CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

RedhatCVE•added 3 hours ago•0 views

CVE-2026-41524

Brave CMS is an open-source CMS. Prior to commit 6c56603, page and article body content entered through the CKEditor rich-text editor is stored verbatim in the database and subsequently rendered with Laravel Blade's unescaped output directive !! !!. Any JavaScript or HTML injected by an editor-ro...

8.7CVSS0.00033EPSS

OSSF Malicious Packages•added 2026/05/21 8:17 a.m.•8 views

Malicious code in oh-langfuse (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector b94251e0353c83033676a5e7b3a5c2b039b3e79914adda00d48aea70750a25bf The package's documented oh-langfuse setup command defaults LANGFUSEBASEURL to the bare-IP plaintext endpoint http://120.46.221.227:3000 bin/cli.js...

6AI score

NVD•added 2026/05/15 7:17 p.m.•6 views

CVE-2026-44826

Vvveb is a powerful and easy to use CMS with page builder to build websites, blogs or ecommerce stores. Prior to 1.0.8.2, Vvveb CMS does not validate the sign of the quantity parameter on the cart-add endpoint. Submitting a negative integer is accepted by the server and treated as a normal positi...

7.5CVSS0.0005EPSS

Positive Technologies•added 2026/05/12 12:0 a.m.•7 views

PT-2026-40298

In PHP versions 8.2. before 8.2.31, 8.3. before 8.3.31, 8.4. before 8.4.21, and 8.5. before 8.5.6, when SoapServer is configured with SOAP PERSISTENCE SESSION, the handler object is persisted across requests via session storage. However, in the case SOAP requests results in an error, the...

9.8CVSS5.8AI score0.00073EPSS

RedhatCVE•added 2026/05/05 8:21 p.m.•2 views

CVE-2026-41686

Claude SDK for TypeScript provides access to the Claude API from server-side TypeScript or JavaScript applications. From version 0.79.0 to before version 0.91.1, the BetaLocalFilesystemMemoryTool in the Anthropic TypeScript SDK created memory files and directories using the Node.js default modes...

4.8CVSS5.7AI score0.00012EPSS

Snyk•added 2026/04/29 10:28 p.m.•2 views

Incorrect Permission Assignment for Critical Resource

Overview @anthropic-ai/sdk is a The official TypeScript library for the Anthropic API Affected versions of this package are vulnerable to Incorrect Permission Assignment for Critical Resource in the BetaLocalFilesystemMemoryTool that creates memory files and directories using the Node.js default...

6.9CVSS5.8AI score0.00012EPSS

Veracode•added 2026/04/04 5:35 a.m.•3 views

Insecure File Permissions

Claude SDK for Python is vulnerable to insecure file permissions. The vulnerability is due to the memory tool creating files with mode 0o666, where the files are world‑readable on systems with a standard umask and world‑writable in environments with a permissive umask, and a local attacker on a...

4.8CVSS5.9AI score0.00009EPSS

Exploits0References3Affected Software1

OSV•added 2026/04/03 9:42 p.m.•0 views

GHSA-GFMV-VH34-H2X5 Signal K Server: Unauthenticated Source Priorities Manipulation

Summary The SignalK Server exposes an unauthenticated HTTP endpoint that allows remote attackers to modify navigation data source priorities. This endpoint, accessible via PUT /signalk/v1/api/sourcePriorities, does not enforce authentication or authorization checks and directly assigns...

7.5CVSS5.9AI score0.00102EPSS

Exploits0References4

ATTACKERKB•added 2026/04/03 8:6 p.m.•1 views

CVE-2026-25726

Cloudreve is a self-hosted file management and sharing system. Prior to version 4.13.0, the application uses the weak pseudo-random number generator math/rand seeded with time.Now.UnixNano to generate critical security secrets, including the secretkey, and hashidsalt. These secrets are generated...

8.1CVSS5.8AI score0.00022EPSS

Exploits0References3Affected Software1

Snyk•added 2026/04/03 3:26 a.m.•1 views

Always-Incorrect Control Flow Implementation

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Always-Incorrect Control Flow Implementation via the onboarding process. An attacker can obtain gateway credentials by leveraging a scenario where a previously discovered endpoint persist...

6.9CVSS5.9AI score0.00036EPSS

EUVD•added 2026/03/29 3:30 p.m.•0 views

EUVD-2026-16999

OpenClaw before 2026.3.11 contains a session sandbox escape vulnerability in the sessionstatus tool that allows sandboxed subagents to access parent or sibling session state. Attackers can supply arbitrary sessionKey values to read or modify session data outside their sandbox scope, including...

NVD•added 2026/03/29 1:17 p.m.•2 views

CVE-2026-32918

9.2CVSS0.00015EPSS

CVE•added 2026/03/29 12:44 p.m.•5 views

CVE-2026-32918

OpenClaw is affected by a session sandbox escape in the session_status tool (CVE-2026-32918). The vulnerability allows sandboxed subagents to access parent or sibling session state by supplying arbitrary sessionKey values, enabling reading or modification of session data outside the sandbox, incl...

Exploits0References2Affected Software1

ATTACKERKB•added 2026/03/29 12:44 p.m.•0 views

CVE-2026-32918

Positive Technologies•added 2026/03/29 12:0 a.m.•4 views

PT-2026-28448

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.11 Description The software contains a session sandbox escape issue within the session status tool. This allows sandboxed subagents to access session state belonging to parent or sibling sessions. An attacker...

OSV•added 2026/03/18 9:4 p.m.•2 views

Exploits0References5

CVE-2026-32703 OpenProject's repository files are served with the MIME type allowing them to be used to bypass Content Security Policy

OpenProject is an open-source, web-based project management software. In versions prior to 16.6.9, 17.0.6, 17.1.3, and 17.2.1, the Repositories module did not properly escape filenames displayed from repositories. This allowed an attacker with push access into the repository to create commits wit...

9CVSS6AI score0.00045EPSS