Common Vulnerabilities and Exposures (CVE)

CVE-2026-27785

Apr 27, 2026 23:38:10 UTC

Specific firmware versions of Milesight AIOT camera firmware contain hard-coded credentials.

CVE-2026-40977

Apr 27, 2026 23:36:06 UTC

When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.0–4.0.5 (fi...

CVE-2026-40976

Apr 27, 2026 23:34:51 UTC

In certain circumstances, Spring Boot's default web security is ineffective, allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configurati...

CVE-2026-40975

Apr 27, 2026 23:32:58 UTC

Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range. Affected: Spring...

CVE-2026-28747

Apr 27, 2026 23:31:53 UTC

A weak key generation vulnerability in specific firmware versions of Milesight AIOT cameras allows authorization to be bypassed.

CVE-2026-40974

Apr 27, 2026 23:31:40 UTC

Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–...

CVE-2026-7200

Apr 27, 2026 23:30:17 UTC

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /index.php?page=types. Executing a manipulation of the argument ID can lead to cross site scri...

CVE-2026-40973

Apr 27, 2026 23:29:51 UTC

A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this...

CVE-2026-41372

Apr 27, 2026 23:24:33 UTC

OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning `localhost.` to retarget authentica...

CVE-2026-41371

Apr 27, 2026 23:24:32 UTC

OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in chat.send that allows write-scoped gateway callers to trigger admin-only session reset operations. Attackers can rotate target sessions, archive prior transcript sta...

CVE-2026-41370

Apr 27, 2026 23:24:32 UTC

OpenClaw before 2026.3.31 contains a path traversal vulnerability in ACP dispatch that allows attackers to read arbitrary files by manipulating inbound channel attachment paths. Remote attackers can bypass attachment-cache and root director...

CVE-2026-41369

Apr 27, 2026 23:24:31 UTC

OpenClaw before 2026.3.31 contains insufficient environment variable sanitization in host exec operations, failing to filter package, registry, Docker, compiler, and TLS override variables. Attackers can exploit this by injecting malicious ...

CVE-2026-41368

Apr 27, 2026 23:24:30 UTC

OpenClaw before 2026.3.28 contains an environment variable disclosure vulnerability in the jq safe-bin policy that fails to block the $ENV filter. Attackers can bypass safe-bin restrictions by using $ENV in jq programs to access sensitive e...

CVE-2026-41367

Apr 27, 2026 23:24:29 UTC

OpenClaw versions 2026.2.14 through 2026.3.24 fail to consistently apply guild and channel policy gates to Discord button and component interactions. Attackers can trigger privileged component actions from blocked contexts by bypassing chan...

CVE-2026-41366

Apr 27, 2026 23:24:29 UTC

OpenClaw before 2026.3.31 contains a local roots self-whitelisting vulnerability in appendLocalMediaParentRoots that allows model-initiated arbitrary host file read. Attackers can exploit improper media parent directory validation to exfilt...