|
671
|
6.8 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains a sandbox escape vulnerability allowing attackers to traverse directory boundaries through symlink exploitation during file synchronization operations. Remote attac…
New
|
CWE-59
Link Following
|
CVE-2026-41397
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
672
|
7.5 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.3.31 parses MS Teams webhook request bodies before performing JWT validation, allowing unauthenticated attackers to trigger resource exhaustion. Remote attackers can send malicio…
New
|
CWE-408
Incorrect Behavior Order: Early Amplification
|
CVE-2026-41405
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
673
|
5.4 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains a sender allowlist bypass vulnerability that allows remote attackers to access restricted messages. Attackers can exploit fetched quoted, root, and thread context m…
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-41406
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
674
|
3.7 |
LOW
Network
|
-
|
-
|
OpenClaw before 2026.4.2 contains a timing side channel vulnerability in shared-secret comparison call sites that use early length-mismatch checks instead of fixed-length comparison helpers. Attacker…
New
|
CWE-208
Information Exposure Through Timing Discrepancy
|
CVE-2026-41407
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
675
|
4.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.3.31 contains a resource exhaustion vulnerability in media downloads that bypasses core safety limits for file size, count, and cleanup operations. Attackers can exhaust disk spa…
New
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-41408
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
676
|
4.3 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.4.8 omits owner-only enforcement for cross-channel allowlist writes in the /allowlist endpoint. An authorized non-owner sender can bypass access controls to perform allowlist mod…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41910
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
677
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.4.8 contains a filesystem policy bypass vulnerability in docx upload processing that allows local file reads outside workspace boundaries. Attackers can exploit upload_file and u…
New
|
CWE-22
Path Traversal
|
CVE-2026-41911
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
678
|
7.6 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.4.8 contains a server-side request forgery policy bypass vulnerability allowing attackers to trigger navigations bypassing normal SSRF checks. Attackers can exploit browser inter…
New
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41912
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
679
|
- |
|
-
|
-
|
A vulnerability affecting the detailed versions of Cryptobox allows a legitimate user to prevent another to login by triggering an account lockout via sending a specially crafted request.
New
|
CWE-694
Use of Multiple Resources with Duplicate Identifier
|
CVE-2026-5794
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
680
|
5.5 |
MEDIUM
Local
|
-
|
-
|
A vulnerability in GRASSMARLIN v3.2.1 allows crafted session data to
trigger improper handling of XML input, which may result in unintended
exposure of sensitive information. The flaw stems from in…
New
|
CWE-611
XXE
|
CVE-2026-6807
|
2026-04-29 05:10 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
