Skip to main content

CWE-183

Permissive List of Allowed Inputs

31 CVEs Avg CVSS 6.7 MITRE
2
CRITICAL
13
HIGH
14
MEDIUM
2
LOW
4
POC
0
KEV

Monthly

CVE-2026-59802 MEDIUM PATCH This Month

Cross-site scripting via data URI injection in PasswordPusher before 2.8.1 allows unauthenticated attackers to create URL pushes containing data:text/html payloads that execute arbitrary JavaScript in victims' browsers under the trusted PasswordPusher origin. The root cause is the valid_url function accepting data: URI schemes as valid URLs, meaning any attacker with push creation access can craft a link that, when clicked by a recipient, renders attacker-controlled HTML and JavaScript within the trusted application domain - enabling convincing phishing pages or session cookie harvesting. No public exploit has been identified at time of analysis, but a vendor-released patch (2.8.1) is available per the GitHub security advisory.

Information Disclosure Passwordpusher
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.2%
CVE-2026-50189 HIGH PATCH This Week

Authenticated command execution in Appsmith versions prior to 2.1 lets any administrator run arbitrary OS commands inside the application's Docker container. The bundled supervisord exposes an XML-RPC management interface on port 9001, which Appsmith's Caddy reverse proxy publishes externally at /supervisor/* on the public ingress; combined with the supervisord password being readable through GET /api/v1/admin/env, an admin can authenticate to supervisord and abuse twiddler.addProgramToGroup to spawn programs that execute shell commands. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV. Fixed in 2.1.

Information Disclosure Docker Appsmith
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.2%
CVE-2026-46608 PyPI HIGH PATCH GHSA This Week

Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.

Grafana Docker Python Authentication Bypass Kubernetes +1
NVD GitHub
CVSS 3.1
7.4
EPSS
0.4%
CVE-2026-8918 HIGH This Week

Local privilege abuse in ASUS Armoury Crate (versions up to and including 6.4.12) allows a local administrator to bypass input validation and perform arbitrary kernel memory read/write or trigger a system crash (BSOD). The flaw is reported by ASUS and tracked as EUVD-2026-38205; no public exploit identified at time of analysis. CVSS 4.0 base score is 7.1 with high attack complexity and high privileges required, reflecting that exploitation needs an existing administrative foothold.

Denial Of Service Armoury Crate
NVD VulDB
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-54316 npm MEDIUM PATCH GHSA This Month

Out-of-band data exfiltration in Claude Code (npm/@anthropic-ai/claude-code versions 0.2.54 through 2.1.162) allows a prompt-injection attacker to silently exfiltrate files, environment variables, and command output by exploiting a pre-approved bare hostname bypass in the WebFetch tool. Because huggingface.co was whitelisted at the hostname level only, any path on that domain - including attacker-controlled model repository paths - was auto-approved without triggering a permission prompt and without being constrained by --allowedTools restrictions. The prerequisite is the ability to inject untrusted content into a Claude Code context window (e.g., via a malicious README, dependency file, or data file read during a session); no public exploit code has been identified at time of analysis, and the vulnerability has been patched in version 2.1.163.

Code Injection
NVD GitHub VulDB
CVSS 4.0
6.0
EPSS
0.4%
CVE-2026-11525 npm LOW PATCH GHSA Monitor

SameSite attribute parsing in undici's cookie implementation uses substring matching instead of the case-insensitive exact match required by RFC 6265, enabling a malicious or non-compliant upstream server to silently downgrade a cookie's SameSite enforcement to a more permissive value. All undici installations from v5.15.0 onward through the unpatched release branches are affected when consuming Set-Cookie headers via undici's fetch or proxy code paths and forwarding or relying on the parsed sameSite attribute. No public exploit has been identified and no CISA KEV listing exists at time of analysis; however, the integrity impact is concrete in architectures where SameSite policy enforcement is delegated to the parsed cookie attribute.

