| CVE ID | Title | Vendor | Product | Severity | CVSS Score | Published At | AI Analysis |
|---|---|---|---|---|---|---|---|
| CVE-2026-41299 | OpenClaw < 2026.3.28 - Client Identity Spoofing in chat.send Gateway Provenance Guard | OpenClaw | OpenClaw | High | 7.1 | 2026-04-20 23:08:13 | Deep Dive |
| CVE-2026-41298 | OpenClaw < 2026.4.2 - Authorization Bypass in Session Termination Endpoint | OpenClaw | OpenClaw | Medium | 5.4 | 2026-04-20 23:08:12 | Deep Dive |
| CVE-2026-41297 | OpenClaw < 2026.3.31 - Server-Side Request Forgery via Marketplace Plugin Download Redirect | OpenClaw | OpenClaw | High | 7.6 | 2026-04-20 23:08:11 | Deep Dive |
| CVE-2026-41296 | OpenClaw < 2026.3.31 - Sandbox Escape via TOCTOU Race in Remote FS Bridge readFile | OpenClaw | OpenClaw | High | 8.2 | 2026-04-20 23:08:10 | Deep Dive |
| CVE-2026-41295 | OpenClaw < 2026.4.2 - Untrusted Workspace Channel Shadow Code Execution during Built-in Channel Setup | OpenClaw | OpenClaw | High | 7.8 | 2026-04-20 23:08:10 | Deep Dive |
| CVE-2026-41294 | OpenClaw < 2026.3.28 - Environment Variable Injection via CWD .env File | OpenClaw | OpenClaw | High | 8.6 | 2026-04-20 23:08:09 | Deep Dive |
| CVE-2026-40045 | OpenClaw < 2026.4.2 - Cleartext Credential Transmission via Unencrypted WebSocket Gateway Endpoints | OpenClaw | OpenClaw | Medium | 5.7 | 2026-04-20 23:08:08 | Deep Dive |
| CVE-2026-34082 | Dify has IDOR in deleting someone else's chat conversation | langgenius | dify | - | - | 2026-04-20 23:03:18 | Deep Dive |
| CVE-2026-5721 | wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin <= 6.5.0.4 - Unauthenticated Stored Cross-Site Scripting via CSV/Excel Data Import | wpdatatables | wpDataTables – WordPress Data Table, Dynamic Tables & Table Charts Plugin | Medium | 4.7 | 2026-04-20 22:25:27 | Deep Dive |
| CVE-2026-6729 | HKUDS OpenHarness Session Key Collision Privilege Escalation | HKUDS | OpenHarness | Medium | 6.3 | 2026-04-20 22:01:39 | Deep Dive |
| CVE-2026-0930 | Potential wolfSSHd Buffer out-of-bounds Read on Windows Handling Terminal Resize | wolfSSL | wolfSSH | - | - | 2026-04-20 21:28:33 | Deep Dive |
| CVE-2026-22051 | NetApp StorageGRID 安全漏洞 | NETAPP | StorageGRID (formerly StorageGRID Webscale) | - | - | 2026-04-20 21:27:37 | Deep Dive |
| CVE-2026-5450 | scanf %mc off-by-one heap buffer overflow | The GNU C Library | glibc | - | - | 2026-04-20 20:55:41 | Deep Dive |
| CVE-2026-5928 | Static buffer overflow in deprecated nis_local_principal | The GNU C Library | glibc | - | - | 2026-04-20 20:37:32 | Deep Dive |
| CVE-2026-33626 | LMDeploy Vulnerable to Server-Side Request Forgery (SSRF) via Vision-Language Image Loading | InternLM | lmdeploy | High | 7.5 | 2026-04-20 20:29:20 | Deep Dive |
| CVE-2026-4852 | Image Source Control Lite – Show Image Credits and Captions <= 3.9.1 - Authenticated (Author+) Stored Cross-Site Scripting via 'Image Source' Field | webzunft | Image Source Control Lite – Show Image Credits and Captions | Medium | 6.4 | 2026-04-20 20:26:53 | Deep Dive |
| CVE-2026-33432 | Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass | roxy-wi | roxy-wi | - | - | 2026-04-20 20:26:52 | Deep Dive |
| CVE-2026-33431 | Roxy-WI Vulnerable to Authenticated Arbitrary File Read via Path Traversal in Config Version Viewer | roxy-wi | roxy-wi | - | - | 2026-04-20 20:24:15 | Deep Dive |
| CVE-2026-34403 | Nginx-UI vulnerable to Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints | 0xJacky | nginx-ui | - | - | 2026-04-20 20:16:48 | Deep Dive |
| CVE-2026-33031 | Nginx-UI: Disabled users retain full API access through previously issued bearer tokens | 0xJacky | nginx-ui | - | - | 2026-04-20 20:12:08 | Deep Dive |