2026-04-21 01:16Z · HIGH

CVE-2026-39386 — M1k1o Neko: This results in a complete compromise of the instance.

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-39386

Neko is a self-hosted virtual browser that runs in Docker and uses WebRTC. In versions 3.0.0 through 3.0.10 and 3.1.0 through 3.1.1, any authenticated user can immediately obtain full administrative control of the entire Neko instance (member management, room settings, broadcast control, session termination, etc.). This results in a complete compromise of the instance. The vulnerability has been patched in v3.0.11 and v3.1.2. If upgrading is not immediately possible, the fol

CVSS v3.1 8.8 (HIGH)
CWE-269, CWE-639, CWE-284, CWE-20 · VND: M1k1o, Neko · TYP: Vulnerability
Score: 94

2026-04-21 00:16Z · CRIT

CVE-2026-41329 — Openclaw Openclaw: before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41329

OpenClaw before 2026.3.31 contains a sandbox bypass vulnerability allowing attackers to escalate privileges via heartbeat context inheritance and senderIsOwner parameter manipulation. Attackers can exploit improper context validation to bypass sandbox restrictions and achieve unauthorized privilege escalation.

CVSS v3.1 9.9 (CRITICAL) · EPSS 13th percentile
CWE-648 · VND: Openclaw · TYP: Vulnerability
Score: 100

2026-04-21 00:16Z · HIGH

CVE-2026-41303 — Openclaw Openclaw: before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41303

OpenClaw before 2026.3.28 contains an authorization bypass vulnerability in Discord text approval commands that allows non-approvers to resolve pending exec approvals. Attackers can send Discord text commands to bypass the channels.discord.execApprovals.approvers allowlist and approve pending host execution requests.

CVSS v3.1 8.8 (HIGH) · EPSS 20th percentile
CWE-863 · VND: Openclaw · TYP: Vulnerability
Score: 94

2026-04-21 00:16Z · HIGH

CVE-2026-41296 — Openclaw Openclaw: before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41296

OpenClaw before 2026.3.31 contains a time-of-check-time-of-use race condition in the remote filesystem bridge readFile function that allows sandbox escape. Attackers can exploit the separate path validation and file read operations to bypass sandbox restrictions and read arbitrary files.

CVSS v3.1 8.2 (HIGH) · EPSS 8th percentile
CWE-367 · VND: Openclaw · TYP: Vulnerability
Score: 91

2026-04-21 00:16Z · HIGH

CVE-2026-41294 — Openclaw Openclaw: before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-41294

OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment settings during OpenClaw startup.

CVSS v3.1 8.6 (HIGH) · EPSS 3rd percentile
CWE-15 · VND: Openclaw · TYP: Vulnerability
Score: 93

2026-04-21 00:16Z · HIGH

CVE-2026-35587 — Nicolargo Glances: Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35587

Glances is an open-source, cross-platform system monitoring tool. Prior to version 4.5.4, a Server-Side Request Forgery (SSRF) vulnerability exists in the Glances IP plugin due to improper validation of the public_api configuration parameter. The value of public_api is used directly in outbound HTTP requests without any scheme restriction or hostname/IP validation. An attacker who can modify the Glances configuration can force the application to send requests to arbitrary inte

CVSS v3.1 8.8 (HIGH)
CWE-918 · VND: Nicolargo, Glances · TYP: Vulnerability
Score: 94

2026-04-21 00:16Z · HIGH

CVE-2026-35570 — Gitlawb Openclaude: When the sandbox auto-allow feature is active and no explicit deny rule is configured

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35570

OpenClaude is an open-source coding-agent command line interface for cloud and local model providers. Versions prior to 0.5.1 have a logic flaw in `bashToolHasPermission()` inside `src/tools/BashTool/bashPermissions.ts`. When the sandbox auto-allow feature is active and no explicit deny rule is configured, the function returns an `allow` result immediately — before the path constraint filter (`checkPathConstraints`) is ever evaluated. This allows commands containing path trav

CVSS v3.1 8.4 (HIGH)
CWE-284, CWE-22 · VND: Gitlawb, Openclaude · TYP: Vulnerability
Score: 92

2026-04-21 00:00Z · CRIT

Void Dokkaebi Uses Fake Job Interview Lure to Spread Malware via Code Repositories

Source: Trend Micro Research · trendmicro.com · in the wild

Void Dokkaebi (Famous Chollima), a North Korea-aligned threat actor, has evolved a self-propagating supply chain worm that spreads malware through compromised developer repositories via two mechanisms: malicious VS Code task configurations (.vscode/tasks.json) and injected obfuscated JavaScript with git history tampering. Analysis identified over 750 infected repositories, 500+ malicious VS Code tasks, and compromises of major organizations including DataStax and Neutralinojs, with payloads staged on blockchain infrastructure (Tron, Aptos, BSC) and delivered as DEV#POPPER RAT variants.

