|
1291
|
4.3 |
MEDIUM
Network
|
google
|
chrome
|
Uninitialized Use in GPU in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium securi…
|
CWE-457
Use of Uninitialized Variable
|
CVE-2026-7972
|
2026-05-7 11:01 |
2026-05-7 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1292
|
7.7 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw versions 2026.4.9 before 2026.4.10 contain a sender policy bypass vulnerability in the outbound host-media attachment read helper that allows unauthorized local file disclosure. Attackers wi…
|
CWE-863
Incorrect Authorization
|
CVE-2026-42438
|
2026-05-7 10:59 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1293
|
8.5 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in the browser tabs action select and close routes. Attackers can bypass configured browser SSRF policy pr…
|
CWE-862
CWE-918
Missing Authorization
Server-Side Request Forgery (SSRF)
|
CVE-2026-42439
|
2026-05-7 10:59 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1294
|
9.3 |
CRITICAL
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by provid…
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-43526
|
2026-05-7 10:57 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1295
|
6.5 |
MEDIUM
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.14 contains a redaction bypass vulnerability that allows authenticated gateway clients to receive unredacted secrets through sourceConfig and runtimeConfig alias fields. Attack…
|
CWE-212
Improper Removal of Sensitive Information Before Storage or Transfer
|
CVE-2026-43528
|
2026-05-7 10:54 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1296
|
2.5 |
LOW
Local
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.10 contains a time-of-check-time-of-use vulnerability in the validateScriptFileForShellBleed function that allows local attackers to bypass workspace boundary checks. An attack…
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-43529
|
2026-05-7 10:54 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1297
|
7.7 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw versions 2026.4.7 before 2026.4.10 fail to normalize Discord event cover image parameters in sandbox media processing. Attackers can bypass media normalization to inject host-local media ref…
|
CWE-184
Incomplete Blacklist
|
CVE-2026-43532
|
2026-05-7 10:54 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1298
|
8.6 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.10 contains an arbitrary file read vulnerability in QQBot media tags that allows attackers to reference host-local paths outside the intended media storage boundary. Attackers …
|
CWE-23
Relative Path Traversal
|
CVE-2026-43533
|
2026-05-7 10:53 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1299
|
9.8 |
CRITICAL
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.10 contains an input validation vulnerability that allows external hook metadata to be enqueued as trusted system events. Attackers can supply malicious hook names to escalate …
|
CWE-345
Insufficient Verification of Data Authenticity
|
CVE-2026-43534
|
2026-05-7 10:53 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1300
|
9.8 |
CRITICAL
Network
|
openclaw
|
openclaw
|
OpenClaw versions 2026.4.7 before 2026.4.14 contain a privilege escalation vulnerability where heartbeat owner downgrade logic skips webhook wake events carrying untrusted content. Attackers can expl…
|
CWE-184
Incomplete Blacklist
|
CVE-2026-43566
|
2026-05-7 10:53 |
2026-05-5 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
