CVE Catalog
Browse the latest Common Vulnerabilities and Exposures (CVEs) with CVSS scores, affected products, and next-gen risk scores.
OpenClaw Missing Authorization Vulnerability in Discord Moderation Actions
A missing authorization vulnerability has been identified in OpenClaw versions prior to 2026.6.9, specifically within Discord moderation actions. In these affected versions, lower-trust callers or configured input paths could execute moderation tasks that should have necessitated stronger authorization or policy checks. The actual impact of this vulnerability varies based on the operator's configuration and whether lower-trust input can access the vulnerable path.
OpenClaw Missing Authorization Vulnerability in MS Teams Message Actions
A missing authorization vulnerability has been identified in OpenClaw versions 2026.4.12-beta.1 prior to 2026.6.6. This vulnerability exists in the MS Teams message actions feature, where a lower-trust caller or a configured input path can perform actions that should have required stronger authorization or policy checks. The practical impact of this vulnerability depends on the operator's configuration and whether lower-trust input can access the affected path.
OpenClaw Environment Variable Injection Vulnerability in Host Exec
A vulnerability exists in OpenClaw versions prior to 2026.6.6, where the host execution environment variable filtering does not properly sanitize rustup startup variables. This flaw allows attackers with lower-trust caller access or configured input paths to execute or persist actions beyond their intended authorization level.
OpenClaw Privilege Escalation Vulnerability in Cron Jobs
A privilege escalation vulnerability has been identified in OpenClaw versions 2026.6.1 prior to 2026.6.9. This vulnerability exists within isolated cron jobs, allowing lower-trust callers to regain access to denied execution tools. By exploiting misconfigured input paths in the affected cron feature, attackers can execute or persist actions beyond their authorized permissions.
OpenClaw Network Policy Bypass Vulnerability in Exec-Server
A network policy bypass vulnerability has been identified in OpenClaw versions prior to 2026.6.6. This vulnerability resides in the sandbox exec-server, where lower-trust callers can send HTTP requests that bypass OpenClaw's network restrictions. As a result, these requests can access internal network resources that should have been blocked by the application's policy.
Wazuh Manager Denial-of-Service and Potential Heap Overflow Vulnerability
A size_t integer underflow vulnerability has been identified in Wazuh Manager versions 3.0.0 and above, prior to 4.14.5. The issue resides in the 'ReadSecMSG' function of 'os_crypto/shared/msgs.c', where the absence of a minimum-length guard allows enrolled Wazuh agents to send crafted messages that cause the 'wazuh-remoted' process to crash. This disconnection affects all agents connected to the manager. Additionally, the same underflow could lead to heap memory corruption, potentially allowing remote code execution as the 'wazuh' user, depending on the behavior of 'malloc(0)' and the runtime memory layout.
Wazuh Agent for Windows Heap-Based Buffer Overflow Vulnerability in Syscheck Component Allowing Local Privilege Escalation and Denial-of-Service
A heap-based buffer overflow vulnerability has been identified in the Wazuh agent for Windows, specifically in the syscheck component. This vulnerability affects Wazuh versions 4.6.0 and above, prior to 4.14.5. The issue arises when the agent expands registry paths containing wildcards, leading to an out-of-bounds write during string concatenation. A low-privileged local attacker can exploit this by creating a registry subkey with a maximum length of 255 characters inside a monitored path. Since the Wazuh agent runs with NT AUTHORITY\SYSTEM privileges, this vulnerability can cause a silent denial-of-service by crashing the agent or potentially allow local privilege escalation.
Smart Custom Fields WordPress Plugin Stored Cross-Site Scripting Vulnerability
A stored cross-site scripting vulnerability has been identified in the Smart Custom Fields plugin for WordPress, affecting versions 5.0.7 and earlier. The issue arises from inadequate input sanitization and output escaping of image attachment titles, allowing authenticated attackers with Author-level access or higher to inject arbitrary scripts into pages. These scripts would execute when a user accesses the compromised page.
Bricksforge WordPress Plugin Privilege Escalation Vulnerability
A privilege escalation vulnerability has been identified in the Bricksforge plugin for WordPress, affecting all versions through 3.1.8.6. The issue arises from inadequate validation of the fieldIds parameter in the Pro Forms registration action. This flaw allows unauthenticated attackers to manipulate field IDs and add them to a trusted form-field whitelist. Exploitation of this vulnerability enables attackers to register a new administrator account by sending a crafted request to a publicly accessible Bricksforge Pro Forms registration form. Successful exploitation requires the site to have a public Bricksforge Pro Forms element configured with the User Registration action.
h2o HTTP/2 State Amplification Vulnerability
A state amplification vulnerability has been identified in the h2o HTTP server, affecting versions prior to commit 9265bdd. This issue arises from a combination of HPACK decompression amplification and Slowloris-style stream stalling, which can lead to an excessive retention of decoded header state by stalled HTTP/2 streams. Depending on the server's configuration, additional limits may be required to manage the decoded header state and mitigate the risk of such an attack.
Wazuh Manager Unauthenticated Path Traversal Vulnerability in Enrollment and Synchronization Daemons
A logic flaw has been identified in Wazuh Manager versions 4.0.0 through 4.10.3 and 4.11.0 through 4.14.4. The vulnerability resides in the enrollment daemon (authd) and synchronization daemon (remoted). During the enrollment process, the authd daemon allows agents to specify a group but fails to properly sanitize the group name, enabling path traversal attacks. This unchecked group name is then used by the remoted daemon to access agent configuration files, inadvertently exposing sensitive data such as client.keys, ossec.conf, and internal certificates to the agent. This issue has been resolved in Wazuh versions 4.10.4 and 4.14.5.
Wazuh Heap Buffer Overflow Vulnerability in Analysis Engine Allows Denial-of-Service
A heap buffer overflow vulnerability has been identified in the Wazuh analysis daemon (wazuh-analysisd) in versions 1.0.0 and above, prior to 4.14.5. This vulnerability allows an unauthenticated remote attacker to crash the Wazuh manager's analysis engine, leading to a complete disruption of SIEM alert processing. The issue arises in the default configuration of Wazuh when deployed using Docker. Exploitation involves enrolling an agent without a password to obtain a valid agent ID and encryption key, then sending crafted rootcheck events that exceed 30 bytes, causing a heap corruption that crashes the analysis daemon.
Wazuh Unauthenticated Memory Exhaustion Vulnerability in Cluster Protocol Leading to Denial-of-Service
A denial-of-service vulnerability has been identified in Wazuh versions 3.9.0 and above, prior to 4.14.5. The issue allows remote attackers to cause memory exhaustion in the cluster protocol parser by sending a crafted message header with an excessively large payload length. This length is trusted before authentication or decryption, and is used directly to allocate memory, resulting in an unauthenticated denial-of-service condition for the cluster service.
Wazuh Rate Limit Bypass Vulnerability in Events Endpoint
A logic error has been identified in Wazuh versions 4.6.0 and above, prior to 4.14.5. The issue resides in the CheckRateLimitsMiddleware.dispatch() function, where the /events endpoint's rate check improperly overrides the general rate limit. As a result, when the global max_request_per_minute limit is surpassed, requests to /events can still be processed if the events-specific limit of 30 requests per minute has not been reached. This flaw enables event injection into analysisd, bypassing the globally configured rate limits.
h2o HTTP Server Denial-of-Service Vulnerability Due to Stack Overflow
A denial-of-service vulnerability has been identified in the h2o HTTP server, which supports HTTP/1.x, HTTP/2, and HTTP/3. The issue arises when the server allocates memory for file paths using the alloca function, potentially leading to stack overflow. This vulnerability affects h2o versions prior to the patch in commit 6b5370d. When the memory allocation exceeds the default pthread stack limit of 128KB in musl libc, the server crashes with a segmentation fault while accessing the guard page.
h2o HTTP Server Zero-Length SNI Extension Vulnerability Leading to Denial-of-Service
A denial-of-service vulnerability has been identified in the h2o HTTP server, which supports HTTP/1.x, HTTP/2, and HTTP/3. The issue arises when the server receives a ClientHello message over TLS or QUIC that includes a zero-length SNI extension. In this scenario, the server incorrectly processes the zero-length hostname, leading to a potential segmentation violation. This vulnerability is present in h2o commits prior to 8dc37cb and has been fixed in the mentioned commit.
Quicly Connection State Corruption Vulnerability Leading to Denial-of-Service
A denial-of-service vulnerability has been identified in Quicly, an IETF QUIC protocol implementation primarily for the H2O HTTP server. The issue arises from connection state corruption due to improper handling of Connection IDs in QUIC version 1. While Quicly's CID buffers are limited to 20 bytes, the packet decoder accepts Connection IDs of up to 255 bytes to respond to unknown QUIC versions. This discrepancy allows QUIC v1 packets with oversized CIDs to be processed, leading to buffer overruns and assertion failures. The vulnerability exists in Quicly commits prior to 8b178e6.
H2O Quicly Assertion Failure Vulnerability Leading to Denial-of-Service
A denial-of-service vulnerability has been identified in H2O Quicly, an implementation of the IETF QUIC protocol. This issue arises from an assertion failure that occurs when the total number of valid handshake messages received over a CRYPTO stream within a single packet number space exceeds 32KB. The vulnerability is present in versions of Quicly prior to the commit 937d0e9.
Quicly QUIC Protocol Implementation Stateless Reset Injection Vulnerability
A vulnerability allowing stateless reset injection has been identified in Quicly, an IETF QUIC protocol implementation primarily used within the H2O HTTP server. This issue arises from inadequate validation of packet entries, enabling on-path attackers to reset QUIC connections managed by Quicly. The vulnerability affects Quicly versions prior to the commit dccf5d4.
H2O Quicly Library Denial-of-Service Vulnerability Due to Improper Flow Control Management
A denial-of-service vulnerability has been identified in the H2O HTTP server's Quicly library, prior to version 8b178e6. The issue arises from the library's flow control mechanism, which allows an adversarial peer to exploit the system by sending STREAM frames with minimal data. This manipulation can trick the application into allocating excessive memory to handle out-of-order data, leading to memory exhaustion. The problem is exacerbated by the default stream concurrency settings in H2O, which can quadruple the memory usage per connection.
Jupyter Enterprise Gateway Kubernetes Manifest Injection Vulnerability
A YAML injection vulnerability has been identified in Jupyter Enterprise Gateway versions prior to 3.3.0. The issue arises because the server interpolates untrusted environment variables into Kubernetes manifests without proper YAML-aware escaping. This flaw allows attackers to inject new fields, overwrite existing critical fields, and manipulate document boundaries to create multiple Kubernetes resources. Exploitation could lead to the creation of arbitrary resources, such as privileged pods.
Jupyter Enterprise Gateway Server Side Template Injection Vulnerability Leading to Remote Code Execution
A server side template injection vulnerability has been identified in Jupyter Enterprise Gateway versions 2.0.0rc2 and above, prior to 3.3.0. This vulnerability allows for remote code execution by injecting Jinja2 template expressions into environment variables used during the rendering of Kubernetes manifests. The executed code can access the Kubernetes service account token, potentially leading to a full compromise of the Kubernetes cluster by scheduling privileged pods or pods with hostPath volume mounts.
wger Privilege Escalation Vulnerability Allowing Unauthorized Access to Gym Management Functions
A privilege escalation vulnerability has been identified in wger, a workout and fitness management application, affecting versions prior to 2.6. This vulnerability allows gym trainers to escalate their privileges to that of a gym manager or general manager by exploiting the trainer-login endpoint. The issue arises because the permission check can be bypassed after a trainer logs in as a lower-privileged user, enabling unauthorized access to sensitive gym administration capabilities, such as member data, contract management, and personal information of other trainers and managers.
wger Workout Manager Insecure Direct Object Reference Vulnerability Allowing Unauthorized Access to Private User Data
An insecure direct object reference (IDOR) vulnerability has been identified in wger, a workout and fitness management application, in versions prior to 2.6. This vulnerability allows any authenticated user to access another user's private workout session notes, exercise history, and training statistics. The issue arises in the RoutineViewSet, where the /logs/ and /stats/ actions mistakenly grant access to the owner's private data from routines marked as public templates, regardless of ownership. This exploitation can lead to unauthorized access to sensitive health-related information, violating privacy regulations such as GDPR.
Bouncy Castle BC-LTS Out-of-Bounds Write Vulnerability on ARM Allowing Buffer Overflow
A vulnerability allowing out-of-bounds write operations has been identified in Legion of the Bouncy Castle Inc. BC-LTS bcprov-lts8on, specifically on ARM architectures. This vulnerability, which affects versions 2.73.0 prior to 2.73.12.1, allows for buffer overflow conditions. The issue arises in the SHA3 and SHAKE implementations, when these memoable states are accepted from potentially untrusted sources.
Microsoft SharePoint Spoofing Vulnerability via Cross-Site Scripting
A cross-site scripting vulnerability has been identified in Microsoft Office SharePoint, allowing an authorized attacker to perform spoofing over the network. This issue arises from improper neutralization of input during web page generation.
Microsoft Windows Terminal Integer Overflow Vulnerability Leading to Remote Code Execution
A remote code execution vulnerability has been identified in Windows Terminal, stemming from an integer overflow or wraparound issue. This vulnerability allows an unauthorized attacker to execute code on a client machine over the network. The exploitation requires the client to connect to a malicious server.
Microsoft Windows Admin Center Cross-Site Scripting Vulnerability Allowing Spoofing
A cross-site scripting vulnerability has been identified in Windows Admin Center. This issue arises from improper input neutralization during web page generation, allowing an unauthorized attacker to perform spoofing over the network. The vulnerability affects all versions of Windows Admin Center through 2511.
Microsoft Windows Backup Engine Race Condition Vulnerability Allowing Privilege Escalation
A race condition vulnerability has been identified in the Windows Backup Engine, allowing an authorized attacker to elevate privileges locally. This issue arises from concurrent execution using shared resources without proper synchronization.
YAML::Syck Out-of-Bounds Read Vulnerability in Newline Handling
A vulnerability allowing an out-of-bounds read has been identified in YAML::Syck versions prior to 1.47 for Perl. This issue arises from an unbounded newline scan in the 'newline_len' function, which is part of the bundled libsyck C library. During block-scalar lexing at a document boundary, the scan pointer can advance one byte beyond the allocated heap buffer, potentially leading to the reading of adjacent memory. This vulnerability is an incomplete fix of CVE-2025-11683, affecting the same lexer path that the earlier fix did not cover. The out-of-bounds read can be triggered by loading an untrusted document that contains a block scalar at the beginning or end of the file.
YAML::Syck Use-After-Free Vulnerability in Perl
A use-after-free vulnerability has been identified in YAML::Syck versions prior to 1.47 for Perl. The issue arises in the bundled libsyck C library, where an anchor name allocated by syck_strndup is improperly managed. The anchor name is stored as both a node's anchor and a key in the parser's anchors table. When the node is freed, the shared key is also released, leading to a dangling pointer. This vulnerability can be exploited by loading an untrusted YAML document that redefines an anchor, causing a read of freed memory.
YAML::Syck Out-of-Bounds Read Vulnerability in Base64 Decoder
A vulnerability allowing an out-of-bounds read has been identified in YAML::Syck versions prior to 1.47 for Perl. This issue arises in the base64 decoder of the bundled libsyck, where a signed-char lookup-table index is used to access a 256-entry static table. Any !!binary byte with a value of 0x80 or higher is sign-extended to a negative index, leading to a read before the table. The vulnerability can be triggered by the base64 decoder, which processes the raw bytes of any !!binary node on the default Load path, without the need for special flags. This flaw can be exploited by loading an untrusted document containing a !!binary scalar with a high-bit byte, causing the decoder to read adjacent memory and potentially leak data through the decoded result.
Zoom Improper Input Validation Vulnerability Allowing Account Takeover
A vulnerability exists in the Zoom Desktop Client for Windows and the Zoom VDI Client for Windows, prior to version 7.0.0 and 7.0.10, respectively, as well as versions 6.6.15 and 6.5.18 in their respective branches. This vulnerability arises from improper input validation, which may enable an unauthenticated user to perform an account takeover via network access.
Zoom Clients for Windows Privilege Escalation Vulnerability
A time-of-check to time-of-use (TOCTOU) race condition has been identified in the installation and uninstallation processes of certain Zoom Clients for Windows, prior to version 6.6.14. This vulnerability could allow an authenticated local user to escalate privileges.
Kirby Cross-Site Scripting Vulnerability via Untrusted Links in KirbyTags and Image Blocks
A cross-site scripting (XSS) vulnerability has been identified in Kirby, an open-source content management system, affecting versions prior to 4.9.1 and 5.4.1. The issue arises in the KirbyTags and image blocks components, where the URL methods failed to filter out malicious URLs that could be executed as scripts. This vulnerability impacts four first-party Kirby renderers that create links from user-supplied content: the 'link' KirbyTag, the 'link' parameter of the 'image' KirbyTag (when it doesn't point to a known file or 'self'), the 'link' field in the built-in image block, and the HTML importer for blocks. The vulnerability is triggered when content is authored by users who may not be fully trusted, allowing for the injection of harmful scripts that could be executed in the site frontend or through a compromised Panel session.
Kirby Content Management System User Information Disclosure Vulnerability via Content Locks
A vulnerability exists in Kirby, an open-source content management system, in versions prior to 4.9.1 and 5.4.1. The issue arises from the content-locking feature, which fails to verify a user's access permissions before disclosing lock information. This feature is designed to prevent conflicting edits by multiple users by indicating who is currently editing a model. However, the system inadvertently exposes the email addresses and identifiers of users, including those with administrative privileges, to low-privilege authenticated Panel users whose roles restrict access to user information. This flaw could be exploited to enumerate admin accounts, facilitate phishing attacks, and conduct credential-stuffing attacks against the affected Kirby installation or other sites.
Jupyter Enterprise Gateway UID and GID Bypass Vulnerability Allowing Root Kernel Execution
A vulnerability in Jupyter Enterprise Gateway versions 2.0.0rc1 and above prior to 3.3.0 allows users to bypass restrictions that prevent launching Jupyter Notebook kernels as root. This vulnerability arises from improper validation of user ID (UID) and group ID (GID) values. By default, the gateway prohibits UID or GID values of 0, which corresponds to the root user and group. However, this restriction can be circumvented by sending specially crafted KERNEL_UID or KERNEL_GID values that include whitespace, effectively tricking the validation process. Exploiting this vulnerability enables kernels to be executed with root privileges, increasing the risk of container escapes and compromising the underlying worker node and its workloads. In a Kubernetes environment, such exploitation could jeopardize the entire cluster.
Kirby Path Traversal and Arbitrary PHP File Inclusion Vulnerability
A path traversal vulnerability allowing arbitrary PHP file inclusion has been identified in Kirby, an open-source content management system. This issue affects versions 5.3.0 prior to 5.4.1. The vulnerability arises because the user ID provided during lookup was not properly validated, enabling attackers to traverse directories and include PHP files, such as plugin files, which could be executed on the server. The flaw is present in the authentication API, the users API, and any functionality that uses the $users->find() method to retrieve user information by email or ID. Additionally, the vulnerability allows for probing the existence of arbitrary directories on the server, which could be used to gather information about the server and site setup, including installed plugins and content structure.
Kirby CMS Pages Access Permission Bypass Vulnerability in Draft Rendering
A vulnerability exists in Kirby CMS versions prior to 4.9.1 and 5.4.1, where the `pages.access` permission is not enforced during the rendering of page drafts. This flaw allows authenticated users to access drafts of pages they should not have permission to view. The issue arises because the path resolver for the CMS router fails to properly check access rights, enabling unauthorized access to sensitive information through rendered frontend pages.
Kirby Cross-Site Scripting Vulnerability in List Field
A cross-site scripting (XSS) vulnerability has been identified in Kirby, an open-source content management system, affecting versions prior to 4.9.1 and 5.4.1. The issue arises in the list field, which stores content as HTML. Unlike other field types, HTML special characters in the list field cannot be escaped without losing formatting. This vulnerability allows attackers to inject malicious HTML that is saved unsanitized and executed on the site frontend, impacting visitors and logged-in users.
Kirby Arbitrary Method Call Vulnerability via REST API Endpoints
A vulnerability allowing arbitrary method calls has been identified in Kirby, an open-source content management system. This issue affects Kirby versions 4.0.0 through 4.9.0 and 5.0.0 through 5.4.0. The vulnerability arises because the application did not properly validate model attributes used in collection queries. As a result, authenticated users could exploit this flaw to invoke arbitrary model methods through the REST API, potentially leading to the disclosure of sensitive information or unauthorized actions. Methods that could be called include password() and root(), which reveal the password hash and absolute filesystem path, respectively, as well as loginPasswordless(), which could escalate privileges to another user, and delete(), which could remove all queried models if the user had the necessary permissions.
