|
501
|
10.0 |
CRITICAL
Network
|
-
|
-
|
Deserialization of untrusted data in Microsoft Bing allows an unauthorized attacker to execute code over a network.
New
|
CWE-502
Deserialization of Untrusted Data
|
CVE-2026-33819
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
502
|
10.0 |
CRITICAL
Network
|
-
|
-
|
Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network.
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-35431
|
2026-04-24 23:41 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
503
|
5.3 |
MEDIUM
Local
|
-
|
-
|
OpenClaw before 2026.3.28 contains an environment variable sanitization vulnerability where GIT_TEMPLATE_DIR and AWS_CONFIG_FILE are not blocked in the host-env blocklist. Attackers can exploit appro…
New
|
CWE-184
Incomplete Blacklist
|
CVE-2026-41332
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
504
|
3.7 |
LOW
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains an authentication rate limiting bypass vulnerability that allows attackers to circumvent shared authentication protections using fake device tokens. Attackers can e…
New
|
CWE-799
Improper Control of Interaction Frequency
|
CVE-2026-41333
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
505
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains a decompression bomb vulnerability in image processing that fails to properly enforce pixel-limit guards on sips. Attackers can exploit this by uploading oversized …
New
|
CWE-636
Not Failing Securely ('Failing Open')
|
CVE-2026-41334
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
506
|
5.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitiv…
New
|
CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
|
CVE-2026-41335
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
507
|
7.8 |
HIGH
Local
|
-
|
-
|
OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_HOOKS_DIR environment variable, enabling loading of attacker-controlled hook code. Attackers can replace trusted…
New
|
CWE-829
Inclusion of Functionality from Untrusted Control Sphere
|
CVE-2026-41336
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
508
|
5.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains a callback origin mutation vulnerability in Plivo voice-call replay that allows attackers to mutate in-process callback origin before replay rejection. Attackers wi…
New
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-41337
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
509
|
5.0 |
MEDIUM
Local
|
-
|
-
|
OpenClaw before 2026.3.31 contains a time-of-check-time-of-use vulnerability in sandbox file operations that allows attackers to bypass fd-based defenses. Attackers can exploit check-then-act pattern…
New
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-41338
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
510
|
4.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.4.2 exposes configPath and stateDir metadata in Gateway connect success snapshots to non-admin authenticated clients. Non-admin clients can recover host-specific filesystem paths…
New
|
CWE-497
Exposure of Sensitive System Information to an Unauthorized Control Sphere
|
CVE-2026-41339
|
2026-04-24 23:40 |
2026-04-24 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
