CVEs from 2026
Total: 13,682
Critical: 1,199
High: 4,384
Medium: 4,286
Low: 468
% Critical: 8.8%
% with KEV: 0.4%
% with exploit: 0.8%
Top products
- chrome 503
- firepower_threat_defense 298
- firepower_threat_defense_software 295
- gcp 229
- openclaw 172
- commerce 104
- commerce_b2b 89
- saml_sso_-_service_provider 77
Top packages
| CVE | Severity | CVSS | Risk | Flags | OS | Vendor | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-42565 | medium | 4.3 | 4.3 | | | | 21d ago | @workos/authkit-session has an Open Redirect via state-derived redirect target |
| CVE-2026-34754 | medium | 4.3 | 4.3 | | | | 21d ago | MantisBT has an Authorization Bypass that Allows Uploading Attachments to Private Issues via REST API |
| CVE-2026-44997 | medium | 4.3 | 4.3 | | | | 21d ago | OpenClaw's ACP child sessions inherit subagent security envelope constraints |
| CVE-2026-42865 | medium | 4.3 | 4.3 | | | | 21d ago | Inbox Zero is an AI personal assistant for email. Prior to 2.29.3, the cleaner email stream endpoint used a shared Redis subscription listener, which could deliver thread events for one authenticated… |
| CVE-2026-44198 | medium | 4.3 | 4.3 | | | | 21d ago | Wagtail is an open source content management system built on Django. Prior to 7.0.7, 7.3.2, and 7.4, a CMS user without the ability to edit a page could still access the history report for the page, … |
| CVE-2026-39869 | medium | 4.3 | 4.3 | | | | 22d ago | The issue was addressed with improved memory handling. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, macOS Sequoia 15.7.7, macOS Sonoma 14.8.7, macOS Tahoe 26.5, tvOS… |
| CVE-2026-8195 | medium | 4.3 | 4.3 | | | | 23d ago | A vulnerability was detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/C… |
| CVE-2026-8194 | medium | 4.3 | 4.3 | | | | 23d ago | A security vulnerability has been detected in osTicket up to 1.18.3. Impacted is an unknown function of the file include/class.dispatcher.php of the component Dispatcher. The manipulation of the argu… |
| CVE-2026-6667 | medium | 4.3 | 4.3 | | | | 24d ago | PgBouncer before 1.25.2 did not perform an appropriate authorization check for the KILL_CLIENT admin command. All users with access to the administration console (which itself requires authorization)… |
| CVE-2026-42456 | medium | 4.3 | 4.3 | | | | 24d ago | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLL… |
| CVE-2026-42282 | medium | 4.3 | 4.3 | | | | 24d ago | n8n-MCP: Sensitive MCP tool-call arguments logged on authenticated requests in HTTP mode |
| CVE-2026-44557 | medium | 4.3 | 4.3 | | | | 24d ago | Open WebUI vulnerable to Global Knowledge Base Enumeration via knowledge-bases Meta-Collection |
| CVE-2026-42276 | medium | 4.3 | 4.3 | | | | 25d ago | Onyx is an open-source AI platform. Prior to versions 3.0.9, 3.1.6, and 3.2.6, the POST /chat/stop-chat-session/{chat_session_id} endpoint lets any authenticated user stop any other user's active cha… |
| CVE-2026-8117 | medium | 4.3 | 4.3 | | | | 25d ago | A security vulnerability has been detected in SourceCodester Pizzafy Ecommerce System 1.0. This issue affects some unknown processing of the file /admin/index.php. Such manipulation of the argument p… |
| CVE-2026-44263 | medium | 4.3 | 4.3 | | | | 25d ago | Weblate Vulnerable to Private Translation Enumeration via Screenshot API |
| CVE-2026-41687 | medium | 4.3 | 4.3 | | | | 25d ago | Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.8.1, the SSRF protection in endpoints/subscription/add.php (line 42) and endpoints/payments/add.php (line 40)… |
| CVE-2026-41685 | medium | 4.3 | 4.3 | | | | 25d ago | Incus is a system container and virtual machine manager. Prior to version 7.0.0, uploads of large amount of data by authenticated users can run the Incus server out of disk space, potentially taking … |
| CVE-2026-27415 | medium | 4.3 | 4.3 | | | | 25d ago | Cross-Site Request Forgery (CSRF) vulnerability in PluginUs.Net BEAR allows Cross Site Request Forgery. This issue affects BEAR: from n/a through 1.1.5. |
