|
2191
|
8.1 |
HIGH
Network
|
-
|
-
|
An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function
|
CWE-94
Code Injection
|
CVE-2026-36340
|
2026-05-1 03:16 |
2026-05-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2192
|
8.8 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.31 contains an incomplete scope-clearing vulnerability in trusted-proxy authentication mode that allows operator.admin privilege escalation. Attackers can exploit this by decla…
|
CWE-863
Incorrect Authorization
|
CVE-2026-41404
|
2026-05-1 02:41 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2193
|
4.0 |
MEDIUM
Local
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.31 misclassifies proxied remote requests as loopback connections in the diffs viewer when allowRemoteViewer is disabled, allowing unauthorized access. Attackers can bypass acce…
|
CWE-807
Reliance on Untrusted Inputs in a Security Decision
|
CVE-2026-41403
|
2026-05-1 02:40 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2194
|
5.4 |
MEDIUM
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same mess…
|
CWE-706
Use of Incorrectly-Resolved Name or Reference
|
CVE-2026-41402
|
2026-05-1 02:27 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2195
|
7.5 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.31 contains an incomplete fix for CVE-2026-32062 where the voice-call component parses large WebSocket frames before start validation. Remote attackers can send oversized pre-s…
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-41400
|
2026-05-1 02:27 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2196
|
7.5 |
HIGH
Network
|
-
|
-
|
Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers t…
|
CWE-22
Path Traversal
|
CVE-2022-50992
|
2026-05-1 02:19 |
2026-05-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2197
|
9.8 |
CRITICAL
Network
|
-
|
-
|
Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicio…
|
CWE-434
Unrestricted Upload of File with Dangerous Type
|
CVE-2022-50993
|
2026-05-1 02:19 |
2026-05-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2198
|
8.8 |
HIGH
Network
|
-
|
-
|
A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF…
|
CWE-352
Origin Validation Error
|
CVE-2026-36960
|
2026-05-1 02:16 |
2026-05-1 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2199
|
7.5 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.28 accepts unbounded concurrent unauthenticated WebSocket upgrades without pre-authentication budget allocation. Unauthenticated network attackers can exhaust socket and worker…
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-41399
|
2026-05-1 01:57 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
2200
|
4.6 |
MEDIUM
Adjacent
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.2 contains an improper access control vulnerability in the iOS A2UI bridge that treats generic local-network pages as trusted origins. Attackers can inject unauthorized agent.r…
|
CWE-346
Origin Validation Error
|
CVE-2026-41398
|
2026-05-1 01:56 |
2026-04-29 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
