Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.9 MEDIUM
CVE-2026-41331 — OpenClaw < 2026.3.31 - Resource Consumption via Unauthorized Telegram Audio Preflight Tra…

OpenClaw before 2026.3.31 contains a resource consumption vulnerability in Telegram audio preflight transcription that allows unauthorized group senders to trigger transcription processing. Attackers…

Remote | Denial of Service
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
4.4 MEDIUM
CVE-2026-41330 — OpenClaw < 2026.3.31 - Environment Variable Override via Host Exec Policy

OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass sec…

| Misconfiguration
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
9.9 CRITICAL
CVE-2026-41329 — OpenClaw < 2026.3.31 - Sandbox Bypass via Heartbeat Context Inheritance and senderIsOwner…

OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can e…

Remote | Authorization
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
8.8 HIGH
CVE-2026-41303 — OpenClaw < 2026.3.28 - Authorization Bypass in Discord Text Approval Commands

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text…

Remote | Authorization
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
7.6 HIGH
CVE-2026-41302 — OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace P…

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attack…

Remote | Server-Side Request Forgery
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
6.9 MEDIUM
CVE-2026-41301 — OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Ver…

OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature vali…

Remote | Authentication
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
6.9 MEDIUM
CVE-2026-41300 — OpenClaw < 2026.3.31 - Attacker-Discovered Endpoint Preservation in Remote Onboarding

OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoint…

Remote | Misconfiguration
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
7.1 HIGH
CVE-2026-41299 — OpenClaw < 2026.3.28 - Client Identity Spoofing in chat.send Gateway Provenance Guard

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket han…

Remote | Authorization
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
5.4 MEDIUM
CVE-2026-41298 — OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint

OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by s…

Remote | Authorization
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
7.6 HIGH
CVE-2026-41297 — OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redire…

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalid…

Remote | Server-Side Request Forgery
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
8.8 HIGH
CVE-2026-41296 — OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile

OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path val…

Remote | Race Condition
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
8.5 HIGH
CVE-2026-41295 — OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in C…

OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a works…

| Misconfiguration
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
8.6 HIGH
CVE-2026-41294 — OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File

OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a…

| Misconfiguration
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
4.3 MEDIUM
CVE-2026-41285 — OpenBSD slaacd and rad Infinite Loop ICMPv6 Neighbor Discovery Vulnerability

In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an "nd_o…

| Denial of Service
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
5.9 MEDIUM
CVE-2026-40045 — OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway…

OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft s…

| Misconfiguration
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
6.3 MEDIUM
CVE-2026-35588 — Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`…

| Injection
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
7.3 HIGH
CVE-2026-35587 — Glances IP Plugin has SSRF via public_api that leads to credential leakage

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation …

Remote | Server-Side Request Forgery
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
8.4 HIGH
CVE-2026-35570 — OpenClaude has Sandbox Bypass via Early-Exit Logic Flaw that Allows Path Traversal

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool…

| Path Traversal
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
7.7 HIGH
CVE-2026-34839 — Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/…

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cr…

Remote | Information Disclosure
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
4.7 MEDIUM
CVE-2026-5721 — wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 6.5.0.4 - Un…

The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.5.0.4. This is …

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
Showing 20 of 6035 Results