Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

296 matches found

NVD
NVDadded last week9 views

CVE-2026-53862

OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits...

5.4CVSS0.00088EPSS
Exploits0References2
Positive Technologies
Positive Technologiesadded 2026/06/16 12:0 a.m.9 views

PT-2026-49779

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.12 Description A bootstrap token replay issue allows callers with access to a pending bootstrap token to reuse it before approval with a broader requested scope. This can lead to the escalation of pairing...

5.4CVSS5.2AI score0.00088EPSS
Exploits0References5
EUVD
EUVDadded 2026/06/13 12:34 a.m.10 views

EUVD-2026-36609

OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execut...

8.8CVSS5.4AI score0.00283EPSS
Exploits0References3
Positive Technologies
Positive Technologiesadded 2026/06/12 12:0 a.m.10 views

PT-2026-49025

OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Control UI clients can obtain cached operator.admin authority on live WebSocket connections to execut...

8.8CVSS5.5AI score0.00283EPSS
Exploits0References5
RedhatCVE
RedhatCVEadded 2026/06/07 12:43 a.m.9 views

CVE-2026-6241

An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory...

6.8CVSS5.5AI score0.00163EPSS
Exploits0References1
ATTACKERKB
ATTACKERKBadded 2026/06/05 11:52 p.m.7 views

CVE-2026-6241

An authenticated format string vulnerability is present in the ONVIF AddScopes in Tapo C520WS v2, where user-controlled input is improperly passed to formatting functions without adequate sanitization. An attacker can inject format specifiers into ONVIF scope parameters to manipulate memory...

6.8CVSS5.5AI score0.00163EPSS
Exploits0References4
Positive Technologies
Positive Technologiesadded 2026/06/05 12:0 a.m.7 views

PT-2026-46999

Summary A user in one workspace could exercise another workspace's integration through the testConnection endpoint by supplying its ID, because the integration was fetched in a bypass scope and the caller's permission check matched any base in any workspace. Details The connection-test endpoint...

6.9CVSS5.5AI score0.00098EPSS
Exploits0References4
Microsoft Secure
Microsoft Secureadded 2026/05/30 12:6 a.m.26 views

Malicious npm packages abuse dependency confusion to profile developer environments

In this article 1. Attack chain overview 2. Threat actor attribution 3. Mitigation and protection guidance 4. Indicators of Compromise IOC 5. References 6. Learn more Microsoft Threat Intelligence has uncovered an active supply chain attack involving malicious npm packages registered under...

6.3AI score
Exploits0
Microsoft Secure
Microsoft Secureadded 2026/05/30 12:6 a.m.9 views

Malicious npm packages abuse dependency confusion to profile developer environments

In this article 1. Attack chain overview 2. Threat actor attribution 3. Mitigation and protection guidance 4. Indicators of Compromise IOC 5. References 6. Learn more Microsoft Threat Intelligence has uncovered an active supply chain attack involving malicious npm packages registered under...

6.2AI score
Exploits0
RedhatCVE
RedhatCVEadded 2026/05/28 3:49 a.m.10 views

CVE-2026-9795

A flaw was found in Keycloak's Fine-Grained Admin Permissions FGAPv2 feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security...

7.3CVSS5.7AI score0.00223EPSS
Exploits0References3
OSSF Malicious Packages
OSSF Malicious Packagesadded 2026/05/28 12:0 a.m.15 views

Malicious code in @cloudplatform-single-spa/ml-foundation-models (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packagesadded 2026/05/28 12:0 a.m.11 views

Malicious code in @cloudplatform-single-spa/base-static-page (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References2
OSV
OSVadded 2026/05/28 12:0 a.m.8 views

MAL-2026-4908 Malicious code in @cloudplatform-single-spa/dataplatform-flink (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packagesadded 2026/05/28 12:0 a.m.16 views

Malicious code in @cloudplatform-single-spa/svp-vm-migration (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packagesadded 2026/05/28 12:0 a.m.11 views

Malicious code in @car-loans/general-analytics (npm)

Part of a dependency confusion attack campaign targeting the @car-loans, @fb-deposit, and @debit-ib npm scopes. The attacker npm user pik-libs published 25 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version resolution,...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packagesadded 2026/05/28 12:0 a.m.8 views

Malicious code in @mlspace/file-manager (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References1
OSV
OSVadded 2026/05/28 12:0 a.m.7 views

MAL-2026-4879 Malicious code in @car-loans/save (npm)

Part of a dependency confusion attack campaign targeting the @car-loans, @fb-deposit, and @debit-ib npm scopes. The attacker npm user pik-libs published 25 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version resolution,...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packagesadded 2026/05/28 12:0 a.m.12 views

Malicious code in @car-loans/deal (npm)

Part of a dependency confusion attack campaign targeting the @car-loans, @fb-deposit, and @debit-ib npm scopes. The attacker npm user pik-libs published 25 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version resolution,...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packagesadded 2026/05/28 12:0 a.m.15 views

Malicious code in @cloudplatform-single-spa/svp-managed-kubernetes (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References1
OSSF Malicious Packages
OSSF Malicious Packagesadded 2026/05/28 12:0 a.m.11 views

Malicious code in @cloudplatform-single-spa/observability (npm)

Part of a dependency confusion attack campaign targeting the @cloudplatform-single-spa and @mlspace npm scopes. The attacker npm user mr.4nd3r50n published 139 scoped packages at the inflated version 99.99.99, which resolves ahead of any private registry version via npm's default version...

5.8AI score
Exploits0References1
Rows per page
Query Builder