CVSS 3.1 score: 4.3

CVE-2026-4799 - Open redirect vulnerability in Search Guard Kibana Plugin via manipulated requests

In Search Guard FLX up to version 4.0.1, it is possible to use specially crafted requests to redirect the user to an untrusted URL.

📅 Published: March 31, 2026, 2:41 p.m. 🔄 Last Modified: March 31, 2026, 2:41 p.m.

CVSS 4.0 score: 5.3

CVE-2026-34373 - Parse Server: GraphQL API endpoint ignores CORS origin restriction

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any website. This bypass…

📅 Published: March 31, 2026, 2:38 p.m. 🔄 Last Modified: March 31, 2026, 2:38 p.m.

CVSS 4.0 score: 8.2

CVE-2026-34363 - Parse Server: LiveQuery protected field leak via shared mutable state across concurrent subscribers

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.65 and 9.7.0-alpha.9, when multiple clients subscribe to the same class via LiveQuery, the event handlers process each subscriber concurrently using shared mutable objects. …

📅 Published: March 31, 2026, 2:35 p.m. 🔄 Last Modified: March 31, 2026, 2:35 p.m.

CVSS 3.0 score: 9.6

CVE-2026-0596 - Command Injection in mlflow/mlflow

A command injection vulnerability exists in mlflow/mlflow when serving a model with `enable_mlserver=True`. The `model_uri` is embedded directly into a shell command executed via `bash -c` without proper sanitization. If the `model_uri` contains shell metacharacters, such as `$()` or backticks, it …

📅 Published: March 31, 2026, 2:25 p.m. 🔄 Last Modified: April 1, 2026, 2:24 p.m.

CVSS 4.0 score: 2.1

CVE-2026-34224 - Parse Server: MFA single-use token bypass via concurrent authData login requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticat…

📅 Published: March 31, 2026, 2:25 p.m. 🔄 Last Modified: April 1, 2026, 6:16 p.m.

CVSS 3.1 score: 7.7

CVE-2026-34214 - Trino: Iceberg REST catalog static and vended credentials are accessible via query JSON

Trino is a distributed SQL query engine for big data analytics. From version 439 to before version 480, Iceberg connector REST catalog static credentials (access key) or vended credentials (temporary access key) are accessible to users that have write privilege on SQL level. This issue has been pat…

📅 Published: March 31, 2026, 2:14 p.m. 🔄 Last Modified: March 31, 2026, 2:14 p.m.

CVSS 3.1 score: 7.5

CVE-2026-34209 - mppx: Tempo has a session close voucher bypass vulnerability due to settled amount equality

mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the tempo/session cooperative close handler validated the close voucher amount using "<" instead of "<=" against the on-chain settled amount. An attacker could submit a close voucher exactly equal to the settled …

📅 Published: March 31, 2026, 2:10 p.m. 🔄 Last Modified: April 2, 2026, 3:13 p.m.

CVSS 4.0 score: 6.9

CVE-2026-34504 - OpenClaw < 2026.3.28 - Server-Side Request Forgery via Unguarded Image Download in fal Provider

OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose internal service metada…

📅 Published: March 31, 2026, 2:10 p.m. 🔄 Last Modified: April 2, 2026, 12:20 p.m.

CVSS 4.0 score: 8.6

CVE-2026-34503 - OpenClaw < 2026.3.28 - Incomplete WebSocket Session Termination on Device Removal and Token Revocat…

OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.

📅 Published: March 31, 2026, 2:10 p.m. 🔄 Last Modified: April 2, 2026, 12:21 p.m.

CVSS 4.0 score: 7.1

CVE-2026-33581 - OpenClaw < 2026.3.24 - Arbitrary File Read via mediaUrl and fileUrl Parameters

OpenClaw before 2026.3.24 contains a sandbox bypass vulnerability in the message tool that allows attackers to read arbitrary local files by using mediaUrl and fileUrl alias parameters that bypass localRoots validation. Remote attackers can exploit this by routing file requests through unvalidated …

📅 Published: March 31, 2026, 2:10 p.m. 🔄 Last Modified: April 1, 2026, 7:01 p.m.
Total results: 341791