Skip to main content
CVE-2026-53819 HIGH PATCH GHSA This Week

Arbitrary code execution in OpenClaw before 2026.5.27 lets attackers hijack the Homebrew executable resolved during skill installation by planting a workspace-level .env file that overrides the trusted Homebrew path. The flaw, classified as CWE-426 (Untrusted Search Path), enables full system compromise when an operator installs a tampered skill. There is no public exploit identified at time of analysis, and the issue is not on the CISA KEV list.

RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-48059 HIGH PATCH GHSA This Week

Memory exhaustion in Netty's HAProxy PROXY protocol v2 codec (netty-codec-haproxy) allows remote unauthenticated attackers to permanently pin pooled ByteBuf memory by sending PROXY v2 headers containing nested PP2_TYPE_SSL TLVs at depth two or greater. Each malicious connection silently leaks native or heap memory on the successful parse path, enabling a sustained denial-of-service against any Netty-based server that terminates PROXY protocol traffic. No public exploit identified at time of analysis, and EPSS is low (0.04%), but the vendor advisory and fixed releases (4.1.135.Final, 4.2.15.Final) are published.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-48006 HIGH PATCH GHSA This Week

Memory exhaustion in Netty's RedisArrayAggregator handler (io.netty:netty-codec-redis) allows remote unauthenticated attackers to drain the JVM-wide direct-memory pool by repeatedly opening and closing Redis pipeline connections before RESP array aggregates complete. Affects netty-codec-redis 4.1.x through 4.1.134.Final and 4.2.0.Final through 4.2.14.Final; vendor patches are available in 4.1.135.Final and 4.2.15.Final. No public exploit identified at time of analysis, EPSS is low (0.04%), and the issue is not in CISA KEV.

Redis Information Disclosure
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-53817 HIGH PATCH GHSA This Week

Authentication bypass in OpenClaw before 2026.5.22 allows authenticated network attackers to spoof locality information during Control UI device pairing and escalate temporary shared access into durable, admin-capable device tokens that persist across token rotation. The flaw stems from insufficient locality-derived trust validation (CWE-290), enabling lateral conversion of low-privilege sessions into persistent administrative credentials. No public exploit identified at time of analysis, but a vendor patch and VulnCheck advisory are available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-53814 HIGH PATCH GHSA This Week

Privilege escalation in OpenClaw before 2026.5.20 allows attackers holding a valid hook token to invoke owner-only MCP tools through the /hooks/agent endpoint, because hook-triggered agent runs are incorrectly granted owner-scoped MCP loopback authority. Successful exploitation lets a low-privileged hook caller execute privileged actions such as modifying persistent cron state, with no public exploit identified at time of analysis.

Privilege Escalation Openclaw
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-3329 HIGH PATCH This Week

Credential-guessing attacks against Sonatype Nexus Repository Manager are enabled by missing rate-limiting on authentication endpoints, allowing remote unauthenticated attackers to brute-force or password-spray valid user accounts. The flaw stems from improper restriction of excessive authentication attempts (CWE-307) and carries a CVSS 4.0 base score of 8.7 reflecting high confidentiality impact; no public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Information Disclosure Nexus Repository Manager
NVD VulDB
CVSS 4.0
8.7
EPSS
0.2%
CVE-2026-53816 HIGH PATCH GHSA This Week

Authorization bypass in OpenClaw before 2026.5.18 allows a paired node to forge exec lifecycle events and obtain capabilities reserved for nodes holding system.run authorization. By sending crafted node.event messages, an attacker controlling any peered node can steer gateway sessions into exec-event paths and execute privileged operations, with no public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-53777 HIGH PATCH This Week

Path traversal in Perry (PerryTS) CLI versions before 0.5.1159 allows a malicious or compromised build server to write arbitrary files anywhere the Perry process can write, or exfiltrate arbitrary local files, by sending crafted artifact_name or download_path values in ArtifactReady WebSocket messages. No public exploit identified at time of analysis, but the upstream commit and tests confirm the issue and a patched release is available.

