Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score | Vulnerability | Published
6.5 MEDIUM
CVE-2026-35673 — OpenClaw < 2026.4.29 - SSRF Policy Bypass via Browser Debug/Export Routes

OpenClaw before 2026.4.29 contains an SSRF policy bypass vulnerability in browser debug and export routes that allows reuse of already-open blocked tabs. Attackers with access to these routes can byp…

openclaw | Remote | Server-Side Request Forgery
May 29, 2026 Jun 01, 2026
8.0 HIGH
CVE-2026-35630 — OpenClaw < 2026.5.18 - QQBot Missing Approver Identity Enforcement in Native Approval But…

OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval but…

openclaw | Remote | Authorization
May 29, 2026 Jun 01, 2026
5.4 MEDIUM
CVE-2026-34507 — OpenClaw < 2026.4.29 - Policy Bypass in QQBot Admin Commands via DM-only and allowFrom C…

OpenClaw before 2026.4.29 contains a policy bypass vulnerability in QQBot admin commands that allows authenticated senders to skip DM-only and allowFrom policy checks. Attackers can route admin comma…

openclaw | Remote | Authorization
May 29, 2026 Jun 01, 2026
2.3 LOW
CVE-2026-33386 — XSS in QuickCMS

QuickCMS is vulnerable to Cross-Site Scripting (XSS) through its insecure HTTP-based plugin-fetching mechanism. A malicious attacker can perform a Man-in-the-Middle (MITM) attack by impersonating the…

quick.cms | Cross-Site Scripting
May 29, 2026 May 29, 2026
4.8 MEDIUM
CVE-2026-33384 — Session Fixation in QuickCMS

QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID f…

quick.cms | Authentication
May 29, 2026 May 29, 2026
4.3 MEDIUM
CVE-2026-32906 — OpenClaw < 2026.5.12 - Privilege Escalation in Slack Plugin Approvals via Exec Approver G…

OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attacke…

openclaw | Remote | Authorization
May 29, 2026 Jun 01, 2026
8.7 HIGH
CVE-2026-32905 — OpenClaw < 2026.5.4 - Unauthorized Device-Pairing Bootstrap Code Issuance via Chat Command

OpenClaw before 2026.5.4 contains an authorization bypass vulnerability in the bundled device-pair plugin that allows non-owner authorized chat senders to issue device-pairing bootstrap codes without…

openclaw | Remote | Authorization
May 29, 2026 Jun 01, 2026
6.3 MEDIUM
CVE-2026-10101 — Assisted-service: assisted-service: infraenv status leaks referenced pull-secret contents…

ACM/MCE assisted-service writes raw referenced pull-secret contents into `InfraEnv.status.conditions[].message` when pull-secret validation fails. A namespace principal with the stock `view` ClusterR…

multicluster_engine_for_kubernetes | Remote | Information Disclosure
May 29, 2026 May 29, 2026
5.1 MEDIUM
CVE-2026-10099 — XX-Net V5.16.6 WebSocket Frame Parsing Data Corruption via simple_http_server.py

XX-Net V5.16.6 contains a WebSocket frame parsing vulnerability in the WebSocket_receive_worker routine of simple_http_server.py that allows attackers to cause corrupted application data by sending u…

Information Disclosure
May 29, 2026 Jun 01, 2026
8.7 HIGH
CVE-2026-10069 — Shibby Tomato miniupnpd resource consumption

A vulnerability has been found in Shibby Tomato 1.28. The impacted element is an unknown function of the file usr/sbin/miniupnpd. Such manipulation leads to resource consumption. The attack may be la…

tomato | Remote | Denial of Service
May 29, 2026 Jun 02, 2026
7.5 HIGH
CVE-2026-10068 — Shibby Tomato SUBSCRIBE Call miniupnpd send server-side request forgery

A flaw has been found in Shibby Tomato 1.28. The affected element is the function send of the file usr/sbin/miniupnpd of the component SUBSCRIBE Call Handler. This manipulation causes server-side req…

tomato | Remote | Server-Side Request Forgery
May 29, 2026 May 29, 2026
9.0 HIGH
CVE-2026-10067 — Shibby Tomato multimon.cgi sub_90F0 stack-based overflow

A vulnerability was detected in Shibby Tomato 1.28. Impacted is the function sub_90F0 of the file multimon.cgi. The manipulation results in stack-based buffer overflow. The attack can be launched rem…

tomato | Remote | Memory Corruption
May 29, 2026 May 29, 2026
9.0 HIGH
CVE-2026-10066 — Shibby Tomato UPS Service tomatoups.cgi sub_9068 stack-based overflow

A security vulnerability has been detected in Shibby Tomato up to 1.28. This issue affects the function sub_9068 of the file tomatoups.cgi of the component UPS Service. The manipulation leads to stac…

tomato | Remote | Memory Corruption
May 29, 2026 May 29, 2026
9.0 HIGH
CVE-2026-10065 — Shibby Tomato tomatodata.cgi get_ups_field stack-based overflow

A weakness has been identified in Shibby Tomato 1.28. This vulnerability affects the function get_ups_field of the file tomatodata.cgi. Executing a manipulation of the argument Date can lead to stack…

tomato | Remote | Memory Corruption
May 29, 2026 May 29, 2026
9.8 CRITICAL
CVE-2026-10064 — TRENDnet TEW-432BRP formSetPortTr stack-based overflow

A security flaw has been discovered in TRENDnet TEW-432BRP 3.10B20. This affects the function formSetPortTr of the file /goform/formSetPortTr. Performing a manipulation of the argument special_name r…

tew-432brp tew-432brp_firmware tew-432brp | Remote | Memory Corruption
May 29, 2026 Jun 03, 2026
8.8 HIGH
CVE-2018-25404 — The Open ISES Project 3.30A SQL Injection via add_facnote.php

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ticket_id parameter.…

Remote | Injection
May 29, 2026 May 29, 2026
8.8 HIGH
CVE-2018-25403 — The Open ISES Project 3.30A SQL Injection via city_graph.php

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attack…

Remote | Injection
May 29, 2026 May 29, 2026
8.8 HIGH
CVE-2018-25402 — The Open ISES Project 3.30A SQL Injection via inc_types_graph.php

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attack…

Remote | Injection
May 29, 2026 May 29, 2026
8.8 HIGH
CVE-2018-25401 — The Open ISES Project 3.30A SQL Injection via sever_graph.php

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attack…

Remote | Injection
May 29, 2026 May 29, 2026
8.8 HIGH
CVE-2018-25400 — The Open ISES Project 3.30A SQL Injection via form_post.php

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Atta…

Remote | Injection
May 29, 2026 May 29, 2026
Showing 20 of 7216 Results