Lucene search
+L

1199 matches found

CNNVD
CNNVD
added 2026/05/18 12:0 a.m.12 views

Summarize 安全漏洞

Summarize is a multi-source rapid summarization tool developed by Peter Steinberger. Versions of Summarize prior to 0.15.1 contain security vulnerabilities. These vulnerabilities stem from an authorization flaw in the content script’s window.postMessage bridging mechanism, which could allow...

6.1CVSS5.9AI score0.00195EPSS
Exploits1References1
CVE
CVE
added 2026/05/11 8:37 p.m.14 views

CVE-2026-43880

CVE-2026-43880 involves WWBN AVideo’s endpoint objects/sendEmail.json.php, where unauthenticated calls can send emails using the site’s SMTP and the site’s From/Reply-To identity. When contactForm is omitted, an attacker-supplied email becomes the recipient, while the message From/Reply-To uses t...

5.3CVSS5.9AI score0.00229EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/06 9:31 p.m.15 views

EUVD-2026-28201

OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata...

8.5CVSS5.8AI score0.00112EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/05/06 7:49 p.m.6 views

CVE-2026-44118

OpenClaw before 2026.4.22 derives loopback MCP owner context from spoofable server-issued bearer tokens in request headers. Non-owner loopback clients can present themselves as owner to bypass owner-gated operations by manipulating the sender-owner header metadata...

8.5CVSS5.8AI score0.00112EPSS
Exploits0References4
CVE
CVE
added 2026/05/06 7:49 p.m.29 views

CVE-2026-44118

OpenClaw is affected by CVE-2026-44118 prior to version 2026.4.22. The vulnerability arises because loopback MCP owner context is derived from spoofable server-issued bearer tokens in request headers. This allows non-owner loopback clients to impersonate the owner by manipulating the sender-owner...

8.5CVSS5.8AI score0.00112EPSS
Exploits0References3Affected Software1
CVE
CVE
added 2026/05/06 7:49 p.m.25 views

CVE-2026-44110

OpenClaw is affected by CVE-2026-44110, with vulnerability present in versions before 2026.4.15. The issue is an authorization bypass in Matrix room control-command authorization that trusts DM pairing-store entries. Attackers with DM-paired sender IDs can execute room control commands without be...

8.8CVSS5.9AI score0.00288EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/05/05 9:56 p.m.7 views

Improper Verification of Source of a Communication Channel

Overview wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Improper Verification of Source of a Communication Channel in the sendEmail.json.php process. An attacker can send emails appearing to originate from the site's...

6.9CVSS5.9AI score0.00229EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/05 9:56 p.m.10 views

AVideo: Unauthenticated Arbitrary Email Sending via sendEmail.json.php Enables Phishing from the Site’s Legitimate From Address

Summary objects/sendEmail.json.php exposes two branches depending on whether contactForm=1 is submitted. When the parameter is omitted, the endpoint sets $sendTo to an attacker-supplied email and, for unauthenticated callers, uses the site's own contact email as the message From:/Reply-To:. The...

5.3CVSS5.9AI score0.00229EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/05/05 1:35 p.m.13 views

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via the Microsoft Teams SSO invoke handler. An attacker can gain unauthorized access to Teams SSO signin functionality by sending specially crafted SSO invoke reques...

6.3CVSS5.8AI score0.00231EPSS
Exploits0References2
NVD
NVD
added 2026/05/05 12:16 p.m.11 views

CVE-2026-42438

OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading ...

7.7CVSS0.00236EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/05 11:25 a.m.8 views

CVE-2026-43572 OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler

OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation,...

6.3CVSS5.8AI score0.00231EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/05/05 11:25 a.m.7 views

CVE-2026-43572

OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation,...

6.3CVSS5.8AI score0.00231EPSS
Exploits0References4Affected Software1
Cvelist
Cvelist
added 2026/05/05 11:25 a.m.51 views

CVE-2026-43572 OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler

OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation,...

6.3CVSS0.00231EPSS
Exploits0References3
CVE
CVE
added 2026/05/05 11:25 a.m.36 views

CVE-2026-43572

OpenClaw 2026.4.10

6.3CVSS5.8AI score0.00231EPSS
Exploits0References3Affected Software1
OSV
OSV
added 2026/05/05 11:25 a.m.4 views

CVE-2026-43572 OpenClaw 2026.4.10 < 2026.4.14 - Missing Sender Authorization in Microsoft Teams SSO Invoke Handler

OpenClaw versions 2026.4.10 before 2026.4.14 contain a missing authorization vulnerability in the Microsoft Teams SSO invoke handler that fails to apply sender allowlist checks. Attackers can bypass sender authorization by sending SSO invoke requests that are processed without proper validation,...

6.3CVSS6AI score0.00231EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/05/05 11:25 a.m.4 views

CVE-2026-43535

OpenClaw before 2026.4.14 contains an authorization context reuse vulnerability in collect-mode queue batches that allows messages from different senders to inherit the final sender's authorization context. Attackers can exploit this by sending multiple queued messages to drain batches using a mo...

7.6CVSS5.9AI score0.0022EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/05/05 11:24 a.m.35 views

CVE-2026-42438 OpenClaw 2026.4.9 < 2026.4.10 - Sender Policy Bypass in Host Media Attachment Reads

OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading ...

7.7CVSS0.00236EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/05 11:24 a.m.5 views

CVE-2026-42438 OpenClaw 2026.4.9 < 2026.4.10 - Sender Policy Bypass in Host Media Attachment Reads

OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading ...

7.7CVSS5.8AI score0.00236EPSS
Exploits0References3
EUVD
EUVD
added 2026/05/05 11:24 a.m.6 views

EUVD-2026-27259

OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers with denied read access via toolsBySender or group policy can trigger host-media attachment loading ...

7.7CVSS5.8AI score0.00236EPSS
Exploits0References3
CVE
CVE
added 2026/05/05 11:24 a.m.18 views

CVE-2026-42438

OpenClaw version 2026.4.9 and older is affected by a sender policy bypass in the outbound host-media attachment read helper, enabling unauthorized local file disclosure when an attacker has denied read access via toolsBySender or group policy. The bypass can circumvent sender and group-scoped aut...

7.7CVSS5.8AI score0.00236EPSS
Exploits0References3Affected Software1
Rows per page
Query Builder