Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
9.1 CRITICAL
CVE-2026-41386 — OpenClaw < 2026.3.22 - Privilege Escalation via Unbound Bootstrap Setup Codes

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability where bootstrap setup codes are not bound to intended device roles and scopes during pairing. Attackers can exploit this during…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.1 HIGH
CVE-2026-41385 — OpenClaw < 2026.3.31 - Nostr Private Key Exposure via config.get Redaction Bypass

OpenClaw before 2026.3.31 stores Nostr privateKey as plaintext in configuration, allowing exposure through config.get method calls that bypass redaction mechanisms. Attackers can retrieve unredacted …

Remote | Information Disclosure
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.5 HIGH
CVE-2026-41384 — OpenClaw < 2026.3.24 - Environment Variable Injection via Workspace Config in CLI Backend

OpenClaw before 2026.3.24 contains an environment variable injection vulnerability in the CLI backend runner that allows attackers to inject malicious environment variables through workspace configur…

| Injection
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.1 HIGH
CVE-2026-41383 — OpenClaw < 2026.4.2 - Arbitrary Remote Directory Deletion via Mis-scoped Mirror Mode Paths

OpenClaw before 2026.4.2 contains an arbitrary directory deletion vulnerability in mirror mode that allows attackers to delete remote directories by influencing remoteWorkspaceDir and remoteAgentWork…

Remote | Path Traversal
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.4 MEDIUM
CVE-2026-41382 — OpenClaw < 2026.3.31 - Discord Voice Ingress Authorization Bypass via Channel and Role Va…

OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord voice ingress that allows attackers to bypass channel and member allowlist restrictions. Attackers can exploit stal…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.4 MEDIUM
CVE-2026-41381 — OpenClaw < 2026.3.31 - Access Control Bypass in Discord Voice Manager via Channel Allowli…

OpenClaw before 2026.3.31 contains an access control bypass vulnerability in the Discord voice manager that allows attackers to bypass channel-level member access allowlist restrictions. Attackers ca…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.3 HIGH
CVE-2026-41380 — OpenClaw < 2026.3.28 - Arbitrary Execution Allowlist via Wrapper Carrier Executables

OpenClaw before 2026.3.28 contains an execution approval vulnerability in exec-approvals-allowlist.ts that allows allow-always persistence to trust wrapper carrier executables instead of invoked targ…

| Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.1 HIGH
CVE-2026-41379 — OpenClaw < 2026.3.28 - Privilege Escalation via chat.send to Admin-Class Talk Voice Config

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Talk Voice configuration persistence. Attackers w…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.8 HIGH
CVE-2026-41378 — OpenClaw < 2026.3.31 - Privilege Escalation to Remote Code Execution via Unrestricted nod…

OpenClaw before 2026.3.31 contains a privilege escalation vulnerability allowing paired nodes with role=node to dispatch node.event agent requests with unrestricted gateway-side tool access. Attacker…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.1 MEDIUM
CVE-2026-41377 — OpenClaw < 2026.3.31 - Fail-Open Security Scan Bypass in Plugin Installation

OpenClaw before 2026.3.31 contains a fail-open vulnerability in the plugin installation flow where security scan failures do not block installation. Attackers can exploit scan failures to install unt…

Remote | Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
5.4 MEDIUM
CVE-2026-41376 — OpenClaw < 2026.3.31 - Matrix Thread Context Allowlist Bypass via Sender Validation

OpenClaw before 2026.3.31 contains an allowlist bypass vulnerability in Matrix thread root and reply context handling that fails to properly validate message senders. Attackers can fetch thread-root …

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
7.1 HIGH
CVE-2026-41375 — OpenClaw < 2026.3.28 - Authorization Bypass in /phone arm and /phone disarm Endpoints

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in the /phone arm and /phone disarm endpoints that fails to properly enforce operator.admin scope checks for external channels…

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
6.9 MEDIUM
CVE-2026-41374 — OpenClaw < 2026.3.31 - Resource Consumption via Discord Audio Preflight Before Member Aut…

OpenClaw before 2026.3.31 performs Discord audio preflight transcription before validating member authorization, allowing unauthenticated attackers to consume resources. Remote attackers can trigger …

Remote | Authorization
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
6.1 MEDIUM
CVE-2026-41373 — OpenClaw < 2026.3.31 - Compiler Binary Substitution via Environment Variable Override in …

OpenClaw before 2026.3.31 contains an incomplete host-env-security-policy.json that fails to restrict compiler binary environment variables, allowing untrusted models to substitute CC, CXX, CARGO_BUI…

| Misconfiguration
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
0.0 NA
CVE-2026-7294 — SourceCodester Pizzafy Ecommerce System index.php save_settings cross site scripting

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. Affected by this vulnerability is the function save_settings of the file /admin/index.php?page=save_settings. This manipulation o…

| Cross-Site Scripting
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
6.3 MEDIUM
CVE-2026-24231 — NVIDIA NemoClaw SSRF

NVIDIA NemoClaw contains a vulnerability in the validateEndpointUrl() SSRF protection component, where an attacker could cause a server-side request forgery by supplying a crafted endpoint URL refere…

| Server-Side Request Forgery
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.6 HIGH
CVE-2026-24222 — NVIDIA NeMoClaw Information Disclosure Vulnerability

NVIDIA NeMoClaw contains a vulnerability in the sandbox environment initialization component, where a remote attacker could cause improper access control by sending prompt-injected content that cause…

Remote | Information Disclosure
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
6.5 MEDIUM
CVE-2026-24204 — NVIDIA Flare SDK Path Traversal Information Disclosure

NVIDIA Flare SDK contains a vulnerability where an Attacker may cause an Improper Input Validation by path traversing. A successful exploit of this vulnerability may lead to information disclosure.

Remote | Path Traversal
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
8.8 HIGH
CVE-2026-24186 — NVIDIA FLARE SDK Deserialization Code Execution Vulnerability

NVIDIA FLARE SDK contains a vulnerability in FOBS, where an attacker may cause deserialization of untrusted data by sending a malicious FOBS- encoded message. A successful exploit of this vulnerabil…

Remote | Injection
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
0.0 NA
CVE-2026-7293 — SourceCodester Pizzafy Ecommerce System ajax.php delete_category sql injection

A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Affected is the function delete_category of the file /admin/ajax.php?action=delete_category. The manipulation of the argum…

| Injection
Apr 28, 2026 Apr 28, 2026
Apr 28, 2026
Apr 28, 2026
Showing 20 of 5894 Results