Vulnerabilidades CVE
Base de dados CVE enriquecida com CISA KEV e NVD
| CVE ID | CVSS | Severidade | KEV | Avistamentos |
|---|---|---|---|---|
| CVE-2024-52446 Cross-Site Request Forgery (CSRF) vulnerability in Buying Buddy Buying Buddy IDX CRM buying-buddy-idx-crm allows Object Injection.This issue affects Buying Buddy IDX CRM: from n/a through <= 1.2.8. | 8.8 | HIGH | — | 0 |
| CVE-2024-52447 Path Traversal: '.../...//' vulnerability in corporatezen222 Contact Page With Google Map contact-page-with-google-map allows Path Traversal.This issue affects Contact Page With Google Map: from n/a t... | 8.6 | HIGH | — | 0 |
| CVE-2024-52448 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in webcodingplace Ultimate Classified Listings ultimate-classified-listings allows PHP Local File Inclusion... | 7.5 | HIGH | — | 0 |
| CVE-2024-52450 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in officialprocoders nBlocks nblocks allows PHP Local File Inclusion.This issue af... | 7.5 | HIGH | — | 0 |
| CVE-2024-52451 Cross-Site Request Forgery (CSRF) vulnerability in aaronrobbins Post Ideas post-ideas allows SQL Injection.This issue affects Post Ideas: from n/a through <= 2. | 8.2 | HIGH | — | 0 |
| CVE-2024-52470 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in brainvireinfo Dynamic URL SEO dynamic-url-seo allows Reflected XSS.This issue affects Dynamic URL ... | 7.1 | HIGH | — | 0 |
| CVE-2024-52472 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Weather Atlas Weather Atlas Widget weather-atlas allows Reflected XSS.This issue affects Weather A... | 7.1 | HIGH | — | 0 |
| CVE-2024-52473 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Sandeep Verma HTML5 Lyrics Karaoke Player html5-lyrics-karaoke-player allows Reflected XSS.This is... | 7.1 | HIGH | — | 0 |
| CVE-2024-11402 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in kubiq Block Editor Bootstrap Blocks block-editor-bootstrap-blocks allows Reflected XSS.This issue ... | 7.1 | HIGH | — | 0 |
| CVE-2024-52475 Authentication Bypass Using an Alternate Path or Channel vulnerability in Information Technology Wawp automation-web-platform allows Authentication Bypass.This issue affects Wawp: from n/a through < 3... | 9.8 | CRITICAL | — | 0 |
| CVE-2024-52490 Unrestricted Upload of File with Dangerous Type vulnerability in pathomation Pathomation pathomation allows Upload a Web Shell to a Web Server.This issue affects Pathomation: from n/a through <= 2.5.1... | 10.0 | CRITICAL | — | 0 |
| CVE-2024-52495 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in enituretechnology Distance Based Shipping Calculator distance-based-shipping-calculator allows SQL... | 8.5 | HIGH | — | 0 |
| CVE-2024-52496 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AbsolutePlugins Absolute Addons For Elementor absolute-addons allows Local Code... | 7.5 | HIGH | — | 0 |
| CVE-2024-52497 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in quomodosoft Shopready shopready-elementor-addon allows PHP Local File Inclusion... | 7.5 | HIGH | — | 0 |
| CVE-2024-52498 Path Traversal: '.../...//' vulnerability in softpulseinfotech SP Blog Designer sp-blog-designer allows PHP Local File Inclusion.This issue affects SP Blog Designer: from n/a through <= 1.0.0. | 7.5 | HIGH | — | 0 |
| CVE-2026-28454 OpenClaw versions prior to 2026.2.2 fail to validate webhook secrets in Telegram webhook mode (must be enabled), allowing unauthenticated HTTP POST requests to the webhook endpoint that trust attacker... | 7.5 | HIGH | — | 0 |
| CVE-2026-28456 OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import(), a... | 7.2 | HIGH | — | 0 |
| CVE-2026-26122 Initialization of a resource with an insecure default in Azure Compute Gallery allows an authorized attacker to disclose information over a network. | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28457 OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills ... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-28458 OpenClaw version 2026.1.20 prior to 2026.2.1 contains a vulnerability in the Browser Relay (extension must be installed and enabled) /cdp WebSocket endpoint in which it does not require authentication... | 8.1 | HIGH | — | 0 |
| CVE-2026-28459 OpenClaw versions prior to 2026.2.12 fail to validate the sessionFile path parameter, allowing authenticated gateway clients to write transcript data to arbitrary locations on the host filesystem. Att... | 7.1 | HIGH | — | 0 |
| CVE-2026-28462 OpenClaw versions prior to 2026.2.13 contain a vulnerability in the browser control API in which it accepts user-supplied output paths for trace and download files without consistently constraining wr... | 7.5 | HIGH | — | 0 |
| CVE-2013-5150 The history-clearing feature in Safari in Apple iOS before 7 does not clear the back/forward history of an open tab, which allows physically proximate attackers to obtain sensitive information by leve... | N/A | NONE | — | 0 |
