Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.9 MEDIUM
CVE-2026-25720 — SenseLive X3050 Insufficient session expiration

A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requi…

Remote | Authentication
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
9.8 CRITICAL
CVE-2026-40630 — SenseLive X3050 Authentication bypass using an alternate path or channel

A vulnerability in  SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network acc…

Remote | Authorization
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
6.9 MEDIUM
CVE-2026-1789 — Xerox Printer Information Disclosure Vulnerability

A vulnerability in the browser-based remote management interface may allow an administrator to access sensitive information on the device via crafted requests, affecting certain production printers a…

Remote | Information Disclosure
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
0.0 NA
CVE-2026-29197 — Apache Apps Engine Log Information Disclosure Vulnerability

In versions <8.4.0, <8.3.2, <8.2.2, <8.1.3, <8.0.4, <7.13.6, <7.12.7, <7.11.7, and <7.10.10, the endpoints /api/apps/logs and /api/apps/:id/logs have a typo in the required permission check, allowing…

| Authorization
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
6.5 MEDIUM
CVE-2026-6732 — Libxml2: libxml2: denial of service via crafted xsd-validated document

A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An att…

| Denial of Service
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.1 HIGH
CVE-2026-41361 — OpenClaw < 2026.3.28 - SSRF Guard Bypass via IPv6 Special-Use Ranges

OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable …

Remote | Server-Side Request Forgery
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
6.7 MEDIUM
CVE-2026-41360 — OpenClaw < 2026.4.2 - Approval Integrity Bypass in pnpm dlx Local Script Binding

OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scri…

| Misconfiguration
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.1 HIGH
CVE-2026-41359 — OpenClaw < 2026.3.28 - Privilege Escalation via operator.write to Admin-Class Telegram Co…

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence setti…

Remote | Authorization
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
5.4 MEDIUM
CVE-2026-41358 — OpenClaw < 2026.4.2 - Sender Allowlist Bypass via Slack Thread Context

OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through …

Remote | Injection
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
3.3 LOW
CVE-2026-41357 — OpenClaw < 2026.3.31 - Unsanitized Environment Variable Leakage in SSH Sandbox Backends

OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leve…

| Information Disclosure
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
5.4 MEDIUM
CVE-2026-41356 — OpenClaw < 2026.3.31 - Incomplete WebSocket Session Termination in device.token.rotate

OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing…

Remote | Authentication
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.3 HIGH
CVE-2026-41355 — OpenShell < 2026.3.28 - Arbitrary Code Execution via Mirror Mode Sandbox File Conversion

OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute …

| Misconfiguration
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
6.3 MEDIUM
CVE-2026-41354 — OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers ca…

Remote | Misconfiguration
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
8.1 HIGH
CVE-2026-41353 — OpenClaw < 2026.3.22 - allowProfiles Bypass via Profile Mutation and Runtime Selection

OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and…

Remote | Authorization
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
8.8 HIGH
CVE-2026-41352 — OpenClaw < 2026.3.31 - Remote Code Execution via Node Scope Gate Bypass

OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials …

Remote | Authentication
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
6.3 MEDIUM
CVE-2026-41351 — OpenClaw < 2026.3.31 - Webhook Replay Detection Bypass via Base64 Signature Re-encoding

OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-enc…

Remote | Authentication
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
5.3 MEDIUM
CVE-2026-41350 — OpenClaw < 2026.3.31 - Session Visibility Bypass via session_status in Unsandboxed Invoca…

OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invoc…

Remote | Authorization
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
8.8 HIGH
CVE-2026-41349 — OpenClaw < 2026.3.28 - Agentic Consent Bypass via config.patch

OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to …

Remote | Authorization
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
5.4 MEDIUM
CVE-2026-41348 — OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands

OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Disco…

Remote | Authorization
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
7.1 HIGH
CVE-2026-41347 — OpenClaw < 2026.3.31 - Cross-Site Request Forgery via Missing Browser-Origin Validation i…

OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by s…

Remote | Cross-Site Request Forgery
Apr 23, 2026 Apr 23, 2026
Apr 23, 2026
Apr 23, 2026
Showing 20 of 6369 Results