| # | CVSS | Severity | Vector | Vendor | Product | Description | Status | CWE | CVE | Updated | Published |
|---|------|----------|--------|--------|---------|-------------|--------|-----|-----|---------|-----------|
| 471 | 5.4 | MEDIUM | Network | helpy.io | helpy | Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or Jav… | Update | CWE-79 Cross-site Scripting | CVE-2026-40230 | 2026-05-1 21:26 | 2026-04-30 |
| 472 | 5.4 | MEDIUM | Network | helpy.io | helpy | Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered une… | Update | CWE-79 Cross-site Scripting | CVE-2026-40229 | 2026-05-1 21:25 | 2026-04-30 |
| 473 | 4.7 | MEDIUM | Network | - | - | Open redirect vulnerability exists in Multiple laser printers and MFPs which implement Ricoh Web Image Monitor. When accessing a specially crafted URL, the user may be redirected to an arbitrary webs… | New | CWE-601 Open Redirect | CVE-2026-41226 | 2026-05-1 17:16 | 2026-04-30 |
| 474 | - | - | - | - | - | Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority. | New | - | CVE-2026-4178 | 2026-05-1 08:16 | 2026-05-1 |
| 475 | 9.6 | CRITICAL | Network | openclaw | openclaw | OpenClaw before 2026.3.31 contains a sandbox escape vulnerability allowing attackers to traverse directory boundaries through symlink exploitation during file synchronization operations. Remote attac… | Update | CWE-59 Link Following | CVE-2026-41397 | 2026-05-1 05:54 | 2026-04-29 |
| 476 | 7.8 | HIGH | Local | openclaw | openclaw | OpenClaw before 2026.3.31 allows workspace .env files to override the OPENCLAW_BUNDLED_PLUGINS_DIR environment variable, compromising plugin trust verification. Attackers with control over workspace … | Update | CWE-829 Inclusion of Functionality from Untrusted Control Sphere | CVE-2026-41396 | 2026-05-1 05:50 | 2026-04-29 |
| 477 | 7.5 | HIGH | Network | openclaw | openclaw | OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attacke… | Update | CWE-325 Missing Required Cryptographic Step | CVE-2026-41395 | 2026-05-1 05:45 | 2026-04-29 |
| 478 | 8.2 | HIGH | Network | openclaw | openclaw | OpenClaw before 2026.3.31 contains an authentication bypass vulnerability where unauthenticated plugin-auth HTTP routes receive operator runtime write scopes. Attackers can access these routes withou… | Update | CWE-862 Missing Authorization | CVE-2026-41394 | 2026-05-1 05:45 | 2026-04-29 |
| 479 | 4.8 | MEDIUM | Adjacent | openclaw | openclaw | OpenClaw before 2026.3.31 contains a wide-area discovery vulnerability allowing arbitrary tailnet peers to be accepted as DNS authorities. Attackers with same-tailnet position and CA-trusted endpoint… | Update | CWE-346 Origin Validation Error | CVE-2026-41393 | 2026-05-1 05:45 | 2026-04-29 |
| 480 | 7.3 | HIGH | Local | openclaw | openclaw | OpenClaw before 2026.3.31 contains an exec allowlist bypass vulnerability allowing attackers to inherit allowlist trust via shell init-file wrapper invocations. Attackers can exploit shell options li… | Update | CWE-184 Incomplete Blacklist | CVE-2026-41392 | 2026-05-1 05:42 | 2026-04-29 |