Vulnerabilities
Aggregated CVE / GHSA / KEV / OSV — filter by tag and category.
| ID | Title | |
|---|---|---|
| CVE-2026-53865 |
|
Vulnerability in openclaw (CVE-2026-53865)
vulnerability in openclaw (CVE-2026-53865). Confidential information can be exposed externally. Exploitable via ``trash``. Mitigation: upgrade to `2026.5.2` or later.
|
| CVE-2026-53861 |
|
Vulnerability in openclaw (CVE-2026-53861)
vulnerability in openclaw (CVE-2026-53861). Confidential information can be exposed externally. Mitigation: upgrade to `2026.5.6` or later.
|
| CVE-2026-53864 |
|
OpenClaw: Host environment sanitizer missed two Node.js control variables
OpenClaw: Host environment sanitizer missed two Node.js control variables
|
| CVE-2026-53856 |
|
Vulnerability in openclaw (CVE-2026-53856)
vulnerability in openclaw (CVE-2026-53856). Confidential information can be exposed externally. Mitigation: upgrade to `2026.4.24` or later.
|
| CVE-2026-53857 |
|
OpenClaw: Zalo allowFrom could bind to mutable display names
OpenClaw: Zalo allowFrom could bind to mutable display names
|
| CVE-2026-53858 |
|
Vulnerability in openclaw (CVE-2026-53858)
vulnerability in openclaw (CVE-2026-53858). Confidential information can be exposed externally. Exploitable via ``STATE_DIRECTORY``. Mitigation: upgrade to `2026.5.2` or later.
|
| CVE-2026-53859 |
|
Vulnerability in openclaw (CVE-2026-53859)
vulnerability in openclaw (CVE-2026-53859). Confidential information can be exposed externally. Mitigation: upgrade to `2026.5.26` or later.
|
| CVE-2026-53860 |
|
Authorization Flaw in openclaw (CVE-2026-53860)
vulnerability in openclaw (CVE-2026-53860). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `2026.5.7` or later.
|
| CVE-2026-53855 |
|
OpenClaw: Shell positional parameters could weaken strict inline-eval checks
OpenClaw: Shell positional parameters could weaken strict inline-eval checks
|
| CVE-2026-53854 |
|
Authorization Flaw in openclaw (CVE-2026-53854)
vulnerability in openclaw (CVE-2026-53854). Data can be tampered with by attackers. Mitigation: upgrade to `2026.4.25` or later.
|
| CVE-2026-53853 |
|
OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns
OpenClaw: Linux and macOS exec allowlists skipped configured argument patterns
|
| CVE-2026-53851 |
|
Vulnerability in openclaw (CVE-2026-53851)
vulnerability in openclaw (CVE-2026-53851). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `2026.5.12` or later.
|
| CVE-2026-53850 |
|
Vulnerability in openclaw (CVE-2026-53850)
vulnerability in openclaw (CVE-2026-53850). Data can be tampered with by attackers. Mitigation: upgrade to `2026.4.25` or later.
|
| CVE-2026-53849 |
|
OpenClaw: Discord allowFrom could bind to mutable display names
OpenClaw: Discord allowFrom could bind to mutable display names
|
| CVE-2026-53842 |
|
Vulnerability in openclaw (CVE-2026-53842)
vulnerability in openclaw (CVE-2026-53842). Confidential information can be exposed externally. Exploitable via ``gcloud``. Mitigation: upgrade to `2026.5.2` or later.
|
| CVE-2026-53846 |
|
Vulnerability in openclaw (CVE-2026-53846)
vulnerability in openclaw (CVE-2026-53846). Confidential information can be exposed externally. Mitigation: upgrade to `2026.4.29` or later.
|
| CVE-2026-53848 |
|
OS Command Injection in openclaw (CVE-2026-53848)
OS command injection in openclaw (CVE-2026-53848). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `2026.5.26` or later.
|
| CVE-2026-53845 |
|
Vulnerability in openclaw (CVE-2026-53845)
vulnerability in openclaw (CVE-2026-53845). Risk of unauthorized operations or information disclosure. Exploitable via ``runBeforeToolCallHook``. Mitigation: upgrade to `2026.5.6` or later.
|
| CVE-2026-53844 |
|
Vulnerability in openclaw (CVE-2026-53844)
vulnerability in openclaw (CVE-2026-53844). Confidential information can be exposed externally. Mitigation: upgrade to `2026.4.29` or later.
|
| CVE-2026-53840 |
|
Vulnerability in openclaw (CVE-2026-53840)
vulnerability in openclaw (CVE-2026-53840). Confidential information can be exposed externally. Mitigation: upgrade to `2026.5.12` or later.
|
| CVE-2026-50656 |
|
Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in...
Microsoft is aware of an elevation of privilege in the Microsoft Malware Protection Engine in...
|
| CVE-2026-48775 |
|
Unsafe Deserialization in langgraph-checkpoint (CVE-2026-48775)
vulnerability in langgraph-checkpoint (CVE-2026-48775). Successful exploitation can lead to full system takeover. Exploitable via ``JsonPlusSerializer``. Mitigation: upgrade to `4.1.1` or later.
|
| CVE-2026-47964 |
|
DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow...
DNG SDK versions 1.7.1 2536 and earlier are affected by a Heap-based Buffer Overflow...
|
| CVE-2026-47963 |
|
Out-of-Bounds Read in adobe (CVE-2026-47963)
vulnerability in adobe (CVE-2026-47963). Confidential information can be exposed externally.
|
| CVE-2026-47934 |
|
Out-of-Bounds Read in adobe (CVE-2026-47934)
vulnerability in adobe (CVE-2026-47934). Confidential information can be exposed externally.
|
| CVE-2026-47927 |
|
Out-of-Bounds Read in adobe (CVE-2026-47927)
vulnerability in adobe (CVE-2026-47927). Confidential information can be exposed externally.
|
| CVE-2026-47748 |
|
Out-of-Bounds Read in c (CVE-2026-47748)
vulnerability in c (CVE-2026-47748). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-47749 |
|
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to...
stable-diffusion.cpp is a pure C/C++ library for running diffusion model (Stable Diffusion, Flux, Wan, Qwen Image, Z-Image, and more) inference. Versions prior to master-584-0a7ae07 are vulnerable to heap buffer overflow in SHORT_BINUNICODE parsing for PyTorch checkpoint files. The pickle .ckpt pars...
|
| CVE-2026-10748 |
|
Unsafe Deserialization in CVE-2026-10748 (CVE-2026-10748)
vulnerability in CVE-2026-10748 (CVE-2026-10748). Risk of unauthorized operations or information disclosure.
|
| CVE-2026-49406 |
|
Path Traversal in deno (CVE-2026-49406)
path traversal in deno (CVE-2026-49406). Confidential information can be exposed externally. Exploitable via ``main``. Mitigation: upgrade to `2.7.12` or later.
|
| CVE-2026-49411 |
|
Vulnerability in deno (CVE-2026-49411)
vulnerability in deno (CVE-2026-49411). Confidential information can be exposed externally. Exploitable via ``Host``. Mitigation: upgrade to `2.8.0` or later.
|
| CVE-2026-49402 |
|
OS Command Injection in deno (CVE-2026-49402)
OS command injection in deno (CVE-2026-49402). Successful exploitation can lead to full system takeover. Exploitable via ``spawn``. Mitigation: upgrade to `2.7.10` or later.
|
| CVE-2026-49983 |
|
Authorization Flaw in deno (CVE-2026-49983)
vulnerability in deno (CVE-2026-49983). Risk of unauthorized operations or information disclosure. Exploitable via ``env``. Mitigation: upgrade to `2.8.1` or later.
|
| CVE-2026-49860 |
|
SSRF (Server-Side Request Forgery) in deno (CVE-2026-49860)
SSRF in deno (CVE-2026-49860). Risk of unauthorized operations or information disclosure. Exploitable via ``localhost``. Mitigation: upgrade to `2.8.1` or later.
|
| CVE-2026-49859 |
|
Vulnerability in deno (CVE-2026-49859)
vulnerability in deno (CVE-2026-49859). Risk of unauthorized operations or information disclosure. Exploitable via ``localhost``. Mitigation: upgrade to `2.8.1` or later.
|
| CVE-2026-48491 |
|
Vulnerability in Traefik (CVE-2026-48491)
vulnerability in Traefik (CVE-2026-48491). Confidential information can be exposed externally. Exploitable via ``SNICheck``. Mitigation: upgrade to `3.7.3` or later.
|
| CVE-2026-54306 |
|
Vulnerability in n8n (CVE-2026-54306)
vulnerability in n8n (CVE-2026-54306). Risk of unauthorized operations or information disclosure. Mitigation: upgrade to `2.25.7` or later.
|
| CVE-2026-54301 |
|
Cross-Site Scripting (XSS) in n8n (CVE-2026-54301)
cross-site scripting in n8n (CVE-2026-54301). Risk of unauthorized operations or information disclosure. Exploitable via ``NODES_EXCLUDE``. Mitigation: upgrade to `2.25.7` or later.
|
| CVE-2026-54308 |
|
Vulnerability in n8n (CVE-2026-54308)
vulnerability in n8n (CVE-2026-54308). Risk of unauthorized operations or information disclosure. Exploitable via ``MicrosoftAgent365Trigger``. Mitigation: upgrade to `2.25.7` or later.
|
| CVE-2026-54313 |
|
SQL Injection in n8n (CVE-2026-54313)
SQL injection in n8n (CVE-2026-54313). Data can be tampered with by attackers. Exploitable via ``NODES_EXCLUDE``. Mitigation: upgrade to `2.24.0` or later.
|
| CVE-2026-54310 |
|
SQL Injection in n8n (CVE-2026-54310)
SQL injection in n8n (CVE-2026-54310). Successful exploitation can lead to full system takeover. Exploitable via ``NODES_EXCLUDE``. Mitigation: upgrade to `2.25.7` or later.
|
| CVE-2026-49465 |
|
Path Traversal in n8n (CVE-2026-49465)
path traversal in n8n (CVE-2026-49465). Confidential information can be exposed externally. Exploitable via ``N8N_RESTRICT_FILE_ACCESS_TO``. Mitigation: upgrade to `2.21.8` or later.
|
| CVE-2026-49444 |
|
Vulnerability in n8n (CVE-2026-49444)
vulnerability in n8n (CVE-2026-49444). Confidential information can be exposed externally. Exploitable via ``NODES_EXCLUDE``. Mitigation: upgrade to `2.21.8` or later.
|
| CVE-2026-48746 |
|
Vulnerability in vllm (CVE-2026-48746)
vulnerability in vllm (CVE-2026-48746). Confidential information can be exposed externally. Exploitable via ``AuthenticationMiddleware``. Mitigation: upgrade to `0.22.0` or later.
|
| CVE-2026-48520 |
|
Vulnerability in langflow (CVE-2026-48520)
vulnerability in langflow (CVE-2026-48520). Confidential information can be exposed externally. Exploitable via ``files``. Mitigation: upgrade to `1.10.0` or later.
|
| CVE-2026-48519 |
|
Code Injection in langflow (CVE-2026-48519)
code injection in langflow (CVE-2026-48519). Successful exploitation can lead to full system takeover. Mitigation: upgrade to `1.9.2` or later.
|
| CVE-2026-42867 |
|
Path Traversal in langflow (CVE-2026-42867)
path traversal in langflow (CVE-2026-42867). Risk of unauthorized operations or information disclosure. Exploitable via `POST /api/v1/knowledge_bases`. Mitigation: upgrade to `1.9.0` or later.
|
| CVE-2026-41523 |
|
Code Injection in vllm (CVE-2026-41523)
code injection in vllm (CVE-2026-41523). Successful exploitation can lead to full system takeover. Exploitable via ``assert``. Mitigation: upgrade to `0.22.0` or later.
|
| CVE-2026-44932 |
|
OS Command Injection in CVE-2026-44932 (CVE-2026-44932)
OS command injection in CVE-2026-44932 (CVE-2026-44932). Successful exploitation can lead to full system takeover.
|
| CVE-2026-24228 |
|
Unsafe Deserialization in deserialization (CVE-2026-24228)
vulnerability in deserialization (CVE-2026-24228). Successful exploitation can lead to full system takeover.
|