4.3
CVE-2026-27486 - OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below of the OpenClaw CLI, the process cleanup uses system-wide process enumeration and pattern matching to terminate processes without verifying if they are owned by the current OpenClaw process. On shared hosts, unrelated processes caβ¦
6.5
CVE-2025-14339 - weMail <= 2.0.7 - Missing Authorization to Unauthenticated Form Deletion
The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce`β¦
4.6
CVE-2026-27485 - OpenClaw affected by Stored XSS in Control UI via unsanitized assistant name/avatar in inline scripβ¦
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, skills/skill-creator/scripts/package_skill.py (a local helper script used when authors package skills) previously followed symlinks while building .skill archives. If an author runs this script on a crafted local skill directory β¦
2.3
CVE-2026-27484 - OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows
OpenClaw is a personal AI assistant. In versions 2026.2.17 and below, the Discord moderation action handling (timeout, kick, ban) uses sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context. In setups where Discord moderation actions are enabled and β¦
5.9
CVE-2026-27482 - Ray: Dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job dβ¦
Ray is an AI compute engine. In versions 2.53.0 and below, thedashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding oβ¦
5.3
CVE-2026-27480 - Static Web Server: Timing-Based Username Enumeration in Basic Authentication
Static Web Server (SWS) is a production-ready web server suitable for static web files or assets. In versions 2.1.0 through 2.40.1, a timing-based username enumeration vulnerability in Basic Authentication allows attackers to identify valid users by exploiting early responses for invalid usernames,β¦
7.7
CVE-2026-27479 - Wallos: SSRF via Redirect Bypass in Logo/Icon URL Fetch
Wallos is an open-source, self-hostable personal subscription tracker. Versions 4.6.0 and below contain a Server-Side Request Forgery (SSRF) vulnerability in the subscription and payment logo/icon upload functionality. The application validates the IP address of the provided URL before making the rβ¦
8.8
CVE-2026-27470 - ZoneMinder: Second-Order SQL Injection in `getNearEvents()` via Stored Event Name and Cause Fields
ZoneMinder is a free, open source closed-circuit television software application. In versions 1.36.37 and below and 1.37.61 through 1.38.0, there is a second-order SQL Injection vulnerability in the web/ajax/status.php file within the getNearEvents() function. Event field values (specifically Name β¦
7.7
CVE-2026-27464 - Metabase: Server-Side Template Injection via Notifications Endpoint Leads to RCE
Metabase is an open-source data analytics platform. In versions prior to 0.57.13 and versions 0.58.x through 0.58.6, authenticated users are able to retrieve sensitive information from a Metabase instance, including database access credentials. During testing, it was confirmed that a low-privilegedβ¦
6.9
CVE-2026-2865 - itsourcecode Agri-Trading Online Shopping System HTTP POST Request productcontroller.php sql injectβ¦
A vulnerability was found in itsourcecode Agri-Trading Online Shopping System 1.0. This impacts an unknown function of the file admin/productcontroller.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Product results in sql injection. The attack may be initiβ¦