| CVE-2026-44264 | medium | 4.3 | 4.3 | | | | 26d ago | Weblate vulnerable to XSS via crafted Markdown |
| CVE-2026-44111 | medium | 4.3 | 4.3 | | | | 26d ago | OpenClaw before 2026.4.15 contains an arbitrary file read vulnerability in the QMD backend memory_get function that allows callers to read any Markdown files within the workspace root. Attackers with… |
| CVE-2026-8014 | medium | 4.3 | 4.3 | | | | 26d ago | Inappropriate implementation in Preload in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2026-8013 | medium | 4.3 | 4.3 | | | | 26d ago | Insufficient validation of untrusted input in FedCM in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: L… |
| CVE-2026-8011 | medium | 4.3 | 4.3 | | | | 26d ago | Insufficient policy enforcement in Search in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low) |
| CVE-2026-8005 | medium | 4.3 | 4.3 | | | | 26d ago | Insufficient validation of untrusted input in Cast in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to bypass same origin policy via malicious network traffic.… |
| CVE-2026-8004 | medium | 4.3 | 4.3 | | | | 26d ago | Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted C… |
| CVE-2026-7999 | medium | 4.3 | 4.3 | | | | 26d ago | Inappropriate implementation in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium… |
| CVE-2026-7986 | medium | 4.3 | 4.3 | | | | 26d ago | Insufficient policy enforcement in Autofill in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-7983 | medium | 4.3 | 4.3 | | | | 26d ago | Out of bounds read in Dawn in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-7979 | medium | 4.3 | 4.3 | | | | 26d ago | Inappropriate implementation in Media in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-7972 | medium | 4.3 | 4.3 | | | | 26d ago | Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium securi… |
| CVE-2026-7969 | medium | 4.3 | 4.3 | | | | 26d ago | Integer overflow in Network in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. (Chromium … |
| CVE-2026-7961 | medium | 4.3 | 4.3 | | | | 26d ago | Insufficient validation of untrusted input in Permissions in Google Chrome prior to 148.0.7778.96 allowed an attacker on the local network segment to leak cross-origin data via malicious network traf… |
| CVE-2026-7946 | medium | 4.3 | 4.3 | | | | 26d ago | Insufficient policy enforcement in WebUI in Google Chrome on Linux, Mac, Windows, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site iso… |
| CVE-2026-7942 | medium | 4.3 | 4.3 | | | | 26d ago | Integer overflow in ANGLE in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-7936 | medium | 4.3 | 4.3 | | | | 26d ago | Object lifecycle issue in V8 in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium) |
| CVE-2026-7933 | medium | 4.3 | 4.3 | | | | 26d ago | Out of bounds read in WebCodecs in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted video file. (Chromium security severity: Medium) |
| CVE-2026-7915 | medium | 4.3 | 4.3 | | | | 26d ago | Insufficient data validation in DevTools in Google Chrome on Android prior to 148.0.7778.96 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security sev… |
| CVE-2026-7904 | medium | 4.3 | 4.3 | | | | 26d ago | Out of bounds read in Fonts in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High) |
| CVE-2026-20193 | medium | 4.3 | 4.3 | | | | 26d ago | A vulnerability in the RADIUS Policy API endpoints of Cisco ISE could allow an authenticated, remote attacker with read-only Administrator privileges to gain unauthorized access to sensitive inf… |
| CVE-2026-20189 | medium | 4.3 | 4.3 | | | | 26d ago | A vulnerability in the log file download functionality of Cisco Prime Infrastructure could allow an authenticated, remote attacker to download arbitrary log files from the server. This vulner… |
| CVE-2026-20172 | medium | 4.3 | 4.3 | | | | 26d ago | A vulnerability in the Lite Agent feature of Cisco Enterprise Chat and Email (ECE) could allow an authenticated, remote attacker to conduct browser-based attacks. To exploit this vulnerability, the a… |
