163 matches found
CVE-2026-42433
OpenClaw before 2026.4.10 contains an authorization bypass vulnerability allowing operator.write message-tool paths to access Matrix profile persistence requiring admin-level authority. Attackers can exploit insufficient access controls to mutate persistent profile configuration through non-owner...
GHSA-V3C2-39FM-JQ4H Duplicate Advisory: OpenClaw: Gateway `operator.write` can reach admin-only persisted `verboseLevel` via `chat.send` `/verbose`
Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-5h2w-qmfp-ggp6. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows...
CVE-2026-34512
OpenClaw before 2026.3.25 exposes an improper access control in the HTTP endpoint /sessions/:sessionKey/kill that lets any bearer-authenticated user invoke admin-level session termination via the killSubagentRunAdmin function, bypassing ownership/operator scope restrictions. The vulnerability ena...
CVE-2026-34512 OpenClaw < 2026.3.25 - Improper Access Control in /sessions/:sessionKey/kill Endpoint
OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticat...
GO-2026-4566 WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level in github.com/h44z/wg-portal
WireGuard Portal is Vulnerable to Privilege Escalation via User Self-Update to Admin Level in github.com/h44z/wg-portal. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...
CVE-2025-55948
This vulnerability fundamentally arises from yzcheng90 X-SpringBoot 6.0's implementation of role-based access control RBAC through dual dependency on frontend menu systems and backend permission tables, without enforcing atomic synchronization between these components. The critical flaw manifests...
CVE-2025-11889 AIO Forms <= 1.3.18 - Authenticated (Admin+) Arbitrary File Upload via Zip Import
The AIO Forms – Craft Complex Forms Easily plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the import functionality in all versions up to, and including, 1.3.18. This makes it possible for authenticated attackers, with Administrator-level access...
EUVD-2018-4990
Malware in sbrugna...
EUVD-2006-5967
Malware in sbrugna...
EUVD-2025-28372
Malicious code in bioql PyPI...
EUVD-2022-29614
Malicious code in bioql PyPI...
EUVD-2023-32757
Malicious code in bioql PyPI...
EUVD-2022-25031
Malicious code in bioql PyPI...
CVE-2025-9515
The CVE-2025-9515 entry concerns the WordPress plugin Multi Step Form. Affected versions are all prior to and including 1.7.25. The root cause is missing file-type validation in the import functionality, allowing authenticated users with Administrator-level access to upload arbitrary files on t...
Withdrawn Advisory: JHipster allows privilege escalation via a modified authorities parameter
Withdrawn Advisory This advisory has been withdrawn because the original report was found to be invalid. This link is maintained to preserve external references. For more information, see https://groups.google.com/g/jhipster-dev/c/ATSlWkEjw2w. Original Description JHipster before v.8.9.0 allows...
CVE-2023-45083
An Improper Privilege Management vulnerability exists in HyperCloud that will impact the ability for a user to authenticate against the management plane. An authenticated admin-level user may be able to delete the "admin" or "serveradmin" users, which prevents authentication from subsequently...
CVE-2022-2463
Rockwell Automation ISaGRAF Workbench software versions 6.0 through 6.6.9 are affected by a Path Traversal vulnerability. A crafted malicious .7z exchange file may allow an attacker to gain the privileges of the ISaGRAF Workbench software when opened. If the software is running at the SYSTEM leve...
CVE-2021-32811
Zope is an open-source web application server. Zope versions prior to versions 4.6.3 and 5.3 have a remote code execution security issue. In order to be affected, one must use Python 3 for one's Zope deployment, run Zope 4 below version 4.6.3 or Zope 5 below version 5.3, and have the optional...
CVE-2020-24984
An issue was discovered in Quadbase EspressReports ES 7 Update 9. It allows CSRF, whereby an attacker may be able to trick an authenticated admin level user into uploading malicious files to the web server...