The NVD is the U.S. government repository of standards-based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, product names, and impact metrics.

For information on how to cite the NVD, including the database's Digital Object Identifier (DOI), please consult NIST's Public Data Repository.

Last 20 Scored Vulnerability IDs & Summaries (CVSS Severity)
  • CVE-2026-32916 - OpenClaw versions 2026.3.7 before 2026.3.11 contain an authorization bypass vulnerability where plugin subagent routes execute gateway methods through a synthetic operator client with broad administrative scopes. Remote unauthenticated requests to...
    Published: March 31, 2026; 8:16:28 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-32917 - OpenClaw before 2026.3.13 contains a remote command injection vulnerability in the iMessage attachment staging flow that allows attackers to execute arbitrary commands on configured remote hosts. The vulnerability exists because unsanitized remote...
    Published: March 31, 2026; 8:16:28 AM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-1668 - The web interface on multiple Omada switches does not adequately validate certain external inputs, which may lead to out-of-bound memory access when processing crafted requests. Under specific conditions, this flaw may result in unintended comman...
    Published: March 13, 2026; 3:53:58 PM -0400

    V3.1: 9.8 CRITICAL

  • CVE-2026-32745 - In JetBrains Datalore before 2026.1 session hijacking was possible due to missing secure attribute for cookie settings
    Published: March 13, 2026; 3:55:09 PM -0400

    V3.1: 5.7 MEDIUM

  • CVE-2026-32920 - OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in c...
    Published: March 31, 2026; 8:16:28 AM -0400

    V3.1: 8.8 HIGH

  • CVE-2025-71264 - Mumble before 1.6.870 is prone to an out-of-bounds array access, which may result in denial of service (client crash).
    Published: March 16, 2026; 10:18:02 AM -0400

    V3.1: 5.3 MEDIUM

  • CVE-2026-32921 - OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file ...
    Published: March 31, 2026; 8:16:28 AM -0400

    V3.1: 5.0 MEDIUM

  • CVE-2026-0849 - Malformed ATAES132A responses with an oversized length field overflow a 52-byte stack buffer in the Zephyr crypto driver, allowing a compromised device or bus attacker to corrupt kernel memory and potentially hijack execution.
    Published: March 16, 2026; 10:18:07 AM -0400

    V3.1: 6.8 MEDIUM

  • CVE-2026-32970 - OpenClaw before 2026.3.11 contains a credential fallback vulnerability where unavailable local gateway.auth.token and gateway.auth.password SecretRefs are treated as unset, allowing fallback to remote credentials in local mode. Attackers can explo...
    Published: March 31, 2026; 8:16:29 AM -0400

    V3.1: 3.3 LOW

  • CVE-2026-32971 - OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper binaries and induce wrapper-shaped commands t...
    Published: March 31, 2026; 8:16:29 AM -0400

    V3.1: 8.0 HIGH

  • CVE-2026-32976 - OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-account configuration despite configWrites restrictions. Attackers with authorized access on one account can execute cha...
    Published: March 31, 2026; 8:16:29 AM -0400

    V3.1: 6.5 MEDIUM

  • CVE-2026-0977 - IBM CICS Transaction Gateway for Multiplatforms 9.3 and 10.1 could allow a user to transfer or view files due to improper access controls.
    Published: March 16, 2026; 10:18:07 AM -0400

    V3.1: 7.1 HIGH

  • CVE-2026-26130 - Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
    Published: March 10, 2026; 2:18:42 PM -0400

    V3.1: 7.5 HIGH

  • CVE-2026-27825 - MCP Atlassian is a Model Context Protocol (MCP) server for Atlassian products (Confluence and Jira). Prior to version 0.17.0, the `confluence_download_attachment` MCP tool accepts a `download_path` parameter that is written to without any director...
    Published: March 10, 2026; 4:16:37 PM -0400

    V3.1: 8.0 HIGH

  • CVE-2026-5281 - Use after free in Dawn in Google Chrome prior to 146.0.7680.178 allowed a remote attacker who had compromised the renderer process to execute arbitrary code via a crafted HTML page. (Chromium security severity: High)
    Published: April 01, 2026; 1:16:01 AM -0400

  • CVE-2026-32977 - OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker can exploit a time-of-check-time-of-use race cond...
    Published: March 31, 2026; 8:16:29 AM -0400

    V3.1: 6.3 MEDIUM

  • CVE-2026-2713 - IBM Trusteer Rapport installer 3.5.2309.290 IBM Trusteer Rapport could allow a local attacker to execute arbitrary code on the system, caused by DLL uncontrolled search path element vulnerability. By placing a specially crafted file in a compromis...
    Published: March 10, 2026; 4:16:39 PM -0400

    V3.1: 7.8 HIGH

  • CVE-2026-32982 - OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are em...
    Published: March 31, 2026; 8:16:29 AM -0400

    V3.1: 7.5 HIGH

  • CVE-2025-70027 - An issue pertaining to CWE-918: Server-Side Request Forgery was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. This allows attackers to obtain sensitive information
    Published: March 11, 2026; 11:16:21 AM -0400

  • CVE-2026-32229 - In JetBrains Hub before 2026.1 possible on sign-in account mismatch with non-SSO auth and 2FA disabled
    Published: March 11, 2026; 11:16:31 AM -0400

    V3.1: 6.8 MEDIUM

Created September 20, 2022, Updated August 27, 2024