CVE Vulnerabilities
CVE vulnerability database enriched with CISA KEV and NVD data
| CVE ID | CVSS | Severity | KEV | Sightings |
|---|---|---|---|---|
| CVE-2026-34219 libp2p-rust is the official rust language Implementation of the libp2p networking stack. Prior to version 0.49.4, the Rust libp2p Gossipsub implementation contains a remotely reachable panic in backof... | 5.9 | MEDIUM | β | 0 |
| CVE-2026-34218 ClearanceKit intercepts file-system access events on macOS and enforces per-process access policies. Prior to version 4.2.14, two related startup defects created a window during which only the single ... | 5.5 | MEDIUM | β | 0 |
| CVE-2026-30284 An arbitrary file overwrite vulnerability in UXGROUP LLC Voice Recorder v10.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or ... | 8.6 | HIGH | β | 0 |
| CVE-2026-30281 An arbitrary file overwrite vulnerability in MaruNuri LLC v2.0.23 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-30276 An arbitrary file overwrite vulnerability in DeftPDF Document Translator v54.0 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-22569 An incorrect startup configuration of affected versions of Zscaler Client Connector on Windows may cause a limited amount of traffic from being inspected under rare circumstances. | 5.4 | MEDIUM | β | 0 |
| CVE-2026-22561 Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer... | 7.8 | HIGH | β | 0 |
| CVE-2026-4799 In Search Guard FLX up to version 4.0.1, it is possible to use specially crafted requests to redirect the user to an untrusted URL. | 4.3 | MEDIUM | β | 0 |
| CVE-2026-34532 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.67 and 9.7.0-alpha.11, an attacker can bypass Cloud Function validator acc... | 9.1 | CRITICAL | β | 0 |
| CVE-2026-34504 OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or c... | 8.3 | HIGH | β | 0 |
| CVE-2026-34503 OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through exis... | 8.1 | HIGH | β | 0 |
| CVE-2026-34377 ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner t... | 8.1 | HIGH | β | 0 |
| CVE-2026-34373 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allow... | 8.8 | HIGH | β | 0 |
| CVE-2026-34363 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class vi... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-34224 Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication pro... | 4.4 | MEDIUM | β | 0 |
| CVE-2026-34214 Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary ... | 7.7 | HIGH | β | 0 |
| CVE-2026-34210 mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating Payment... | 8.1 | HIGH | β | 0 |
| CVE-2026-34209 mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against ... | 7.5 | HIGH | β | 0 |
| CVE-2026-34202 ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-chain version 6.0.1, a vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated at... | 7.5 | HIGH | β | 0 |
| CVE-2026-34200 Nhost is an open source Firebase alternative with GraphQL. Prior to version 1.41.0, The Nhost CLI MCP server, when explicitly configured to listen on a network port, applies no inbound authentication ... | 7.5 | HIGH | β | 0 |
| CVE-2026-34172 Giskard is an open-source Python library for testing and evaluating agentic systems. Prior to versions 0.3.4 and 1.0.2b1, ChatWorkflow.chat(message) passes its string argument directly as a Jinja2 tem... | 8.8 | HIGH | β | 0 |
| CVE-2026-34165 go-git is an extensible git implementation library written in pure Go. From version 5.0.0 to before version 5.17.1, a vulnerability has been identified in which a maliciously crafted .idx file can cau... | 5.0 | MEDIUM | β | 0 |
| CVE-2026-34163 FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept ... | 7.7 | HIGH | β | 0 |
| CVE-2026-34162 FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, the FastGPT HTTP tools testing endpoint (/api/core/app/httpTools/runTool) is exposed without any authentication. This endpoint acts... | 10.0 | CRITICAL | β | 0 |
| CVE-2026-33762 go-git is an extensible git implementation library written in pure Go. Prior to version 5.17.1, go-gitβs index decoder for format version 4 fails to validate the path name prefix length before applyin... | 2.8 | LOW | β | 0 |
| CVE-2026-33581 OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass loc... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33580 OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach ... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33579 OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privil... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-33578 OpenClaw before 2026.3.28 contains a sender policy bypass vulnerability in the Google Chat and Zalouser extensions where route-level group allowlist policies silently downgrade to open policy. Attacke... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-33577 OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers ... | 8.1 | HIGH | β | 0 |
| CVE-2026-33576 OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media stor... | 6.5 | MEDIUM | β | 0 |
| CVE-2026-33276 Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-30314 Ridvay Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile reg... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-30312 DSAI-Cline's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on string-based... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-30311 Ridvay Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile reg... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-30309 InfCode's terminal auto-execution module contains a critical command filtering vulnerability that renders its blacklist security mechanism completely ineffective. The predefined blocklist fails to cov... | 7.8 | HIGH | β | 0 |
| CVE-2026-29870 A directory traversal vulnerability in the agentic-context-engine project versions up to 0.7.1 allows arbitrary file writes via the checkpoint_dir parameter in OfflineACE.run. The save_to_file method ... | 7.6 | HIGH | β | 0 |
| CVE-2026-20915 Stored cross-site scripting (XSS) in Checkmk version 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Ch... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-0596 A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without pro... | N/A | NONE | β | 0 |
| CVE-2026-3308 An integer overflow vulnerability in 'pdf-image.c' in Artifex's MuPDF version 1.27.0 allows an attacker to maliciously craft a PDF that can trigger an integer overflow within the 'pdf_load_image_imp' ... | 7.8 | HIGH | β | 0 |
| CVE-2026-34156 NocoBase is an AI-powered no-code/low-code platform for building business applications and enterprise solutions. Prior to version 2.0.28, NocoBase's Workflow Script Node executes user-supplied JavaScr... | 9.9 | CRITICAL | β | 0 |
| CVE-2026-34155 RAUC controls the update process on embedded Linux systems. Prior to version 1.15.2, RAUC bundles using the 'plain' format exceeding a payload size of 2 GiB cause an integer overflow which results in ... | 5.3 | MEDIUM | β | 0 |
| CVE-2026-30310 In its design for automatic terminal command execution, Sixth offers two options: Execute safe commands and Execute all commands. The description for the former states that commands determined by the ... | 9.8 | CRITICAL | β | 0 |
| CVE-2026-5198 A vulnerability was determined in code-projects Student Membership System 1.0. The impacted element is an unknown function of the file /admin/index.php of the component Admin Login. This manipulation ... | 7.3 | HIGH | β | 0 |
| CVE-2026-4267 The Query Monitor β The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the β$_SERVER['REQUEST_URI']β parameter in all versions up to, and ... | 7.2 | HIGH | β | 0 |
| CVE-2026-3191 The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_... | 5.4 | MEDIUM | β | 0 |
| CVE-2026-3139 The User Profile Builder β Beautiful User Registration Forms, User Profiles & User Role Editor plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, ... | 4.3 | MEDIUM | β | 0 |
| CVE-2026-34509 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | β | 0 |
| CVE-2026-34508 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | β | 0 |
| CVE-2026-34506 OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel ro... | 4.3 | MEDIUM | β | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.