NVD CVEs — published today (44 entries)
CVE-2026-27785 8.8 HIGH
Specific firmware versions of Milesight AIOT camera firmware contain hard-coded credentials.
CVE-2026-40972 7.5 HIGH
An attacker on the same network as the remote application may be able to utilize a timing attack to discover information about the remote secret. In extreme circumstances this could result in the attacker determining the secret and uploading changed classes, thereby achieving remote code execution i
CVE-2026-40973 7.0 HIGH
A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hija
CVE-2026-40974 5.0 MEDIUM
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SS
CVE-2026-40975 4.8 MEDIUM
Values produced by ${random.value} are not suitable for use as secrets. ${random.uuid} is not affected. ${random.int} and ${random.long} should never be used for secrets as they are numeric values with a predictable range.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.
CVE-2026-40976 9.1 CRITICAL
In certain circumstances, Spring Boot's default web security is ineffective allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter ch
CVE-2026-40977 4.7 MEDIUM
When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.1
CVE-2026-41362 4.3 MEDIUM
OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress legitima
CVE-2026-41363 5.3 MEDIUM
OpenClaw versions 2026.2.6 through 2026.3.24 contain a path traversal vulnerability in the Feishu extension resolveUploadInput function that bypasses file-system sandbox restrictions. Attackers can exploit improper path resolution during upload_image operations to read arbitrary files outside config
CVE-2026-41364 8.1 HIGH
OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files. Attackers can exploit this by uploading tar archives containing symlinks to escape the sandbox and overwrite files on the remote host.
GitHub Security Advisories — published today (20 entries)
GHSA-7577-x67h-phhq
MEDIUM
A security vulnerability has been detected in Deepractice PromptX up to 2.4.0. The affected...
GHSA-cwqh-g98f-v98j
HIGH
A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP...
GHSA-qf53-r63m-hjj3
MEDIUM
A weakness has been identified in donchelo processing-claude-mcp-bridge up to...
GHSA-r8vp-xqcm-q2g5
MEDIUM
A vulnerability was identified in eghuzefa engineer-your-data up to 0.1.3. This vulnerability...
GHSA-76r7-mj3f-42m5
HIGH
A vulnerability was detected in Totolink N300RT 3.4.0-B20250430. The impacted element is the...
GHSA-2jm6-mf4v-38fj
MEDIUM
A vulnerability was detected in ef10007 MLOps_MCP 1.0.0. This impacts an unknown function of the...
GHSA-7qfw-j73x-42p7
MEDIUM
A security flaw has been discovered in egtai gmx-vmd-mcp up to 0.1.0. This issue affects the...
GHSA-8358-7fqv-7hg5
MEDIUM
A post-authentication command injection vulnerability in the EasyMesh-related APIs of Zyxel...
GHSA-4j28-22qp-rjcf
MEDIUM
A security flaw has been discovered in dubydu sqlite-mcp up to 0.1.0. The affected element is the...
GHSA-qxpx-v5ff-pgxq
HIGH
A vulnerability was determined in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the...