SRF: Application, Os, Supply Chain · TAC: TA0005, TA0001, TA0002, TA0003, TA0011
Score: 92

2026-04-21 00:00Z · HIGH

The Cost of Understanding: LLM-Driven Reverse Engineering vs Iterative LLM Obfuscation

Source: Elastic Security Labs · elastic.co

Elastic Security Labs benchmarked Claude Opus 4.6's ability to reverse-engineer obfuscated binaries using Tigress, finding the model solved 40% of tasks with costs ranging $0.43–$6+ per attempt. The research then developed LLM-targeting obfuscation techniques exploiting context-window limitations, token budgets, and model shortcut biases, achieving cost/time multipliers up to 4.5x on previously-solved challenges.

SRF: Application · TAC: TA0005 · TYP: Research, Technique · STG: Defense Evasion · TEC: T1027, T1027.001
Score: 76

2026-04-20 21:16Z · CRIT

CVE-2026-5450 — Gnu Glibc: Calling the scanf family of functions with a %mc (malloc'd character match) in the

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5450

Calling the scanf family of functions with a %mc (malloc'd character match) in the GNU C Library version 2.7 to version 2.43 with a format width specifier with an explicit width greater than 1024 could result in a one byte heap buffer overflow.

CVSS v3.1 9.8 (CRITICAL)
CWE-787, CWE-122 · VND: Gnu, Calling · TYP: Vulnerability
Score: 99

2026-04-20 21:16Z · CRIT

CVE-2026-33432 — Roxy-wi Roxy-wi: An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-33432

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to retur

CVSS v3.1 9.1 (CRITICAL) · EPSS 34th percentile
CWE-287 · VND: Roxy Wi, Roxy · TYP: Vulnerability
Score: 96

2026-04-20 21:16Z · CRIT

CVE-2026-32613 — Linuxfoundation Spinnaker: This enabled a user to use arbitrary java classes which allow deep access to

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32613

Spinnaker is an open source, multi-cloud continuous delivery platform. Echo, like some other services, uses SpEL (Spring Expression Language) to process information - specifically around expected artifacts. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, unlike orca, it was NOT restricting that context to a set of trusted classes, but allowing FULL JVM access. This enabled a user to use arbitrary java classes which allow deep access to the system. This enabled

CVSS v3.1 9.9 (CRITICAL)
CWE-94 · VND: Linuxfoundation, Spinnaker · TYP: Vulnerability
Score: 100

2026-04-20 21:16Z · CRIT

CVE-2026-32604 — Linuxfoundation Spinnaker: In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32604

Spinnaker is an open source, multi-cloud continuous delivery platform. In versions prior to 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2, a bad actor can execute arbitrary commands very simply on the clouddriver pods. This can expose credentials, remove files, or inject resources easily. Versions 2026.1.0, 2026.0.1, 2025.4.2, and 2025.3.2 contain a patch. As a workaround, disable the gitrepo artifact types.

CVSS v3.1 9.9 (CRITICAL)
CWE-20 · VND: Linuxfoundation, Spinnaker · TYP: Vulnerability
Score: 100

2026-04-20 20:16Z · CRIT

CVE-2026-32311 — Reconurge Flowsint: allows a user to create investigations, which are used to manage sketches and

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-32311

Flowsint is an open-source OSINT graph exploration tool designed for cybersecurity investigation, transparency, and verification. Flowsint allows a user to create investigations, which are used to manage sketches and analyses. Sketches have controllable graphs, which are comprised of nodes and relationships. The sketches contain information on an OSINT target (usernames, websites, etc) within these nodes and relationships. The nodes can have automated processes execute on the

CVSS v3.1 9.8 (CRITICAL)
CWE-78 · VND: Reconurge, Flowsint · TYP: Vulnerability
Score: 99

2026-04-20 20:16Z · CRIT

CVE-2026-29649 — Xiangshan Nemu: This can lead to incorrect enforcement of virtualization configuration and may cause unexpected traps

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-29649

NEMU contains an implementation flaw in its RISC-V Hypervisor CSR handling where henvcfg[7:4] (CBIE/CBCFE/CBZE-related fields) is incorrectly masked/updated based on menvcfg[7:4], so a machine-mode write to menvcfg can implicitly modify the hypervisor's environment configuration. This can lead to incorrect enforcement of virtualization configuration and may cause unexpected traps or denial of service when executing cache-block management instructions in virtualized contexts (

CVSS v3.1 9.8 (CRITICAL) · EPSS 5th percentile
CWE-693 · VND: Xiangshan, Nemu · TYP: Vulnerability
Score: 99

2026-04-20 18:39Z · LOW

v9.0.2-rc2

Source: BloodHound releases · github.com · CVE-2026-33815, CVE-2026-33816

BloodHound v9.0.2-rc2 release candidate published with routine maintenance updates including PFC checks, OpenHound collector link addition, and a pgx dependency upgrade to remediate two CVEs (CVE-2026-33815 and CVE-2026-33816).

