Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

1389 matches found

CVE
CVEadded 2026/04/07 12:28 p.m.12 views

CVE-2026-28808

CVE-2026-28808 is an incorrect authorization vulnerability in Erlang OTP (inets modules). The root cause is a script_alias path mismatch where mod_auth checks DocumentRoot-relative paths while mod_cgi executes ScriptAlias-resolved paths, allowing unauthenticated access to CGI scripts protected by...

9.8CVSS5.9AI score0.00495EPSS
Exploits0References6Affected Software2
Debian CVE
Debian CVEadded 2026/04/07 12:28 p.m.7 views

CVE-2026-28808

Incorrect Authorization vulnerability in Erlang OTP inets modules allows unauthenticated access to CGI scripts protected by directory rules when served via scriptalias. When scriptalias maps a URL prefix to a directory outside DocumentRoot, modauth evaluates directory-based access controls agains...

9.8CVSS5.3AI score0.00495EPSS
Exploits0
OSV
OSVadded 2026/04/07 12:28 p.m.2 views

EEF-CVE-2026-28808 ScriptAlias CGI targets bypass directory auth in inets httpd (mod_auth vs mod_cgi path mismatch)

Summary Incorrect Authorization vulnerability in Erlang OTP inets modules allows unauthenticated access to CGI scripts protected by directory rules when served via scriptalias. When scriptalias maps a URL prefix to a directory outside DocumentRoot, modauth evaluates directory-based access control...

8.3CVSS5.8AI score0.00495EPSS
Exploits0References5
Positive Technologies
Positive Technologiesadded 2026/04/07 12:0 a.m.1 views

PT-2026-30866

FTLDNS pihole-FTL provides an interactive API and also generates statistics for Pi-hole's Web interface. From 6.0 to before 6.6, the Pi-hole FTL engine contains a Remote Code Execution RCE vulnerability in the DNS CNAME records configuration parameter dns.cnameRecords. This vulnerability allows a...

8.8CVSS6.2AI score0.00686EPSS
Exploits1References2
Positive Technologies
Positive Technologiesadded 2026/04/07 12:0 a.m.5 views

PT-2026-30814

Name of the Vulnerable Software and Affected Versions Erlang OTP versions 17.0 through 28.4.2, 26.2.5.19, and 27.3.4.10 Description An incorrect authorization issue exists in Erlang OTP inets modules that allows unauthenticated access to CGI scripts protected by directory rules when served via...

9.8CVSS5.7AI score0.00495EPSS
Exploits0References41
Cvelist
Cvelistadded 2026/04/06 9:36 p.m.17 views

CVE-2026-35441 Directus Affected by GraphQL Alias Amplification Denial-of-Service Due to Missing Query Cost/Complexity Limits

Directus is a real-time API and App dashboard for managing SQL database content. Prior to 11.17.0, Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive...

6.5CVSS0.00361EPSS
Exploits0References1
CVE
CVEadded 2026/04/06 9:36 p.m.15 views

CVE-2026-35441

Directus CVE-2026-35441 affects Directus up to version 11.16.x, with the GraphQL endpoints /graphql and /graphql/system failing to deduplicate resolver invocations within a single request. The vulnerability allows an authenticated user to abuse GraphQL aliasing to trigger many expensive relationa...

6.5CVSS6AI score0.00361EPSS
Exploits0References1Affected Software1
Github Security Blog
Github Security Blogadded 2026/04/04 6:13 a.m.9 views

Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver

Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution ...

6AI score
Exploits0References2Affected Software1
OSV
OSVadded 2026/04/04 6:13 a.m.1 views

GHSA-6Q22-G298-GRJH Directus: Unauthenticated Denial of Service via GraphQL Alias Amplification of Expensive Health Check Resolver

Summary The GraphQL specification permits a single query to repeat the same field multiple times using aliases, with each alias resolved independently by default. Directus did not deduplicate resolver invocations within a single request, meaning each alias triggered a full, independent execution ...

7.5CVSS6AI score
Exploits0References2
OSV
OSVadded 2026/04/04 6:12 a.m.1 views

GHSA-PH52-67FQ-75WJ Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits

Summary Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large...

6.5CVSS6AI score0.00361EPSS
Exploits0References3
Github Security Blog
Github Security Blogadded 2026/04/04 6:12 a.m.6 views

Directus: GraphQL Alias Amplification Denial of Service Due to Missing Query Cost/Complexity Limits

Summary Directus' GraphQL endpoints /graphql and /graphql/system did not deduplicate resolver invocations within a single request. An authenticated user could exploit GraphQL aliasing to repeat an expensive relational query many times in a single request, forcing the server to execute a large...

6.5CVSS6AI score0.00361EPSS
Exploits0References3Affected Software1
RedhatCVE
RedhatCVEadded 2026/04/01 5:3 p.m.3 views

CVE-2026-33581

OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidate...

8.6CVSS6AI score0.00555EPSS
Exploits0References1
OSV
OSVadded 2026/03/31 11:54 p.m.3 views

GHSA-V8WV-JG3Q-QWPQ OpenClaw's message tool media parameter bypasses tool policy filesystem isolation

Summary The message tool accepted mediaUrl and fileUrl aliases without applying the same sandbox localRoots validation as the canonical media path handling. Impact A caller constrained to sandbox media roots could read arbitrary local files by routing them through the alias parameters. Affected...

7.1CVSS6AI score0.00555EPSS
Exploits0References5
Github Security Blog
Github Security Blogadded 2026/03/31 11:54 p.m.4 views

OpenClaw's message tool media parameter bypasses tool policy filesystem isolation

Summary The message tool accepted mediaUrl and fileUrl aliases without applying the same sandbox localRoots validation as the canonical media path handling. Impact A caller constrained to sandbox media roots could read arbitrary local files by routing them through the alias parameters. Affected...

8.6CVSS6AI score0.00555EPSS
Exploits0References5Affected Software1
EUVD
EUVDadded 2026/03/31 3:31 p.m.1 views

EUVD-2026-17441

OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidate...

7.1CVSS6AI score0.00555EPSS
Exploits0References4
NVD
NVDadded 2026/03/31 3:16 p.m.2 views

CVE-2026-33581

OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidate...

8.6CVSS0.00555EPSS
Exploits0References3
ATTACKERKB
ATTACKERKBadded 2026/03/31 2:10 p.m.0 views

CVE-2026-33581

OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidate...

7.1CVSS6AI score0.00555EPSS
Exploits0References4
Vulnrichment
Vulnrichmentadded 2026/03/31 2:10 p.m.1 views

CVE-2026-33581 OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters

OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidate...

7.1CVSS6AI score0.00555EPSS
Exploits0References3
EUVD
EUVDadded 2026/03/31 12:31 p.m.1 views

EUVD-2026-17388

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in parent-path alias changes to write attacker-controlled bytes...

7.5CVSS5.9AI score0.0008EPSS
Exploits0References3
NVD
NVDadded 2026/03/31 12:16 p.m.0 views

CVE-2026-32988

OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in parent-path alias changes to write attacker-controlled bytes...

7.5CVSS0.0008EPSS
Exploits0References2
Rows per page
Query Builder