| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-54018 | hig | 0.45 | — | 0.00 | Jun 17, 2026 | ### Summary The SafePlaywrightURLLoader implements a validate_url function to prevent SSRF attacks by checking the IP address of the user-provided URL. However, this validation is performed only on the initial URL. Since Playwright automatically follows HTTP redirects (301/302)… | ||
| CVE-2026-54017 | hig | 0.38 | — | 0.00 | Jun 17, 2026 | ### Summary The terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `path` segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal… | ||
| CVE-2026-54013 | hig | 0.38 | — | 0.00 | Jun 17, 2026 | # Stored XSS to Account Takeover via Model Profile Images in Open WebUI **Affected:** Open WebUI <= 0.9.5 **Bypass of:** GHSA-3wgj-c2hg-vm6q, GHSA-3856-3vxq-m6fc --- ## TL;DR Open WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply… | ||
| CVE-2026-54012 | hig | 0.45 | — | 0.00 | Jun 17, 2026 | ## Summary Open WebUI lets a user who can create, update, or import workspace models store arbitrary `meta.knowledge` entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats `meta.knowledge` entries of type `file` as an… | ||
| CVE-2026-54011 | hig | 0.45 | — | 0.00 | Jun 17, 2026 | ## Summary Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using `innerHTML`. Because Mermaid is configured with `securityLevel: 'loose'`, attacker-controlled Mermaid content can be rendered unsafely in… | ||
| CVE-2026-54010 | hig | 0.38 | — | 0.00 | Jun 17, 2026 | ## Summary Open WebUI `v0.9.5` lets an authenticated user attach arbitrary `file_id` values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, `has_access_to_file()`… | ||
| CVE-2026-54008 | hig | 0.38 | — | 0.00 | Jun 17, 2026 | ## Summary `backend/open_webui/utils/oauth.py::_process_picture_url` (v0.9.5, lines 1435-1470) calls `validate_url(picture_url)` on the initial URL only, then invokes `aiohttp.ClientSession.get(picture_url, ...)` without `allow_redirects=False`. aiohttp's default is… | ||
| CVE-2026-54007 | hig | 0.45 | — | 0.00 | Jun 17, 2026 | ### Summary The chat message listener allows non-same-origin `input:prompt` and `action:submit` messages, so an external site can set prompt text and trigger `submitPrompt()` in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted… | ||
| CVE-2026-54328 | hig | 0.39 | — | 0.00 | Jun 17, 2026 | # Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a… | ||
| CVE-2026-26231 | hig | 0.38 | — | — | Jun 16, 2026 | ## Summary Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks. ## Vulnerability Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs: … | ||
| CVE-2026-28699 | hig | 0.38 | — | — | Jun 16, 2026 | ### Summary Gitea fails to enforce OAuth2 access token scopes when the token is submitted via HTTP Basic authentication instead of a Bearer token. An OAuth2 application granted only `read:user` can use the same token as `Authorization: Basic base64(:x-oauth-basic)` and… | ||
| CVE-2026-52797 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | **Vulnerability type:** Path Traversal **Impact:** DoS **Exploitation prerequisite:** authorized user **Description:** As an authorized user, an intruder can dictate the value which is passed to the `git diff` command which, together with bypassing the filtering of the passed… | ||
| CVE-2026-28744 | hig | 0.38 | — | — | Jun 16, 2026 | ### Summary Gitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication — `CheckRepoScopedToken()` returns early unless… | ||
| CVE-2026-54304 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ## Impact An authenticated user with permission to create or modify workflows and access to a SecurityScorecard credential with limited allowed domains could configure the SecurityScorecard node's report download operation to target an attacker-controlled URL. The node attached… | ||
| CVE-2026-54309 | hig | 0.45 | — | 0.00 | Jun 16, 2026 | ## Impact When `@n8n/mcp-browser` is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client, or any website visited by the user, can establish an MCP session and invoke… | ||
| CVE-2026-54305 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ## Impact Three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An authenticated user with no project membership or credential sharing… | ||
| CVE-2026-54307 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ## Impact A member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access. This issue affects instances… | ||
| CVE-2026-54302 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ## Impact An authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious `webhookId`. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user's… | ||
| CVE-2026-54312 | hig | 0.45 | — | 0.00 | Jun 16, 2026 | ## Impact An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes `Object.prototype` process-wide for the lifetime of the n8n server… | ||