CVSS v3.1 9.8
SRF: Application · VND: Bloodhound, Specter Ops · TYP: Tool, Vulnerability
Score: 25

2026-04-20 17:16Z · HIGH

CVE-2026-40488 — Openmage Magento: Files are stored in the publicly accessible `media/custom_options/quote/` directory, which lacks server-side execution restrictions

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-40488

Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, the product custom option file upload in OpenMage LTS uses an incomplete blocklist (`forbidden_extensions = php,exe`) to prevent dangerous file uploads. This blocklist can be trivially bypassed by using alternative PHP-executable extensions such as `.phtml`

CVSS v3.1 8.8 (HIGH)
CWE-434 · VND: Magento, Openmage · TYP: Vulnerability
Score: 94

2026-04-20 17:16Z · CRIT

CVE-2026-30269 — Doorman Doorman: Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-30269

Improper access control in Doorman v0.1.0 and v1.0.2 allows any authenticated user to update their own account role to a non-admin privileged role via /platform/user/{username}. The `role` field is accepted by the update model without a manage_users permission check for self-updates, enabling privilege escalation to high-privileged roles.

CVSS v3.1 9.9 (CRITICAL) · EPSS 13th percentile
CWE-269 · VND: Doorman · TYP: Vulnerability
Score: 100

2026-04-20 17:16Z · HIGH

CVE-2026-25524 — Openmage Magento: Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-25524

Magento Long Term Support (LTS) is an unofficial, community-driven project that provides an alternative to the Magento Community Edition e-commerce platform with a high level of backward compatibility. Prior to version 20.17.0, PHP functions such as `getimagesize()`, `file_exists()`, and `is_readable()` can trigger deserialization when processing `phar://` stream wrapper paths. OpenMage LTS uses these functions with potentially controllable file paths during image validation and m

CVSS v3.1 8.1 (HIGH)
CWE-502 · VND: Magento, Openmage · TYP: Vulnerability
Score: 91

2026-04-20 16:16Z · HIGH

CVE-2026-26944 — Dell Powerprotect_dp_series_appliance: PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-26944

Dell PowerProtect Data Domain, versions 7.7.1.0 through 8.6, LTS2025 release version 8.3.1.0 through 8.3.1.20, LTS2024 release versions 7.13.1.0 through 7.13.1.60 contain a missing authentication for critical function vulnerability. An unauthenticated attacker with remote access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. Exploitation requires an authenticated user to perform a specific action.

CVSS v3.1 8.8 (HIGH)
CWE-306 · VND: Dell · TYP: Vulnerability
Score: 94

2026-04-20 16:16Z · CRIT

CVE-2026-24467 — Filigran Openaev: Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-24467

OpenAEV is an open source platform allowing organizations to plan, schedule and conduct cyber adversary simulation campaigns and tests. Starting in version 1.0.0 and prior to version 2.0.13, OpenAEV's password reset implementation contains multiple security weaknesses that together allow reliable account takeover. The primary issue is that password reset tokens do not expire. Once a token is generated, it remains valid indefinitely, even if significant time has passed or if ne

CVSS v3.1 9.0 (CRITICAL) · EPSS 73rd percentile
CWE-640 · VND: Openaev, Filigran · TYP: Vulnerability
Score: 95

2026-04-20 14:16Z · CRIT

CVE-2026-5760 — SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-5760

SGLang's reranking endpoint (/v1/rerank) achieves Remote Code Execution (RCE) when a model file containing a malicious tokenizer.chat_template is loaded, as the Jinja2 chat templates are rendered using an unsandboxed jinja2.Environment().

CVSS v3.1 9.8 (CRITICAL) · EPSS 59th percentile
CWE-94 · TYP: Vulnerability
Score: 99

2026-04-20 14:16Z · HIGH

CVE-2026-4048 — Progress Connection_manager_for_objectscale: OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-4048

OS Command Injection Remote Code Execution Vulnerability in UI in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in a custom WAF rule file during the file upload process.

CVSS v3.1 8.4 (HIGH) · EPSS 23rd percentile
CWE-77 · VND: Progress, Command · TYP: Vulnerability
Score: 92

2026-04-20 14:16Z · HIGH

CVE-2026-3519 — Progress Connection_manager_for_objectscale: OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-3519

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “VS Administration” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'aclcontrol' command.

CVSS v3.1 8.4 (HIGH) · EPSS 23rd percentile
CWE-77 · VND: Progress, Command · TYP: Vulnerability
Score: 92

2026-04-20 14:16Z · HIGH

CVE-2026-3518 — Progress Connection_manager_for_objectscale: OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows

Source: NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-3518

OS Command Injection Remote Code Execution Vulnerability in API in Progress ADC Products allows an authenticated attacker with “All” permissions to execute arbitrary commands on the LoadMaster appliance by exploiting unsanitized input in the 'killsession' command.

CVSS v3.1 8.4 (HIGH) · EPSS 23rd percentile
CWE-77 · VND: Progress, Command · TYP: Vulnerability
Score: 92