| CVE-2026-8027 | medium | 4.3 | 4.3 | | | | 26d ago | A weakness has been identified in FlowiseAI Flowise up to 3.0.12. Affected by this vulnerability is an unknown functionality of the component User Controller Handler. This manipulation of the argumen… |
| CVE-2026-2306 | medium | 4.3 | 4.3 | | | | 27d ago | The Ninja Tables – Easy Data Table Builder plugin for WordPress is vulnerable to unauthorized database table creation due to missing authorization checks on the `createFluentCartTable` function in al… |
| CVE-2026-43882 | medium | 4.3 | 4.3 | | | | 27d ago | AVideo: Unauthenticated CRLF/ICS Injection in Scheduler downloadICS.php Allows Calendar Event Spoofing |
| CVE-2026-3601 | medium | 4.3 | 4.3 | | | | 27d ago | The User Registration & Membership plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `embed_form_action()` function in all versions up t… |
| CVE-2026-6701 | medium | 4.3 | 4.3 | | | | 28d ago | The addfreespace plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 0.1.3. This is due to missing or incorrect nonce validation on a function. This… |
| CVE-2026-6700 | medium | 4.3 | 4.3 | | | | 28d ago | The DX Sources plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.1. This is due to missing or incorrect nonce validation on the settings_page_… |
| CVE-2026-7781 | medium | 4.3 | 4.3 | | | | 28d ago | A security vulnerability has been detected in Open5GS up to 2.7.7. Affected by this issue is the function udm_nudm_uecm_handle_amf_registration_update of the file /src/udm/nudm-handler.c of the compo… |
| CVE-2026-7780 | medium | 4.3 | 4.3 | | | | 28d ago | A weakness has been identified in Open5GS up to 2.7.7. Affected by this vulnerability is the function udm_state_operational of the file /src/udm/udm-sm.c of the component smf-registrations Endpoint. … |
| CVE-2026-7779 | medium | 4.3 | 4.3 | | | | 28d ago | A security flaw has been discovered in Open5GS up to 2.7.7. Affected is the function udm_nudr_dr_handle_subscription_authentication of the file /src/udm/nudr-handler.c of the component authentication… |
| CVE-2026-42051 | medium | 4.3 | 4.3 | | | | 28d ago | Kirby CMS's system API endpoint leaks installed version and license data to authenticated users |
| CVE-2026-42174 | medium | 4.3 | 4.3 | | | | 28d ago | Kirby CMS doesn't gate user avatar creation, replacement and deletion with user update permissions |
| CVE-2026-7708 | medium | 4.3 | 4.3 | | | | 29d ago | A vulnerability was determined in Open5GS up to 2.7.7. The affected element is the function ogs_dbi_subscription_data in the library /lib/dbi/subscription.c of the component UDR. This manipulation of… |
| CVE-2026-7707 | medium | 4.3 | 4.3 | | | | 29d ago | A vulnerability was found in Open5GS up to 2.7.7. Impacted is the function udr_nudr_dr_handle_subscription_context of the file /src/udr/nudr-handler.c of the component UDR. The manipulation of the ar… |
| CVE-2026-7706 | medium | 4.3 | 4.3 | | | | 29d ago | A vulnerability has been found in Open5GS up to 2.7.7. This issue affects the function gmm_handle_service_request of the file /src/amf/gmm-handler.c of the component AMF. The manipulation leads to de… |
| CVE-2026-7704 | medium | 4.3 | 4.3 | | | | 29d ago | A vulnerability has been found in AV Stumpfl Pixera Two Media Server up to 25.1 R2. The affected element is an unknown function of the component Service Port 1338. Such manipulation leads to path tra… |
| CVE-2026-7701 | medium | 4.3 | 4.3 | | | | 29d ago | A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the compon… |
| CVE-2026-7680 | medium | 4.3 | 4.3 | | | | 1mo ago | A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipu… |
| CVE-2026-7676 | medium | 4.3 | 4.3 | | | | 1mo ago | A vulnerability was found in kerwincui FastBee up to 1.2.1. The affected element is the function ToolController.download of the file springboot/fastbee-open-api/src/main/java/com/fastbee/data/control… |
| CVE-2026-7643 | medium | 4.3 | 4.3 | | | | 1mo ago | A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cros… |
