CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

3515 matches found

Github Security Blog•added 2026/04/17 9:48 p.m.•6 views

OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events

Summary Heartbeat owner downgrade missed untrusted webhook wake events. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.7 = 2026.4.14 Impact Heartbeat owner downgrade logic could skip webhook wake events carrying untrusted content, preserving...

9.8CVSS5.9AI score0.00423EPSS

Exploits0References6Affected Software1

OSV•added 2026/04/17 9:48 p.m.•3 views

GHSA-G2HM-779G-VM32 OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events

9.1CVSS5.9AI score0.00423EPSS

Exploits0References6

CNNVD•added 2026/04/17 12:0 a.m.•3 views

monetr 安全漏洞

Monetr is an open-source personal budget management application developed by Monetr. Versions of Monetr 1.12.3 and earlier contained a security vulnerability. This vulnerability stemmed from the Stripe webhook endpoint, which buffered the entire request body in memory, potentially leading to...

8.2CVSS5.8AI score0.00446EPSS

Exploits1References2

Positive Technologies•added 2026/04/17 12:0 a.m.•5 views

PT-2026-37009

Name of the Vulnerable Software and Affected Versions OpenClaw version 2026.4.9 Description A denial of service issue exists in the voice-call realtime WebSocket path. The system accepts oversized frames without proper validation, allowing remote attackers to send these frames to cause service...

8.7CVSS5.8AI score0.00417EPSS

Exploits0References7

Positive Technologies•added 2026/04/17 12:0 a.m.•9 views

PT-2026-38242

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.15 Description An authentication bypass exists in the Feishu webhook and card-action validation. When the encryptKey configuration is missing or callback tokens are blank, the system fails open rather than...

9.8CVSS6AI score0.00718EPSS

Exploits1References14

Positive Technologies•added 2026/04/17 12:0 a.m.•7 views

PT-2026-37021

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.4.7 through 2026.4.13 Description A privilege escalation issue exists where the heartbeat owner downgrade logic fails to account for webhook wake events containing untrusted content. This allows attackers to send untrust...

9.8CVSS5.9AI score0.00423EPSS

Exploits0References10

SUSE CVE•added 2026/04/16 11:28 p.m.•2 views

SUSE CVE-2026-39845

Weblate is a web based localization tool. In versions prior to 5.17, the webhook add-on did not utilize existing SSRF protections. This issue has been fixed in version 5.17. If developers are unable to update immediately, they can disable the webhook add-on as a workaround...

4.1CVSS5.7AI score0.00275EPSS

Exploits0References3

Github Security Blog•added 2026/04/16 9:36 p.m.•4 views

Kyverno: ServiceAccount token leaked to external servers via apiCall service URL

Summary Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissions ...

9.1CVSS5.8AI score0.0056EPSS

Exploits1References6Affected Software1

OSV•added 2026/04/16 9:36 p.m.•3 views

GHSA-F9G8-6PPC-PQQ4 Kyverno: ServiceAccount token leaked to external servers via apiCall service URL

8.1CVSS5.8AI score0.0056EPSS

Exploits1References6

EUVD•added 2026/04/16 8:45 p.m.•3 views

EUVD-2026-23018

Weblate: SSRF via the webhook add-on using unprotected fetchurl...

4.1CVSS5.8AI score0.00275EPSS

Exploits0References3

Snyk•added 2026/04/16 8:45 p.m.•2 views

Server-side Request Forgery (SSRF)

Overview weblate is an A web-based continuous localization system with tight version control integration Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetchurl function in the webhook add-on. An attacker can access internal resources by supplying...

5.9CVSS5.7AI score0.00275EPSS

Exploits0References2

Github Security Blog•added 2026/04/16 8:45 p.m.•6 views

Weblate: SSRF via the webhook add-on using unprotected fetch_url()

Impact The webhook add-on did not utilize existing SSRF protection. Patches https://github.com/WeblateOrg/weblate/pull/18815 Workarounds Disabling the add-on would avoid misusing this. References Thanks to @Lihfdgjr for reporting this via GitHub...

4.1CVSS5.8AI score0.00275EPSS

Exploits0References5Affected Software1

OSV•added 2026/04/16 8:45 p.m.•2 views

GHSA-F8HV-G549-HWG2 Weblate: SSRF via the webhook add-on using unprotected fetch_url()

4.1CVSS5.8AI score0.00275EPSS

Exploits0References5

Wordfence Blog•added 2026/04/16 4:45 p.m.•9 views

Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026)

Last week, there were 157 vulnerabilities disclosed in 141 WordPress Plugins and 23 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 79 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilitie...

6AI score

Exploits0