2026-07-17
Missing authorization in mosaxiv clawlet up to version 0.2.10 allows low-privileged remote attackers to list and remove cron jobs through the cron Chat Tool component without proper permission checks. The affected functions are list and remove in tools/tool_cron.go, enabling unauthorized enumeration and deletion of scheduled tasks. A public exploit exists via the project's GitHub issue tracker; the maintainer closed the report as 'not planned,' meaning no vendor patch is forthcoming.
Missing authentication on the executor_manager control-plane API in poco-ai/poco-claw through version 0.5.4 allows adjacent-network attackers to invoke the `create_task` endpoint without any credentials, enabling unauthorized task submission to the AI agent execution engine. The CVSS 4.0 vector (AV:A) confirms exploitation requires adjacency to the internal network segment hosting the executor manager service - it is not directly internet-exploitable. Public exploit code has been disclosed via GitHub issues #136/#137 and PR #135; no CISA KEV listing exists at time of analysis.
SQL injection in itsourcecode Hospital Management System 1.0 allows authenticated remote attackers to manipulate database queries via the `delid` parameter of `/prescriptionorderdetail.php`. An authenticated low-privilege user can extract, alter, or delete sensitive patient and prescription records stored in the backend database. A public exploit proof-of-concept is available on GitHub (E:P per CVSS 4.0), lowering the barrier to exploitation; however, no CISA KEV listing has been identified, and the overall impact is bounded to low-level confidentiality, integrity, and availability effects.
HCL DevOps Loop omits critical HTTP security response headers, degrading browser-enforced protections against clickjacking, MIME-type sniffing, and cross-site scripting for all users of the application. The absence of headers such as Content-Security-Policy, X-Frame-Options, and X-Content-Type-Options does not introduce a standalone exploit path but removes a layer of defense-in-depth that browsers rely on to block client-side attack chains. CVSS assigns a low score of 3.7 with high attack complexity, reflecting that meaningful impact requires chaining this weakness with a secondary technique; no public exploit has been identified and the vulnerability is not listed in CISA KEV.
Insecure file permissions on the HCL DFMPro (for CATIA), DFXAnalytics, and DFXServer installer executables allow any locally authenticated non-administrative user to overwrite or replace those binaries with malicious code. When a privileged user subsequently runs the tampered installer - during installation, upgrade, or reinstallation - the attacker's binary executes in the elevated context, completing a local privilege escalation. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; however, the vendor-reported CVSS 3.3 score materially understates the potential impact of a successful exploitation scenario.
Insufficient input validation in HCL DevOps Loop permits special characters in fields where they should be restricted, enabling authenticated network-accessible attackers under high-complexity conditions to trigger unintended application behavior resulting in limited information disclosure. The CVSS score of 3.1 (Low) reflects constrained real-world impact: exploitation requires prior authentication and specific conditions to materialize. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, indicating no confirmed active exploitation at time of analysis.
OpenClaw's QQBot media upload feature fails to enforce network-destination policy for lower-trust callers, enabling server-side requests to reach internal or blocked network addresses. Versions 2026.4.20 up to (but not including) 2026.5.28 are affected; the CVSS 4.0 score of 2.3 reflects that practical impact is tightly bounded by operator configuration - only subsequent-system confidentiality at a Low level is indicated (SC:L), with no direct impact to the vulnerable component itself. No public exploit code or active exploitation has been identified at time of analysis.
Broken access control in Grav Flex-Objects before 1.4.3 permits authenticated users holding only the api.access permission to perform full CRUD operations on directories lacking explicit permission configurations via the admin-next REST API. The vulnerability bypasses intended authorization controls (CWE-862) because the REST API fails to enforce object-level permission checks when no explicit policy is defined for a directory. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; however, the CVSS 4.0 AT:P metric confirms exploitation depends on the target instance containing permission-less directories, which may be common in default or lightly configured deployments.
Authorization bypass in OpenClaw before version 2026.5.18 allows authenticated low-privilege callers to exceed their intended permissions within the skill command dispatch subsystem. Exploiting misconfigured or reachable input paths, an attacker can circumvent tool policy restrictions and execute or persist actions at a higher trust level than authorized when the affected feature is active and reachable. No public exploit code or active exploitation has been identified; the CVSS 4.0 score of 2.3 reflects the specific preconditions required for successful exploitation.
Authorization bypass in OpenClaw MS Teams before 2026.5.12 allows authenticated lower-privileged users to escalate their effective permissions by spoofing display names that the `allowFrom` access-control feature trusts as immutable identifiers. The root flaw (CWE-290) is that the authorization decision is anchored to a mutable attribute - the display name - rather than a stable, non-spoofable identity token. No public exploit code and no CISA KEV listing have been identified at time of analysis; the CVSS 4.0 score of 2.3 reflects the limited blast radius and the attack requirement precondition.
Incorrect authorization in OpenClaw's ClickClack allowFrom feature permits a lower-trust, authenticated caller to exceed their intended permission boundary - executing or persisting non-allowlisted commands - on versions 2026.5.12 through before 2026.5.26. The flaw (CWE-863) is contingent on the ClickClack allowFrom feature being both enabled and reachable, which meaningfully limits the exploitable population. No public exploit exists and the vulnerability is not listed in CISA KEV; a CVSS 4.0 score of 2.3 reflects the constrained attack surface.
CSRF in grav-plugin-login before 3.8.11 allows a remote unauthenticated attacker to rotate a logged-in victim's TOTP secret by luring them to an attacker-controlled page that performs a top-level GET navigation to the Grav site's regenerate2FASecret task endpoint. Because Grav dispatches frontend tasks via GET URI parameters and the default SameSite=Lax session cookie policy permits cross-origin top-level GET navigations to carry cookies, the victim's authenticator app is silently invalidated, forcing 2FA re-enrollment - though the attacker gains no account access. No public exploit has been identified at time of analysis; CVSS 4.0 score is 2.3, reflecting genuinely low severity.
Prototype pollution in sagold json-schema-library 11.5.0 and 11.5.1 allows remote low-privileged attackers to corrupt the JavaScript Object prototype by supplying crafted schema definitions or input data containing reserved keys such as `__proto__` processed by the `parsePropertyDependencies` function. The CVSS 4.0 vector confirms low-privilege network exploitation with limited but real confidentiality, integrity, and availability impact; the E:P supplemental metric confirms proof-of-concept code exists. No CISA KEV listing is present, so confirmed mass exploitation is not established at time of analysis.