25 matches found
CVE-2026-28472
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting t...
CVE-2026-28472
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting t...
EUVD-2026-9918
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting t...
CVE-2026-28472
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting t...
CVE-2026-28472 OpenClaw < 2026.2.2 - Device Identity Check Bypass in Gateway WebSocket Connect Handshake
OpenClaw versions prior to 2026.2.2 contain a vulnerability in the gateway WebSocket connect handshake in which it allows skipping device identity checks when auth.token is present but not validated. Attackers can connect to the gateway without providing device identity or pairing by exploiting t...
CVE-2026-28472
OpenClaw CVE-2026-28472 affects the gateway WebSocket connect handshake. The vulnerability allows bypassing device-identity checks when an auth.token is present but not validated, enabling attackers to connect to the gateway without device identity or pairing and potentially gain operator access ...
CVE-2022-35503
Improper verification of a user input in Open Source MANO v7-v12 allows an authenticated attacker to execute arbitrary code within the LCM module container via a Virtual Network Function VNF descriptor. An attacker may be able execute code to change the normal execution of the OSM components,...
CVE-2025-63210
The Newtec Celox UHD models: CELOXA504, CELOXA820 running firmware version celox-21.6.13 is vulnerable to an authentication bypass. An attacker can exploit this issue by modifying intercepted responses from the /celoxservice endpoint. By injecting a forged response body during the loginWithUserNa...
EUVD-2018-7637
Malware in sbrugna...
Arbitrary Code Injection
Overview Affected versions of this package are vulnerable to Arbitrary Code Injection via the audit subsystem when manipulating log prefixes. An attacker can execute unauthorized code and gain network access by bypassing intended restrictions on privileged API operators. Note: This is exploitable...
Exploit for Cross-site Scripting in Livehelperchat Live_Helper_Chat
Exploit Title: LiveHelperChat 5. Save th...
CVE-2022-43553
A remote code execution vulnerability in EdgeRouters Version 2.0.9-hotfix.4 and earlier allows a malicious actor with an operator account to run arbitrary administrator commands.This vulnerability is fixed in Version 2.0.9-hotfix.5 and later...
Upgraded Q -> M from 9 [1659036743700]
Judge has assessed an item in Issue 9 as Medium risk. The relevant finding follows: Centralized risk The operator address can mint arbitrary amount of tokens. In addition, operator can also burn tokens from third-party accounts. If the private key of the owner or minter address is compromised, th...
PT-2022-16704 · Zoho · Zoho Manageengine Admanager Plus
Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine Key Manager Plus versions prior to 6200 Description: An issue was discovered in the application where a service allows a user with the level Operator to access stored SSL certificates and associated key pairs during export...
CVE-2022-24446
An issue was discovered in Zoho ManageEngine Key Manager Plus 6.1.6. A user, with the level Operator, can see all SSH servers and user information even if no SSH server or user is associated to the operator...
PT-2022-16703 · Zoho · Zoho Manageengine Admanager Plus
Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine Key Manager Plus version 6.1.6 Description: An issue was discovered where a user with the level Operator can see all SSH servers and user information, even if no SSH server or user is associated with the operator...
CVE-2020-16096
In Gallagher Command Centre versions 8.10 prior to 8.10.1134MR4, 8.00 prior to 8.00.1161MR5, 7.90 prior to 7.90.991MR5, 7.80 prior to 7.80.960MR2, 7.70 and earlier, any operator account has access to all data that would be replicated if the system were to be or is attached to a multi-server...
CVE-2019-17112
An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user "Operator" access level to access the configuration file of the mail server except for the password...
CVE-2019-17112
An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user "Operator" access level to access the configuration file of the mail server except for the password...
Design/Logic Flaw
An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user "Operator" access level to access the configuration file of the mail server except for the password...