Skip to main content

CWE-706

Use of Incorrectly-Resolved Name or Reference

76 CVEs Avg CVSS 6.7 MITRE
13
CRITICAL
25
HIGH
34
MEDIUM
4
LOW
22
POC
2
KEV

Monthly

CVE-2026-62190 HIGH This Week

Authorization bypass in OpenClaw before 2026.6.9 lets a lower-trust caller escape the exec-approval trust boundary through the flock wrapper, executing or persisting privileged actions the caller was never authorized to perform. The CVSS 4.0 vector (PR:L) indicates an authenticated but low-privilege actor can achieve high confidentiality, integrity, and availability impact when the affected feature is enabled. Reported by VulnCheck with a vendor GitHub Security Advisory (GHSA-3fp5-v549-9v66); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-57054 MEDIUM PATCH This Month

Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network attackers by allowing a specially formatted URL to evade the URL filtering plugin. The flaw stems from incorrect name or reference resolution (CWE-706), causing the router to forward traffic that security policy mandates be dropped. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 6.9 carries an Automatable:Yes modifier, indicating the bypass is scriptable at scale against any qualifying deployment.

Authentication Bypass Juniper Junos Os
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2025-12506 MEDIUM PATCH This Month

Content spoofing in GitLab CE/EE versions 16.5 through 18.x, 19.0, and 19.1 allows authenticated users to construct repositories where the web interface renders content that diverges from the actual downloadable source, exploiting improper Git reference name resolution (CWE-706). The CVSS score of 3.5 (Low) reflects the authentication requirement (PR:L), mandatory viewer interaction (UI:R), and limited integrity-only impact with no confidentiality or availability consequences. No public exploit code or CISA KEV listing has been identified at time of analysis, placing real-world risk firmly in the low tier despite the broad version range affected.

Gitlab Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-13372 HIGH PATCH This Week

Privilege/context escalation in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 lets an authenticated user with write access to a shared workspace plant a custom PowerShell VPN editor entry whose display name collides with an existing VPN script link, causing the attacker's PowerShell to run in another user's context when that link is resolved. The flaw stems from incorrect link resolution by display name (CWE-706) rather than a stable identifier, yielding total compromise of the victim's session (C:H/I:H/A:H). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available.

Information Disclosure Remote Desktop Manager
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2026-10696 HIGH This Week

Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update.

Information Disclosure Unigetui
NVD VulDB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-54022 PyPI MEDIUM PATCH GHSA This Month

Private note disclosure in Open WebUI (≤0.8.10) allows any authenticated user to read the full contents of another user's private notes by exploiting a namespace collision in the Socket.IO collaborative editing subsystem. The ydoc:document:join handler enforces authorization only for document IDs prefixed with 'note:' (colon), but the YdocManager storage layer normalizes all IDs by substituting underscores for colons - making 'note:abc' and 'note_abc' identical storage keys. A fully functional public PoC exploit script is included in the GitHub Security Advisory. No KEV listing; fix is available in version 0.8.11.

Python Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-8716 MEDIUM PATCH This Month

Unauthorized CI data access in GitLab CE/EE allows an authenticated low-privileged user to read CI pipeline data from a ref type (branch, tag, or merge request ref) other than the one they are authorized to view, under certain unspecified conditions. All GitLab installations - both Community and Enterprise editions - running versions from 12.7 through the unpatched releases are affected. The vulnerability is classified as information disclosure with low confidentiality impact; no public exploit code has been identified at time of analysis and it is not listed in the CISA KEV catalog.

Gitlab Information Disclosure
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-45306 PyPI MEDIUM PATCH GHSA This Month

Authenticated admin users in pyLoad-ng can bypass the CVE-2026-33509 fix by setting the storage_folder to the Flask session directory (/tmp/pyLoad/flask), then downloading and reusing session files of other users via the /files/get/ endpoint to achieve account takeover. The original patch failed to block access to the session cache directory, leaving it accessible through the directory traversal protection bypass. Publicly available proof-of-concept code confirms the bypass is functional.

Authentication Bypass Python
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-41402 npm LOW PATCH Monitor

OpenClaw before version 2026.3.31 allows authenticated attackers to bypass webhook replay protection through overly broad cache keying, enabling delivery of duplicate webhook messages to unintended sibling targets when the same messageId is reused. The vulnerability exploits insufficient scope isolation in the webhook replay cache deduplication mechanism, allowing message replay across organizational boundaries within a single authentication context.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-42254 Cargo MEDIUM PATCH This Month

Hickory DNS recursor versions 0.1 through 0.25.2 allow cross-zone DNS poisoning attacks due to cached DNS responses not being directly associated with the query that triggered them, enabling attackers to inject malicious DNS records across zone boundaries and potentially redirect traffic to attacker-controlled servers without user interaction or authentication.

