Total CVEs: 141,272
Critical Severity: 3,795
High Severity: 13,729
Last 7 Days: 1,855
Showing 8,841 - 8,860 of 14,204 CVEs
CVE-2026-1275 MEDIUM - 6.4

The Multi Post Carousel by Category plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'slides' shortcode attribute in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on the user-supplied 'slides' p...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1253 MEDIUM - 5.3

The Group Chat & Video Chat by AtomChat plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'atomchat_update_auth_ajax' and 'atomchat_update_layout_ajax' functions in all versions up to, and including, 1.1.7. This m...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1247 MEDIUM - 4.4

The Survey plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to...

Published: Mar 21, 2026
Source: NVD
CVE-2026-1093 MEDIUM - 6.4

The WPFAQBlock – FAQ & Accordion Plugin For Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'class' parameter of the 'wpfaqblock' shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping ...

Published: Mar 21, 2026
Source: NVD
CVE-2026-0609 MEDIUM - 6.4

The Logo Slider – Logo Carousel, Logo Showcase & Client Logo Slider Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the image alt text in all versions up to, and including, 4.9.0 due to insufficient input sanitization and output escaping in the 'logo-slider'...

Published: Mar 21, 2026
Source: NVD
CVE-2025-13910 MEDIUM - 6.1

The WP-WebAuthn plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting via the `wwa_auth` AJAX endpoint in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping on user supplied attributes logged by the plugin. This makes it po...

Vendor: axton
Product: WP-WebAuthn
Published: Mar 21, 2026
Source: NVD
CVE-2024-13785 MEDIUM - 5.6

The Contact Form, Survey, Quiz & Popup Form Builder – ARForms plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.7.2. This is due to the software allowing users to execute an action that does not properly validate a value before runnin...

Vendor: reputeinfosystems
Product: Contact Form, Survey, Quiz & Popup Form Builder – ARForms
Published: Mar 21, 2026
Source: NVD
CVE-2026-32899 MEDIUM - 4.3

OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from rest...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32898 MEDIUM - 5.4

OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool me...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32896 MEDIUM - 4.8

In OpenClaw versions prior to 2026.2.21, the BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heur...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32895 MEDIUM - 5.4

OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-allowlisted senders t...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32065 MEDIUM - 4.8

OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime execution uses raw argv. An attacker can craft a trailing-space executable token to execute...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32057 MEDIUM - 5.9

OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui cl...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32054 MEDIUM - 6.5

OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp di...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32053 MEDIUM - 6.5

OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state transiti...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32052 MEDIUM - 6.4

OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary co...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32046 MEDIUM - 5.3

OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers can leverage the disabled OS-level sandbox protections in the Chromiu...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32045 MEDIUM - 5.9

OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without proper authentication cre...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32044 MEDIUM - 5.5

OpenClaw versions prior to 2026.3.2 contain an archive extraction vulnerability in the tar.bz2 installer path that bypasses safety checks enforced on other archive formats. Attackers can craft malicious tar.bz2 skill archives to bypass special-entry blocking and extracted-size guardrails, causing lo...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD
CVE-2026-32043 MEDIUM - 6.5

OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and execution to bypass command ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 21, 2026
Source: NVD