Path Traversal Perry
NVD GitHub
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-40999 HIGH PATCH This Week

Server-Side Request Forgery in Spring Web Services (versions 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1) allows remote unauthenticated attackers to coerce the server into initiating outbound HTTP connections to attacker-controlled or internal destinations by abusing WS-Addressing ReplyTo/FaultTo headers. The flaw stems from WebServiceMessageSender instances dispatching to destinations taken directly from SOAP request headers without validating that the targets are safe. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Java SSRF Spring Web Services
NVD VulDB HeroDevs
CVSS 3.1
8.6
EPSS
0.0%
CVE-2026-48547 HIGH PATCH This Week

Command injection in KanaDojo's GitHub Actions release workflow (release.yml) allows attackers who can land a pull request to execute arbitrary commands on the repository's CI runner. The version and changes fields of patchNotesData.json are interpolated unsanitized into a child_process.execSync() call, granting any merged malicious PR access to GITHUB_TOKEN and contents:write permissions. No public exploit identified at time of analysis, but the supply-chain blast radius is significant for downstream KanaDojo consumers.

Command Injection Kana Dojo
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-48546 HIGH PATCH This Week

Sandbox escape leading to remote code execution affects KanaDojo (lingdojo/kana-dojo) before version 0.1.18, where the issue-auto-respond.yml GitHub Actions workflow passes the global require function into a Node.js vm.runInNewContext() sandbox. An attacker submitting a pull request that modifies messages.cjs can load arbitrary Node.js modules from within the sandbox and gain code execution on the Actions runner with access to AUTOMATION_PR_TOKEN. No public exploit identified at time of analysis, though the VulnCheck advisory documents the exploitation primitive in detail.

RCE Node.js Kana Dojo
NVD GitHub VulDB
CVSS 4.0
8.5
EPSS
0.1%
CVE-2026-45174 HIGH PATCH This Week

Local privilege/integrity compromise in CyberArk Idira Endpoint Privilege Manager Linux Agent versions prior to 26.5 allows an authenticated local attacker to interfere with the agent daemon's initialization sequence, potentially undermining the endpoint privilege controls the product is meant to enforce. The CVSS 4.0 score of 8.5 reflects high impact on confidentiality, integrity, and availability of the vulnerable system, though exploitation requires existing local access with low privileges. No public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Information Disclosure Idira Endpoint Privilege Manager
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-45175 HIGH PATCH This Week

Local privilege escalation and self-defense bypass in CyberArk (Palo Alto Networks) Idira Endpoint Privilege Manager Agent versions prior to 26.5 allows an authenticated local attacker to circumvent internal cryptographic validation and agent tamper-protection controls. Successful exploitation lets the attacker disable EPM enforcement and execute unauthorized operations on the endpoint, undermining the very privilege-management protections the product is meant to provide. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Authentication Bypass Idira Endpoint Privilege Manager
NVD VulDB
CVSS 4.0
8.5
EPSS
0.0%
CVE-2026-45178 HIGH PATCH This Week

Improper access control in CyberArk Conjur Enterprise (Idira Secrets Manager Self-Hosted) versions 13.8.0 and earlier allows authenticated attackers with standard node-level credentials to abuse internal cluster endpoints to retrieve unauthorized secrets or trigger denial of service. The flaw is rated CVSS 4.0 base 8.4 with high confidentiality impact extending to subsequent systems, but no public exploit identified at time of analysis. CyberArk has published Security Bulletin CA26-20 alongside fixed releases.

Authentication Bypass Denial Of Service Conjur Enterprise
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-45173 HIGH PATCH This Week

Origin validation failure in CyberArk's Idira Identity Browser Extension for Chrome, Firefox, and Edge (versions prior to 26.8.1) allows a remote attacker to abuse an authenticated user's browser session by luring them to a malicious page. Per CyberArk bulletin CA26-21, the extension's internal web-page verification routine fails to correctly enforce origin checks (CWE-346), enabling unauthorized application interaction in the victim's identity context. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high confidentiality impact and subsequent-system impact via the identity SaaS the extension brokers.

