Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
CVE Intelligence

Vulnerabilities published in the last 30 days. Filter by severity, exploit status, or attack vector.

All Critical Actively Exploited Remotely Exploitable
Last Updated Published CVSS Score
Score
Vulnerability
Published
6.4 MEDIUM
CVE-2026-1093 — WPFAQBlock– FAQ & Accordion Plugin For Gutenberg <= 1.1 - Authenticated (Contributor+) St…

The WPFAQBlock– FAQ & Accordion Plugin For Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'wpfaqblock' shortcode in all versions up to, a…

Remote | Cross-Site Scripting
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.4 MEDIUM
CVE-2026-0609 — Logo Slider <= 4.9.0 - Authenticated (Author+) Stored Cross-Site Scripting via 'logo-slid…

The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and includin…

Remote | Cross-Site Scripting
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
8.1 HIGH
CVE-2025-14037 — Invelity Products Feeds <= 1.2.6 - Cross-Site Request Forgery to Arbitrary File Deletion

The Invelity Product Feeds plugin for WordPress is vulnerable to arbitrary file deletion via path traversal in all versions up to, and including, 1.2.6. This is due to missing validation and sanitiza…

Remote | Path Traversal
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.1 MEDIUM
CVE-2025-13910 — WP-WebAuthn <= 1.3.4 - Unauthenticated Stored Cross-Site Scripting

The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the `wwa_auth` AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient inpu…

Remote | Cross-Site Scripting
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
5.6 MEDIUM
CVE-2024-13785 — Contact Form, Survey, Quiz & Popup Form Builder – ARForms <= 1.7.2 - Unauthenticated Blin…

The The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. This is due to the s…

Remote | Injection
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
7.2 HIGH
CVE-2026-4302 — WowOptin: Next-Gen Popup Maker <= 1.4.29 - Unauthenticated Server-Side Request Forgery vi…

The WowOptin: Next-Gen Popup Maker plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.4.29. This is due to the plugin exposing a publicly access…

Remote | Server-Side Request Forgery
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
5.3 MEDIUM
CVE-2026-32899 — OpenClaw < 2026.2.25 - Sender Policy Bypass in Slack Reaction and Pin Event Handlers

OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass config…

Remote | Authorization
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
5.4 MEDIUM
CVE-2026-32898 — OpenClaw < 2026.2.23 - ACP Permission Auto-Approval Bypass via Untrusted Tool Metadata

OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuris…

Remote | Authorization
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.3 MEDIUM
CVE-2026-32897 — OpenClaw < 2026.2.22 - Authentication Token Reuse in Owner ID Prompt Hashing Fallback

OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is un…

Remote | Authentication
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.3 MEDIUM
CVE-2026-32896 — OpenClaw < 2026.2.21 - Unauthenticated Webhook Access via Passwordless Fallback in BlueBu…

OpenClaw versions prior to 2026.2.21 BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local rout…

Remote | Authentication
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
5.4 MEDIUM
CVE-2026-32895 — OpenClaw < 2026.2.26 - Sender Authorization Bypass in Slack System Event Handlers

OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack …

Remote | Authorization
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
3.7 LOW
CVE-2026-32067 — OpenClaw < 2026.2.26 - Cross-Account Authorization Bypass in DM Pairing Store

OpenClaw versions prior to 2026.2.26 contains an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approv…

Remote | Authorization
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
5.7 MEDIUM
CVE-2026-32065 — OpenClaw < 2026.2.25 - Approval Identity Mismatch in system.run Command Execution

OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, bu…

Remote | Injection
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
8.5 HIGH
CVE-2026-32064 — OpenClaw < 2026.2.21 - Missing VNC Authentication in Sandbox Browser noVNC Observer

OpenClaw versions prior to 2026.2.21 sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attack…

| Authentication
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
2.6 LOW
CVE-2026-32058 — OpenClaw < 2026.2.26 - Approval Context-Binding Weakness in system.run via host=node

OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environm…

Remote | Authorization
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.0 MEDIUM
CVE-2026-32057 — OpenClaw < 2026.2.25 - Authentication Bypass via Control UI client.id Parameter

OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity …

Remote | Authentication
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
7.7 HIGH
CVE-2026-32056 — OpenClaw < 2026.2.22 - Remote Code Execution via Shell Startup Environment Variable Injec…

OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remo…

Remote | Injection
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
7.6 HIGH
CVE-2026-32055 — OpenClaw < 2026.2.26 - Workspace Path Boundary Bypass via Non-existent Symlink

OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks p…

Remote | Path Traversal
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.5 MEDIUM
CVE-2026-32054 — OpenClaw < 2026.2.25 - Symlink Traversal in Browser Trace/Download Path Handling

OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory…

| Path Traversal
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
6.9 MEDIUM
CVE-2026-32053 — OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization

OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe…

Remote | Misconfiguration
Mar 21, 2026 Mar 21, 2026
Mar 21, 2026
Mar 21, 2026
Showing 20 of 5812 Results