| CVE-2026-7601 | medium | 4.3 | 4.3 | | | | 1mo ago | A vulnerability has been found in Open5GS up to 2.7.6. Affected is an unknown function of the file src/amf/gmm-handler.c of the component AMF. The manipulation of the argument reg_type leads to denia… |
| CVE-2026-7596 | medium | 4.3 | 4.3 | | | | 1mo ago | A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this issue is the function data.get of the file .claude/skills/design-system/scripts/generate-slide.py … |
| CVE-2026-7587 | medium | 4.3 | 4.3 | | | | 1mo ago | A vulnerability has been found in Open5GS up to 2.7.7. This vulnerability affects the function amf_nsmf_pdusession_handle_update_sm_context of the file /src/amf/nsmf-handler.c of the component AMF. T… |
| CVE-2026-7586 | medium | 4.3 | 4.3 | | | | 1mo ago | A weakness has been identified in Open5GS up to 2.7.7. Affected is the function ogs_id_get_value of the file /src/amf/nudm-handler.c of the component AMF. This manipulation causes denial of service. … |
| CVE-2026-7585 | medium | 4.3 | 4.3 | | | | 1mo ago | A vulnerability was determined in Open5GS up to 2.7.7. The impacted element is the function amf_nudm_sdm_handle_provisioned of the file /src/amf/nudm-handler.c of the component AMF. Executing a manip… |
| CVE-2026-23866 | medium | 4.3 | 4.3 | | | | 1mo ago | Incomplete validation of AI rich response messages for Instagram Reels in WhatsApp for iOS v2.25.8.0 to v2.26.15.72 and WhatsApp for Android v2.25.8.0 to v2.26.7.10 could have allowed a user to trigg… |
| CVE-2026-7583 | medium | 4.3 | 4.3 | | | | 1mo ago | A flaw has been found in Open5GS up to 2.7.7. This issue affects the function bsf_sess_find_by_ipv6prefix of the file /src/bsf/context.c of the component BSF. This manipulation of the argument ipv6Pr… |
| CVE-2026-7581 | medium | 4.3 | 4.3 | | | | 1mo ago | A security vulnerability has been detected in alexta69 MeTube up to 2026.04.09. This affects the function on_prepare of the file app/main.py of the component CORS Policy. The manipulation leads to pe… |
| CVE-2026-3140 | medium | 4.3 | 4.3 | | | | 1mo ago | The Ultimate Dashboard plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.8.14. This is due to a flawed nonce validation conditional in the 'hand… |
| CVE-2026-7535 | medium | 4.3 | 4.3 | | | | 1mo ago | A vulnerability was found in Open5GS up to 2.7.7. This affects the function amf_namf_comm_handle_registration_status_update_request in the library /lib/app/ogs-init.c of the file /namf-comm/v1/ue-con… |
| CVE-2026-7518 | medium | 4.3 | 4.3 | | | | 1mo ago | A flaw has been found in Open5GS up to 2.7.7. This issue affects the function amf_namf_callback_handle_sdm_data_change_notify of the file /namf-callback/v1/{id}/sdmsubscription-notify of the componen… |
| CVE-2026-36757 | medium | 4.3 | 4.3 | | | | 1mo ago | A Server-Side Request Forgery (SSRF) in the /plugins/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. |
| CVE-2026-36758 | medium | 4.3 | 4.3 | | | | 1mo ago | A Server-Side Request Forgery (SSRF) in the /themes/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. |
| CVE-2026-7401 | medium | 4.3 | 4.3 | | | | 1mo ago | A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This vulnerability affects unknown code of the file /index.php?action=register of the com… |
| CVE-2026-6915 | medium | 4.3 | 4.3 | | | | 1mo ago | An authorization flaw in the user management command could allow an authenticated user to make limited changes to authentication-related data associated with another user account. This could affect h… |
| CVE-2026-42525 | medium | 4.3 | 4.3 | | | | 1mo ago | Jenkins Microsoft Entra ID (previously Azure AD) Plugin has an open redirect vulnerability |
| CVE-2026-42522 | medium | 4.3 | 4.3 | | | | 1mo ago | Jenkins GitHub Branch Source Plugin: Missing permissions check allows attackers to perform a connection test |
| CVE-2026-42519 | medium | 4.3 | 4.3 | | | | 1mo ago | Jenkins Script Security Plugin: Missing permission checks allow enumeration of pending and approved classpaths |
| CVE-2026-42648 | medium | 4.3 | 4.3 | | | | 1mo ago | Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from … |
| CVE-2026-42645 | medium | 4.3 | 4.3 | | | | 1mo ago | Cross-Site Request Forgery (CSRF) vulnerability in Dmitry V. (CEO of "UKR Solution") Barcode Scanner with Inventory & Order Manager barcode-scanner-lite-pos-to-manage-products-inventory-and-orders al… |
| CVE-2026-23773 | medium | 4.3 | 4.3 | | | | 1mo ago | Dell Disk Library for Mainframe, version(s) DLm 8700/2700 contain(s) a Server-Side Request Forgery (SSRF) vulnerability. A low privileged attacker with remote access could potentially exploit this vu… |
| CVE-2026-7340 | medium | 4.3 | 4.3 | | | | 1mo ago | Integer overflow in ANGLE in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: M… |
| CVE-2026-41910 | medium | 4.3 | 4.3 | | | | 1mo ago | OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes |
| CVE-2026-7309 | medium | 4.3 | 4.3 | | | | 1mo ago | A flaw was found in the OpenShift Container Platform build system. A user with the `edit` ClusterRole can inject arbitrary environment variables, such as `LD_PRELOAD` or `http_proxy`, into `docker-bu… |
| CVE-2026-7230 | medium | 4.3 | 4.3 | | | | 1mo ago | A vulnerability was found in SourceCodester Safety Anger Pad 1.0. The affected element is an unknown function. The manipulation of the argument angerDisplay results in cross site scripting. The attac… |
| CVE-2026-7200 | medium | 4.3 | 4.3 | | | | 1mo ago | A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /index.php?page=types. Executing a manipulation of th… |
| CVE-2026-41362 | medium | 4.3 | 4.3 | | | | 1mo ago | OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attacke… |
| CVE-2026-7144 | medium | 4.3 | 4.3 | | | | 1mo ago | A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp… |
| CVE-2026-7129 | medium | 4.3 | 4.3 | | | | 1mo ago | A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. Impacted is an unknown function of the file /index.php?page=categories. Performing a manipulation of the argume… |
| CVE-2026-7116 | medium | 4.3 | 4.3 | | | | 1mo ago | A security flaw has been discovered in code-projects Employee Management System 1.0. This issue affects some unknown processing of the file 370project/mark.php. Performing a manipulation results in c… |
| CVE-2026-7108 | medium | 4.3 | 4.3 | | | | 1mo ago | A security vulnerability has been detected in code-projects Invoice System in Laravel 1.0. This affects an unknown function. Such manipulation leads to cross-site request forgery. The attack may be p… |
| CVE-2026-7095 | medium | 4.3 | 4.3 | | | | 1mo ago | A vulnerability was identified in code-projects Employee Management System 1.0. This affects an unknown part of the file 370project/edit.php. The manipulation of the argument ID leads to cross site s… |
| CVE-2026-7089 | medium | 4.3 | 4.3 | | | | 1mo ago | A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The man… |
| CVE-2026-7086 | medium | 4.3 | 4.3 | | | | 1mo ago | A vulnerability was identified in HBAI-Ltd Toonflow-app up to 1.1.1. This issue affects the function updateStoryboardUrl of the file replaceUrl.ts of the component Storyboard Export. Such manipulatio… |
| CVE-2026-33566 | medium | 4.3 | 4.3 | | | | 1mo ago | There is a cypher injection issue in LogonTracer prior to v2.0.0. If specially crafted Windows event log data is loaded, the contents of the database may be altered. |
| CVE-2026-29197 | medium | 4.3 | 4.3 | | | | 1mo ago | In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing… |
| CVE-2026-41350 | medium | 4.3 | 4.3 | | | | 1mo ago | OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invoc… |
| CVE-2026-41339 | medium | 4.3 | 4.3 | | | | 1mo ago | OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients |
| CVE-2026-6874 | medium | 4.3 | 4.3 | | | | 1mo ago | copilot-api has Reliance on Reverse DNS Resolution for a Security-Critical Action |
| CVE-2026-42085 | medium | 4.3 | 4.3 | | | | 1mo ago | OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames |