CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Positive Technologies•added 2 days ago•7 views

PT-2026-51630

Summary Git LFS storage is content-addressed by OID alone /// but per-repo authorization lives in the lfs object table keyed repo id, oid. serveUpload skips re-uploading when the OID file already exists on disk and inserts a new repo id, oid row pointing at it without verifying the request body...

7.1CVSS6AI score

Exploits0References7

NVD•added 2026/04/28 12:16 a.m.•4 views

CVE-2026-41362

OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress...

4.3CVSS0.00274EPSS

Cvelist•added 2026/04/27 11:24 p.m.•28 views

CVE-2026-41362 OpenClaw 2026.2.19 through 2026.3.30 - Webhook Replay Dedupe Cache Event Suppression via Shared Authentication

4.3CVSS0.00274EPSS

CVE•added 2026/04/27 11:24 p.m.•10 views

CVE-2026-41362

OpenClaw 2026.2.19 up to 2026.3.31 is affected by an improper cache isolation in the Zalo webhook replay-dedupe mechanism shared across authenticated webhook targets. An attacker controlling one authenticated Zalo webhook path in multi-account deployments can suppress legitimate events on other a...

4.3CVSS5.3AI score0.00274EPSS

Exploits0References4Affected Software1

ATTACKERKB•added 2026/04/27 11:24 p.m.•6 views

CVE-2026-41362

4.3CVSS5.3AI score0.00274EPSS

EUVD•added 2026/04/24 12:31 a.m.•4 views

EUVD-2026-25338

OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows...

OSV•added 2026/04/24 12:31 a.m.•1 views

GHSA-6477-WVJJ-47V6 Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rxmx-g7hr-8mx4. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows...

6.3CVSS5.7AI score0.00278EPSS

Exploits0References5

Github Security Blog•added 2026/04/24 12:31 a.m.•7 views

Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

6.3CVSS5.7AI score0.00278EPSS

NVD•added 2026/04/23 10:16 p.m.•4 views

CVE-2026-41354

6.3CVSS0.00278EPSS

Exploits0References3

Cvelist•added 2026/04/23 9:58 p.m.•33 views

CVE-2026-41354 OpenClaw < 2026.4.2 - Insufficient Scope in Zalo Webhook Replay Dedupe Keys

6.3CVSS0.00278EPSS

Exploits0References3

ATTACKERKB•added 2026/04/23 9:58 p.m.•2 views

CVE-2026-41354

CVE•added 2026/04/23 9:58 p.m.•12 views

CVE-2026-41354

OpenClaw

Exploits0References3Affected Software1

Positive Technologies•added 2026/04/23 12:0 a.m.•5 views

PT-2026-34785

Github Security Blog•added 2026/04/07 6:15 p.m.•8 views

Exploits0References5

OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

Summary Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates. Impact Cross-conversation or cross-sender collisions could cau...

6.3CVSS5.9AI score0.00278EPSS

OSV•added 2026/04/07 6:15 p.m.•4 views

GHSA-RXMX-G7HR-8MX4 OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders

OSV•added 2026/04/07 6:14 p.m.•2 views

Exploits0References5

GHSA-FQRJ-M88P-QF3V OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets

Summary Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if eventname and messageid matched. Impact...

2.3CVSS5.8AI score

Github Security Blog•added 2026/04/07 6:14 p.m.•5 views

OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets

5.9AI score

Exploits0References4Affected Software1

RedhatCVE•added 2026/03/26 3:11 p.m.•2 views

CVE-2026-32053

OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state...

6.9CVSS5.8AI score0.00337EPSS

Exploits0References1

OSV•added 2026/03/21 3:31 a.m.•3 views

GHSA-3R78-RQG8-95GG Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vqx8-9xxw-f2m7. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized...

6.9CVSS5.7AI score0.00337EPSS