New

CVE-2026-4495: atjiu pybbs CommentApiController.java create cross site scripting: A security flaw has been discovered in atjiu pybbs 6.0.0. This impacts the function create of the file src/main/java/co/yiiu/pybbs/controller/api/CommentApiController.java. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used f...

CVE-2026-32303: Cryptomator: Tampered vault configuration allows MITM attack on Hub API: Cryptomator encrypts data being stored on cloud infrastructure. Prior to version 1.19.1, an integrity check vulnerability allows an attacker to tamper with the vault configuration file leading to a man-in-the-middle vulnerability in Hub key loading mechanism. Before this fix, the client trusted endpoints from the vault con...

CVE-2026-31836: Mass Assignment Privilege Escalation in Checkmate: Checkmate is an open-source, self-hosted tool designed to track and monitor server hardware, uptime, response times, and incidents in real-time with beautiful visualizations. In versions from 3.5.1 and prior, a mass assignment vulnerability in Checkmate's user profile update endpoint allows any authenticated user to escalate their privileges to...

CVE-2026-4494: atjiu pybbs TopicApiController.java create cross site scripting: A vulnerability was identified in atjiu pybbs 6.0.0. This affects the function create of the file src/main/java/co/yiiu/pybbs/controller/api/TopicApiController.java. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

CVE-2026-4493: Tenda A18 Pro MAC Filtering Configuration Endpoint setMacFilterCfg sub_423B50 stack-based overflow: A vulnerability was determined in Tenda A18 Pro 02.03.02.28. The impacted element is the function sub_423B50 of the file /goform/setMacFilterCfg of the component MAC Filtering Configuration Endpoint. Executing a manipulation of the argument deviceList can lead to stack-based buffer overflow. The ...

Updated

CVE-2025-2877: Event-driven-ansible: exposure inventory passwords in plain text when starting a rulebook activation with verbosity set to debug in eda: A flaw was found in the Ansible Automation Platform's Event-Driven Ansible. In configurations where verbosity is set to "debug", inventory passwords are exposed in plain text when starting a rulebook activation. This issue exists for any "debug" action in a ru...

CVE-2026-32035: OpenClaw < 2026.3.2 - Missing Owner Flag Validation in Discord Voice Transcript Handler: OpenClaw versions prior to 2026.3.2 fail to pass the senderIsOwner flag when processing Discord voice transcripts in agentCommand, causing the flag to default to true. Non-owner voice participants can exploit this omission to access owner-only tools including gateway and cron functionality in mixed-trust ch...

CVE-2026-22209: thingino-firmware api.cgi Unauthenticated Command Injection in Captive Portal: thingino-firmware up to commit e3f6a41 (published on 2026-03-15) contains an unauthenticated os command injection vulnerability in the WiFi captive portal CGI script that allows remote attackers to execute arbitrary commands as root by injecting malicious code through unsanitized HTTP parameter names. Attackers can e...

CVE-2026-32844: XinLiangCoder / php_api_doc Reflected XSS via list_method.php: XinLiangCoder php_api_doc through commit 1ce5bbf contains a reflected cross-site scripting vulnerability in list_method.php that allows remote attackers to execute arbitrary JavaScript in a victim's browser by injecting malicious code through the f parameter. Attackers can craft a malicious URL with unsanitized input in the GET requ...

CVE-2026-32041: OpenClaw < 2026.3.1 - Unauthenticated Browser Control Access via Failed Auth Bootstrap: OpenClaw versions prior to 2026.3.1 fail to properly handle authentication bootstrap errors during startup, allowing browser-control routes to remain accessible without authentication. Local processes or loopback-reachable SSRF paths can exploit this to access browser-control routes including evaluate-capabl...

CISA Known Exploited Vulnerabilities

CVE-2025-43510 Apple Multiple Products: Apple watchOS, iOS, iPadOS, macOS, visionOS, and tvOS contain an improper locking vulnerability that could allow a malicious application to cause unexpected changes in memory shared between processes.

CVE-2025-32432 Craft CMS Craft CMS: Craft CMS contains a code injection vulnerability that allows a remote attacker to execute arbitrary code.

CVE-2025-43520 Apple Multiple Products: Apple watchOS, iOS, iPadOS, macOS, visionOS, tvOS, and iPadOS contain a classic buffer overflow vulnerability which could allow a malicious application to cause unexpected system termination or write kernel memory.

CVE-2025-54068 Laravel Livewire: Laravel Livewire contain a code injection vulnerability that could allow unauthenticated attackers to achieve remote command execution in specific scenarios.

CVE-2025-31277 Apple Multiple Products: Apple Safari, iOS, watchOS, visionOS, iPadOS, macOS, and tvOS contain a buffer overflow vulnerability that could allow the processing of maliciously crafted web content which may lead to memory corruption.