Mozilla Authentication Bypass Google Identity Browser Extensions
NVD VulDB
CVSS 4.0
8.4
EPSS
0.1%
CVE-2026-12031 HIGH PATCH This Week

Sandbox escape in Google Chrome on Windows prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the Chromium sandbox via a crafted HTML page abusing the Views UI framework. Chromium rates the severity High, and no public exploit is identified at time of analysis, but sandbox-escape primitives are routinely chained with renderer RCE bugs into full browser compromise on Windows endpoints.

Microsoft Google Information Disclosure Suse Red Hat
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12030 HIGH PATCH This Week

Sandbox escape in Google Chrome on Android prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox through a heap-based out-of-bounds write in the GPU process triggered by a crafted HTML page. Chromium rates the severity High and a vendor patch is available, but no public exploit has been identified at time of analysis. The CVSS 8.3 score reflects the chained nature of the attack (compromised renderer required) combined with full impact across confidentiality, integrity, and availability.

Heap Overflow Google Buffer Overflow Suse Red Hat
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12029 HIGH PATCH This Week

Use after free in Video in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Microsoft Use After Free Memory Corruption Denial Of Service Google +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12028 HIGH PATCH This Week

Use after free in GPU in Google Chrome on Android prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Use After Free Memory Corruption Denial Of Service Suse +1
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12023 HIGH PATCH This Week

Use after free in GPU in Google Chrome on Mac prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Google Use After Free Memory Corruption Denial Of Service Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12008 HIGH PATCH This Week

Use after free in DigitalCredentials in Google Chrome prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Google Use After Free Memory Corruption Denial Of Service
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12034 HIGH PATCH This Week

Insufficient validation of untrusted input in Linux Toolkit Theming in Google Chrome on Linux prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a malicious file. (Chromium security severity: High)

Google Information Disclosure Suse Red Hat
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12016 HIGH PATCH This Week

Sandbox escape in Google Chrome's DevTools component before version 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page. Rated High severity by Chromium with a CVSS of 8.3, this is a second-stage vulnerability typically chained with a renderer RCE bug. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Google Information Disclosure
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12009 HIGH PATCH This Week

Sandbox escape in Google Chrome on macOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the browser sandbox via a crafted HTML page that exercises the Accessibility subsystem. Chromium rates the issue Critical severity; no public exploit identified at time of analysis, and the flaw is not on the CISA KEV list. The bug is reachable only after a prior renderer compromise and requires user interaction, which limits drive-by exploitation but makes it a key second-stage primitive in a full browser chain.

Google Information Disclosure Suse Red Hat
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12019 HIGH PATCH This Week

Sandbox escape in Google Chrome on Linux and ChromeOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a heap buffer overflow in the Codecs component triggered by a crafted HTML page. Google rates the underlying issue as High severity and a vendor patch is available, but no public exploit is identified at time of analysis and the bug is not listed in CISA KEV. Exploitation is conditional on chaining with a prior renderer compromise, which raises real-world complexity.

Google Memory Corruption Buffer Overflow Suse Red Hat
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12011 HIGH PATCH This Week

Use after free in WebMIDI in Google Chrome on Windows prior to 149.0.7827.115 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Microsoft Use After Free Memory Corruption Denial Of Service Google +2
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12010 HIGH PATCH This Week

Sandbox escape in Google Chrome on Android prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a crafted HTML page that triggers a heap buffer overflow in the GPU process. Chromium rates this severity Critical, and while no public exploit identified at time of analysis, the bug is part of a classic two-stage exploitation chain typically used in browser zero-day exploits. Patch is available from vendor in Chrome 149.0.7827.115 and later.

Heap Overflow Google Buffer Overflow Suse
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-12022 HIGH PATCH This Week

Sandbox escape in Google Chrome on macOS prior to 149.0.7827.115 allows a remote attacker who has already compromised the renderer process to break out of the sandbox via a race condition in Safe Browsing handling of a malicious file. Chromium rates the issue High severity and a vendor patch is available, though no public exploit has been identified at time of analysis.

