authentication, high integrity impact). Publicly available proof-of-concept code demonstrates exploitation against default credentials.

Python Path Traversal
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-4409 MEDIUM This Month

Subscribe To Comments Reloaded plugin for WordPress up to version 240119 allows unauthenticated attackers to extract a global secret key from public post pages and forge authorization tokens, enabling unauthorized modification of comment subscription preferences for arbitrary users. The vulnerability stems from weak hash generation and key exposure, affecting all installations without authentication requirements. Active exploitation potential is high given the trivial access vector (network, no user interaction) and the ability to manipulate user subscription data.

Information Disclosure WordPress
NVD
CVSS 3.1
6.5
EPSS
0.0%
Prev Page 3 of 6 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy