|
121
|
6.5 |
MEDIUM
Network
|
-
|
-
|
OpenClaw before 2026.4.24 contains a token revocation vulnerability allowing callers with revoked slash tokens to continue executing commands during monitor refresh windows. Attackers can exploit sta…
New
|
CWE-613
Insufficient Session Expiration
|
CVE-2026-53824
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
122
|
8.1 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.5.3 contains a privilege escalation vulnerability in the allowFrom feature that binds to mutable Slack display names. Attackers with Slack account access can change display name …
New
|
CWE-290
Authentication Bypass by Spoofing
|
CVE-2026-53823
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
123
|
8.8 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.5.18 contains a command injection vulnerability where shell wrapper argv could change between approval and execution. Attackers can rebuild command arguments after allowlist appr…
New
|
CWE-367
Time-of-check Time-of-use (TOCTOU) Race Condition
|
CVE-2026-53822
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
124
|
8.8 |
HIGH
Network
|
-
|
-
|
OpenClaw before 2026.5.18 accepts WebSocket client-declared operator scopes before binding to server-approved pairing or trusted-proxy authorization baseline. Unpaired or restricted trusted-proxy Con…
New
|
CWE-862
Missing Authorization
|
CVE-2026-53821
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
125
|
6.6 |
MEDIUM
Local
|
-
|
-
|
OpenClaw before 2026.5.12 contains an exec denylist bypass vulnerability in the bundle MCP loopback session-spawn path that allows authenticated callers to bypass intended command restrictions. Attac…
New
|
CWE-862
Missing Authorization
|
CVE-2026-53820
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
126
|
9.1 |
CRITICAL
Network
|
-
|
-
|
ApostropheCMS is an open-source Node.js content management system. In versions up to and including 4.30.0, `apos.util.set()` traverses dot-notation paths without sanitizing `__proto__`, allowing an a…
New
|
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
|
CVE-2026-53609
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
127
|
8.7 |
HIGH
Network
|
-
|
-
|
ApostropheCMS is an open-source Node.js content management system. Versions up to and including 1.4.2 of the `@apostrophecms/seo` package injects the Google Analytics Tracking ID (`seoGoogleTrackingI…
New
|
CWE-79
Cross-site Scripting
|
CVE-2026-53608
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
128
|
6.8 |
MEDIUM
Network
|
-
|
-
|
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the getRedirectURL function in oauth2.go:22-29 constructs t…
New
|
CWE-601
Open Redirect
|
CVE-2026-53523
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
129
|
6.5 |
MEDIUM
Network
|
-
|
-
|
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 1.0.0 to before version 2.2.0, the Nezha dashboard exposes two endpoints that create long-…
New
|
CWE-770
Allocation of Resources Without Limits or Throttling
|
CVE-2026-53522
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
130
|
6.4 |
MEDIUM
Network
|
-
|
-
|
Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool. From version 2.0.14 to before version 2.1.0, PATCH /server/{id} accepts and persists nonexistent ddns_p…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-53521
|
2026-06-13 07:16 |
2026-06-13 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