Race Condition Google Information Disclosure Suse Red Hat
NVD VulDB
CVSS 3.1
8.3
EPSS
0.1%
CVE-2026-8464 HIGH PATCH This Week

Arbitrary file disclosure in Golem OEE MES (Neuron Soft) before 11.6.0 lets an unauthenticated attacker on the same local network read any file readable by the server process by manipulating HTTP request paths. Reported by CERT-PL with no public exploit identified at time of analysis, the issue is fixed in 11.6.0 and carries a CVSS 4.0 base score of 8.3 driven by adjacent-network access and high confidentiality impact extending beyond the application.

Path Traversal Golem Oee Mes
NVD VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-9694 MEDIUM POC PATCH This Month

Content injection via Service Desk email template processing in GitLab CE/EE allows an unauthenticated attacker to impersonate the GitLab Support Bot and inject arbitrary content into issue threads. The vulnerability affects all GitLab instances running versions from 15.9 through 19.0.1 with the Service Desk feature active, and stems from improper neutralization of substitution characters (CWE-153) in email template rendering. A publicly available exploit exists on HackerOne, though no active exploitation has been confirmed by CISA KEV; the official CVSS score of 2.6 reflects the high attack complexity and limited integrity-only impact.

Gitlab Code Injection
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6277 MEDIUM POC PATCH This Month

Incorrect authorization enforcement in GitLab Enterprise Edition allows an authenticated user holding the Security Manager role to manage project security configurations even when the relevant security feature has been administratively disabled. Affecting all EE versions from 13.9 through the patched releases (18.10.8, 18.11.5, 19.0.2), the flaw bypasses the feature-disabled gate by failing to validate feature state alongside role-based permissions. No public exploit is confirmed as actively exploited (not in CISA KEV), though a publicly available HackerOne exploit report exists, and EPSS data was not provided in available intelligence.

Gitlab Authentication Bypass
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-12014 HIGH PATCH This Week

Use after free in Cast in Google Chrome prior to 149.0.7827.115 allowed an attacker on the local network segment to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: High)

Google Use After Free Memory Corruption Denial Of Service
NVD VulDB
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-47189 HIGH PATCH This Week

Cross-tenant AutoMod rule deletion in Quest Bot (Discord bot) prior to 1.0.5 lets a user with Manage Server permission in any guild delete AutoMod rules belonging to other guilds. The flaw stems from looking up rules by global database ID without verifying guild ownership, and rule IDs are discoverable via the bot's autocomplete feature. No public exploit identified at time of analysis, but the GitHub Security Advisory and patched release v1.0.5 are public.

Authentication Bypass Quest Bot
NVD GitHub VulDB
CVSS 4.0
8.3
EPSS
0.0%
CVE-2026-48109 HIGH PATCH GHSA This Week

Denial-of-service in MessagePack-CSharp's optional LZ4 decompression path (Lz4Block and Lz4BlockArray modes) allows remote unauthenticated attackers to crash .NET applications that deserialize untrusted MessagePack payloads. A crafted payload with manipulated LZ4 token/length fields triggers an out-of-bounds read raising an AccessViolationException, and may also leak limited adjacent memory before the process dies. No public exploit identified at time of analysis, but the vendor has published an advisory (GHSA-hv8m-jj95-wg3x) with patched releases 2.5.301 and 3.1.7.

Deserialization Denial Of Service
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-49982 HIGH POC PATCH GHSA This Week

Path traversal in node-tmp 0.2.6 allows remote attackers to create files or directories outside the temp directory by supplying non-string `prefix`, `postfix`, or `template` values (arrays, Buffers, or objects) whose `includes('..')` check returns falsy but whose string coercion contains `../`. The 0.2.6 `_assertPath` guard checks only strings, so JSON body fields or `qs`-parsed bracket arrays such as `?prefix[]=..` bypass it and write at attacker-controlled paths with host-process privileges. No public exploit identified at time of analysis, but the bypass pattern is trivial and the library is widely used in Node.js applications.

Authentication Bypass Node.js Node Tmp Suse
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-40998 HIGH PATCH This Week

XML External Entity (XXE) exposure in Spring Web Services' Jaxp13XPathTemplate allows remote attackers to abuse XPath evaluation over StreamSource and SAXSource inputs because the underlying parser falls back to the JDK's default DocumentBuilderFactory rather than Spring's hardened configuration. Affected versions span the 3.1.x, 4.0.x, 4.1.x and 5.0.x release lines, and while no public exploit was identified at time of analysis, the CVSS 8.2 vector (AV:N/AC:L/PR:N/UI:N) indicates that any service that feeds untrusted XML through this template can be reached by unauthenticated remote attackers. The flaw was reported by VMware/Spring and is tracked in the official Spring security advisory.

Java XXE Spring Web Services
NVD VulDB HeroDevs
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-40994 HIGH PATCH This Week

Insecure default initialization in Spring Web Services' Wss4jSecurityInterceptor disables WSS4J BSP (WS-I Basic Security Profile) enforcement on inbound RequestData, allowing remote attackers to submit SOAP messages that violate BSP-mandated WS-Security rules. Affected versions span 3.1.0-3.1.8, 4.0.0-4.0.18, 4.1.0-4.1.3, and 5.0.0-5.0.1, with no public exploit identified at time of analysis. The CVSS 8.2 score reflects high integrity impact because protocol-level cryptographic checks expected by downstream consumers are silently weakened.

Java Information Disclosure Spring Web Services
NVD HeroDevs VulDB
CVSS 3.1
8.2
EPSS
0.0%
CVE-2026-50633 HIGH PATCH This Week

Remote code execution in Apache CXF's JCA integration module allows attackers to achieve arbitrary code execution via JNDI injection when they can manipulate the JCA deployment descriptor (ra.xml) or runtime activation parameters. Affected versions span Apache CXF 4.2.0 to before 4.2.2, and all versions prior to 4.1.7. Despite a CVSS of 8.1, there is no public exploit identified at time of analysis and EPSS sits at 0.04%, suggesting limited near-term exploitation likelihood.

Apache RCE Cxf
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-50632 HIGH PATCH This Week

Remote code execution in Apache CXF versions 4.2.0 through 4.2.1 and all versions prior to 4.1.7 can occur when untrusted users are permitted to configure JMS transport, representing a third attempt to fully address the original advisory CVE-2026-44417. With no public exploit identified at time of analysis and an EPSS score of 0.04%, near-term mass exploitation appears unlikely, but the SSVC technical impact is rated total and the flaw is deemed automatable once weaponized.

Apache RCE Cxf
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-11816 HIGH PATCH This Week

Path traversal in Keras archive extraction utilities prior to version 3.14.0 allows remote attackers to write files outside the intended extraction directory when a victim loads a malicious model archive. The flaw stems from validating archive member paths against the process current working directory rather than the actual extraction destination, which collapses to the filesystem root in common Docker, CI/CD, and Jupyter setups. No public exploit identified at time of analysis, but the upstream fix and a Huntr bounty disclosure make targeted exploitation against ML pipelines plausible.

Path Traversal Python Docker Keras
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-7787 HIGH PATCH This Week

Insecure direct object reference (IDOR) in IBM Langflow OSS 1.0.0 through 1.9.1 allows an authenticated user to read or modify sensitive resources belonging to other users by manipulating object identifiers. The flaw carries a CVSS 8.1 (High) rating due to high confidentiality and integrity impact over the network, though EPSS exploitation probability remains low at 0.04% and there is no public exploit identified at time of analysis. SSVC classifies exploitation as 'none' but flags the issue as automatable with partial technical impact, indicating defenders should still prioritize patching given the trivial attack complexity.

Authentication Bypass IBM Langflow Oss
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-12012 HIGH PATCH This Week

Use after free in Network in Google Chrome prior to 149.0.7827.115 allowed an attacker in a privileged network position to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)

Google Use After Free Memory Corruption Denial Of Service
NVD VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-46622 HIGH PATCH This Week

Plaintext credential exposure in SolidInvoice open-source invoicing platform prior to 2.3.17 allows any actor with read access to the application database to harvest every user's REST API token directly from the api_tokens table. Because tokens are stored unhashed, secondary exposures such as SQL injection, stolen backups, replicated databases, or insider access become full account-takeover paths against the API. No public exploit is identified at time of analysis and the issue is not listed in CISA KEV, but the patch in 2.3.17 (commit 8645391) introduces HMAC-SHA256 token hashing keyed by SOLIDINVOICE_APP_SECRET.

SQLi Solidinvoice
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-41700 HIGH PATCH This Week

Cross-Site WebSocket Hijacking in Spring for GraphQL allows remote attackers to execute arbitrary GraphQL operations under an authenticated victim's identity when the application has enabled the GraphQL WebSocket transport. The flaw stems from missing origin validation on WebSocket handshakes (CWE-346), affecting Spring for GraphQL 1.0.x, 1.3.x, 1.4.x, and 2.0.x branches up to 2.0.3. No public exploit identified at time of analysis, but the high CVSS (8.1) and reliance only on a single victim click make this a meaningful risk for any deployment exposing the WebSocket endpoint.

Java Information Disclosure Spring For Graphql
NVD VulDB HeroDevs
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-46489 HIGH PATCH This Week

Stored cross-site scripting in SolidInvoice prior to 2.3.17 allows an authenticated administrator to upload a malicious SVG as the company logo, with the file's contents being base64-encoded and injected unescaped into every page of the application. The embedded JavaScript executes in every authenticated user's browser session, enabling session hijacking and privileged action abuse across the tenant. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

XSS Solidinvoice
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-31272 HIGH PATCH This Week

Privilege escalation in Apple macOS Sequoia prior to 15.4 allows a locally executing application to bypass launch constraint protections and run malicious code with elevated privileges. The flaw, reported by Apple and tracked as EUVD-2025-210116, carries CVSS 7.8 (local, low complexity, low privileges) and CWE-269 improper privilege management, with no public exploit identified at time of analysis and CISA SSVC marking exploitation status as 'none'.

Privilege Escalation Apple
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-10847 HIGH This Week

Local privilege escalation in Check Point Identity Agent Full for Windows allows an authenticated local user to execute arbitrary code with SYSTEM privileges through improper executable resolution during the log collection process. The flaw is a classic CWE-427 uncontrolled search path issue, and no public exploit has been identified at time of analysis. Exploitation is constrained to attackers who already have a foothold on the endpoint but provides a reliable path to full SYSTEM compromise.

Checkpoint Privilege Escalation Microsoft RCE
NVD VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-53806 HIGH PATCH GHSA This Week

Command execution bypass in OpenClaw before 2026.5.12 lets low-privileged remote users smuggle inline shell content past exec allowlist revalidation by combining POSIX shell flags into a single argument. The flaw exists because parsing logic treats grouped option characters differently from discrete flags, enabling unintended command paths when the affected exec feature is enabled. No public exploit identified at time of analysis, but the issue was reported by VulnCheck and a vendor advisory plus patch are available.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.1%
CVE-2026-53810 HIGH PATCH GHSA This Week

Arbitrary code execution in OpenClaw before 2026.5.18 allows operators with trusted marketplace access to redirect extension loading to unscanned package payloads, bypassing the platform's security scanning controls. The flaw stems from improper validation of runtime extension metadata (CWE-829), and while no public exploit has been identified at time of analysis, a vendor patch is available via GHSA-v6r2-jh58-xx6w and VulnCheck has tagged it as RCE.

RCE Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-53807 HIGH PATCH This Week

Authorization bypass in OpenClaw prior to 2026.5.6 allows authenticated Telegram users to circumvent the commands.allowFrom sender allowlist by invoking interactive callbacks that mark the caller as authorized before validation runs. Reported by VulnCheck with a vendor patch available, this CWE-863 flaw lets attackers execute restricted command behaviors outside configured Telegram sender restrictions, though no public exploit identified at time of analysis.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
7.7
EPSS
0.0%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy