166 matches found

NVD
added 6 days ago | 11 views

CVE-2026-48980

pamusb provides hardware authentication for Linux using removable media. In versions prior to 0.9.2, getenv environment variables XRDPSESSION, DISPLAY and TMUX allow environment variable injection into local-check logic. These environment variables influence whether a current session is local or...

6.3 CVSS | 0.00127 EPSS
Exploits: 0 | References: 2
Cvelist
added 6 days ago | 14 views

CVE-2026-48980 pam_usb: getenv() used in PAM context allows environment variable injection into local-check logic

pamusb provides hardware authentication for Linux using removable media. In versions prior to 0.9.2, getenv environment variables XRDPSESSION, DISPLAY and TMUX allow environment variable injection into local-check logic. These environment variables influence whether a current session is local or...

6.3 CVSS | 0.00127 EPSS
Exploits: 0 | References: 2
NVD
added 2026/06/16 7:17 p.m. | 9 views

CVE-2026-53858

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATEDIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATEDIRECTORY variable to load runtime dependencies from unintended local paths, potentially...

7.1 CVSS | 0.00124 EPSS
Exploits: 0 | References: 2
NVD
added 2026/06/16 7:17 p.m. | 10 views

CVE-2026-53842

OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDKPYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDKPYTHON variable to execute...

7.1 CVSS | 0.00133 EPSS
Exploits: 0 | References: 2
Positive Technologies
added 2026/06/16 12:00 a.m. | 10 views

PT-2026-49775

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.5.2 Description An environment variable injection exists where the STATE DIRECTORY variable in a workspace .env file can influence bundled runtime dependency roots. This allows attackers to manipulate STATE...

7.1 CVSS | 5.6 AI score | 0.00124 EPSS
Exploits: 0 | References: 5
Cvelist
added 2026/05/28 4:15 p.m. | 29 views

CVE-2026-44463 Zed: Allowlist Bypass via Environment Variable Injection in Terminal Tool Permissions

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior e.g., PAGER to execute arbitrary code. This vulnerability is fixed in 0.229.0...

8.6 CVSS | 0.00232 EPSS
Exploits: 1 | References: 1
Vulnrichment
added 2026/05/28 4:15 p.m. | 7 views

CVE-2026-44463 Zed: Allowlist Bypass via Environment Variable Injection in Terminal Tool Permissions

Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior e.g., PAGER to execute arbitrary code. This vulnerability is fixed in 0.229.0...

8.6 CVSS | 6.1 AI score | 0.00232 EPSS
Exploits: 1 | References: 1
RedhatCVE
added 2026/05/26 2:12 a.m. | 14 views

CVE-2026-44992

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAXAPIHOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers...

5 CVSS | 5.8 AI score | 0.00119 EPSS
Exploits: 0 | References: 1
EUVD
added 2026/05/11 6:31 p.m. | 10 views

EUVD-2026-29137

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAXAPIHOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers...

5 CVSS | 5.8 AI score | 0.00119 EPSS
Exploits: 0 | References: 4
NVD
added 2026/05/11 6:16 p.m. | 13 views

CVE-2026-44992

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAXAPIHOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers...

5 CVSS | 0.00119 EPSS
Exploits: 0 | References: 3
Vulnrichment
added 2026/05/11 4:46 p.m. | 6 views

CVE-2026-44992 OpenClaw 2026.4.5 through 2026.4.19 - MiniMax API Host Override via Workspace dotenv

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAXAPIHOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers...

5 CVSS | 5.8 AI score | 0.00119 EPSS
Exploits: 0 | References: 3
ATTACKERKB
added 2026/05/11 4:46 p.m. | 3 views

CVE-2026-44992

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAXAPIHOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers...

5 CVSS | 5.8 AI score | 0.00119 EPSS
Exploits: 0 | References: 4 | Affected Software: 1
CNNVD
added 2026/05/11 12:00 a.m. | 7 views

OpenClaw Security Vulnerability

OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw from 2026.4.5 to 2026.4.20 contain a security vulnerability. The vulnerability is caused by environment variable injection, which could lead to the workspace dotenv overriding...

5 CVSS | 5.8 AI score | 0.00119 EPSS
Exploits: 0 | References: 1
Positive Technologies
added 2026/05/11 12:00 a.m. | 10 views

PT-2026-39681

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX API HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization header...

5 CVSS | 5.8 AI score | 0.00119 EPSS
Exploits: 0 | References: 4
EUVD
added 2026/05/09 7:29 p.m. | 5 views

EUVD-2026-28935

ArchiveBox is an open source self-hosted web archiving system. In versions 0.8.6rc0 and prior, the /add/ endpoint AddView in core/views.py accepts a config JSON field that gets merged into the crawl config without validation. This config is exported as environment variables when archive plugins...

9.3 CVSS | 5.9 AI score | 0.00404 EPSS
Exploits: 1 | References: 1
NVD
added 2026/05/05 12:16 p.m. | 3 views

CVE-2026-43531

OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise...

8.8 CVSS | 0.00203 EPSS
Exploits: 0 | References: 3
EUVD
added 2026/05/05 11:25 a.m. | 5 views

EUVD-2026-27273

OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise...

7.3 CVSS | 5.8 AI score | 0.00203 EPSS
Exploits: 0 | References: 3
Vulnrichment
added 2026/05/05 11:25 a.m. | 4 views

CVE-2026-43531 OpenClaw < 2026.4.9 - Environment Variable Injection via Workspace .env File

OpenClaw before 2026.4.9 contains an environment variable injection vulnerability allowing malicious workspace .env files to set runtime-control variables. Attackers can inject variables affecting update sources, gateway URLs, ClawHub resolution, and browser executable paths to compromise...

7.3 CVSS | 5.8 AI score | 0.00203 EPSS
Exploits: 0 | References: 3
CVE
added 2026/05/05 11:25 a.m. | 12 views

CVE-2026-43531

OpenClaw is vulnerable prior to version 2026.4.9 due to an environment variable injection flaw that allows malicious workspace .env files to set runtime-control variables. This can alter update sources, gateway URLs, ClawHub resolution, and browser executable paths, potentially changing applicati...

8.8 CVSS | 5.8 AI score | 0.00203 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
Vulnrichment
added 2026/05/05 11:24 a.m. | 5 views

CVE-2026-42435 OpenClaw 2026.2.22 < 2026.4.12 - Shell-Wrapper Detection Bypass via Environment Variable Assignment Injection

OpenClaw versions from 2026.2.22 before 2026.4.12 contain an insufficient shell-wrapper detection vulnerability allowing attackers to inject environment variable assignments at the argv level. Attackers can bypass exec preflight handling to manipulate high-risk shell variables like SHELLOPTS and...

8.8 CVSS | 5.9 AI score | 0.00407 EPSS
Exploits: 0 | References: 3