Amelia WordPress Plugin SQL Injection Vulnerability in Customer Import Feature
A SQL injection vulnerability has been identified in the Booking for Appointments and Events Calendar – Amelia plugin for WordPress, affecting all versions up to and including 2.4.3. The issue arises in the Customer Import feature, where insufficient escaping of user-supplied parameters and inadequate preparation of the SQL query allow authenticated attackers with the wpamelia-manager role to inject additional SQL queries. This exploitation could lead to unauthorized access to sensitive information in the database.
YAML::Syck Use-After-Free and Double-Free Vulnerability in Perl
A use-after-free and double-free vulnerability has been identified in YAML::Syck versions prior to 1.47 for Perl. The issue arises in the bundled libsyck C library when an anchor node is redefined or removed. The functions syck_hdlr_add_anchor and syck_hdlr_remove_anchor free the node associated with the anchor name, but that node can still be live on the parser's value stack. This leads to a scenario where the node is freed twice, causing a crash in the interpreter. The vulnerability can be exploited by loading an untrusted document that redefines an anchor mid-parse, resulting in a denial-of-service condition.
AutomationDirect Productivity Suite Divide-By-Zero Vulnerability Allowing Denial-of-Service
A divide-by-zero vulnerability has been identified in AutomationDirect Productivity Suite versions through 4.6.2.2. This vulnerability allows a local attacker to cause a system crash by exploiting the division by zero error.
AutomationDirect Productivity Suite Out-of-Bounds Read Vulnerability Allowing Memory Disclosure and System Crash
A vulnerability allowing out-of-bounds read has been identified in AutomationDirect Productivity Suite versions through 4.6.2.2. This vulnerability allows a physical attacker to manipulate the length of data sent to a USB device, potentially leading to a system crash or unauthorized disclosure of kernel memory.
AutomationDirect Productivity Suite Out-of-Bounds Read Vulnerability Allowing Kernel Memory Corruption
A vulnerability allowing out-of-bounds read has been identified in AutomationDirect Productivity Suite versions through 4.6.2.2. This vulnerability allows a local attacker to send a crafted IOCTL request that triggers kernel memory corruption, potentially leading to limited information disclosure or disruption of the affected application.
WWBN AVideo OS Command Injection Vulnerability in FFmpeg Command Sanitization
A vulnerability allowing OS command injection has been identified in WWBN AVideo versions through 29.0. The issue arises because the fix for a previous vulnerability (CVE-2026-33482) was incomplete. The 'sanitizeFFmpegCommand' function failed to remove single '&' characters, which are used as command separators in the shell. This oversight allows attackers to execute arbitrary commands by chaining them with '&', exploiting the 'execAsync' function's 'sh -c' command execution sink.
Zoom Clients for Windows Privilege Escalation Vulnerability
A race condition vulnerability has been identified in the installation and uninstallation processes of certain Zoom Clients for Windows. This time-of-check to time-of-use (TOCTOU) race condition could allow an authenticated local user to escalate privileges. The vulnerability affects Zoom Workplace for Windows versions prior to 7.0.5, Zoom Workplace VDI Client for Windows versions prior to 6.5.17 and 6.6.14 in their respective branches, the Zoom Workplace VDI plugin for Windows in the same version ranges, Zoom Rooms for Windows prior to 7.0.5, and Remote Control for Zoom Contact Center for Windows before version 7.0.0.
Zoom Rooms for Windows Improper Privilege Management Vulnerability Allowing Privilege Escalation
A vulnerability exists in Zoom Rooms for Windows, prior to version 7.1.0, allowing an authenticated user to escalate privileges through local access. This issue arises from improper privilege management.
Docling Core Unsafe Remote Filename Resolution Vulnerability Allowing SSRF
A vulnerability in Docling Core versions 1.5.0 and above, prior to 2.74.1, allowed for unsafe resolution of server-provided Content-Disposition headers to local paths. This issue could be exploited in applications that accept untrusted URLs, leading to Server-Side Request Forgery (SSRF) attacks that target local files outside the user-defined cache directory.
