CVE Vulnerabilities
CVE database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-27008 OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a bug in `download` skill installation allowed `targetDir` values from skill frontmatter to resolve outside the per-skill tools directo... | 6.7 | MEDIUM | — | 0 |
| CVE-2026-27007 OpenClaw is a personal AI assistant. Prior to version 2026.2.15, `normalizeForHash` in `src/agents/sandbox/config-hash.ts` recursively sorted arrays that contained only primitive values. This made ord... | 3.3 | LOW | — | 0 |
| CVE-2026-27004 OpenClaw is a personal AI assistant. Prior to version 2026.2.15, in some shared-agent deployments, OpenClaw session tools (`sessions_list`, `sessions_history`, `sessions_send`) allowed broader session... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-27003 OpenClaw is a personal AI assistant. Telegram bot tokens can appear in error messages and stack traces (for example, when request URLs include `https://api.telegram.org/bot<token>/...`). Prior to vers... | 5.5 | MEDIUM | — | 0 |
| CVE-2026-27002 OpenClaw is a personal AI assistant. Prior to version 2026.2.15, a configuration injection issue in the Docker tool sandbox could allow dangerous Docker options (bind mounts, host networking, unconfin... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-27001 OpenClaw is a personal AI assistant. Prior to version 2026.2.15, OpenClaw embedded the current working directory (workspace path) into the agent system prompt without sanitization. If an attacker can ... | 7.8 | HIGH | — | 0 |
| CVE-2026-26972 OpenClaw is a personal AI assistant. In versions 2026.1.12 through 2026.2.12, OpenClaw browser download helpers accepted an unsanitized output path. When invoked via the browser control gateway routes... | 6.7 | MEDIUM | — | 0 |
| CVE-2026-26964 Windmill is an open-source developer platform for internal code: APIs, background jobs, workflows and UIs. Versions 1.634.6 and below allow non-admin users to obtain Slack OAuth client secrets, which... | 2.7 | LOW | — | 0 |
| CVE-2026-26963 Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Versions 1.18.0 through 1.18.5 will incorrectly permit traffic from Pods on other nodes when Native Routing, ... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-26959 ADB Explorer is a fluent UI for ADB on Windows. Versions 0.9.26020 and below fail to validate the integrity or authenticity of the ADB binary path specified in the ManualAdbPath setting before executi... | 7.8 | HIGH | — | 0 |
| CVE-2026-26957 Libredesk is a self-hosted customer support desk application. Versions prior to 1.0.2-0.20260215211005-727213631ce6 fail to validate destination URLs for webhooks, allowing an attacker posing as an au... | N/A | NONE | — | 0 |
| CVE-2026-26329 OpenClaw is a personal AI assistant. Prior to version 2026.2.14, authenticated attackers can read arbitrary files from the Gateway host by supplying absolute paths or path traversal sequences to the b... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-26328 OpenClaw is a personal AI assistant. Prior to version 2026.2.14, under iMessage `groupPolicy=allowlist`, group authorization could be satisfied by sender identities coming from the DM pairing store, b... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1292 Tanium addressed an insertion of sensitive information into log file vulnerability in Trends. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-26958 filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid re... | N/A | NONE | — | 0 |
| CVE-2026-26953 Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-26952 Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.4 and below are vulnerable to stored HTML injection through th... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-26327 OpenClaw is a personal AI assistant. Discovery beacons (Bonjour/mDNS and DNS-SD) include TXT records such as `lanHost`, `tailnetDns`, `gatewayPort`, and `gatewayTlsSha256`. TXT records are unauthentic... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-26326 OpenClaw is a personal AI assistant. Prior to version 2026.2.14, `skills.status` could disclose secrets to `operator.read` clients by returning raw resolved config values in `configChecks` for skill `... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-26325 OpenClaw is a personal AI assistant. Prior to version 2026.2.14, a mismatch between `rawCommand` and `command[]` in the node host `system.run` handler could cause allowlist/approval evaluation to be p... | 7.2 | HIGH | — | 0 |
| CVE-2026-26324 OpenClaw is a personal AI assistant. Prior to version 2026.2.14, OpenClaw's SSRF protection could be bypassed using full-form IPv4-mapped IPv6 literals such as `0:0:0:0:0:ffff:7f00:1` (which is `127.0... | 7.5 | HIGH | — | 0 |
| CVE-2026-26323 OpenClaw is a personal AI assistant. Versions 2026.1.8 through 2026.2.13 have a command injection in the maintainer/dev script `scripts/update-clawtributors.ts`. The issue affects contributors/maintai... | 8.8 | HIGH | — | 0 |
| CVE-2026-26322 OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Gateway tool accepted a tool-supplied `gatewayUrl` without sufficient restrictions, which could cause the OpenClaw host to... | 7.6 | HIGH | — | 0 |
| CVE-2026-26321 OpenClaw is a personal AI assistant. Prior to OpenClaw version 2026.2.14, the Feishu extension previously allowed `sendMediaFeishu` to treat attacker-controlled `mediaUrl` values as local filesystem p... | 7.5 | HIGH | — | 0 |
