CVE-2026-12105

Improper access control in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to access attachments via folder duplication with inherited permissions...

CVE-2026-12117

Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request...

CVE-2026-10303

In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can...

CVE-2026-53864

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious...

CVE-2026-12117

Improper access control in the social login connection endpoint in Devolutions Server 2026.2.5 allows an authenticated vault member to enumerate social login entry metadata to which they are not authorized via a crafted API request...

CVE-2026-10303

CVE-2026-10303 affects ServerCo getssl up to version 2.49. The ACME challenge token returned to clients was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attac...

CVE-2026-11890

Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results...

CVE-2026-11890

The CVE-2026-11890 entry concerns Devolutions Server versions 2026.1.21 and 2026.2.5, where improper access control in PAM account discovery allows an authenticated user to retrieve account discovery scan results. The connected documents confirm affected software and the root cause (in PAM accoun...

CVE-2026-53864 OpenClaw < 2026.5.26 - Insufficient Environment Variable Sanitization in Node.js Control Variables

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious...

CVE-2026-53863

OpenClaw before 2026.4.25 exposes an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. When a group ID is supplied to the policy resolver, it can lead to incorrect group-policy decisions for tool invocations, potentially bypassing intended access contr...

CVE-2026-53864 OpenClaw < 2026.5.26 - Insufficient Environment Variable Sanitization in Node.js Control Variables

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious...

CVE-2026-53864

OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer. This allows Node.js control variables to bypass validation when provided via workspace .env files, tool environment overrides, or skill environment blocks, potentially influencing chil...

CVE-2026-46331

A flaw was found in the Linux kernel's traffic control packet editing pedit subsystem. In tcfpeditact, the copy-on-write COW range for skbensurewritable is computed once before iterating over edit keys, but the calculation does not account for runtime header offsets added by typed keys. This can...

Langflow: IDOR/BOLA in Monitor API — Missing Ownership Enforcement on 7 Endpoints

Summary Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources — messages, sessions, build artifacts, and LLM transaction logs — without verifying that the authenticated requester owns the targeted resource. Any authenticated...

CVE-2026-10831 Improper Authorization of Break Signal Commands in Devices

A denial-of-service vulnerability exists in NPort devices because of improper access control on the command port. The command interface does not properly validate whether a sender is associated with a valid data port session before accepting break signal commands. A remote attacker with network...

HPLIP: HPLIP: Privilege escalation and arbitrary code execution via operating system command injection

A flaw was found in the HP Linux Imaging and Printing Software HPLIP. This vulnerability may allow a local attacker to achieve escalation of privileges and/or arbitrary code execution through operating system command injection. This could lead to an attacker gaining unauthorized control over the...

BIT-PARSE-2026-53726 Parse Server: Relation `$relatedTo` query bypasses `protectedFields` and owning-object ACL

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.80 and 9.9.1, a relation query using the $relatedTo operator could read the membership of a Relation field even when that field was hidden from the requesting client by...

CISA Adds One Known Exploited Vulnerability to Catalog

CISA has added one new vulnerability to its Known Exploited Vulnerabilities KEV Catalog, based on evidence of active exploitation. CVE-2026-48907link is external Widget Factory Joomla Content Editor Improper Access Control Vulnerability This type of vulnerability is a frequent attack vector for...

HPLIP: HPLIP: Privilege escalation and arbitrary code execution via operating system command injection

A flaw was found in the HP Linux Imaging and Printing Software HPLIP. This vulnerability may allow a local attacker to achieve escalation of privileges and/or arbitrary code execution through operating system command injection. This could lead to an attacker gaining unauthorized control over the...

CVE-2026-52714

Unauthenticated Broken Access Control in SEO Plugin by Squirrly SEO = 12.4.16 versions...