| CVE-2026-28464 OpenClaw versions prior to 2026.2.12 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network ac... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-28465 OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untruste... | 5.9 | MEDIUM | — | 0 |
| CVE-2026-28466 OpenClaw versions prior to 2026.2.14 contain a vulnerability in the gateway in which it fails to sanitize internal approval fields in node.invoke parameters, allowing authenticated clients to bypass e... | 9.9 | CRITICAL | — | 0 |
| CVE-2026-28467 OpenClaw versions prior to 2026.2.2 contain a server-side request forgery vulnerability in attachment and media URL hydration that allows remote attackers to fetch arbitrary HTTP(S) URLs. Attackers wh... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28468 OpenClaw versions 2026.1.29-beta.1 prior to 2026.2.14 contain a vulnerability in the sandbox browser bridge server in which it accepts requests without requiring gateway authentication, allowing local... | 7.7 | HIGH | — | 0 |
| CVE-2026-28469 OpenClaw versions prior to 2026.2.14 contain a webhook routing vulnerability in the Google Chat monitor component that allows cross-account policy context misrouting when multiple webhook targets shar... | 7.5 | HIGH | — | 0 |
| CVE-2026-26124 '.../...//' in Azure Compute Gallery allows an authorized attacker to elevate privileges locally. | 6.7 | MEDIUM | — | 0 |
| CVE-2013-5151 Mobile Safari in Apple iOS before 7 does not prevent HTML interpretation of a document served with a text/plain content type, which allows remote attackers to conduct cross-site scripting (XSS) attack... | N/A | NONE | — | 0 |
| CVE-2026-28471 OpenClaw version 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contain a vulnerability in which DM allowlist matching could be bypassed by exact-matching against sender ... | 5.3 | MEDIUM | — | 0 |
| CVE-2026-28472 OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. ... | 8.1 | HIGH | — | 0 |
| CVE-2026-28473 OpenClaw versions prior to 2026.2.2 contain an authorization bypass vulnerability where clients with operator.write scope can approve or deny exec approval requests by sending the /approve chat comman... | 8.1 | HIGH | — | 0 |
| CVE-2026-28474 OpenClaw's Nextcloud Talk plugin versions prior to 2026.2.6 accept equality matching on the mutable actor.name display name field for allowlist validation, allowing attackers to bypass DM and room all... | 9.8 | CRITICAL | — | 0 |
| CVE-2026-28475 OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network ac... | 4.8 | MEDIUM | — | 0 |
| CVE-2026-26125 Payment Orchestrator Service Elevation of Privilege Vulnerability | 8.6 | HIGH | — | 0 |
| CVE-2026-28477 OpenClaw versions prior to 2026.2.14 contain an oauth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a ... | 7.1 | HIGH | — | 0 |
| CVE-2026-28478 OpenClaw versions prior to 2026.2.13 contain a denial of service vulnerability in webhook handlers that buffer request bodies without strict byte or time limits. Remote unauthenticated attackers can s... | 7.5 | HIGH | — | 0 |
| CVE-2026-28479 OpenClaw versions prior to 2026.2.15 use SHA-1 to hash sandbox identifier cache keys for Docker and browser sandbox configurations, which is deprecated and vulnerable to collision attacks. An attacker... | 7.5 | HIGH | — | 0 |
| CVE-2026-28480 OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can sp... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-28481 OpenClaw versions 2026.1.30 and earlier, contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bea... | 6.5 | MEDIUM | — | 0 |
| CVE-2013-5152 Mobile Safari in Apple iOS before 7 allows remote attackers to spoof the URL bar via a crafted web site. | N/A | NONE | — | 0 |
| CVE-2026-28484 Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | N/A | NONE | — | 0 |
| CVE-2026-28485 OpenClaw versions 2026.1.5 prior to 2026.2.12 fail to enforce mandatory authentication on the /agent/act browser-control HTTP route, allowing unauthorized local callers to invoke privileged operations... | 8.4 | HIGH | — | 0 |
| CVE-2026-28486 OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended direct... | 6.1 | MEDIUM | — | 0 |
| CVE-2026-29606 OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass o... | 6.5 | MEDIUM | — | 0 |
| CVE-2026-29609 OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the fetchWithGuard function that allocates entire response payloads in memory before enforcing maxBytes limits. Remote... | 7.5 | HIGH | — | 0 |
| CVE-2026-29610 OpenClaw versions prior to 2026.2.14 contain a command hijacking vulnerability that allows attackers to execute unintended binaries by manipulating PATH environment variables through node-host executi... | 8.8 | HIGH | — | 0 |
| CVE-2026-27778 The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by... | 7.5 | HIGH | — | 0 |
This product uses data from the NVD API but is not endorsed or certified by the NVD.