Lucene search
+L

489 matches found

euvd
euvd
added 2026/04/10 12:30 a.m.7 views

EUVD-2026-21112

OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages before enforcing sender and pairing policy validation. Attackers can trigger unauthorized pre-authentication computation by sending crafted DM messages, enabling denial of service through...

6.9CVSS5.9AI score0.00454EPSS
Exploits0References5
github
github
added 2026/04/10 12:30 a.m.9 views

Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-mf5g-6r6f-ghhm. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token validation...

6.5CVSS5.7AI score0.00244EPSS
Exploits0References5Affected Software1
cve
cve
added 2026/04/09 5:16 p.m.85 views

CVE-2026-39987

CVE-2026-39987 — Marimo WebSocket terminal endpoint unauthenticated pre-auth RCE. The vulnerability resides in the terminal WebSocket at /terminal/ws, which accepts connections without authenticating, unlike the /ws endpoint that invokes validate_auth(). An unauthenticated client can obtain a ful...

9.8CVSS6.2AI score0.95645EPSS
In wildExploits11References5Affected Software1
osv
osv
added 2026/04/09 5:16 p.m.2 views

CVE-2026-39987 marimo Affected by Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass

marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands. Unlike other WebSock...

9.3CVSS7.5AI score0.95645EPSS
Exploits11References7
osv
osv
added 2026/04/07 6:8 p.m.4 views

CVE-2026-39337 ChurchCRM Affected by Unauthenticated RCE in Install Wizard

ChurchCRM is an open-source church management system. Prior to 7.1.0, critical pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...

10CVSS6.7AI score0.00715EPSS
Exploits0References3
debiancve
debiancve
added 2026/04/03 3:28 a.m.7 views

CVE-2026-35537

An issue was discovered in Roundcube Webmail before 1.5.14 and 1.6.14. Unsafe deserialization in the redis/memcache session handler may lead to arbitrary file write operations by unauthenticated attackers via crafted session data...

7.5CVSS5.7AI score0.00475EPSS
Exploits0
github
github
added 2026/04/02 9:1 p.m.15 views

OpenClaw: LINE webhook handler lacks shared pre-auth concurrency budget before signature verification

Summary LINE webhook handler lacks shared pre-auth concurrency budget before signature verification Current Maintainer Triage - Status: open - Normalized severity: low - Assessment: Shipped v2026.3.28 lacks a shared pre-auth concurrency budget on the public LINE webhook path, but the effect is...

6.9CVSS5.9AI score0.00459EPSS
Exploits0References6Affected Software1
thn
thn
added 2026/04/02 12:45 p.m.10 views

ThreatsDay Bulletin: Pre-Auth Chains, Android Rootkits, CloudTrail Evasion & 10 More Stories

The latest ThreatsDay Bulletin is basically a cheat sheet for everything breaking on the internet right now. No corporate fluff or boring lectures here, just a quick and honest look at the messy reality of keeping systems safe this week. Things are moving fast. The list includes researchers...

9.8CVSS6.4AI score0.49424EPSS
Exploits1
github
github
added 2026/03/31 12:31 p.m.7 views

Duplicate Advisory: OpenClaw has Bypass in Webhook Rate Limiting via Pre-Authentication Secret Validation

Duplicate Advisory This advisory has been withdrawn because CVE-2026-34508 has been rejected as a duplicate of CVE-2026-34505. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.12 applies rate limiting only after webhook authentication succeeds,...

5.8AI score0.00056EPSS
Exploits0References4Affected Software1
vulnrichment
vulnrichment
added 2026/03/31 11:17 a.m.4 views

CVE-2026-34505 OpenClaw < 2026.3.12 - Webhook Rate Limiting Bypass via Pre-Authentication Secret Validation

OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit responses, enabling...

6.9CVSS5.9AI score0.00272EPSS
Exploits0References2
cve
cve
added 2026/03/30 9:42 p.m.27 views

CVE-2026-33952

FreeRDP prior to 3.24.2 is affected by CVE-2026-33952, where an unvalidated auth_length read from the network triggers a WINPR_ASSERT() failure in rts_read_auth_verifier_no_checks() and causes a client crash via RPC-over-HTTP gateway. The issue is mitigated by upgrading to FreeRDP 3.24.2 or later...

6.5CVSS5.8AI score0.00271EPSS
Exploits1References2Affected Software1
osv
osv
added 2026/03/29 3:50 p.m.4 views

GHSA-MF5G-6R6F-GHHM OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token

Summary Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Weak Webhook Token Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details...

6.3CVSS5.9AI score0.00244EPSS
Exploits0References5
github
github
added 2026/03/29 3:50 p.m.11 views

OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token

Summary Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Weak Webhook Token Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details...

6.5CVSS5.9AI score0.00244EPSS
Exploits0References5Affected Software1
osv
osv
added 2026/03/27 11:47 a.m.6 views

BIT-NATS-2026-27889 NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Starting in version 2.2.0 and prior to versions 2.11.14 and 2.12.5, a missing sanity check on a WebSockets frame could trigger a server panic in the nats-server. This happens before authentication, and...

7.5CVSS6AI score0.00582EPSS
Exploits0References9
osv
osv
added 2026/03/27 8:10 a.m.3 views

CVE-2026-27858

Attacker can send a specifically crafted message before authentication that causes managesieve to allocate large amount of memory. Attacker can force managesieve-login to be unavailable by repeatedly crashing the process. Protect access to managesieve protocol, or install fixed version. No public...

7.5CVSS5.9AI score0.0079EPSS
Exploits0References20
ubuntucve
ubuntucve
added 2026/03/27 12:0 a.m.5 views

CVE-2026-0394

When dovecot has been configured to use per-domain passwd files, and they are placed one path component above /etc, or slash has been added to allowed characters, path traversal can happen if the domain component is directory partial. This allows inadvertently reading /etc/passwd or some other pa...

5.3CVSS5.8AI score0.00427EPSS
Exploits1References3
osv
osv
added 2026/03/26 8:33 p.m.5 views

GO-2026-4841 NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead in github.com/nats-io/nats-server

NATS: Pre-auth remote server crash via WebSocket frame length overflow in wsRead in github.com/nats-io/nats-server...

7.5CVSS5.9AI score0.00582EPSS
Exploits0References2
osv
osv
added 2026/03/26 7:50 p.m.8 views

GHSA-RM59-992W-X2MV OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling

Summary Voice Call webhook handling buffered request bodies before provider signature checks, enabling bounded unauthenticated resource exhaustion. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

8.7CVSS5.9AI score0.00494EPSS
Exploits0References6
susecve
susecve
added 2026/03/26 2:43 p.m.6 views

SUSE CVE-2026-33218

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.15 and 2.12.6, a client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Versions 2.11.15 and 2.12.6 contain ...

7.5CVSS5.9AI score0.00616EPSS
Exploits0References4
osv
osv
added 2026/03/25 8:16 p.m.2 views

DEBIAN-CVE-2026-29785

NATS-Server is a High-Performance server for NATS.io, a cloud and edge native messaging system. Prior to versions 2.11.14 and 2.12.5, if the nats-server has the "leafnode" configuration enabled not default, then anyone who can connect can crash the nats-server by triggering a panic. This happens...

7.5CVSS6AI score0.00658EPSS
Exploits0References1
Rows per page
Query Builder