Latest CVE Feed

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

Score
Vulnerability
Published
7.5 HIGH
CVE-2026-15618 — mosaxiv clawlet exec Safety Guard tool_exec.go guardExecCommand protection mechanism

A security flaw has been discovered in mosaxiv clawlet up to 0.2.10. The affected element is the function guardExecCommand of the file tools/tool_exec.go of the component exec Safety Guard. The manip…

Remote | Misconfiguration
Jul 14, 2026 Jul 14, 2026
Jul 14, 2026
Jul 14, 2026
6.8 MEDIUM
CVE-2026-58489 — HedgeDoc: CSRF in GitHub Gist export callback

HedgeDoc is an open source, real-time collaborative markdown notes application. Prior to 1.11.0, the GitHub Gist export flow created an OAuth2  state  value but only checked that it was present rathe…

Remote | Cross-Site Request Forgery
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.3 HIGH
CVE-2026-58486 — HedgeDoc: Denial-of-service via YAML alias expansion in note frontmatter

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to version 1.11.0, HedgeDoc was vulnerable to a YAML alias bomb due to unsafe processing of the note frontmatte…

Remote | Denial of Service
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
0.0 NA
CVE-2026-58102 — Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow a heap out-of-bounds read via a…

Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow a heap out-of-bounds read via a long certificate extension OID in hv_exts. When building the extension hash (via extensions(), extensions_by…

| Memory Corruption
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
0.0 NA
CVE-2026-58101 — Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL poin…

Crypt::OpenSSL::X509 versions before 2.1.3 for Perl allow denial of service via NULL pointer dereference. X509V3_EXT_d2i(ext) returns NULL when an extension's DER value fails to parse. basicC, ia5st…

| Denial of Service
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.8 HIGH
CVE-2026-57856 — Cockpit CMS Path Traversal via Bucket Name in Bucket File Storage API

Cockpit CMS contains a path traversal vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php sanitizes the bucket name with preg…

Remote | Path Traversal
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.8 HIGH
CVE-2026-57855 — Cockpit CMS Missing Authorization in Bucket File Storage API

Cockpit CMS contains a missing authorization vulnerability in the Bucket file storage API (/system/buckets/api). The api() method in modules/System/Controller/Buckets.php executes bucket commands (ls…

Remote | Authorization
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
4.3 MEDIUM
CVE-2026-15607 — tanstack db Alias Path select.ts select prototype pollution

A vulnerability was detected in tanstack db up to 0.6.8. Affected by this vulnerability is the function select of the file src/query/compiler/select.ts of the component Alias Path Handler. The manipu…

Remote | Misconfiguration
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
3.1 LOW
CVE-2026-15605 — wandb Artifact Integrity Validation hashutil.py ArtifactManifestEntry.download weak hash

A security vulnerability has been detected in wandb 0.25.2.dev1. Affected is the function ArtifactManifestEntry.download in the library wandb/sdk/lib/hashutil.py of the component Artifact Integrity V…

Remote | Cryptography
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
7.5 HIGH
CVE-2026-62328 — 9Router 0.4.41 - Unauthenticated Information Disclosure via API Usage Endpoints

9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to access sensitive user data by sending requests to unprotected API endpoi…

Remote | Information Disclosure
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
9.1 CRITICAL
CVE-2026-62327 — 9Router 0.4.41 - Unauthenticated API Key Exposure via /api/usage/stats

9Router through version 0.4.41 contain an unauthenticated information disclosure vulnerability that allows remote attackers to retrieve plaintext API keys for all connected AI provider accounts by se…

Remote | Information Disclosure
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.6 HIGH
CVE-2026-62242 — Spring Boot Admin Server < 4.1.2 SSRF via Unauthenticated Instance Registration

Spring Boot Admin Server before 4.1.2 contains a server-side request forgery vulnerability that allows unauthenticated attackers to register instances with attacker-controlled healthUrl and managemen…

Remote | Server-Side Request Forgery
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
7.4 HIGH
CVE-2026-62240 — CrewAI < 1.15.1 SSRF Filter Bypass via HTTP Redirect in Scrape Tools

CrewAI before 1.15.1 contains a server-side request forgery vulnerability in the validate_url function that performs one-shot DNS resolution and blocklist checks before returning the original URL unc…

Remote | Server-Side Request Forgery
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
6.6 MEDIUM
CVE-2026-62239 — FlashAttention Symlink Attack via tarfile.extractall in hopper/setup.py

FlashAttention through 2.8.3.post1, fixed in commit 0816ef1, contains a symlink attack vulnerability in the download_and_copy() function within hopper/setup.py that extracts NVIDIA toolchain archives…

| Misconfiguration
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.8 HIGH
CVE-2026-62200 — OpenClaw < 2026.6.6 Authentication Bypass via Git ext transport

OpenClaw versions before 2026.6.1 contain a flaw in host exec environment filtering that could allow Git ext transport to be abused. When the affected feature is enabled and reachable, a lower-trust …

Remote | Authorization
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.8 HIGH
CVE-2026-62199 — OpenClaw < 2026.6.6 Authentication Bypass via Environment Filtering

OpenClaw versions before 2026.6.6 contain a flaw in host exec environment filtering that can miss interpreter startup variables. When the affected feature is enabled and reachable, a lower-trust call…

Remote | Injection
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
4.3 MEDIUM
CVE-2026-62198 — OpenClaw 2026.5.28 < 2026.6.6 Authorization Bypass via Web Search

OpenClaw versions 2026.5.28 before 2026.6.6 contain an authorization bypass vulnerability in native web search that allows lower-trust callers to perform actions requiring stronger policy checks. Att…

Remote | Authorization
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.5 HIGH
CVE-2026-62197 — OpenClaw < 2026.6.6 Policy Bypass via CDP Discovery

OpenClaw before 2026.6.6 contains a policy bypass vulnerability in browser CDP discovery that accepts blocked WebSocket URLs. Attackers with lower-trust access can reach network destinations that sho…

Remote | Misconfiguration
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.3 HIGH
CVE-2026-62196 — OpenClaw 2026.3.22 < 2026.6.6 Authorization Bypass via WhatsApp Group IDs

OpenClaw versions 2026.3.22 before 2026.6.6 contain an authorization bypass vulnerability where WhatsApp group IDs can satisfy elevated sender allowlists. Attackers with lower-trust access can perfor…

Remote | Authorization
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
8.3 HIGH
CVE-2026-62195 — OpenClaw 2026.5.20 < 2026.6.6 Authorization Bypass via MCP loopback

OpenClaw versions 2026.5.20 before 2026.6.6 contain an authorization bypass vulnerability in the MCP loopback feature that allows lower-trust callers to execute owner-only tools. Attackers can bypass…

Remote | Authorization
Jul 13, 2026 Jul 13, 2026
Jul 13, 2026
Jul 13, 2026
Showing 20 of 7431 Results