|
981
|
5.4 |
MEDIUM
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.4.2 fails to enforce write scopes on the POST /sessions/:sessionKey/kill endpoint in identity-bearing HTTP modes. Read-scoped callers can terminate running subagent sessions by s…
Update
|
CWE-862
Missing Authorization
|
CVE-2026-41298
|
2026-04-28 01:56 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
982
|
7.3 |
HIGH
Network
|
tenda
|
w30e_firmware
|
Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the do_ping_action function via the hostName parameter. This vulnerability allows attackers to execute arbitrary …
Update
|
CWE-77
Command Injection
|
CVE-2026-38834
|
2026-04-28 01:44 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
983
|
9.8 |
CRITICAL
Network
|
tenda
|
w30e_firmware
|
Tenda W30E V2.0 V16.01.0.21 was found to contain a command injection vulnerability in the formSetUSBPartitionUmount function via the usbPartitionName parameter. This vulnerability allows attackers to…
Update
|
CWE-77
Command Injection
|
CVE-2026-38835
|
2026-04-28 01:44 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
984
|
7.8 |
HIGH
Local
|
deepcool
|
deepcreative
|
Insecure Permissions vulnerability in DeepCool DeepCreative v.1.2.12 and before allows a local attacker to execute arbitrary code via a crafted file
Update
|
CWE-277
Insecure Inherited Permissions
|
CVE-2026-30266
|
2026-04-28 01:42 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
985
|
6.3 |
MEDIUM
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.31 contains a server-side request forgery vulnerability in the marketplace plugin download functionality that allows remote attackers to make arbitrary network requests. Attack…
Update
|
CWE-918
Server-Side Request Forgery (SSRF)
|
CVE-2026-41302
|
2026-04-28 00:26 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
986
|
9.9 |
CRITICAL
Network
|
doorman
|
doorman
|
Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is a…
Update
|
CWE-269
Improper Privilege Management
|
CVE-2026-30269
|
2026-04-28 00:24 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
987
|
8.2 |
HIGH
Network
|
ultradag
|
ultradag
|
UltraDAG is a minimal DAG-BFT blockchain in Rust. In version 0.1, a non-council attacker can submit a signed SmartOp::Vote transaction that passes signature, nonce, and balance prechecks, but fails a…
Update
|
CWE-460
CWE-696
Improper Cleanup on Thrown Exception
Incorrect Behavior Order
|
CVE-2026-40583
|
2026-04-28 00:23 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
988
|
8.8 |
HIGH
Network
|
openclaw
|
openclaw
|
OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text…
Update
|
CWE-863
Incorrect Authorization
|
CVE-2026-41303
|
2026-04-28 00:20 |
2026-04-21 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
989
|
- |
|
-
|
-
|
Rejected reason: ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accid…
New
|
-
|
CVE-2026-6337
|
2026-04-28 00:16 |
2026-04-28 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
990
|
9.8 |
CRITICAL
Network
|
-
|
-
|
In the Linux kernel, the following vulnerability has been resolved:
mptcp: fix slab-use-after-free in __inet_lookup_established
The ehash table lookups are lockless and rely on
SLAB_TYPESAFE_BY_RCU…
Update
|
-
|
CVE-2026-31669
|
2026-04-28 00:16 |
2026-04-25 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
