
57 matches found

Positive Technologies
added 13 hours ago, 5 views

PT-2026-46178

Fixed AES-128-CBC keys inside the AcerConnect OTA application let attackers forge authorization credentials for arbitrary IMEI numbers. This allows unauthorized actors to list catalog items and extract protected binaries from pre-signed cloud links...

6.9 CVSS, 5.9 AI score
Exploits 0, References 2
EUVD
added 2026/05/28 12:30 p.m., 6 views

EUVD-2026-32860

Dlink DWR-X1820 router uses weak default password generated from its IMEI number and does not require users to change it. An attacker who knows how passwords are generated can easily crack the default password if they have the device IMEI number. This issue was fixed in version 1.00B16CP...

6 CVSS, 5.8 AI score, 0.0002 EPSS
Exploits 0, References 3
CVE
added 2026/05/28 9:02 a.m., 9 views

CVE-2026-4377

The CVE refers to the D-Link DWR-X1820 router, where a weak default password is generated from the IMEI and does not require change by the user. This vulnerability can allow an attacker who knows the password-generation method to crack the default password given the device IMEI. A fix is availabl...

6 CVSS, 5.8 AI score, 0.0002 EPSS
Exploits 0, References 2
Positive Technologies
added 2026/05/28 12:00 a.m., 3 views

PT-2026-44226

Dlink DWR-X1820 router uses weak default password generated from its IMEI number and does not require users to change it. An attacker who knows how passwords are generated can easily crack the default password if they have the device IMEI number. This issue was fixed in version 1.00B16CP...

6 CVSS, 5.8 AI score, 0.0002 EPSS
Exploits 0, References 3
Tenable Nessus
added 2026/05/13 12:00 a.m., 4 views

Ivanti Endpoint Manager Mobile < 12.6.1.1 / 12.7 < 12.7.0.1 / 12.8 < 12.8.0.1 (May 2026)

The version of Ivanti Endpoint Manager Mobile, formerly MobileIron Core, running on the remote host is before 12.6.1.1, 12.7.x before 12.7.0.1, or 12.8.x before 12.8.0.1, and is therefore affected by multiple vulnerabilities. - An Improper Access Control vulnerability allows a remote authenticate...

9.8 CVSS, 6.4 AI score, 0.04907 EPSS
Exploits 0, References 6
EUVD
added 2026/05/07 6:30 p.m., 3 views

EUVD-2026-28397

Improper certificate validation in Ivanti EPMM before versions 12.6.1.1, 12.7.0.1, and 12.8.0.1 allows a remote unauthenticated attacker to enroll a device belonging to a restricted set of unenrolled devices, leading to information disclosure about EPMM appliance and impacting on the integrity of...

9.1 CVSS, 5.8 AI score, 0.00059 EPSS
Exploits 0, References 2
CVE
added 2026/05/07 3:26 p.m., 6 views

CVE-2026-7821

Ivanti Endpoint Manager Mobile (EPMM) is affected by CVE-2026-7821 due to improper certificate validation. The vulnerability allows a remote unauthenticated attacker to enroll a device from a restricted set of unenrolled devices, causing information disclosure about the EPMM appliance and impacti...

9.1 CVSS, 5.8 AI score, 0.00059 EPSS
Exploits 0, References 1, Affected Software 1
Positive Technologies
added 2026/05/07 12:00 a.m., 5 views

PT-2026-38457

Name of the Vulnerable Software and Affected Versions Ivanti EPMM versions prior to 12.6.1.1 Ivanti EPMM versions prior to 12.7.0.1 Ivanti EPMM versions prior to 12.8.0.1 Description Improper certificate validation allows a remote unauthenticated attacker to enroll a device from a restricted set ...

