CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

112 matches found

ATTACKERKB•added 2026/05/11 9:30 a.m.•4 views

CVE-2025-8154

In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a malicious actor can inject or overwrite arbitrary HTTP...

5.3CVSS5.8AI score0.00055EPSS

Exploits0References2Affected Software6

Cvelist•added 2026/05/05 11:25 a.m.•26 views

CVE-2026-43530 OpenClaw 2026.2.23 < 2026.4.12 - Weakened Exec Approval Binding via busybox and toybox Applet Execution

OpenClaw versions 2026.2.23 before 2026.4.12 contain a weakened exec approval binding vulnerability in busybox and toybox applet execution that allows attackers to obscure which applet would actually run. Attackers can exploit opaque multi-call binaries to bypass exec approval mechanisms and weak...

8.8CVSS0.0006EPSS

Exploits0References3

EUVD•added 2026/04/24 12:31 a.m.•0 views

EUVD-2026-25334

OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the sessionstatus function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke sessionstatus without sandbox constraints to bypass session-policy...

5.3CVSS5.8AI score0.00034EPSS

Exploits0References4

Vulnrichment•added 2026/04/23 9:58 p.m.•1 views

CVE-2026-41350 OpenClaw < 2026.3.31 - Session Visibility Bypass via session_status in Unsandboxed Invocations

5.3CVSS5.2AI score0.00034EPSS

Exploits0References3

CVE•added 2026/04/23 9:58 p.m.•6 views

CVE-2026-41350

CVE-2026-41350 affects OpenClaw prior to 2026.3.31, where the session_status function fails to enforce tools.sessions.visibility restrictions for unsandboxed invocations. This allows attackers to invoke session_status without sandbox constraints, bypassing session-policy controls and accessing re...

5.3CVSS5.8AI score0.00034EPSS

Exploits0References3Affected Software1

Github Security Blog•added 2026/04/07 6:11 p.m.•4 views

OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations

Summary sessionstatus still bypasses configured tools.sessions.visibility for unsandboxed invocations Current Maintainer Triage - Status: narrow - Normalized severity: medium - Assessment: Real on shipped v2026.3.22: non-sandboxed sessionstatus skipped the shared visibility guard, but this is a...

5.9AI score

Exploits0References3Affected Software1

OSV•added 2026/04/07 6:11 p.m.•0 views

GHSA-FWJQ-XWFJ-GV75 OpenClaw: `session_status` still bypasses configured `tools.sessions.visibility` for unsandboxed invocations

6.3CVSS5.8AI score

Exploits0References3

ATTACKERKB•added 2026/04/01 12:30 a.m.•0 views

CVE-2025-71281

XenForo before 2.3.7 does not properly restrict methods callable from within templates. A loose prefix match was used instead of a stricter first-word match for methods accessible through callbacks and variable method calls in templates, potentially allowing unauthorized method invocations...

8.8CVSS5.8AI score0.00061EPSS

Exploits0References3Affected Software1

ATTACKERKB•added 2026/03/23 9:35 p.m.•1 views

CVE-2026-27183

OpenClaw versions prior to 2026.3.7 contain a shell approval gating bypass vulnerability in system.run dispatch-wrapper handling that allows attackers to skip shell wrapper approval requirements. The approval classifier and execution planner apply different depth-boundary rules, permitting exactl...

4.5CVSS6AI score0.00016EPSS

Exploits0References4

Positive Technologies•added 2026/03/09 12:0 a.m.•4 views

PT-2026-27222

OpenClaw's system.run dispatch-wrapper handling applied different depth-boundary rules to shell-wrapper approval detection and execution planning. With exactly four transparent dispatch wrappers such as repeated env invocations before /bin/sh -c, the approval classifier could stop treating the...

5CVSS6AI score0.00016EPSS

Exploits0References8

Packet Storm News•added 2026/03/06 12:0 a.m.•1 views

Targeted Bit-Flip Attacks on LLM-Based Agents

Targeted bit-flip attacks BFAs exploit hardware faults to manipulate model parameters, posing a significant security threat. While prior work targets single-step inference models e.g., image classifiers, LLM-based agents with multi-stage pipelines and external tools present new attack surfaces,...

5.8AI score

Exploits0

OSV•added 2026/01/05 10:29 a.m.•3 views

CLSA-2026-1767608985 libxml2: Fix of CVE-2025-9714

CVE-2025-9714: fix XPath depth check to work with recursive invocations...

6.2CVSS6.1AI score0.00011EPSS

Exploits0References1

EUVD•added 2025/10/31 12:30 a.m.•1 views

EUVD-2020-30816

Nagios XI versions prior to 5.6.14 contain an authenticated remote command execution vulnerability in the CCM commandtest.php script. Insufficient validation of the address parameter allows an authenticated user with access to the Core Config Manager to inject shell metacharacters that are...

9.4CVSS7.1AI score0.00262EPSS

Exploits0References4

EUVD•added 2025/10/07 12:30 a.m.•4 views

EUVD-2020-4224

Malware in sbrugna...

7.2CVSS4.8AI score0.00394EPSS

Exploits0References2

EUVD•added 2025/10/07 12:30 a.m.•4 views

EUVD-2013-4056

Malware in sbrugna...

6.4CVSS6.1AI score0.00688EPSS

Exploits0References12