Information Disclosure Hickory Dns
NVD GitHub VulDB
CVSS 3.1
4.0
EPSS
0.0%
EPSS 0% CVSS 8.7
HIGH This Week

Authorization bypass in OpenClaw before 2026.6.9 lets a lower-trust caller escape the exec-approval trust boundary through the flock wrapper, executing or persisting privileged actions the caller was never authorized to perform. The CVSS 4.0 vector (PR:L) indicates an authenticated but low-privilege actor can achieve high confidentiality, integrity, and availability impact when the affected feature is enabled. Reported by VulnCheck with a vendor GitHub Security Advisory (GHSA-3fp5-v549-9v66); no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Web filtering bypass on Juniper Networks Junos OS MX Series exposes downstream resources to unauthenticated network attackers by allowing a specially formatted URL to evade the URL filtering plugin. The flaw stems from incorrect name or reference resolution (CWE-706), causing the router to forward traffic that security policy mandates be dropped. No public exploit has been identified at time of analysis, but the CVSS 4.0 score of 6.9 carries an Automatable:Yes modifier, indicating the bypass is scriptable at scale against any qualifying deployment.

Authentication Bypass Juniper Junos Os
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Content spoofing in GitLab CE/EE versions 16.5 through 18.x, 19.0, and 19.1 allows authenticated users to construct repositories where the web interface renders content that diverges from the actual downloadable source, exploiting improper Git reference name resolution (CWE-706). The CVSS score of 3.5 (Low) reflects the authentication requirement (PR:L), mandatory viewer interaction (UI:R), and limited integrity-only impact with no confidentiality or availability consequences. No public exploit code or CISA KEV listing has been identified at time of analysis, placing real-world risk firmly in the low tier despite the broad version range affected.

Gitlab Information Disclosure
NVD VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Privilege/context escalation in Devolutions Remote Desktop Manager 2026.2.5 through 2026.2.11 lets an authenticated user with write access to a shared workspace plant a custom PowerShell VPN editor entry whose display name collides with an existing VPN script link, causing the attacker's PowerShell to run in another user's context when that link is resolved. The flaw stems from incorrect link resolution by display name (CWE-706) rather than a stable identifier, yielding total compromise of the victim's session (C:H/I:H/A:H). There is no public exploit identified at time of analysis and it is not in CISA KEV; a vendor patch is available.

Information Disclosure Remote Desktop Manager
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Use of an incorrectly resolved name or reference in the pinget backend in Devolutions UniGetUI 2026.2.0 and earlier allows a WinGet community catalog contributor to cause an installed application to be correlated to an unrelated, attacker-controlled catalog package and to execute an attacker-controlled installer via a crafted catalog package whose normalized name is contained as a substring within the installed application name when a user applies the proposed update.

Information Disclosure Unigetui
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Private note disclosure in Open WebUI (≤0.8.10) allows any authenticated user to read the full contents of another user's private notes by exploiting a namespace collision in the Socket.IO collaborative editing subsystem. The ydoc:document:join handler enforces authorization only for document IDs prefixed with 'note:' (colon), but the YdocManager storage layer normalizes all IDs by substituting underscores for colons - making 'note:abc' and 'note_abc' identical storage keys. A fully functional public PoC exploit script is included in the GitHub Security Advisory. No KEV listing; fix is available in version 0.8.11.

Python Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Unauthorized CI data access in GitLab CE/EE allows an authenticated low-privileged user to read CI pipeline data from a ref type (branch, tag, or merge request ref) other than the one they are authorized to view, under certain unspecified conditions. All GitLab installations - both Community and Enterprise editions - running versions from 12.7 through the unpatched releases are affected. The vulnerability is classified as information disclosure with low confidentiality impact; no public exploit code has been identified at time of analysis and it is not listed in the CISA KEV catalog.

Gitlab Information Disclosure
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Authenticated admin users in pyLoad-ng can bypass the CVE-2026-33509 fix by setting the storage_folder to the Flask session directory (/tmp/pyLoad/flask), then downloading and reusing session files of other users via the /files/get/ endpoint to achieve account takeover. The original patch failed to block access to the session cache directory, leaving it accessible through the directory traversal protection bypass. Publicly available proof-of-concept code confirms the bypass is functional.

Authentication Bypass Python
NVD GitHub
EPSS 0% CVSS 2.3
LOW PATCH Monitor

OpenClaw before version 2026.3.31 allows authenticated attackers to bypass webhook replay protection through overly broad cache keying, enabling delivery of duplicate webhook messages to unintended sibling targets when the same messageId is reused. The vulnerability exploits insufficient scope isolation in the webhook replay cache deduplication mechanism, allowing message replay across organizational boundaries within a single authentication context.

Authentication Bypass Openclaw
NVD GitHub
EPSS 0% CVSS 4.0
MEDIUM PATCH This Month

Hickory DNS recursor versions 0.1 through 0.25.2 allow cross-zone DNS poisoning attacks due to cached DNS responses not being directly associated with the query that triggered them, enabling attackers to inject malicious DNS records across zone boundaries and potentially redirect traffic to attacker-controlled servers without user interaction or authentication.

Information Disclosure Hickory Dns
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy