Use-after-free in Zephyr's IPv4 IGMP implementation (igmp_send(), subsys/net/ip/igmp.c) allows a remote unauthenticated attacker to trigger undefined behavior and sporadic denial-of-service crashes on devices running Zephyr v2.6.0 through v4.4.0. The flaw arises because the network packet's interface pointer is re-read via net_pkt_iface(pkt) after net_send_data() may have already released the packet's last reference, returning the slab block to the free list. No public exploit code exists and the vulnerability is not in CISA KEV; however, the remote trigger path via IGMP membership queries (224.0.0.1) requires no authentication, and the analogous IPv6 MLD path (mld_send) carries the same unpatched pattern.
Local information disclosure in Oracle VM VirtualBox 7.2.8 via the VMSVGA virtual graphics device allows a high-privileged guest or host attacker to read a subset of VirtualBox-accessible data across the VM isolation boundary. The scope change (S:C) in the CVSS vector indicates the vulnerability crosses the hypervisor boundary, making it relevant to multi-tenant or shared virtualization deployments despite the low base score of 3.2. No public exploit has been identified and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog; Oracle addressed it in the June 2026 Critical Patch Update.
Information disclosure in the VMSVGA device component of Oracle VM VirtualBox 7.2.8 enables a highly privileged local attacker already present on the virtualization host to read a subset of VirtualBox-accessible data. The scope change (S:C) in the CVSS vector is the most operationally significant element - exploitation can impact components beyond the VirtualBox process itself, potentially reaching adjacent VMs or host resources. No public exploit code and no active exploitation have been identified at time of analysis; CVSS base score of 3.2 (Low) reflects limited confidentiality impact and a high privilege bar.
Unauthorized read access in Oracle VM VirtualBox 7.2.8's VMSVGA device component can be triggered by a locally authenticated, highly privileged attacker, resulting in a scope-change impact that may expose a subset of confidential data from resources beyond the guest VM boundary, potentially the host layer. Oracle's June 2026 Critical Patch Update describes the flaw as easily exploitable once the high-privilege prerequisite is met, though the constrained attack surface limits realistic exposure to administrative accounts with existing local host access. No public exploit code or active exploitation via CISA KEV has been identified at time of analysis; the low CVSS base score of 3.2 reflects the narrow confidentiality-only impact and strict access requirements.
Oracle VM VirtualBox 7.2.8 Core component exposes a local information disclosure path exploitable by a high-privileged attacker already logged on to the host infrastructure, resulting in unauthorized read access to a subset of VirtualBox-accessible data. The CVSS scope change (S:C) indicates the read impact may cross virtualization boundaries and affect additional products - such as guest VMs - beyond the VirtualBox process itself. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog, placing this in a low-urgency but operationally meaningful category for multi-tenant virtualization environments.
Stored XSS in the HTML session export feature of pi-coding-agent allows script execution in an exported document when a user clicks a crafted Markdown link. Affected npm packages (@mariozechner/pi-coding-agent 0.27.5–0.73.1 and @earendil-works/pi-coding-agent 0.74.0–0.78.0) either omitted URL scheme validation entirely or implemented a blocklist that could be defeated by prepending C0 control characters (bytes 0x00–0x1F), which browsers silently strip before navigation. No public exploit is identified at time of analysis and this vulnerability is not in CISA KEV; the CVSS score of 2.5 and local attack vector reflect the multi-step, user-dependent exploitation chain discovered and responsibly disclosed by CrowdStrike researchers.
OpenClaw before version 2026.5.26 exposes an exec allowlist bypass that lets authenticated operators with low privileges invoke unintended side effects through transparent command wrappers that circumvent allowlist validation at the wrapper layer. The root cause is CWE-184 (Incomplete List of Disallowed Inputs), where allowlist checks succeed at the surface request level but fail to constrain behavior triggered deeper in the wrapper execution path, yielding a limited but confirmed integrity impact on the vulnerable system. No public exploit code has been identified at time of analysis, and the CVSS 4.0 score of 2.3 reflects the constrained scope: exploitation requires authenticated operator access plus a specific attack target precondition.
Hook-based policy enforcement bypass in OpenClaw before 2026.5.6 allows authenticated low-privilege network attackers to route skill commands through a specific vulnerable dispatch path, causing before-tool-call hooks to be skipped entirely. This silently circumvents audit logging and policy enforcement mechanisms that defenders rely on to detect and govern tool invocation behavior within the framework. No public exploit code has been identified at time of analysis, and CVSS 4.0 rates this at 2.3 (Low) with specific attack requirements (AT:P), limiting real-world risk primarily to environments that actively depend on hook-based security controls.
Scope containment bypass in OpenClaw before 2026.4.25 allows authenticated operators to recover broader device access than their current authorization permits by exploiting a missing validation path in the device re-pairing flow. By sending re-pairing requests with empty scope sets, an operator can silently skip containment guards and retain or restore access to devices outside their assigned scope boundaries - an especially significant risk in multi-tenant or shared-operator deployments. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis.
Sender policy bypass in OpenClaw's BlueBubbles integration before version 2026.5.7 allows low-privileged conversation participants to impersonate allowlisted senders by manipulating conversation-level metadata rather than being validated against stable sender identity. An attacker who is already a participant in a conversation can craft or influence mutable conversation identifiers to match configured allowlist entries, causing the agent to respond to them as if they were an authorized sender and circumventing access controls. No public exploit code or active exploitation has been identified at time of analysis; the low CVSS score (2.3) and high attack complexity reflect real-world constraints.
Bootstrap token replay in OpenClaw before version 2026.5.12 permits callers holding a pending bootstrap token to resubmit that token with a broader scope than originally requested, bypassing intended pairing authority limits. The flaw, rooted in incorrect privilege assignment (CWE-266), exploits the gap between token issuance and administrative approval to escalate pairing access. No public exploit code has been identified and the vulnerability carries a CVSS 4.0 score of 2.3, reflecting significant mitigating factors including high attack complexity, a required target precondition, and passive user interaction - making this a low real-world priority outside environments with high-value pairing workflows.
Stored cross-site scripting in OpenClaw's session HTML export feature allows unsafe javascript: and data: URI schemes to survive into generated output files. All OpenClaw versions before 2026.5.12 are affected; exploitation requires a trusted operator to open an exported session HTML file and actively click a crafted link, at which point arbitrary JavaScript executes in their browser context. No public exploit has been identified at time of analysis and no CISA KEV listing exists; the CVSS 4.0 score of 2.1 reflects the narrow attack prerequisites and limited subsequent-system impact.
In Camera, there is a possible unauthorized way to access photos due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
In keymint, there is a possible Permission Bypass due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.