VYPR

CVEs

345,178 total · page 75 of 6,904

  • CVE-2026-35265Jun 16, 2026
    risk 0.00cvss epss 0.00

    Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: Security). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise…

  • CVE-2026-35263Jun 16, 2026
    risk 0.00cvss epss 0.00

    Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Core). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise WebLogic…

  • CVE-2026-35262Jun 16, 2026
    risk 0.00cvss epss 0.00

    Vulnerability in the Oracle Data Integrator product of Oracle Fusion Middleware (component: Market Place). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to…

  • CVE-2026-35261Jun 16, 2026
    risk 0.00cvss epss 0.00

    Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Authentication Engine). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP…

  • CVE-2026-35259Jun 16, 2026
    risk 0.00cvss epss 0.00

    Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise…

  • CVE-2026-35258Jun 16, 2026
    risk 0.00cvss epss 0.00

    Vulnerability in the WebLogic Server product of Oracle Fusion Middleware (component: Console). Supported versions that are affected are 14.1.2.0.0 and 15.1.1.0.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTPS to compromise…

  • CVE-2026-50134Jun 16, 2026
    risk 0.00cvss epss 0.00

    **Commit:** [86fbb0f7a8](https://github.com/gohugoio/hugo/commit/86fbb0f7a8) — _security: Validate redirects against security.http.urls_ **Affected versions:** v0.91.0 (when `security.http.urls` was introduced) through v0.161.1. **Fixed in:** v0.162.0. **Severity:** Only…

  • CVE-2026-50133Jun 16, 2026
    risk 0.00cvss epss 0.00

    **Commit:** [e41a06447d](https://github.com/gohugoio/hugo/commit/e41a06447d) — _Disallow HTML content by default_ **Affected versions:** all Hugo versions prior to v0.162.0. **Fixed in:** v0.162.0. **Severity:** Low to Medium, depending on threat model. Not an issue if you…

  • CVE-2026-53866HigJun 16, 2026
    risk 0.46cvss 8.1epss 0.00

    OpenClaw before 2026.5.12 contains an allowlist bypass vulnerability in shell inline-command parsing that allows authenticated operators to execute unapproved commands. A command request using shell inline-command forms could route through a parser case missing the expected…

  • CVE-2026-53865HigJun 16, 2026
    risk 0.39cvss 7.1epss 0.00

    OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operator-unintended paths during maintenance…

  • CVE-2026-53864HigJun 16, 2026
    risk 0.46cvss 8.1epss 0.00

    OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can…

  • CVE-2026-53863HigJun 16, 2026
    risk 0.39cvss 7.1epss 0.00

    OpenClaw before 2026.4.25 contains an input validation vulnerability in tool group policy callers that accept unvalidated group IDs. Attackers who can supply a group ID to the policy resolver could trigger incorrect group-policy decisions for tool invocations, potentially…

  • CVE-2026-53862MedJun 16, 2026
    risk 0.20cvss 4.2epss 0.00

    OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits.

  • CVE-2026-53861MedJun 16, 2026
    risk 0.36cvss 6.6epss 0.00

    OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing…

  • CVE-2026-53860MedJun 16, 2026
    risk 0.20cvss 4.2epss 0.00

    OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries through conversation metadata rather than stable sender identity. Attackers can influence conversation-level identifiers to receive agent…

  • CVE-2026-53859MedJun 16, 2026
    risk 0.35cvss 6.5epss 0.00

    OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators…

  • CVE-2026-53858HigJun 16, 2026
    risk 0.39cvss 7.1epss 0.00

    OpenClaw before 2026.5.2 contains an environment variable injection vulnerability where workspace .env STATE_DIRECTORY could influence bundled runtime dependency roots. Attackers can manipulate the STATE_DIRECTORY variable to load runtime dependencies from unintended local…

  • CVE-2026-53857HigJun 16, 2026
    risk 0.46cvss 8.1epss 0.00

    OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different…

  • CVE-2026-53856MedJun 16, 2026
    risk 0.29cvss 5.5epss 0.00

    OpenClaw before 2026.4.24 contains an insecure file permissions vulnerability in config recovery that restores OpenClaw.json with overly broad permissions. Local attackers on shared hosts can read sensitive configuration data by exploiting the recovery path to access the…

  • CVE-2026-53855HigJun 16, 2026
    risk 0.46cvss 8.1epss 0.00

    OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell…

  • CVE-2026-53854MedJun 16, 2026
    risk 0.35cvss 6.5epss 0.00

    OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows senders to inherit wildcard ownerAllowFrom state across channel boundaries. Attackers can exploit this by sending commands on affected internal or…

  • CVE-2026-53853HigJun 16, 2026
    risk 0.47cvss 8.3epss 0.00

    OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly…

  • CVE-2026-53852MedJun 16, 2026
    risk 0.28cvss 5.4epss 0.00

    OpenClaw before 2026.4.25 contains a scope containment bypass vulnerability in device re-pairing that allows authenticated operators to restore broader scopes than intended by submitting empty-scope re-pairing requests. Attackers can exploit this by sending re-pairing requests…

  • CVE-2026-53851MedJun 16, 2026
    risk 0.27cvss 5.3epss 0.00

    OpenClaw before 2026.5.12 contains a notification bypass vulnerability allowing Slack reaction events to enter the agent pipeline despite disabled reaction notifications. Attackers can trigger unintended agent processing by sending reaction events when the feature is enabled,…

  • CVE-2026-53850MedJun 16, 2026
    risk 0.29cvss 5.5epss 0.00

    OpenClaw before 2026.4.25 contains a control scope enforcement bypass vulnerability in the focus command that allows authenticated callers to execute the command without proper authorization checks. Attackers can trigger the focus command to change focus state outside intended…

  • CVE-2026-53849HigJun 16, 2026
    risk 0.46cvss 8.1epss 0.00

    OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a…

  • CVE-2026-53848MedJun 16, 2026
    risk 0.21cvss 4.3epss 0.00

    OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist validation by leveraging transparent…

  • CVE-2026-53847MedJun 16, 2026
    risk 0.28cvss 5.4epss 0.00

    OpenClaw before 2026.5.6 contains a privilege escalation vulnerability in the Active Memory write scope that allows Gateway operators with operator.write access to modify global configuration without requiring operator.admin privileges. Attackers with operator.write access can…

  • CVE-2026-53846HigJun 16, 2026
    risk 0.39cvss 7.1epss 0.00

    OpenClaw before 2026.4.29 contains a path traversal vulnerability in the install helper that allows workspace .env files to override the npm_execpath configuration used for bundled runtime dependency installation. Attackers with workspace access can execute unintended local…

  • CVE-2026-53845MedJun 16, 2026
    risk 0.21cvss 4.3epss 0.00

    OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based…

  • CVE-2026-53844MedJun 16, 2026
    risk 0.35cvss 6.5epss 0.00

    OpenClaw before 2026.4.29 contains a session visibility check bypass vulnerability in shared memory search that allows authenticated callers to access memory entries without proper authorization. Attackers can skip session visibility guards on the search path to retrieve memory…

  • CVE-2026-53843HigJun 16, 2026
    risk 0.50cvss 8.8epss 0.00

    OpenClaw before 2026.5.26 contains an authorization bypass vulnerability where a surviving pairing-scoped device session can re-establish node token authority after revocation. Attackers with a paired device can regain WebSocket node-level access without renewed approval,…

  • CVE-2026-53842HigJun 16, 2026
    risk 0.39cvss 7.1epss 0.00

    OpenClaw before 2026.5.2 contains an environment variable injection vulnerability allowing workspace .env files to influence Python runtime selection through CLOUDSDK_PYTHON during Gmail setup gcloud execution. Attackers with repository access can manipulate the CLOUDSDK_PYTHON…

  • CVE-2026-53841MedJun 16, 2026
    risk 0.33cvss 6.1epss 0.00

    OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a…

  • CVE-2026-53840HigJun 16, 2026
    risk 0.39cvss 7.1epss 0.00

    OpenClaw before 2026.5.12 contains an information disclosure vulnerability in streamable-http MCP servers that forwards operator-configured custom headers during cross-origin redirects. Attackers controlling or compromising an MCP endpoint can redirect requests to exfiltrate…

  • CVE-2026-50656HigJun 16, 2026
    risk 0.51cvss 7.8epss 0.03

    Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in Microsoft Defender publicly referred to as "RoguePlanet ". We are working to provide a high quality security update that addresses this vulnerability. We will provide…

  • CVE-2026-4367MedJun 16, 2026
    risk 0.36cvss 5.5epss 0.00

    A flaw was found in libXpm. A local user with low privileges could exploit an Out-of-Bounds Read vulnerability in the `xpmNextWord()` function by processing a specially crafted or very small XPM (X PixMap) image file. This improper validation of file boundaries can cause an…

  • CVE-2026-48775MedJun 16, 2026
    risk 0.44cvss 6.8epss 0.00

    LangGraph SQLite Checkpoint is an implementation of LangGraph CheckpointSaver that uses SQLite DB (both sync and async, via aiosqlite). In versions 4.1.0 and prior, the JsonPlusSerializer can reconstruct Python objects from JSON checkpoint payloads. Under conditions where…

  • CVE-2026-47964HigJun 16, 2026
    risk 0.51cvss 7.8epss 0.00

    DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

  • CVE-2026-47963MedJun 16, 2026
    risk 0.36cvss 5.5epss 0.00

    DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in…

  • CVE-2026-47934MedJun 16, 2026
    risk 0.36cvss 5.5epss 0.00

    DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in…

  • CVE-2026-47927MedJun 16, 2026
    risk 0.36cvss 5.5epss 0.00

    DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in…

  • CVE-2026-47749HigJun 16, 2026
    risk 0.44cvss 7.8epss 0.00

    stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files.…

  • CVE-2026-47748MedJun 16, 2026
    risk 0.29cvss 5.5epss 0.00

    stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to an out-of-bounds reads error through PyTorch checkpoint pickle opcode parsing.…

  • CVE-2026-10748HigJun 16, 2026
    risk 0.56cvss epss 0.00

    An authenticated user with the nx-licensing-create privilege can upload a specially crafted license file to execute arbitrary operating system commands as the Nexus process user in Sonatype Nexus Repository 3 versions before 3.92.0.

  • CVE-2024-39575HigJun 16, 2026
    risk 0.48cvss 7.4epss 0.00

    update_disk_psu_baseline.sh requires password in plain text

  • CVE-2026-49401Jun 16, 2026
    risk 0.00cvss epss 0.00

    ## Summary Deno's permission system enforces filesystem and execution restrictions by comparing the requested path against the path supplied to `--deny-read`, `--deny-write`, `--deny-run`, or `--deny-ffi`. On macOS, that comparison was done at the raw-byte level while the APFS…

  • CVE-2026-49406Jun 16, 2026
    risk 0.00cvss epss 0.00

    ## Summary When Deno was run in BYONM mode (`nodeModulesDir: "manual"`), the module resolver did not validate that a package's resolved entrypoint stayed within its `node_modules//` directory. A malicious `package.json` whose `main` field contained `..` segments was able…

  • CVE-2026-49411Jun 16, 2026
    risk 0.00cvss epss 0.00

    ## Summary Deno's network permission model is designed so that `--deny-net` rules apply to the **resolved IP address** of a destination, not just the literal string supplied by the caller. That means `--deny-net=127.0.0.1` (or `--deny-net=127.0.0.0/8`) is expected to block any…

  • CVE-2026-49440higJun 16, 2026
    risk 0.38cvss epss 0.00

    ## Summary `node:crypto.checkPrime(candidate[, options][, callback])` and `crypto.checkPrimeSync(candidate[, options])` ran no Miller-Rabin rounds at all when the caller left `options.checks` at its default of `0`. In that mode, the only test applied to the candidate was trial…