CVE-2026-53821 OpenClaw < 2026.5.18 - Scope Elevation in trusted-proxy Control UI WebSocket

OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execut...

CVE-2026-27671

Due to improper RFC protocol validation in the SAP Kernel used by the Application Server ABAP of SAP NetWeaver and ABAP Platform, an unauthenticated attacker can send a crafted RFC request that exploits logical errors in memory management, leading to memory corruption. This could lead to a high...

VulnCheck KEV: CVE-2026-10795

The UpdraftPlus: WP Backup & Migration Plugin plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.26.4 via the UpdraftPlusRemoteCommunicationsV2::wploaded function. This is due to insufficient validation of the remote communications message format,...

CVE-2026-40983

In Micrometer, it is possible for a user to provide specially crafted gRPC requests that may cause a denial-of-service DoS condition. Affected versions: Micrometer 1.16.0 through 1.16.5; 1.15.0 through 1.15.11...

CVE-2026-40983

CVE-2026-40983 affects Micrometer’s gRPC server instrumentation. The issue allows a user to send specially crafted gRPC requests that may cause a denial-of-service (DoS) condition. Affected versions are Micrometer 1.16.0–1.16.5 and 1.15.0–1.15.11. The CVSSv3.1 base score is 7.5 (HIGH), with netwo...

PT-2026-47597

It was discovered that Transmission had a clickjacking weakness in the browser-facing WebUI and RPC response paths. An attacker could possibly use this issue to trick users into performing unintended actions...

CVE-2026-38978

Transmission 4.1.1 and earlier is affected by a clickjacking weakness in its browser-facing WebUI and RPC response paths. The CVE entry CVE-2026-38978 records a MEDIUM severity with CVSS v3.1 metrics: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, base score 5.3. Connected sources confirm vulnerable compon...

EUVD-2026-30375

Fleet is open source device management software. Prior to version 4.81.0, Fleet contained a denial-of-service DoS issue in the gRPC Launcher PublishLogs endpoint. In affected versions, certain unexpected input values were not handled gracefully, which could cause the Fleet server process to...

GHSA-QHMP-Q7XH-99RH CoreDNS has TSIG authentication bypass on DoT, DoH, DoH3, DoQ, and gRPC

Summary CoreDNS' tsig plugin can be bypassed on non-plain-DNS transports because it trusts the transport writer's TsigStatus instead of performing verification itself. In the attached PoC, plain DNS/TCP correctly rejects an invalid TSIG NOTAUTH, while the same invalid-TSIG request is accepted ove...

GHSA-37W2-Q6VH-45V6 Spring gRPC AuthenticationException messages are reflected to remote client

The raw message of every server-side AuthenticationException is returned to the unauthenticated remote caller in the gRPC status description. This allows an attacker to obtain information about the authentication failure, which may be useful for further attacks. Affected versions: Spring gRPC:...

[SECURITY] Fedora 44 Update: qt6-qtgrpc-6.10.3-1.fc44

Protocol Buffers Protobuf is a cross-platform data format used to serialize structured data. gRPC provides a remote procedure call framework based on Protobuf. Qt provides tooling and classes to use these technologies...

API Security Testing and Vulnerability Assessment

APIs now carry more sensitive data than traditional web interfaces. Payment details, health records, authentication tokens, and customer databases all flow through API endpoints that attackers can probe without ever touching a browser. A single misconfigured endpoint can expose millions of record...

Contemporary Controls BASC 20T

RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to enumerate the functionality of each component associated with the PLC, reconfigure, rename, delete, perform file transfers, and make remote procedure calls. 2. RECOMMENDED PRACTICES CISA recommends users...

CLEANSTART-2026-IW23933 gRPC-Go is the Go language implementation of gRPC

Multiple security vulnerabilities affect the istio-fips package. gRPC-Go is the Go language implementation of gRPC. See references for individual vulnerability details...

PT-2026-31709

Name of the Vulnerable Software and Affected Versions Contemporary Controls BASC 20T affected versions not specified Description An attacker can forge packets by obtaining data from network traffic to make arbitrary requests to the device. This allows for device reconfiguration, file manipulation...

GO-2026-4897 Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency (CVE-2026-33186) in github.com/traefik/traefik

Traefik: Deny Rule Bypass via Unauthenticated Malicious gRPC Requests in gRPC-Go Dependency CVE-2026-33186 in github.com/traefik/traefik...

CVE-2026-4851

GRID::Machine versions through 0.127 for Perl allows arbitrary code execution via unsafe deserialization. GRID::Machine provides Remote Procedure Calls RPC over SSH for Perl. The client connects to remote hosts to execute code on them. A compromised or malicious remote host can execute arbitrary...

CVE-2026-4064

Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026.1.4 allows an authenticated user with any valid token to bypass role-based access controls and perform privileged operations — including reading sensitive data, creating or deleting resources, and...

CVE-2026-33413 etcd: Authorization bypasses in multiple APIs

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted...

CVE-2026-33413 etcd: Authorization bypasses in multiple APIs

etcd is a distributed key-value store for the data of a distributed system. Prior to versions 3.4.42, 3.5.28, and 3.6.9, unauthorized users may bypass authentication or authorization checks and call certain etcd functions in clusters that expose the gRPC API to untrusted or partially trusted...