Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
0.0 NA
CVE-2024-14031 — Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer …

Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library tha…

| Race Condition
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2024-14030 — Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer …

Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library tha…

| Race Condition
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-4267 — Query Monitor <= 3.20.3 - Reflected Cross-Site Scripting via Request URI

The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$_SERVER['REQUEST_URI']’ parameter in all versions up to, and…

| Cross-Site Scripting
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-3191 — Minify HTML <= 2.1.12 - Cross-Site Request Forgery to Plugin Settings Update

The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html…

| Cross-Site Request Forgery
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
0.0 NA
CVE-2026-3139 — User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Edito…

The User Profile Builder – Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including,…

| Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
7.5 HIGH
CVE-2026-34509 — OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowli…

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel r…

Remote | Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.5 MEDIUM
CVE-2026-34508 — OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validat…

OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds, allowing attackers to bypass rate limits and brute-force webhook secrets without triggering 429 responses. …

Remote | Authentication
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
7.5 HIGH
CVE-2026-34506 — OpenClaw < 2026.3.8 - Sender Allowlist Bypass in Microsoft Teams Plugin via Route Allowli…

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel r…

Remote | Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
9.8 CRITICAL
CVE-2026-34505 — OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validat…

OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated a…

Remote | Authentication
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
7.5 HIGH
CVE-2026-32988 — OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unvalidated Temporary File Creation

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attac…

| Race Condition
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
8.7 HIGH
CVE-2026-32982 — OpenClaw < 2026.3.13 - Telegram Bot Token Exposure in Media Fetch Error Logs

OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original…

Remote | Information Disclosure
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.3 MEDIUM
CVE-2026-32977 — OpenClaw < 2026.3.11 - Sandbox Boundary Bypass via Unanchored writeFile Commit Path

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker c…

| Race Condition
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
7.1 HIGH
CVE-2026-32976 — OpenClaw < 2026.3.11 - Account-Scoped configWrites Policy Bypass via Channel Commands

OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-account configuration despite configWrites restrictions. Attackers with …

Remote | Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
7.3 HIGH
CVE-2026-32971 — OpenClaw < 2026.3.11 - Node-Host Approval UI Mismatch Allows Execution of Unintended Comm…

OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapp…

Remote | Misconfiguration
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
2.5 LOW
CVE-2026-32970 — OpenClaw < 2026.3.11 - Credential Fallback Logic Bypass via Unavailable Local Auth Secret…

OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remot…

| Authentication
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
6.3 MEDIUM
CVE-2026-32921 — OpenClaw < 2026.3.8 - Script Content Modification via Mutable Operand Binding in system.r…

OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for sc…

Remote | Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
9.8 CRITICAL
CVE-2026-32920 — OpenClaw < 2026.3.12 - Arbitrary Code Execution via Auto-Discovery of Workspace Plugins

OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious …

Remote | Supply Chain
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
9.8 CRITICAL
CVE-2026-32917 — OpenClaw < 2026.3.13 - Remote Command Injection via Unsanitized iMessage Attachment Paths…

OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The…

Remote | Injection
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
9.2 CRITICAL
CVE-2026-32916 — OpenClaw 2026.3.7 < 2026.3.11 - Authorization Bypass in Plugin Subagent Routes via Synthe…

OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administr…

Remote | Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
7.0 HIGH
CVE-2026-4400 — Multiple vulnerabilities in 1millionbot Millie chatbot

Insecure Direct Object Reference (IDOR) vulnerability in 1millionbot Millie chat that allows private conversations of other users being viewed by simply changing the conversation ID. The vulnerabilit…

Remote | Authorization
Mar 31, 2026 Mar 31, 2026
Mar 31, 2026
Mar 31, 2026
Showing 20 of 6045 Results