Vulnerabilidades CVE

A continuación la lista de las últimas vulnerabilidades publicadas por el instituto NIST:

Borrar filtros
CVE ID Publicado Severidad CVSS Descripción
CVE-2026-41358 2026-04-23 MEDIUM 5.4 OpenClaw before 2026.4.2 fails to filter Slack thread context by sender allowlist, allowing non-allowlisted messages to enter agent context. Attackers can inject unauthorized thread messages through allowlisted user…
CVE-2026-41357 2026-04-23 LOW 3.3 OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH…
CVE-2026-41356 2026-04-23 MEDIUM 5.4 OpenClaw before 2026.3.31 fails to terminate active WebSocket sessions when rotating device tokens. Attackers with previously compromised credentials can maintain unauthorized access through existing WebSocket connections after token…
CVE-2026-41355 2026-04-23 HIGH 7.3 OpenShell before 2026.3.28 contains an arbitrary code execution vulnerability in mirror mode that converts untrusted sandbox files into workspace hooks. Attackers with mirror mode access can execute arbitrary…
CVE-2026-41354 2026-04-23 LOW 3.7 OpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit…
CVE-2026-41353 2026-04-23 HIGH 8.1 OpenClaw before 2026.3.22 contains an access control bypass vulnerability in the allowProfiles feature that allows attackers to circumvent profile restrictions through persistent profile mutation and runtime profile selection.…
CVE-2026-41352 2026-04-23 HIGH 8.8 OpenClaw before 2026.3.31 contains a remote code execution vulnerability where a device-paired node can bypass the node scope gate authentication mechanism. Attackers with device pairing credentials can execute…
CVE-2026-41351 2026-04-23 MEDIUM 5.3 OpenClaw before 2026.3.31 contains a replay detection bypass vulnerability in webhook signature handling that treats Base64 and Base64URL encoded signatures as distinct requests. Attackers can re-encode Telnyx webhook…
CVE-2026-41350 2026-04-23 MEDIUM 4.3 OpenClaw before 2026.3.31 contains a session visibility bypass vulnerability where the session_status function fails to enforce configured tools.sessions.visibility restrictions for unsandboxed invocations. Attackers can invoke session_status without sandbox…
CVE-2026-41349 2026-04-23 HIGH 8.8 OpenClaw before 2026.3.28 contains an agentic consent bypass vulnerability allowing LLM agents to silently disable execution approval via config.patch parameter. Remote attackers can exploit this to bypass security…
CVE-2026-41348 2026-04-23 MEDIUM 5.4 OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can…
CVE-2026-41347 2026-04-23 HIGH 7.1 OpenClaw before 2026.3.31 lacks browser-origin validation in HTTP operator endpoints when operating in trusted-proxy mode, allowing cross-site request forgery attacks. Attackers can exploit this by sending malicious requests…
CVE-2026-41346 2026-04-23 MEDIUM 5.3 OpenClaw 2026.2.26 before 2026.3.31 enforces pending pairing-request caps per channel file instead of per account, allowing attackers to exhaust the shared pending window. Remote attackers can submit pairing…
CVE-2026-41345 2026-04-23 MEDIUM 5.3 OpenClaw before 2026.3.31 contains a credential exposure vulnerability in media download functionality that forwards Authorization headers across cross-origin redirects. Attackers can exploit this by crafting malicious cross-origin redirect…
CVE-2026-41344 2026-04-23 MEDIUM 5.4 OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the chat.send endpoint that allows write-scoped gateway callers to persist admin-only verboseLevel session overrides. Attackers can exploit the /verbose…
CVE-2026-41343 2026-04-23 MEDIUM 5.3 OpenClaw before 2026.3.31 lacks a shared pre-auth concurrency budget on the public LINE webhook path, allowing attackers to cause transient availability loss. Remote attackers can flood the webhook…
CVE-2026-41342 2026-04-23 HIGH 7.3 OpenClaw before 2026.3.28 contains an authentication bypass vulnerability in the remote onboarding component that persists unauthenticated discovery endpoints without explicit trust confirmation. Attackers can spoof discovery endpoints to…
CVE-2026-41341 2026-04-23 MEDIUM 5.4 OpenClaw before 2026.3.31 contains a logic error in Discord component interaction routing that misclassifies group direct messages as direct messages in extensions/discord/src/monitor/agent-components-helpers.ts. Attackers can exploit this misclassification to…
CVE-2026-41340 2026-04-23 MEDIUM 6.5 OpenClaw before 2026.3.31 contains an authentication boundary vulnerability where Telegram legacy allowFrom migration incorrectly fans default-account trust into all named accounts. Attackers can exploit this trust propagation to…
CVE-2026-41339 2026-04-23 MEDIUM 4.3 OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths and deployment details, enabling…
CVE-2026-41338 2026-04-23 MEDIUM 5.0 OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act patterns in apply_patch, remove, and mkdir…
CVE-2026-41337 2026-04-23 MEDIUM 5.3 OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers with captured valid…
CVE-2026-41336 2026-04-23 HIGH 7.8 OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted default-on bundled hooks from untrusted…
CVE-2026-41335 2026-04-23 MEDIUM 5.3 OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from…
CVE-2026-41334 2026-04-23 MEDIUM 6.5 OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized images…
CVE-2026-41333 2026-04-23 LOW 3.7 OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can exploit the mixed WebSocket…
CVE-2026-41332 2026-04-23 MEDIUM 5.3 OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit approved exec requests to redirect…
CVE-2026-40630 2026-04-24 CRITICAL 9.8 A vulnerability in  SenseLive X3050’s web management interface allows unauthorized access to certain configuration endpoints due to improper access control enforcement. An attacker with network access to the…
CVE-2026-40623 2026-04-24 HIGH 8.1 A vulnerability in SenseLive X3050's web management interface allows critical system and network configuration parameters to be modified without sufficient validation and safety controls. Due to inadequate enforcement of constraints…
CVE-2026-40620 2026-04-24 CRITICAL 9.8 A vulnerability in SenseLive X3050’s embedded management service allows full administrative control to be established without any form of authentication or authorization on the SenseLive config application. The service accepts…
CVE-2026-40431 2026-04-24 MEDIUM 5.3 A vulnerability exists in SenseLive X3050’s web management interface due to its reliance on unencrypted HTTP for all administrative communication. Because management traffic, including authentication attempts and configuration data, is…
CVE-2026-39462 2026-04-24 HIGH 8.1 A vulnerability exists in SenseLive X3050’s web management interface in which password updates are not reliably applied due to improper handling of credential changes on the backend. After the…
CVE-2026-35503 2026-04-24 CRITICAL 9.8 A vulnerability in SenseLive X3050’s web management interface allows authentication logic to be performed entirely on the client side, relying on hardcoded values within browser-executed scripts rather than server-side…
CVE-2026-35064 2026-04-24 HIGH 7.5 A vulnerability in SenseLive X3050’s management ecosystem allows unauthenticated discovery of deployed units through the vendor’s management protocol, enabling identification of device presence, identifiers, and management interfaces without requiring credentials.…
CVE-2026-27843 2026-04-24 CRITICAL 9.1 A vulnerability exists in SenseLive X3050's web management interface that allows critical configuration parameters to be modified without sufficient authentication or server-side validation. By applying unsupported or disruptive values…
CVE-2026-27841 2026-04-24 HIGH 8.1 A vulnerability in SenseLive X3050's web management interface allows state-changing operations to be triggered without proper Cross-Site Request Forgery (CSRF) protections. Because the application does not enforce server-side validation of…
CVE-2026-25775 2026-04-24 CRITICAL 9.8 A vulnerability in SenseLive X3050’s remote management service allows firmware retrieval and update operations to be performed without authentication or authorization. The service accepts firmware-related requests from any reachable host…
CVE-2026-25720 2026-04-24 MEDIUM 5.4 A vulnerability exists in SenseLive X3050’s web management interface due to improper session lifetime enforcement, allowing authenticated sessions to remain active for extended periods without requiring re-authentication. An attacker…
CVE-2026-1789 2026-04-24 MEDIUM 4.9 A vulnerability in the browser-based remote management interface may allow an administrator to access sensitive information on the device via crafted requests, affecting certain production printers and office/small…
CVE-2026-6732 2026-04-23 MEDIUM 6.5 A flaw was found in libxml2. This vulnerability occurs when the library processes a specially crafted XML Schema Definition (XSD) validated document that includes an internal entity reference.…
CVE-2026-25660 2026-04-24 N/A 0.0 CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy. Authentication bypass occurs when the URL ends with Authentication with…
CVE-2026-5367 2026-04-24 HIGH 8.6 A flaw was found in OVN (Open Virtual Network). A remote attacker, by sending crafted DHCPv6 (Dynamic Host Configuration Protocol for IPv6) SOLICIT packets with an inflated Client…
CVE-2026-5265 2026-04-24 MEDIUM 6.5 When generating an ICMP Destination Unreachable or Packet Too Big response, the handler copies a portion of the original packet into the ICMP error body using the IP…
CVE-2026-21515 2026-04-24 CRITICAL 9.9 Exposure of sensitive information to an unauthorized actor in Azure IOT Central allows an authorized attacker to elevate privileges over a network.
CVE-2026-6043 2026-04-24 N/A 0.0 P4 Server versions prior to 2026.1 are configured with insecure default settings that, when exposed to untrusted networks, allow unauthenticated attackers to create arbitrary user accounts, enumerate existing…
CVE-2026-4313 2026-04-24 N/A 0.0 AdaptiveGRC is vulnerable to Stored XSS via text type fields across the forms. Authenticated attacker can replace the value of the text field in the HTTP POST request.…
CVE-2026-6272 2026-04-24 N/A 0.0 A client holding only a read JWT scope can still register itself as a signal provider through the production kuksa.val.v2 OpenProviderStream API by sending ProvideSignalRequest. 1. Obtain any…
CVE-2026-21728 2026-04-24 HIGH 7.5 Tempo queries with large limits can cause large memory allocations which can impact the availability of the service, depending on its deployment strategy. Mitigation can be done by…
CVE-2026-1952 2026-04-24 CRITICAL 9.8 Delta Electronics AS320T has denial of service via the undocumented subfunction vulnerability.
CVE-2026-1951 2026-04-24 CRITICAL 9.8 Delta Electronics AS320T has no checking of the length of the buffer with the directory name vulnerability.
« Anterior Página 263 de 4465 Siguiente »