| CVE-2026-54322 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An… | ||
| CVE-2026-52845 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary `forward_auth copy_headers` deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through `php_fastcgi`, Caddy normalizes HTTP headers into CGI variables by replacing `-` with `_`. … | ||
| CVE-2026-52844 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary On Windows, Caddy `path` matchers treat `/private\secret.txt` as outside `/private/*`, but `file_server` later resolves the same request path as `private\secret.txt` on disk. An unauthenticated remote client can request `/private%5csecret.txt` and bypass Caddy… | ||
| CVE-2026-50574 | hig | 0.39 | — | 0.00 | Jun 16, 2026 | ### Summary If aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to… | ||
| CVE-2026-54321 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed. ### Impact When a sandbox… | ||
| CVE-2026-53622 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ## Summary There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS… | ||
| CVE-2026-53755 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary The Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and… | ||
| CVE-2026-53754 | hig | 0.38 | — | 0.00 | Jun 16, 2026 | ### Summary The Docker API server's SSRF protection (`validate_webhook_url` / `validate_url_destination` in `deploy/docker/utils.py`) used an explicit IPv4/IPv6 CIDR blocklist that missed several address families. An attacker could reach internal services and cloud metadata… | ||
| CVE-2026-50023 | hig | 0.39 | — | 0.01 | Jun 16, 2026 | ### Summary A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as `.desktop`, `.url`, `.webloc`) to the user's filesystem, bypassing the remediation for `CVE-2024-38519`. ### Details The fix for `CVE-2024-38519` enforced… | ||
| CVE-2026-47750 | Hig | 0.44 | 7.8 | 0.00 | Jun 16, 2026 | stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in… | ||
| CVE-2026-47747 | Hig | 0.44 | 7.8 | 0.00 | Jun 16, 2026 | stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in… | ||
| CVE-2026-22312 | — | Hig | 0.56 | 8.6 | 0.00 | Jun 16, 2026 | The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot). | |
| CVE-2026-10303 | Hig | 0.41 | 7.4 | 0.01 | Jun 16, 2026 | In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An… | ||
| CVE-2026-53866 | Hig | 0.46 | 8.1 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected… | ||
| CVE-2026-53865 | Hig | 0.39 | 7.1 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operator-unintended paths during maintenance… | ||
| CVE-2026-53864 | Hig | 0.46 | 8.1 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can… | ||
| CVE-2026-53863 | Hig | 0.39 | 7.1 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially… | ||
| CVE-2026-53858 | Hig | 0.39 | 7.1 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local… | ||
| CVE-2026-53857 | Hig | 0.46 | 8.1 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different… | ||
| CVE-2026-53855 | Hig | 0.46 | 8.1 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell… | ||
| CVE-2026-53853 | Hig | 0.47 | 8.3 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly… | ||
| CVE-2026-53849 | Hig | 0.46 | 8.1 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a… | ||
| CVE-2026-53846 | Hig | 0.39 | 7.1 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local… | ||
| CVE-2026-53843 | Hig | 0.50 | 8.8 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval,… | ||
| CVE-2026-53842 | Hig | 0.39 | 7.1 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON… | ||
| CVE-2026-53840 | Hig | 0.39 | 7.1 | 0.00 | Jun 16, 2026 | OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate… | ||
| CVE-2026-50656 | Hig | 0.51 | 7.8 | 0.03 | Jun 16, 2026 | Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as "RoguePlanet ". We are working to provide a high quality security update that addresses this vulnerability. We will provide… | ||
| CVE-2026-47964 | Hig | 0.51 | 7.8 | 0.00 | Jun 16, 2026 | DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file. | ||
| CVE-2026-47749 | Hig | 0.44 | 7.8 | 0.00 | Jun 16, 2026 | stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files.… | ||
| CVE-2026-10748 | Hig | 0.56 | — | 0.00 | Jun 16, 2026 | An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user in Sonatype Nexus Repository 3 versions before 3.92.0. | ||
| CVE-2024-39575 | Hig | 0.48 | 7.4 | 0.00 | Jun 16, 2026 | update_disk_psu_baseline.sh requires password in plain text |
- risk 0.45cvss —epss 0.00
### Summary The SafePlaywrightURLLoader implements a validate_url function to prevent SSRF attacks by checking the IP address of the user-provided URL. However, this validation is performed only on the initial URL. Since Playwright automatically follows HTTP redirects (301/302)…
- risk 0.38cvss —epss 0.00
### Summary The terminal-server reverse proxy in `backend/open_webui/routers/terminals.py` does not fully confine the user-controlled `path` segment before forwarding it to an admin-configured terminal server. An authenticated user who has been granted access to a terminal…
- risk 0.38cvss —epss 0.00
# Stored XSS to Account Takeover via Model Profile Images in Open WebUI **Affected:** Open WebUI <= 0.9.5 **Bypass of:** GHSA-3wgj-c2hg-vm6q, GHSA-3856-3vxq-m6fc --- ## TL;DR Open WebUI patched SVG XSS in user profile images and webhook profile images but forgot to apply…
- risk 0.45cvss —epss 0.00
## Summary Open WebUI lets a user who can create, update, or import workspace models store arbitrary `meta.knowledge` entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats `meta.knowledge` entries of type `file` as an…
- risk 0.45cvss —epss 0.00
## Summary Open WebUI renders Mermaid blocks from Markdown files in the file preview panel and inserts the generated SVG into the DOM using `innerHTML`. Because Mermaid is configured with `securityLevel: 'loose'`, attacker-controlled Mermaid content can be rendered unsafely in…
- risk 0.38cvss —epss 0.00
## Summary Open WebUI `v0.9.5` lets an authenticated user attach arbitrary `file_id` values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, `has_access_to_file()`…
- risk 0.38cvss —epss 0.00
## Summary `backend/open_webui/utils/oauth.py::_process_picture_url` (v0.9.5, lines 1435-1470) calls `validate_url(picture_url)` on the initial URL only, then invokes `aiohttp.ClientSession.get(picture_url, ...)` without `allow_redirects=False`. aiohttp's default is…
- risk 0.45cvss —epss 0.00
### Summary The chat message listener allows non-same-origin `input:prompt` and `action:submit` messages, so an external site can set prompt text and trigger `submitPrompt()` in an authenticated victim session. I validated this with a cross-origin attacker page that auto-posted…
- risk 0.39cvss —epss 0.00
# Predictable temporary extension install paths allow local privilege escalation on shared Linux hosts Pi versions with temporary npm or git extension package installs used predictable paths under the operating system temporary directory. On Linux-based multi-user systems, a…
- risk 0.38cvss —epss —
## Summary Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks. ## Vulnerability Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs: …
- risk 0.38cvss —epss —
### Summary Gitea fails to enforce OAuth2 access token scopes when the token is submitted via HTTP Basic authentication instead of a Bearer token. An OAuth2 application granted only `read:user` can use the same token as `Authorization: Basic base64(:x-oauth-basic)` and…
- risk 0.38cvss —epss 0.00
**Vulnerability type:** Path Traversal **Impact:** DoS **Exploitation prerequisite:** authorized user **Description:** As an authorized user, an intruder can dictate the value which is passed to the `git diff` command which, together with bypassing the filtering of the passed…
- risk 0.38cvss —epss —
### Summary Gitea v1.26.1 enforces repository-scoped access-token permissions on repository operations. In the Git Smart HTTP path, however, this check runs only when the token is presented via HTTP Basic authentication — `CheckRepoScopedToken()` returns early unless…
- risk 0.38cvss —epss 0.00
## Impact An authenticated user with permission to create or modify workflows and access to a SecurityScorecard credential with limited allowed domains could configure the SecurityScorecard node's report download operation to target an attacker-controlled URL. The node attached…
- risk 0.45cvss —epss 0.00
## Impact When `@n8n/mcp-browser` is run in HTTP transport mode, the MCP endpoint accepts session initialization and tool invocation requests without any authentication. Any network-reachable client, or any website visited by the user, can establish an MCP session and invoke…
- risk 0.38cvss —epss 0.00
## Impact Three EE endpoints used by the Dynamic Credentials feature accepted any authenticated n8n session without performing per-resource ownership or scope checks on the target workflow or credential. An authenticated user with no project membership or credential sharing…
- risk 0.38cvss —epss 0.00
## Impact A member-level user with editor access to a shared workflow could reference credentials they do not own via specific public API endpoints. Credential ownership checks were only enforced partially leading to cross-user credential access. This issue affects instances…
- risk 0.38cvss —epss 0.00
## Impact An authenticated user with workflow edit access could inject arbitrary JavaScript into the Chat Trigger's generated page by setting a malicious `webhookId`. When a logged-in user visited the chat URL, the injected code executed in the n8n origin with that user's…
- risk 0.45cvss —epss 0.00
## Impact An authenticated user with permission to create or modify workflows could achieve global prototype pollution via the Microsoft SQL node by supplying a crafted value as the table parameter. This pollutes `Object.prototype` process-wide for the lifetime of the n8n server…
- risk 0.38cvss —epss 0.00
### Summary Daytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An…
- risk 0.38cvss —epss 0.00
### Summary `forward_auth copy_headers` deletes the exact client-supplied identity header before copying the trusted value from the auth gateway. But when the request later goes through `php_fastcgi`, Caddy normalizes HTTP headers into CGI variables by replacing `-` with `_`. …
- risk 0.38cvss —epss 0.00
### Summary On Windows, Caddy `path` matchers treat `/private\secret.txt` as outside `/private/*`, but `file_server` later resolves the same request path as `private\secret.txt` on disk. An unauthenticated remote client can request `/private%5csecret.txt` and bypass Caddy…
- risk 0.39cvss —epss 0.00
### Summary If aria2c is used as an external downloader for a fragmented manifest format (such as an HLS/DASH stream), yt-dlp passes insufficiently sanitized input to aria2c that allows an attacker to perform an arbitrary file write. On Windows platforms, this can lead to…
- risk 0.38cvss —epss 0.00
### Summary Sandbox previews that were switched from public to private could remain reachable without authentication for a short period after the change, due to a cached visibility state that was not invalidated when the sandbox's visibility changed. ### Impact When a sandbox…
- risk 0.38cvss —epss 0.00
## Summary There is a critical vulnerability in Traefik's HTTP/3 (QUIC) TLS configuration selection that allows unauthenticated clients to bypass router-specific mTLS enforcement. When HTTP/3 is enabled on an entrypoint, the TLS handshake selects the applicable TLS…
- risk 0.38cvss —epss 0.00
### Summary The Docker API server applied its SSRF destination check to the crawl target URL only, not to the proxy address. An unauthenticated request could supply a proxy pointing at an internal IP and route the browser through it, reaching internal services and…
- risk 0.38cvss —epss 0.00
### Summary The Docker API server's SSRF protection (`validate_webhook_url` / `validate_url_destination` in `deploy/docker/utils.py`) used an explicit IPv4/IPv6 CIDR blocklist that missed several address families. An attacker could reach internal services and cloud metadata…
- risk 0.39cvss —epss 0.01
### Summary A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files (such as `.desktop`, `.url`, `.webloc`) to the user's filesystem, bypassing the remediation for `CVE-2024-38519`. ### Details The fix for `CVE-2024-38519` enforced…
- risk 0.44cvss 7.8epss 0.00
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in…
- risk 0.44cvss 7.8epss 0.00
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. In versions prior to master-584-0a7ae07, the pickle .ckpt parser in src/model.cpp contained a heap buffer overflow vulnerability in…
- risk 0.56cvss 8.6epss 0.00
The device has a webserver that exposes a REST API authenticated with a constant token. The unauthenticated API can be used by an attacker to get access to system settings, modify the configuration and execute some commands (e.g. system reboot).
- risk 0.41cvss 7.4epss 0.01
In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An…
- risk 0.46cvss 8.1epss 0.00
OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected…
- risk 0.39cvss 7.1epss 0.00
OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operator-unintended paths during maintenance…
- risk 0.46cvss 8.1epss 0.00
OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can…
- risk 0.39cvss 7.1epss 0.00
OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially…
- risk 0.39cvss 7.1epss 0.00
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local…
- risk 0.46cvss 8.1epss 0.00
OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different…
- risk 0.46cvss 8.1epss 0.00
OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell…
- risk 0.47cvss 8.3epss 0.00
OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly…
- risk 0.46cvss 8.1epss 0.00
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a…
- risk 0.39cvss 7.1epss 0.00
OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local…
- risk 0.50cvss 8.8epss 0.00
OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval,…
- risk 0.39cvss 7.1epss 0.00
OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON…
- risk 0.39cvss 7.1epss 0.00
OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate…
- risk 0.51cvss 7.8epss 0.03
Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as "RoguePlanet ". We are working to provide a high quality security update that addresses this vulnerability. We will provide…
- risk 0.51cvss 7.8epss 0.00
DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
- risk 0.44cvss 7.8epss 0.00
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files.…
- risk 0.56cvss —epss 0.00
An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user in Sonatype Nexus Repository 3 versions before 3.92.0.
- risk 0.48cvss 7.4epss 0.00
update_disk_psu_baseline.sh requires password in plain text