Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2026-41346 OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-41347 OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by se... | 7.1 | HIGH | — | 0 |
| CVE-2026-41348 OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discor... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-41349 OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to b... | 8.8 | HIGH | — | 0 |
| CVE-2026-41350 OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invoca... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-41351 OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-enco... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-41352 OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials c... | 8.8 | HIGH | — | 0 |
| CVE-2026-41353 OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and ... | 8.1 | HIGH | — | 0 |
| CVE-2026-41354 OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can... | 3.7 | LOW | — | 0 |
| CVE-2026-41355 OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute a... | 7.3 | HIGH | — | 0 |
| CVE-2026-41356 OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing ... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-41357 OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by lever... | 3.3 | LOW | — | 0 |
| CVE-2026-41358 OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through a... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-41359 OpenClaw before 2026.3.28 contains a privilege escalation vulnerability allowing authenticated operators with write permissions to access admin-class Telegram configuration and cron persistence settin... | 7.1 | HIGH | — | 0 |
| CVE-2026-41360 OpenClaw before 2026.4.2 contains an approval integrity vulnerability in pnpm dlx that fails to bind local script operands consistently with pnpm exec flows. Attackers can replace approved local scrip... | 6.7 | MEDIUM | — | 0 |
| CVE-2026-41361 OpenClaw before 2026.3.28 contains an SSRF guard bypass vulnerability that fails to block four IPv6 special-use ranges. Attackers can exploit this by crafting URLs targeting internal or non-routable I... | 7.1 | HIGH | — | 0 |
| CVE-2026-6732 A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference. An atta... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-1789 A vulnerability in the browser-based remote management interface may allow an administrator to access sensitive information on the device via crafted requests, affecting certain production printers an... | 4.9 | MEDIUM | — | 0 |
| CVE-2026-25720 A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requir... | 5.4 | MEDIUM | — | 0 |
| CVE-2026-25775 A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-rel... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-27841 A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application doe... | 8.1 | HIGH | — | 0 |
| CVE-2026-27843 A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applyi... | 9.1 | CRITICAL | — | 0 |
| CVE-2026-35064 A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, ident... | 7.5 | HIGH | — | 0 |
| CVE-2026-35503 A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rathe... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-39462 A vulnerability exists in SenseLive X3050’s web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend. After the device ... | 8.1 | HIGH | — | 0 |
| CVE-2026-40431 A vulnerability exists in SenseLive X3050’s web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-40620 A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config applic... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-40623 A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inade... | 8.1 | HIGH | — | 0 |
| CVE-2026-40630 A vulnerability in SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network acce... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-2028 The MaxiBlocks Builder plugin for WordPress is vulnerable to arbitrary media file deletion due to insufficient file ownership validation on the 'maxi_remove_custom_image_size' AJAX action in all versi... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-6393 The BetterDocs plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.3.11. This is due to a missing capability check in the generate_openai_content_callback() f... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-5347 The HM Books Gallery plugin for WordPress is vulnerable to Missing Authorization in versions up to and including 4.8.0. This is due to the absence of capability checks and nonce verification in the ad... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-5364 The Drag and Drop File Upload for Contact Form 7 plugin for WordPress is vulnerable to arbitrary file upload in versions up to, and including, 1.1.3. This is due to the plugin extracting the file exte... | 8.1 | HIGH | — | 0 |
| CVE-2026-5428 The Royal Elementor Addons plugin for WordPress is vulnerable to Stored Cross-Site Scripting via image captions in the Image Grid/Slider/Carousel widget in versions up to and including 1.7.1056. This ... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-1950 Delta Electronics AS320T has No checking of the length of the buffer with the file name vulnerability. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-1951 Delta Electronics AS320T has no checking of the length of the buffer with the directory name vulnerability. | 9.8 | CRITICAL | — | 0 |
| CVE-2026-1952 Delta Electronics AS320T has denial of service via the undocumented subfunction vulnerability. | 9.8 | CRITICAL | — | 0 |
| CVE-2025-11762 The HubSpot All-In-One Marketing - Forms, Popups, Live Chat plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 11.3.32 via the leadin/public/adm... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-3565 The Taqnix plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.3. This is due to a missing nonce verification in the taqnix_delete_my_account() f... | 4.3 | MEDIUM | — | 0 |
| CVE-2026-4078 The ITERAS plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple shortcodes (iteras-ordering, iteras-signup, iteras-paywall-login, iteras-selfservice) in all versions up to an... | 6.4 | MEDIUM | — | 0 |
| CVE-2026-21728 Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by setting max_result... | 7.5 | HIGH | — | 0 |
| CVE-2026-41043 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache ActiveMQ, Apache ActiveMQ Web. An authenticated attacker can show malicious content when browsing... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-6043 P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate ... | N/A | NONE | — | 0 |
| CVE-2026-21515 Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network. | 9.9 | CRITICAL | — | 0 |
| CVE-2026-5265 When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP header's self-declared total lengt... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-5367 A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client ID length, could cau... | 8.6 | HIGH | — | 0 |
| CVE-2026-25660 CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with certain ... | N/A | NONE | — | 0 |
| CVE-2026-2503 The ElementCamp plugin for WordPress is vulnerable to time-based SQL Injection via the 'meta_query[compare]' parameter in the 'tcg_select2_search_post' AJAX action in all versions up to, and including... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-2720 The Hr Press Lite plugin for WordPress is vulnerable to unauthorized access of sensitive employee data due to a missing capability check on the `hrp-fetch-employees` AJAX action in all versions up to,... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-2723 The Post Snippits plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page handlers for ... | 6.1 | MEDIUM | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.