CVE-2026-41341 — OpenClaw < 2026.3.31 - Component Interaction Misclassification in Discord Extension
Remote | Misconfiguration | Apr 23, 2026
OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-component…

CVE-2026-41340 — OpenClaw < 2026.3.31 - Authentication Boundary Bypass via Telegram Legacy allowFrom Migra…
Remote | Authentication | Apr 23, 2026
OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exp…

CVE-2026-41339 — OpenClaw < 2026.4.2 - Information Disclosure via Gateway Connect Snapshot
Remote | Information Disclosure | Apr 23, 2026
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths…

CVE-2026-41338 — OpenClaw < 2026.3.31 - Time-of-Check-Time-of-Use (TOCTOU) Vulnerability in Sandbox File O…
Race Condition | Apr 23, 2026
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act pattern…

CVE-2026-41337 — OpenClaw < 2026.3.31 - Callback Origin Mutation in Plivo Voice-call Replay
Remote | Injection | Apr 23, 2026
OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers wi…

CVE-2026-41336 — OpenClaw < 2026.3.31 - Arbitrary Hook Code Execution via OPENCLAW_BUNDLED_HOOKS_DIR Envir…
Misconfiguration | Apr 23, 2026
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted…

CVE-2026-41335 — OpenClaw < 2026.3.31 - Information Disclosure via Control UI Bootstrap JSON
Remote | Information Disclosure | Apr 23, 2026
OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitiv…

CVE-2026-41334 — OpenClaw < 2026.3.31 - Decompression Bomb Denial of Service via Image Pixel-Limit Guard B…
Remote | Denial of Service | Apr 23, 2026
OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized …

CVE-2026-41333 — OpenClaw < 2026.3.31 - Authentication Rate Limiting Bypass via Fake DeviceToken
Remote | Authentication | Apr 23, 2026
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can e…

CVE-2026-41332 — OpenClaw < 2026.3.28 - Code Execution via Missing Environment Variable Blocklist
Misconfiguration | Apr 23, 2026
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit appro…

CVE-2026-2708 — Libsoup: libsoup: http request smuggling via duplicate content-length headers
Remote | Misconfiguration | Apr 23, 2026
A request smuggling vulnerability exists in libsoup's HTTP/1 header parsing logic. The soup_message_headers_append_common() function in libsoup/soup-message-headers.c unconditionally appends each hea…

CVE-2026-32172 — Microsoft Power Apps Remote Code Execution Vulnerability
Apr 23, 2026
(no description)

CVE-2026-35431 — Microsoft Entra ID Entitlement Management Spoofing Vulnerability
Apr 23, 2026
(no description)

CVE-2026-24303 — Microsoft Partner Center Elevation of Privilege Vulnerability
Apr 23, 2026
(no description)

CVE-2026-26150 — Microsoft Purview eDiscovery Elevation of Privilege Vulnerability
Apr 23, 2026
(no description)

CVE-2026-33102 — Microsoft 365 Copilot Elevation of Privilege Vulnerability
Apr 23, 2026
(no description)

CVE-2026-32210 — Microsoft Dynamics 365 (online) Spoofing Vulnerability
Apr 23, 2026
(no description)

CVE-2026-26210 — KTransformers Unsafe Deserialization RCE via balance_serve
Remote | Misconfiguration | Apr 23, 2026
KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balance_serve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authe…

CVE-2026-6942 — radare2-mcp <=1.6.0 OS Command Injection via Shell Metacharacter Bypass
Remote | Injection | Apr 23, 2026
radare2-mcp version 1.6.0 and earlier contains an OS command injection vulnerability that allows remote attackers to execute arbitrary commands by bypassing the command filter through shell metachara…