Information Disclosure Undici
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.2%
CVE-2026-3490 PyPI CRITICAL PATCH GHSA Act Now

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked function past its scanner using pkgutil.resolve_name as an indirection primitive. Because pkgutil.resolve_name is not on the blocklist, an attacker can chain two REDUCE opcodes to resolve and invoke os.system, builtins.exec, subprocess.call, or any other dangerous function while the scanner reports the pickle as CLEAN - a universal blocklist bypass that defeats picklescan's entire safety premise. No public exploit is identified in CISA KEV, but the GHSA advisory authored by VulnCheck publishes a complete working technique, so weaponization is trivial.

RCE Picklescan
NVD GitHub
CVSS 4.0
10.0
EPSS
0.6%
CVE-2026-46391 npm HIGH PATCH GHSA This Week

Credential theft via SSRF in HAX open-apis (npm @haxtheweb/open-apis) before version 26.0.0 allows remote unauthenticated attackers to capture HTTP Basic authentication intended for hard-coded trusted domains. The flaw stems from substring-only hostname validation in cacheAddress.js, JOSHelpers.js, and elmslnToSite.js, which lets an attacker craft a URL containing the trusted substring but pointing to attacker infrastructure. A proof-of-concept exists and the maintainer confirmed the leaked credentials grant access to unreleased LMS content on downstream systems, though no public exploitation has been observed.

Information Disclosure
NVD GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-44111 npm LOW PATCH Monitor

OpenClaw before version 2026.4.15 allows authenticated users with access to the memory tool to read arbitrary Markdown files within the workspace root by bypassing path restrictions in the QMD backend's memory_get function. The vulnerability enables attackers to access workspace Markdown files outside canonical memory locations or indexed QMD result sets, effectively circumventing the intended memory-path policy. No public exploit code or active exploitation has been identified.

Canonical Authentication Bypass
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-43574 npm MEDIUM PATCH This Month

OpenClaw before version 2026.4.12 contains an improper authorization flaw in helper-backed channels where empty resolved approver lists are incorrectly interpreted as explicit approval authorization. Authenticated attackers who know an approval ID can resolve pending approvals without proper authorization by exploiting this logic error, bypassing intended sender authorization checks. This vulnerability has a CVSS score of 6.5 (medium) with network attack vector and requires only low privileges, though no public exploit code or active exploitation has been identified.

Information Disclosure Openclaw
NVD GitHub
CVSS 4.0
6.0
EPSS
0.0%
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

Cross-site scripting via data URI injection in PasswordPusher before 2.8.1 allows unauthenticated attackers to create URL pushes containing data:text/html payloads that execute arbitrary JavaScript in victims' browsers under the trusted PasswordPusher origin. The root cause is the valid_url function accepting data: URI schemes as valid URLs, meaning any attacker with push creation access can craft a link that, when clicked by a recipient, renders attacker-controlled HTML and JavaScript within the trusted application domain - enabling convincing phishing pages or session cookie harvesting. No public exploit has been identified at time of analysis, but a vendor-released patch (2.8.1) is available per the GitHub security advisory.

Information Disclosure Passwordpusher
NVD GitHub VulDB
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Authenticated command execution in Appsmith versions prior to 2.1 lets any administrator run arbitrary OS commands inside the application's Docker container. The bundled supervisord exposes an XML-RPC management interface on port 9001, which Appsmith's Caddy reverse proxy publishes externally at /supervisor/* on the public ingress; combined with the supervisord password being readable through GET /api/v1/admin/env, an admin can authenticate to supervisord and abuse twiddler.addProgramToGroup to spawn programs that execute shell commands. There is no public exploit identified at time of analysis, and it is not listed in CISA KEV. Fixed in 2.1.

Information Disclosure Docker Appsmith
NVD GitHub VulDB
EPSS 0% CVSS 7.4
HIGH PATCH This Week

Cross-origin data exposure in Glances XML-RPC server (versions 4.5.3 through 4.5.4) allows any malicious web page to read full system monitoring data from a victim's browser because the CORS allowlist silently collapses to 'Access-Control-Allow-Origin: *' whenever two or more origins are configured. This is an incomplete fix for CVE-2026-33533: the CORS header is computed once at startup and never validated against the request's Origin. Publicly available exploit code exists in the GHSA advisory, but there is no public exploit identified at time of analysis as actively exploited.

