Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
7.3 HIGH
CVE-2026-41390 — OpenClaw < 2026.3.28 - Exec Allowlist Bypass via Unregistered /usr/bin/script Wrapper

OpenClaw before 2026.3.28 contains an exec allowlist bypass vulnerability where allow-always persistence fails to unwrap /usr/bin/script and similar wrappers before storing trust decisions. Attackers…

| Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
6.5 MEDIUM
CVE-2026-41388 — OpenClaw < 2026.3.31 - Configuration Rehydration via Empty-Array Revocation Handling

OpenClaw before 2026.3.31 contains a configuration management vulnerability where startup migration treats empty-array settings as missing values. Attackers can restart the application to rehydrate r…

Remote | Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.5 HIGH
CVE-2026-41387 — OpenClaw < 2026.3.22 - Supply Chain Redirection via Incomplete Host Environment Sanitizat…

OpenClaw before 2026.3.22 contains an incomplete host environment variable sanitization vulnerability in host-env-security-policy.json and host-env-security.ts that allows package-manager environment…

| Injection
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
9.1 CRITICAL
CVE-2026-41386 — OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.1 HIGH
CVE-2026-41385 — OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass

OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls that bypass redaction mechanisms. Attackers can retrieve unredacted …

Remote | Information Disclosure
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.5 HIGH
CVE-2026-41384 — OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend

OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configur…

| Injection
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.1 HIGH
CVE-2026-41383 — OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths

OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWork…

Remote | Path Traversal
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.4 MEDIUM
CVE-2026-41382 — OpenClaw < 2026.3.31 - Discord Voice Ingress Authorization Bypass via Channel and Role Va…

OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stal…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.4 MEDIUM
CVE-2026-41381 — OpenClaw < 2026.3.31 - Access Control Bypass in Discord Voice Manager via Channel Allowli…

OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to bypass channel-level member access allowlist restrictions. Attackers ca…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.3 HIGH
CVE-2026-41380 — OpenClaw < 2026.3.28 - Arbitrary Execution Allowlist via Wrapper Carrier Executables

OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targ…

| Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.1 HIGH
CVE-2026-41379 — OpenClaw < 2026.3.28 - Privilege Escalation via chat.send to Admin-Class Talk Voice Config

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Talk Voice configuration persistence. Attackers w…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.8 HIGH
CVE-2026-41378 — OpenClaw < 2026.3.31 - Privilege Escalation to Remote Code Execution via Unrestricted nod…

OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attacker…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.1 MEDIUM
CVE-2026-41377 — OpenClaw < 2026.3.31 - Fail-Open Security Scan Bypass in Plugin Installation

OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install unt…

Remote | Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.4 MEDIUM
CVE-2026-41376 — OpenClaw < 2026.3.31 - Matrix Thread Context Allowlist Bypass via Sender Validation

OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root …

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.1 HIGH
CVE-2026-41375 — OpenClaw < 2026.3.28 - Authorization Bypass in /phone arm and /phone disarm Endpoints

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for external channels…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
6.9 MEDIUM
CVE-2026-41374 — OpenClaw < 2026.3.31 - Resource Consumption via Discord Audio Preflight Before Member Aut…

OpenClaw before 2026.3.31 performs Discord audio preflight transcription before validating member authorization, allowing unauthenticated attackers to consume resources. Remote attackers can trigger …

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
6.1 MEDIUM
CVE-2026-41373 — OpenClaw < 2026.3.31 - Compiler Binary Substitution via Environment Variable Override in …

OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restrict compiler binary environment variables, allowing untrusted models to substitute CC, CXX, CARGO_BUI…

| Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
9.4 CRITICAL
CVE-2026-3893 — Carlson Software VASCO-B GNSS Receiver Missing Authentication for Critical Function

The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needi…

Remote | Authentication
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
0.0 NA
CVE-2026-38949 — HTMLy XSS Vulnerability

Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user i…

| Cross-Site Scripting
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
6.3 MEDIUM
CVE-2026-24231 — NVIDIA NemoClaw SSRF

NVIDIA NemoClaw contains a vulnerability in the validateEndpointUrl() SSRF protection component, where an attacker could cause a server-side request forgery by supplying a crafted endpoint URL refere…

| Server-Side Request Forgery
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
Showing 20 of 5907 Results