CVE-2026-28475 MEDIUM - 4.8

OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually re...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 05, 2026
Source: NVD
CVE-2026-28467 MEDIUM - 5.3

OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers who can influence media URLs through model-controlled sendAttachment or auto-reply mechanisms can trig...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 05, 2026
Source: NVD
CVE-2026-28459 MEDIUM - 6.5

OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Attackers can supply a sessionFile path outside the sessions directory to create files and append data ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 05, 2026
Source: NVD
CVE-2026-28457 MEDIUM - 5.3

OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences l...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 05, 2026
Source: NVD
CVE-2026-28452 MEDIUM - 5.5

OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exha...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 05, 2026
Source: NVD
CVE-2026-28451 MEDIUM - 5.3

OpenClaw versions prior to 2026.2.14 contain server-side request forgery vulnerabilities in the Feishu extension that allow attackers to fetch attacker-controlled remote URLs without SSRF protections via sendMediaFeishu function and markdown image processing. Attackers can influence tool calls throu...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 05, 2026
Source: NVD
CVE-2026-28450 MEDIUM - 6.2

OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote attacke...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 05, 2026
Source: NVD
CVE-2026-28448 MEDIUM - 5.6

OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can ment...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 05, 2026
Source: NVD
CVE-2026-28395 MEDIUM - 4.8

OpenClaw versions 2026.1.14-1 prior to 2026.2.12 contain an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl ...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 05, 2026
Source: NVD
CVE-2026-28394 MEDIUM - 6.5

OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attackers can social-engineer users into fetching malicious U...

Vendor: OpenClaw
Product: OpenClaw
Published: Mar 05, 2026
Source: NVD
CVE-2026-30227 MEDIUM - 5.3

MimeKit is a C# library which may be used for the creation and parsing of messages using the Multipurpose Internet Mail Extension (MIME), as defined by numerous IETF specifications. Prior to version 4.15.1, a CRLF injection vulnerability in MimeKit allows an attacker to embed \r\n into the SMTP enve...

Vendor: nuget
Product: MimeKit
Published: Mar 05, 2026
Source: GitHub
CVE-2026-29787 MEDIUM - 5.3

mcp-memory-service is an open-source memory backend for multi-agent systems. Prior to version 10.21.0, the /api/health/detailed endpoint returns detailed system information including OS version, Python version, CPU count, memory totals, disk usage, and the full database filesystem path. When MCP_ALL...

Vendor: pip
Product: mcp-memory-service
Published: Mar 05, 2026
Source: GitHub
CVE-2026-3419 MEDIUM - 5.3

Fastify incorrectly accepts malformed `Content-Type` headers containing trailing characters after the subtype token, in violation of RFC 9110 §8.3.1 (https://httpwg.org/specs/rfc9110.html#field.content-type). For example, a request sent with Content-Type: application/json garbage passes validation an...

Vendor: npm
Product: fastify
Published: Mar 05, 2026
Source: GitHub
CVE-2026-30233 MEDIUM - 6.5

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authorization flaw in OliveTin allows authenticated users with view: false permission to enumerate action bindings and metadata via dashboard and API endpoints. Although execution (exec) may be co...

Vendor: go
Product: github.com/OliveTin/OliveTin
Published: Mar 05, 2026
Source: GitHub
CVE-2026-29081 MEDIUM - 6.5

Frappe is a full-stack web application framework. Prior to versions 14.100.1 and 15.100.0, an endpoint was vulnerable to SQL injection through specially crafted requests, which would allow a malicious actor to extract sensitive information. This issue has been patched in versions 14.100.1 and 15.100...

Vendor: frappe
Product: frappe
Published: Mar 05, 2026
Source: NVD
CVE-2026-22723 MEDIUM - 6.5

Inappropriate user token revocation due to a logic error in the token revocation endpoint implementation in Cloudfoundry UAA v77.30.0 to v78.7.0 and in Cloudfoundry Deployment v48.7.0 to v54.10.0.

Vendor: Cloudfoundry Foundation
Product: UAA
Published: Mar 05, 2026
Source: NVD
CVE-2026-30225 MEDIUM - 5.3

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, an authentication context confusion vulnerability in RestartAction allows a low-privileged authenticated user to execute actions they are not permitted to run. RestartAction constructs a new internal...

Vendor: go
Product: github.com/OliveTin/OliveTin
Published: Mar 05, 2026
Source: GitHub
CVE-2026-30224 MEDIUM - 5.4

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). ...

Vendor: go
Product: github.com/OliveTin/OliveTin
Published: Mar 05, 2026
Source: GitHub
CVE-2026-29795 MEDIUM - 4.0

stellar-xdr is a library and CLI containing types and functionality for working with Stellar XDR. Prior to version 25.0.1, StringM::from_str does not validate that the input length is within the declared maximum (MAX). Calling StringM::<N>::from_str(s) where s is longer than N bytes succeeds a...

Vendor: rust
Product: stellar-xdr
Published: Mar 05, 2026
Source: GitHub
CVE-2026-29084 MEDIUM - 4.6

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to version 2.2.3, the login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a sessi...

Vendor: go
Product: github.com/forceu/gokapi
Published: Mar 05, 2026
Source: GitHub