| CVE-2026-26320 OpenClaw is a personal AI assistant. OpenClaw macOS desktop client registers the `openclaw://` URL scheme. For `openclaw://agent` deep links without an unattended `key`, the app shows a confirmation d... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-26319 OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKe... | 7.5 | HIGH | — | 0 |
| CVE-2026-24122 Cosign provides code signing and transparency for containers and binaries. In versions 3.0.4 and below, an issuing certificate with a validity that expires before the leaf certificate will be consider... | 3.7 | LOW | — | 0 |
| CVE-2026-21535 Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network. | 8.2 | HIGH | — | 0 |
| CVE-2026-1658 User Interface (UI) Misrepresentation of Critical Information vulnerability in OpenText™ Directory Services allows Cache Poisoning. The vulnerability could be exploited by a bad actor to inject mani... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-9208 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Stored XSS. The vulnerability could execute mal... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-8055 Server-Side Request Forgery (SSRF) vulnerability in OpenText™ XM Fax allows Server Side Request Forgery. The vulnerability could allow an attacker to perform blind SSRF to other systems accessibl... | 5.3 | MEDIUM | — | 0 |
| CVE-2025-8054 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText™ XM Fax allows Path Traversal. The vulnerability could allow an attacker to arbitrarily discl... | 7.5 | HIGH | — | 0 |
| CVE-2025-13672 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Reflected XSS. The vulnerability could allow in... | 5.4 | MEDIUM | — | 0 |
| CVE-2025-13671 Cross-Site Request Forgery (CSRF) vulnerability in OpenText™ Web Site Management Server allows Cross Site Request Forgery. The vulnerability could make a user, with active session inside the product, ... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-26744 A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for v... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-26317 OpenClaw is a personal AI assistant. Prior to 2026.2.14, browser-facing localhost mutation routes accepted cross-origin browser requests without explicit Origin/Referer validation. Loopback binding re... | 7.1 | HIGH | — | 0 |
| CVE-2026-26316 OpenClaw is a personal AI assistant. Prior to 2026.2.13, the optional BlueBubbles iMessage channel plugin could accept webhook requests as authenticated based only on the TCP peer address being loopba... | 7.5 | HIGH | — | 0 |
| CVE-2026-26315 go-ethereum (Geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, through a flaw in the ECIES cryptography implementation, an attacker may be able to ext... | 7.5 | HIGH | — | 0 |
| CVE-2026-26314 go-ethereum (geth) is a golang execution layer implementation of the Ethereum protocol. Prior to version 1.16.9, a vulnerable node can be forced to shutdown/crash using a specially crafted message. Th... | 7.5 | HIGH | — | 0 |
| CVE-2026-26275 httpsig-hyper is a hyper extension for http message signatures. An issue was discovered in `httpsig-hyper` prior to version 0.0.23 where Digest header verification could incorrectly succeed due to mis... | 7.5 | HIGH | — | 0 |
| CVE-2026-2738 Buffer overflow in ovpn-dco-win version 2.8.0 allows local attackers to cause a system crash by sending too large packets to the remote peer when the AEAD tag appears at the end of the encrypted packe... | N/A | NONE | — | 0 |
| CVE-2026-27476 RustFly 2.0.0 contains a command injection vulnerability in its remote UI control mechanism that accepts hex-encoded instructions over UDP port 5005 without proper sanitization. Attackers can send cra... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-27440 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in myCred mycred allows Stored XSS. This issue affects myCred: from n/a through 2.9.7.6. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-27387 Missing Authorization vulnerability in designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects DirectoryPress: from n/a t... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-27368 Missing Authorization vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Exploiting Incorrectly Configured Access Control Security Levels.... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-27360 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS. This issue affects Photo Gallery by 1... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-27343 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Airtifact airtifact allows PHP Local File Inclusion. This issue affect... | 7.5 | HIGH | — | 0 |
| CVE-2026-27328 Missing Authorization vulnerability in DevsBlink EduBlink edublink allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects EduBlink: from n/a through <= 2.0.7. | 5.3 | MEDIUM | — | 0 |
| CVE-2026-27327 Missing Authorization vulnerability in YayCommerce YayMail – WooCommerce Email Customizer yaymail allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects YayMail – W... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-27114 NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop in the ROMFS archive parser. Version 6.0.163... | 7.5 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.