CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Cvelist•added yesterday•7 views

CVE-2026-53808 OpenClaw < 2026.5.6 - Approval Policy Bypass in Skill Workshop Apply Flow

OpenClaw before 2026.5.6 contains an approval policy bypass vulnerability in the Skill Workshop apply flow that allows agent tool calls to set apply: true despite approvalPolicy: pending configuration. Attackers can exploit this by reaching the affected apply path to apply workshop changes before...

6.5CVSS

RedhatCVE•added last week•5 views

CVE-2026-6145

The User Registration & Membership plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 5.1.5. This is due to the isadmincreationprocess method relying solely on the presence of action=createuser in the $REQUEST superglobal without performing any...

5.3CVSS5.5AI score0.0018EPSS

Exploits1References1

RedhatCVE•added 2026/06/02 4:3 a.m.•8 views

CVE-2026-32906

OpenClaw before 2026.5.12 contains a privilege escalation vulnerability in Slack plugin approvals that allows exec-authorized users to resolve plugin approvals through the exec approver gate. Attackers with limited exec approval permissions can bypass intended approval splits to approve plugin...

Snyk•added 2026/05/29 5:22 p.m.•9 views

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization via the exec approver gate process. An attacker can gain unauthorized approval capabilities by leveraging limited exec approval permissions to bypass intended...

ATTACKERKB•added 2026/05/29 3:9 p.m.•5 views

CVE-2026-32906

Positive Technologies•added 2026/05/29 12:0 a.m.•7 views

Exploits0References3

PT-2026-44892

Positive Technologies•added 2026/05/29 12:0 a.m.•6 views

Exploits0References3

PT-2026-44896

OpenClaw before 2026.5.18 contains an authorization bypass vulnerability in QQBot native approval buttons that fails to enforce configured approver identity. Non-approver users can click approval buttons to resolve pending exec or plugin approval requests without proper authorization...

8CVSS5.8AI score0.00041EPSS

Exploits0References3

CVE•added 2026/05/28 5:32 p.m.•16 views

CVE-2026-45311

The CVE concerns the DeepSeek-TUI run_tests tool, where versions 0.3.0–0.8.23 auto-run cargo test without user approval, enabling execution of arbitrary code via test code and build scripts. The root cause is that tests are auto-approved, allowing attacker-controlled test code in a malicious repo...

9.6CVSS6.2AI score0.00047EPSS

Cvelist•added 2026/05/28 5:32 p.m.•28 views

CVE-2026-45311 CodeWhale: run_tests Tool Enables RCE via Malicious Repository Without Approval

CodeWhale is a DeepSeek + MiMo coding agent in terminal. From 0.3.0 to 0.8.23, the runtests tool executes cargo test in the workspace with ApprovalRequirement::Auto, meaning it runs without any user approval prompt. cargo test compiles and executes arbitrary code: test binaries, build.rs build...

9.6CVSS0.00047EPSS

EUVD•added 2026/05/28 5:26 p.m.•6 views

EUVD-2026-32962

CodeWhale is a DeepSeek + MiMo coding agent in terminal. Prior to 0.8.26, the taskcreate tool spawns durable sub-agents that inherit two insecure defaults, allowshell defaults to true config.rs:1499: self.allowshell.unwraportrue and autoapprove defaults to true taskmanager.rs:297: autoapprove:...

9.6CVSS5.8AI score0.00045EPSS

Vulnrichment•added 2026/05/22 3:29 p.m.•7 views

CVE-2026-9251

Missing authorization in the entry status management feature in Devolutions Server allows a non-administrator authenticated user to bypass the administrator-enforced Pending Approval flow and gain access to an entry's data via a crafted status change request. This issue affects : Devolutions Serv...

5.8AI score0.0003EPSS

CNNVD•added 2026/05/22 12:0 a.m.•7 views

Devolutions Server 安全漏洞

Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server from 2026.1.6.0 to 2026.1.16.0, as well as versions prior to 2025.3.20.0, have security...

5.4CVSS5.8AI score0.0003EPSS

Cvelist•added 2026/05/18 6:57 p.m.•23 views

CVE-2026-45244 Summarize < 0.15.1 Unapproved Browser Automation Execution

Summarize prior to 0.15.1 contains a missing authorization vulnerability that allows attackers to execute browser automation actions without per-call user approval when the extension automation feature is enabled. Attackers can influence the agent through malicious page or summary content to invo...

5.4CVSS0.00027EPSS

Exploits1References4

CNNVD•added 2026/05/18 12:0 a.m.•5 views

Summarize 安全漏洞

Summarize is a multi-source rapid summarization tool developed by Peter Steinberger. Versions of Summarize prior to 0.15.1 contain security vulnerabilities. These vulnerabilities stem from an issue with authorization deficiencies, which could allow attackers to execute browser automation operatio...

5.4CVSS5.9AI score0.00027EPSS

Exploits1References1

Cvelist•added 2026/05/14 8:24 a.m.•36 views

CVE-2026-6145 User Registration & Membership <= 5.1.5 - Unauthenticated Missing Authorization to Admin Approval Bypass via 'action' Parameter

5.3CVSS0.0018EPSS

EUVD•added 2026/05/14 8:24 a.m.•7 views

EUVD-2026-30257

CVE•added 2026/05/14 8:24 a.m.•16 views

CVE-2026-6145

CVE-2026-6145 affects the WordPress plugin “User Registration & Membership” (versions up to 5.1.5). The vulnerability arises from is_admin_creation_process() relying solely on the presence of action=createuser in $_REQUEST, with no authentication or capability checks. This allows unauthenticated ...

Vulnrichment•added 2026/05/14 8:24 a.m.•7 views

CVE-2026-6145 User Registration & Membership <= 5.1.5 - Unauthenticated Missing Authorization to Admin Approval Bypass via 'action' Parameter

ATTACKERKB•added 2026/05/14 8:24 a.m.•6 views

CVE-2026-6145