Grafana Docker Python +3
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

Local privilege abuse in ASUS Armoury Crate (versions up to and including 6.4.12) allows a local administrator to bypass input validation and perform arbitrary kernel memory read/write or trigger a system crash (BSOD). The flaw is reported by ASUS and tracked as EUVD-2026-38205; no public exploit identified at time of analysis. CVSS 4.0 base score is 7.1 with high attack complexity and high privileges required, reflecting that exploitation needs an existing administrative foothold.

Denial Of Service Armoury Crate
NVD VulDB
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

Out-of-band data exfiltration in Claude Code (npm/@anthropic-ai/claude-code versions 0.2.54 through 2.1.162) allows a prompt-injection attacker to silently exfiltrate files, environment variables, and command output by exploiting a pre-approved bare hostname bypass in the WebFetch tool. Because huggingface.co was whitelisted at the hostname level only, any path on that domain - including attacker-controlled model repository paths - was auto-approved without triggering a permission prompt and without being constrained by --allowedTools restrictions. The prerequisite is the ability to inject untrusted content into a Claude Code context window (e.g., via a malicious README, dependency file, or data file read during a session); no public exploit code has been identified at time of analysis, and the vulnerability has been patched in version 2.1.163.

Code Injection
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

SameSite attribute parsing in undici's cookie implementation uses substring matching instead of the case-insensitive exact match required by RFC 6265, enabling a malicious or non-compliant upstream server to silently downgrade a cookie's SameSite enforcement to a more permissive value. All undici installations from v5.15.0 onward through the unpatched release branches are affected when consuming Set-Cookie headers via undici's fetch or proxy code paths and forwarding or relying on the parsed sameSite attribute. No public exploit has been identified and no CISA KEV listing exists at time of analysis; however, the integrity impact is concrete in architectures where SameSite policy enforcement is delegated to the parsed cookie attribute.

Information Disclosure Undici
NVD GitHub VulDB
EPSS 1% CVSS 10.0
CRITICAL PATCH Act Now

Remote code execution against users of picklescan versions prior to 1.0.4 is achievable by smuggling any blocked function past its scanner using pkgutil.resolve_name as an indirection primitive. Because pkgutil.resolve_name is not on the blocklist, an attacker can chain two REDUCE opcodes to resolve and invoke os.system, builtins.exec, subprocess.call, or any other dangerous function while the scanner reports the pickle as CLEAN - a universal blocklist bypass that defeats picklescan's entire safety premise. No public exploit is identified in CISA KEV, but the GHSA advisory authored by VulnCheck publishes a complete working technique, so weaponization is trivial.

RCE Picklescan
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Credential theft via SSRF in HAX open-apis (npm @haxtheweb/open-apis) before version 26.0.0 allows remote unauthenticated attackers to capture HTTP Basic authentication intended for hard-coded trusted domains. The flaw stems from substring-only hostname validation in cacheAddress.js, JOSHelpers.js, and elmslnToSite.js, which lets an attacker craft a URL containing the trusted substring but pointing to attacker infrastructure. A proof-of-concept exists and the maintainer confirmed the leaked credentials grant access to unreleased LMS content on downstream systems, though no public exploitation has been observed.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.4.15 allows authenticated users with access to the memory tool to read arbitrary Markdown files within the workspace root by bypassing path restrictions in the QMD backend's memory_get function. The vulnerability enables attackers to access workspace Markdown files outside canonical memory locations or indexed QMD result sets, effectively circumventing the intended memory-path policy. No public exploit code or active exploitation has been identified.

Canonical Authentication Bypass
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM PATCH This Month

OpenClaw before version 2026.4.12 contains an improper authorization flaw in helper-backed channels where empty resolved approver lists are incorrectly interpreted as explicit approval authorization. Authenticated attackers who know an approval ID can resolve pending approvals without proper authorization by exploiting this logic error, bypassing intended sender authorization checks. This vulnerability has a CVSS score of 6.5 (medium) with network attack vector and requires only low privileges, though no public exploit code or active exploitation has been identified.

Information Disclosure Openclaw
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy