Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
8.8 HIGH
CVE-2026-62217 — OpenClaw 2026.5.14-beta.1 < 2026.5.27 Authentication Bypass via exec approvals

OpenClaw 2026.5.14-beta.1 before 2026.5.27 contain an authorization flaw in the QQBot exec approvals feature. When the feature is enabled and reachable, a lower-trust caller or configured input path …

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
5.0 MEDIUM
CVE-2026-62216 — OpenClaw 2026.4.20 < 2026.5.28 Policy Bypass via Media Upload

OpenClaw 2026.4.20 before 2026.5.28 contain a policy bypass in the QQBot media upload feature. A lower-trust caller or configured input path could cause the media upload to reach network destinations…

Remote | Server-Side Request Forgery
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.0 HIGH
CVE-2026-62215 — OpenClaw < 2026.6.5 Authentication Bypass via HTTP Canvas

OpenClaw versions before 2026.6.5 contain an authentication bypass vulnerability in HTTP Canvas responses that allows lower-trust callers to forge trusted A2UI actions. Attackers can perform actions …

Remote | Authentication
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.5 MEDIUM
CVE-2026-62214 — OpenClaw < 2026.5.28 Bot Framework SSRF via serviceUrl Parameter Validation

OpenClaw versions before 2026.5.28 Bot Framework contains an improper input validation vulnerability that allows lower-trust callers to expose bot tokens and credentials by failing to properly valida…

Remote | Information Disclosure
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.5 MEDIUM
CVE-2026-62213 — OpenClaw < 2026.5.27 Token Leakage via MS Teams Outbound Requests

OpenClaw versions before 2026.5.27 contain a token leakage vulnerability in MS Teams outbound requests that allows lower-trust callers to expose Bot Framework tokens. Attackers can access configured …

Remote | Information Disclosure
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.1 HIGH
CVE-2026-62212 — OpenClaw < 2026.5.28 Authentication Bypass via safeFetch

OpenClaw before 2026.5.28 contains a race condition in the MS Teams safeFetch DNS rebinding check. When the affected feature is enabled and reachable, a lower-trust caller or configured input path co…

Remote | Race Condition
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
5.0 MEDIUM
CVE-2026-62211 — OpenClaw < 2026.6.1 Credential Redaction Bypass via Trajectory Export

OpenClaw versions before 2026.6.1 contain a credential redaction bypass vulnerability in the trajectory export feature that allows lower-trust callers to access data that should remain within trusted…

| Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.5 MEDIUM
CVE-2026-62210 — OpenClaw < 2026.6.1 Denial of Service via Remote Media URLs

OpenClaw versions before 2026.6.1 contain a denial of service vulnerability where remote media URLs can trigger slow-read attacks that exhaust gateway worker resources. Attackers with access to confi…

Remote | Denial of Service
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.1 HIGH
CVE-2026-62209 — OpenClaw 2026.5.10-beta.1 < 2026.6.5 Authorization Bypass via agent-mode dispatch

OpenClaw versions 2026.5.10-beta.1 before 2026.6.5 contain an authorization bypass in the ClickClack agent-mode dispatch feature, which could ignore the toolsAllow policy check. When the affected fea…

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.5 MEDIUM
CVE-2026-62208 — OpenClaw < 2026.6.5 Authorization Header Forwarding via SSE

OpenClaw before 2026.6.5 could forward Authorization headers during MCP SSE redirects. When the affected feature is enabled and reachable, a lower-trust caller or configured input path could execute …

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.8 HIGH
CVE-2026-62207 — OpenClaw < 2026.6.5 Authentication Bypass via Admin Tools

OpenClaw versions before 2026.6.5 contain an authentication bypass vulnerability that allows lower-trust callers to reach admin-scoped tools. Attackers can perform actions requiring stronger authoriz…

Remote | Authentication
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.1 HIGH
CVE-2026-62206 — OpenClaw < 2026.6.9 Authentication Bypass via Moderation Actions

OpenClaw versions before 2026.6.9 contain a missing authorization vulnerability in Discord moderation actions. In affected versions, a lower-trust caller or configured input path could perform modera…

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.1 HIGH
CVE-2026-62205 — OpenClaw 2026.4.12-beta.1 < 2026.6.6 Authorization Bypass via message actions

OpenClaw versions 2026.4.12-beta.1 before 2026.6.6 contain a missing-authorization vulnerability in the MS Teams message actions feature. When the affected feature is enabled and reachable, a lower-t…

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.8 HIGH
CVE-2026-62203 — OpenClaw < 2026.6.6 Environment Variable Injection via rustup

OpenClaw versions before 2026.6.6 contain an environment variable filtering vulnerability in host exec that fails to properly sanitize rustup startup variables. Attackers with lower-trust caller acce…

Remote | Authentication
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
8.8 HIGH
CVE-2026-62202 — OpenClaw 2026.6.1 < 2026.6.9 Privilege Escalation via Cron

OpenClaw versions 2026.6.1 before 2026.6.9 contain a privilege escalation vulnerability in isolated cron jobs that allows lower-trust callers to regain denied execution tools. Attackers can execute o…

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
7.7 HIGH
CVE-2026-62201 — OpenClaw < 2026.6.6 Network Policy Bypass via exec-server

OpenClaw versions before 2026.6.6 contain a network policy bypass vulnerability in the sandbox exec-server that allows lower-trust callers to reach internal network destinations blocked by OpenClaw p…

Remote | Misconfiguration
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.5 MEDIUM
CVE-2026-44251 — Wazuh : size_t underflow in msgs.c ReadSecMSG causes wazuh-remoted DoS and potential heap…

Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 3.0.0 and above, prior to 4.14.5, a size_t integer underflow in os_crypto/shared/msgs.c:389 a…

Remote | Memory Corruption
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
4.7 MEDIUM
CVE-2026-40106 — Wazuh: Heap-based Buffer Overflow in syscheck Registry Wildcard Expansion (LPE / DoS)

Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.6.0 and above prior to 4.14.5 contain a heap-based buffer overflow vulnerability in the sysche…

| Memory Corruption
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
6.4 MEDIUM
CVE-2026-2594 — Smart Custom Fields <= 5.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via At…

The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping o…

Remote | Cross-Site Scripting
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
9.8 CRITICAL
CVE-2026-14956 — Bricksforge <= 3.1.8.6 - Unauthenticated Privilege Escalation via Pro Forms fieldIds Para…

The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms…

Remote | Authorization
Jul 17, 2026 Jul 17, 2026
Jul 17, 2026
Jul 17, 2026
Showing 20 of 8127 Results