2840 matches found
CVE-2026-41348 OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted...
CVE-2026-31192
Insufficient validation of Chrome extension identifiers in Raindrop.io Bookmark Manager Web App 5.6.76.0 allows attackers to obtain sensitive user data via a crafted request...
EUVD-2026-24373
Vulnerability in the Oracle Identity Manager Connector product of Oracle Fusion Middleware component: Core. The supported version that is affected is 12.2.1.4.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Identity Manager...
GHSA-65FP-7G2V-658R Bagisto affected by Cross-site Scripting
A vulnerability was determined in Bagisto up to 2.3.15. Affected by this vulnerability is an unknown functionality of the component Custom Scripts Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may...
CVE-2026-40584
CVE-2026-40584 affects RansomLook. The vulnerability arises in the API at website/web/api/genericapi.py prior to version 1.9.0, where entries marked private are not properly filtered due to removing elements from a list while iterating. This can cause private location entries to be unintentionall...
CVE-2026-6624
A weakness has been identified in BichitroGan ISP Billing Software 2025.3.20. Affected is an unknown function of the file /?\route=pool/add of the component Pool List Interface. Executing a manipulation can lead to cross site scripting. The attack may be performed from remote. The exploit has bee...
CVE-2026-6622
A vulnerability was identified in BichitroGan ISP Billing Software 2025.3.20. This affects an unknown function of the file /?\route=customers/edit/ of the component Customer Handler. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit is publicly...
CVE-2026-6613
A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Affected is the function deleteagent/stopschedule/getscheduledata of the file superagi/controllers/agent.py. The manipulation of the argument agentid leads to authorization bypass. The attack is possible to be carried out...
CVE-2026-6568 kodcloud KodExplorer Public Share share.class.php initShareOld path traversal
A vulnerability was determined in kodcloud KodExplorer up to 4.52. This affects the function share.class.php::initShareOld of the file /app/controller/share.class.php of the component Public Share Handler. This manipulation of the argument path causes path traversal. The attack can be initiated...
OMRON UPS (Uninterruptible Power Supply) management application may insecurely load Dynamic Link Libraries
Overview The UPS Uninterruptible Power Supply management application provided by OMRON Corporation may insecurely load Dynamic Link Libraries due to an issue with uncontrolled search path element CWE-427, CVE-2026-5397. OMRON Corporation reported this vulnerability to JPCERT/CC to notify users of...
PT-2026-33533
ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the public API login endpoint /api/public/user/login returns distinguishable HTTP response codes based on whether a username exists: 404 for non-existent users and 401 for valid users with incorrect passwords. An...
GROWI vulnerable to stored cross-site scripting
Overview GROWI provided by GROWI, Inc. contains the following vulnerability. Stored cross-site scripting CWE-79 - CVE-2026-26291 Norihide Saito reported this vulnerability to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership. Impact An arbitrary...
CVE-2026-5754
Radware Alteon vADC load-balancer, version 34.5.4.0, contains a reflected XSS in the ReturnTo parameter of the /protected/login route due to lack of input sanitization. An attacker can craft a link that injects JavaScript, which is reflected in the victim’s browser, enabling actions such as steal...
EUVD-2025-209310
D-Link DI-8300 v16.07.26A1 was discovered to contain a buffer overflow via the fx parameter in the jingxasp function. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted input...
CVE-2026-39562
Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through = 20.8.10...
CVE-2026-39617 WordPress Bluestreet theme <= 1.7.3 - Cross Site Request Forgery (CSRF) to Arbitrary Plugin Installation vulnerability
Cross-Site Request Forgery CSRF vulnerability in priyanshumittal Bluestreet bluestreet allows Cross Site Request Forgery.This issue affects Bluestreet: from n/a through = 1.7.3...
PT-2026-31552
Name of the Vulnerable Software and Affected Versions PHPGurukul Online Course Registration version 3.1 Description A security issue exists in PHPGurukul Online Course Registration 3.1 related to the processing of the /admin/check availability.php file. Manipulation of the regno argument can lead...
EUVD-2026-19701
An issue that could allow access to Explorer groups from outside of the authorized organization scope has been resolved. This is an instance of CWE-863: Incorrect Authorization, and has an estimated CVSS score of CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:L/A:L 4.4 Medium. This issue was fixed in...
CVE-2026-30613
An information disclosure vulnerability exists in AZIOT 1 Node Smart Switch 16amp- WiFi/Bluetooth Enabled Software Version: 1.1.9 due to improper access control on the UART debug interface. An attacker with physical access can connect to the UART interface and obtain sensitive information from th...
EUVD-2026-19480
Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the getClientIP function in lib/admin/session.ts trusted the first leftmost entry of the X-Forwarded-For header, which is fully controlled by the client. An attacker could forge their source IP address to...