Lucene search
K

87063 matches found

CNVD
CNVD
added 2026/04/10 12:0 a.m.3 views

OpenClaw has an unspecified vulnerability (CNVD-2026-17183)

OpenClaw is an intelligent artificial assistant open-sourced by OpenClaw. A security vulnerability exists in OpenClaw that stems from a plug-in subagent routing that executes a gateway method via a synthetic operator client with broad administrative scope, which can be exploited by an attacker to...

9.8CVSS5.7AI score0.00461EPSS
Exploits0
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.5 views

PT-2026-32002

Name of the Vulnerable Software and Affected Versions Chamilo LMS versions prior to 2.0.0-RC.3 Description Chamilo LMS, a learning management system, contains a Reflected Cross-Site Scripting XSS issue in the exercise question list admin panel. The vulnerability occurs because the pagination code...

5.4CVSS6.1AI score0.00141EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.7 views

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.25 contained security vulnerabilities. These vulnerabilities stemmed from the HTTP routing plugin for gateway authentication, which incorrectly granted the operator.admin runtim...

8.8CVSS5.8AI score0.00298EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.3 views

PT-2026-31971

OpenClaw before 2026.3.23 contains an insufficient access control vulnerability in the Gateway agent /reset endpoint that allows callers with operator.write permission to reset admin sessions. Attackers with operator.write privileges can invoke /reset or /new messages with an explicit sessionKey ...

8.1CVSS5.9AI score0.00272EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/04/10 12:0 a.m.9 views

Code-Projects Simple IT Discussion Forum 代码注入漏洞

Code-Projects Simple IT Discussion Forum is a simple forum developed by Code-Projects as open source. Version 1.0 of Code-Projects Simple IT Discussion Forum has a code injection vulnerability. This vulnerability arises from incorrect handling of the parameter fname in the file admin/user.php,...

4.8CVSS5.6AI score0.00202EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/04/10 12:0 a.m.7 views

PT-2026-31851

UsersWP – Front-end login form, User Registration, User Profile & Members Directory plugin for WordPress versions up to and including 1.2.58 The plugin is susceptible to Improper Access Control due to insufficient field-level permission validation within the upload file remove AJAX handler. The...

4.3CVSS5.7AI score0.00297EPSS
Exploits0References12
NVD
NVD
added 2026/04/09 10:16 p.m.10 views

CVE-2026-35645

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privilege...

8.8CVSS0.0028EPSS
Exploits0References3
NVD
NVD
added 2026/04/09 10:16 p.m.16 views

CVE-2026-35639

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation ...

8.8CVSS0.00458EPSS
Exploits0References4
NVD
NVD
added 2026/04/09 10:16 p.m.5 views

CVE-2026-35631

OpenClaw before 2026.3.22 fails to enforce operator.admin scope on mutating internal ACP chat commands, allowing unauthorized modifications. Attackers without admin privileges can execute mutating control-plane actions by directly invoking affected ACP commands to bypass authorization gates...

7.1CVSS0.00225EPSS
Exploits0References4
NVD
NVD
added 2026/04/09 10:16 p.m.4 views

CVE-2026-35625

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability where silent local shared-auth reconnects auto-approve scope-upgrade requests, widening paired device permissions from operator.read to operator.admin. Attackers can exploit this by triggering local reconnection to silently...

8.5CVSS0.00192EPSS
Exploits0References3
NVD
NVD
added 2026/04/09 10:16 p.m.4 views

CVE-2026-34512

OpenClaw before 2026.3.25 contains an improper access control vulnerability in the HTTP /sessions/:sessionKey/kill route that allows any bearer-authenticated user to invoke admin-level session termination functions without proper scope validation. Attackers can exploit this by sending authenticat...

8.1CVSS0.00346EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/09 9:44 p.m.1 views

CVE-2026-39848

Dockyard is a Docker container management app. Prior to 1.1.0, Docker container start and stop operations are performed through GET requests without CSRF protection. A remote attacker can cause a logged-in administrator's browser to request /apps/action.php?action=stop= or...

6.5CVSS6AI score0.00211EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/04/09 9:31 p.m.1 views

EUVD-2026-21035

OpenPLCV3 REST API endpoint checks for JWT presence but never verifies the caller's role. Any authenticated user with role=user can delete any other user, including administrators, by specifying their user ID or they can create new accounts with role=admin, escalating to full administrator access...

8.7CVSS5.9AI score0.0024EPSS
Exploits0References2
EUVD
EUVD
added 2026/04/09 9:31 p.m.3 views

EUVD-2026-21043

V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the loginWithMailLink endpoint when the loginwithmaillinkenable feature is active. Unauthenticated attackers can POST to the loginWithMailLink endpoint with a known email address to receiv...

9.1CVSS6AI score0.00584EPSS
Exploits1References9
Cvelist
Cvelist
added 2026/04/09 9:27 p.m.16 views

CVE-2026-35645 OpenClaw < 2026.3.25 - Privilege Escalation via Synthetic operator.admin in deleteSession

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privilege...

8.1CVSS0.0028EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/09 9:27 p.m.3 views

CVE-2026-35645

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privilege...

8.1CVSS6AI score0.0028EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/09 9:27 p.m.1 views

CVE-2026-35645 OpenClaw < 2026.3.25 - Privilege Escalation via Synthetic operator.admin in deleteSession

OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function that uses a synthetic operator.admin runtime scope. Attackers can exploit this by triggering session deletion without a request-scoped client to execute privilege...

8.1CVSS5.9AI score0.0028EPSS
Exploits0References3
CVE
CVE
added 2026/04/09 9:27 p.m.15 views

CVE-2026-35645

OpenClaw is affected by a privilege escalation vulnerability in the gateway plugin subagent fallback deleteSession function, which uses a synthetic operator.admin runtime scope. OpenClaw versions before 2026.3.25 are vulnerable to triggering session deletion to execute privileged operations with ...

8.8CVSS6AI score0.0028EPSS
Exploits0References3Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/04/09 9:27 p.m.0 views

CVE-2026-35639

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that allows an operator.pairing approver to approve pending device requests with broader operator scopes than the approver actually holds. Attackers can exploit insufficient scope validation ...

8.8CVSS6.5AI score0.00458EPSS
Exploits0References5
CVE
CVE
added 2026/04/09 9:27 p.m.19 views

CVE-2026-35639

CVE-2026-35639 affects OpenClaw prior to 2026.3.22. The vulnerability is in the device.pair.approve method, where an operator.pairing approver can approve pending device requests with broader operator scopes than the approver holds. This insufficient scope validation can escalate privileges to op...

8.8CVSS6.5AI score0.00458EPSS
Exploits0References4Affected Software1
Rows per page
Query Builder