Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.6 HIGH
CVE-2026-41302 — OpenClaw < 2026.3.31 - Server-Side Request Forgery via Unguarded fetch() in Marketplace P…

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attack…

Remote | Server-Side Request Forgery
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
6.9 MEDIUM
CVE-2026-41301 — OpenClaw 2026.3.22 < 2026.3.31 - Forged Nostr DM Pairing State Creation via Signature Ver…

OpenClaw versions 2026.3.22 before 2026.3.31 contain a signature verification bypass vulnerability in the Nostr DM ingress path that allows pairing challenges to be issued before event signature vali…

Remote | Authentication
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
6.9 MEDIUM
CVE-2026-41300 — OpenClaw < 2026.3.31 - Attacker-Discovered Endpoint Preservation in Remote Onboarding

OpenClaw before 2026.3.31 contains a trust-decline vulnerability that preserves attacker-discovered endpoints in remote onboarding flows. Attackers can route gateway credentials to malicious endpoint…

Remote | Misconfiguration
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
7.1 HIGH
CVE-2026-41299 — OpenClaw < 2026.3.28 - Client Identity Spoofing in chat.send Gateway Provenance Guard

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the chat.send gateway method where ACP-only provenance fields are gated by self-declared client metadata from WebSocket han…

Remote | Authorization
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
5.4 MEDIUM
CVE-2026-41298 — OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint

OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by s…

Remote | Authorization
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
7.6 HIGH
CVE-2026-41297 — OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redire…

OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows attackers to access internal resources by following unvalid…

Remote | Server-Side Request Forgery
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
8.8 HIGH
CVE-2026-41296 — OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile

OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path val…

Remote | Race Condition
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
8.5 HIGH
CVE-2026-41295 — OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in C…

OpenClaw before 2026.4.2 contains an improper trust boundary vulnerability allowing untrusted workspace channel shadows to execute during built-in channel setup and login. Attackers can clone a works…

| Misconfiguration
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
8.6 HIGH
CVE-2026-41294 — OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File

OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a…

| Misconfiguration
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
4.3 MEDIUM
CVE-2026-41285 — OpenBSD slaacd and rad Infinite Loop ICMPv6 Neighbor Discovery Vulnerability

In OpenBSD through 7.8, the slaacd and rad daemons have an infinite loop when they receive a crafted ICMPv6 Neighbor Discovery (ND) option (over a local network) with length zero, because of an "nd_o…

| Denial of Service
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
5.9 MEDIUM
CVE-2026-40045 — OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway…

OpenClaw before 2026.4.2 accepts non-loopback cleartext ws:// gateway endpoints and transmits stored gateway credentials over unencrypted connections. Attackers can forge discovery results or craft s…

| Misconfiguration
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
6.3 MEDIUM
CVE-2026-35588 — Glances has CQL Injection in its Cassandra Export Module via Unsanitized Config Values

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Cassandra export module (`glances/exports/glances_cassandra/__init__.py`) interpolates `keyspace`, `table`…

| Injection
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
7.3 HIGH
CVE-2026-35587 — Glances IP Plugin has SSRF via public_api that leads to credential leakage

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation …

Remote | Server-Side Request Forgery
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
8.4 HIGH
CVE-2026-35570 — OpenClaude has Sandbox Bypass via Early-Exit Logic Flaw that Allows Path Traversal

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool…

| Path Traversal
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
7.7 HIGH
CVE-2026-34839 — Glances Vulnerable to Cross-Origin Information Disclosure via Unauthenticated REST API (/…

Glances is an open-source system cross-platform monitoring tool. Prior to version 4.5.4, the Glances web server exposes a REST API (`/api/4/*`) that is accessible without authentication and allows cr…

Remote | Information Disclosure
Apr 21, 2026 Apr 21, 2026
Apr 21, 2026
Apr 21, 2026
4.7 MEDIUM
CVE-2026-5721 — wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 6.5.0.4 - Un…

The wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 6.5.0.4. This is …

Remote | Cross-Site Scripting
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
5.3 MEDIUM
CVE-2026-34082 — Dify has IDOR in deleting someone else's chat conversation

Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows…

Remote | Authorization
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
6.3 MEDIUM
CVE-2026-6729 — HKUDS OpenHarness Session Key Collision Privilege Escalation

HKUDS OpenHarness prior to PR #159 remediation contains a session key derivation vulnerability that allows authenticated participants in shared chats or threads to hijack other users' sessions by exp…

Remote | Authentication
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
0.0 NA
CVE-2026-29643 — XiangShan RISC-V Processor CSR Subsystem Improper Exceptional-Condition Handling Vulnerab…

XiangShan (Open-source high-performance RISC-V processor) commit edb1dfaf7d290ae99724594507dc46c2c2125384 (2024-11-28) contains an improper exceptional-condition handling flaw in its CSR subsystem (N…

| Denial of Service
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
2.3 LOW
CVE-2026-22051 — StorageGRID Information Disclosure Vulnerability

StorageGRID (formerly StorageGRID Webscale) versions prior to 11.9.0.13 and 12.0.0.6 are susceptible to a Information Disclosure vulnerability. Successful exploit could allow an authenticated attacke…

Remote | Information Disclosure
Apr 20, 2026 Apr 20, 2026
Apr 20, 2026
Apr 20, 2026
Showing 20 of 6042 Results