NVD CVEs — 本日公開 (49 件)
CVE-2026-33434 4.3 MEDIUM
Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 4.6.0 and above, prior to 4.14.5, a logic error in CheckRateLimitsMiddleware.dispatch() causes the /events endpoint rate check to unconditionally overwrite the general rate limit result. When th
CVE-2026-33754 6.5 MEDIUM
Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 3.9.0 and above, prior to 4.14.5, a remote attacker can trigger memory exhaustion in the cluster protocol parser by sending a crafted message header with an arbitrarily large payload length. The
CVE-2026-34150 7.5 HIGH
Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 1.0.0 and above, prior to 4.14.5, a heap buffer overflow in wazuh-analysisd allows an unauthenticated remote attacker to crash the Wazuh manager's analysis engine, causing complete loss of SIEM
CVE-2026-39359 7.5 HIGH
Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 4.0.0 through 4.10.3 and 4.11.0 through 4.14.4, a logic flaw affects the Wazuh Manager's enrollment daemon (authd) and synchronization daemon (remoted). The authd process allows agents to select
CVE-2026-54340 7.5 HIGH
h2o is an HTTP server with support for HTTP/1.x, HTTP/2 and HTTP/3. Prior to commit 9265bdd, there is an HTTP/2 state amplification issue that combines HPACK decompression amplification with Slowloris-style stream stalling. Amplified decoded header state can be retained by stalled HTTP/2 streams, an
CVE-2026-14956 9.8 CRITICAL
The Bricksforge plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.1.8.6. This is due to improper validation of the fieldIds parameter in the Pro Forms registration action, which allows attacker-supplied field IDs to be added to the trusted form-field
CVE-2026-2594 6.4 MEDIUM
The Smart Custom Fields plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.0.7. This is due to insufficient input sanitization and output escaping of uploaded image attachment titles. This makes it possible for authenticated attackers, with Author-l
CVE-2026-40106 4.7 MEDIUM
Wazuh is a free and open source platform used for threat prevention, detection, and response. Versions 4.6.0 and above prior to 4.14.5 contain a heap-based buffer overflow vulnerability in the syscheck component of the Wazuh agent for Windows. When expanding registry paths containing wildcards (* or
CVE-2026-44251 6.5 MEDIUM
Wazuh is a free and open source platform used for threat prevention, detection, and response. In versions 3.0.0 and above, prior to 4.14.5, a size_t integer underflow in os_crypto/shared/msgs.c:389 allows any enrolled Wazuh agent to crash the wazuh-remoted process on the manager, immediately disconn
CVE-2026-62201 7.7 HIGH
OpenClaw versions before 2026.6.6 contain a network policy bypass vulnerability in the sandbox exec-server that allows lower-trust callers to reach internal network destinations blocked by OpenClaw policy. Attackers can send HTTP requests through the exec-server to access network resources that shou
GitHub Security Advisories — 本日公開 (20 件)
GHSA-xrvw-c6vh-v4r5
CRITICAL
clawvet self-hosted API server (apps/api) before 0.7.5 hard-codes a fallback JWT secret ('clawvet...
GHSA-qrm9-ppgh-qwm9
HIGH
grav-plugin-api before 1.0.6 fails to validate super-admin status in createApiKey, generate2fa,...
GHSA-rw7h-h988-gfff
HIGH
OpenRemote before 1.26.0 contain an authenticated SQL injection vulnerability in the datapoint...
GHSA-6gqg-9qjp-56jm
MEDIUM
Grav before 2.0.4 contains a regular expression denial of service (ReDoS) vulnerability in the...
GHSA-f4c6-8fcq-j58x
LOW
grav-plugin-login before 3.8.11 contains a cross-site request forgery (CSRF) vulnerability in the...
GHSA-rv94-vqvr-wjjh
HIGH
Grav before 2.0.4 fails to restrict cURL protocols in webhook dispatch, allowing authenticated...
GHSA-cx27-6j8x-h4h6
HIGH
The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 accepts JWT access tokens...
GHSA-h4x5-fmw9-97f9
HIGH
The Grav API plugin (getgrav/grav-plugin-api) before 1.0.0-rc.16 shipped Access-Control-Allow...
GHSA-gv8p-326f-p8gj
LOW
Grav Flex-Objects before version 1.4.3 contains a broken access control vulnerability in the...
GHSA-fc43-vcvc-5qg7
MEDIUM
OpenClaw 2026.4.14 before 2026.5.26 contain a server-side request forgery vulnerability in...