9.1 CVSS, 5.8 AI score, 0.00059 EPSS
Exploits 0, References 5
AstraLinux
added 2026/05/03 11:59 p.m., 4 views

Astra Linux - vulnerability in thunderbird

The Matrix JavaScript SDK is the Matrix Client-Server software development kit SDK for JavaScript. Prior to version 19.7.0, an attacker who cooperated with a malicious home server could interfere with the verification process between two users, substituting their own cross-signed user identity wi...

8.6 CVSS, 7 AI score, 0.00294 EPSS
Exploits 0, References 1
EUVD
added 2026/04/10 12:30 a.m., 0 views

EUVD-2026-21132

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintai...

8.8 CVSS, 6 AI score, 0.00056 EPSS
Exploits 0, References 5
NVD
added 2026/04/09 10:16 p.m., 2 views

CVE-2026-35638

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintai...

8.8 CVSS, 0.00056 EPSS
Exploits 0, References 4
ATTACKERKB
added 2026/04/09 9:27 p.m., 0 views

CVE-2026-35638

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintai...

8.8 CVSS, 6 AI score, 0.00056 EPSS
Exploits 0, References 5
CVE
added 2026/04/09 9:27 p.m., 2 views

CVE-2026-35638

OpenClaw prior to 2026.3.22 exposes a privilege escalation in the Control UI. The vulnerability allows unauthenticated sessions to retain self-declared privileged scopes due to a device-less allow path in the trusted-proxy mechanism, bypassing device identity verification. Affected software compo...

8.8 CVSS, 6 AI score, 0.00056 EPSS
Exploits 0, References 4, Affected Software 1
Cvelist
added 2026/04/09 9:27 p.m., 15 views

CVE-2026-35638 OpenClaw < 2026.3.22 - Privilege Escalation via Self-Declared Scopes in Trusted-Proxy Control UI

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintai...

8.8 CVSS, 0.00056 EPSS
Exploits 0, References 4
Vulnrichment
added 2026/04/09 9:27 p.m., 0 views

CVE-2026-35638 OpenClaw < 2026.3.22 - Privilege Escalation via Self-Declared Scopes in Trusted-Proxy Control UI

OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the Control UI that allows unauthenticated sessions to retain self-declared privileged scopes without device identity verification. Attackers can exploit the device-less allow path in the trusted-proxy mechanism to maintai...

8.8 CVSS, 5.9 AI score, 0.00056 EPSS
Exploits 0, References 4
Positive Technologies
added 2026/04/09 12:00 a.m., 1 view

PT-2026-31773

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.22 Description OpenClaw contains a privilege escalation issue in the Control UI. Unauthenticated sessions can retain self-declared privileged scopes without device identity verification. Attackers can exploit...

8.8 CVSS, 5.9 AI score, 0.00056 EPSS
Exploits 0, References 9
Snyk
added 2026/03/26 7:50 p.m., 0 views

Reliance on Untrusted Inputs in a Security Decision

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Reliance on Untrusted Inputs in a Security Decision in the trusted-proxy Control UI session handling process. An attacker can retain privileged scopes without device identity by accessing...

8.8 CVSS, 5.9 AI score, 0.00056 EPSS
Exploits 0, References 2
Github Security Blog
added 2026/03/26 7:50 p.m., 2 views

OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths

Summary Trusted-proxy Control UI sessions without device identity could retain self-declared privileged scopes on the device-less allow path. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

5.8 AI score
Exploits 0, References 3, Affected Software 1
OSV
added 2026/03/26 7:50 p.m., 0 views

GHSA-48VW-M3QC-WR99 OpenClaw's Trusted-proxy Control UI sessions retain privileged scopes without device identity on device-less allow paths

Summary Trusted-proxy Control UI sessions without device identity could retain self-declared privileged scopes on the device-less allow path. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.3.22 - Latest released tag checked: v2026.3.23-2...

5.9 AI score
Exploits 0, References 3
CVE
added 2026/03/21 12:42 a.m., 13 views

CVE-2026-32042

OpenClaw version set

8.8 CVSS, 5.8 AI score, 0.00147 EPSS
Exploits 0, References 3, Affected Software 1