Total: 336347 CVE

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2026-28714 | | | 2026-03-06 | N/A | 4.8 MEDIUM | Unnecessary transmission of sensitive cryptographic material. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. |
| CVE-2026-28713 | | | 2026-03-06 | N/A | 7.1 HIGH | Default credentials set for local privileged user in Virtual Appliance. The following products are affected: Acronis Cyber Protect Cloud Agent (VMware) before build 36943, Acronis Cyber Protect 17 (VMware) before build 41186. |
| CVE-2026-28712 | | | 2026-03-06 | N/A | 6.3 MEDIUM | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186. |
| CVE-2026-28711 | | | 2026-03-06 | N/A | 6.3 MEDIUM | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect 17 (Windows) before build 41186. |
| CVE-2026-28710 | | | 2026-03-06 | N/A | 8.1 HIGH | Sensitive information disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. |
| CVE-2026-28709 | | | 2026-03-06 | N/A | 4.3 MEDIUM | Unauthorized resource manipulation due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186. |
| CVE-2026-27778 | | | 2026-03-06 | N/A | 7.5 HIGH | The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access. |
| CVE-2026-27770 | | | 2026-03-06 | N/A | 6.5 MEDIUM | Charging station authentication identifiers are publicly accessible via web-based mapping platforms. |
| CVE-2026-24912 | | | 2026-03-06 | N/A | 7.3 HIGH | The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicio ... |
| CVE-2026-22552 | | | 2026-03-06 | N/A | 9.4 CRITICAL | WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption o ... |
| CVE-2025-30415 | | | 2026-03-06 | N/A | 7.5 HIGH | Denial of service due to improper handling of malformed input. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40077, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186. |
| CVE-2025-30413 | | | 2026-03-06 | N/A | 4.4 MEDIUM | Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40497, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186. |
| CVE-2025-30409 | | | 2026-03-06 | N/A | 5.5 MEDIUM | Denial of service due to allocation of resources without limits. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 39904, Acronis Cyber Protect 17 (Windows) before build 41186. |
| CVE-2025-11792 | | | 2026-03-06 | N/A | 7.3 HIGH | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis Cyber Protect Cloud Agent (Windows) before build 41124. |
| CVE-2025-11791 | | | 2026-03-06 | N/A | 5.5 MEDIUM | Sensitive information disclosure and manipulation due to insufficient authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186, Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124. |
| CVE-2025-11790 | | | 2026-03-06 | N/A | 4.4 MEDIUM | Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 41124. |
| CVE-2023-48684 | | | 2026-03-06 | N/A | 7.1 HIGH | Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 37758, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186. |
| CVE-2023-45243 | Acronis, Apple, Linux and 1 more (4) | Agent, Macos, Linux Kernel and 1 more (4) | 2026-03-06 | N/A | 5.5 MEDIUM | Sensitive information disclosure due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 35739, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186. |
| CVE-2023-45242 | Acronis, Apple, Linux and 1 more (4) | Agent, Macos, Linux Kernel and 1 more (4) | 2026-03-06 | N/A | 5.5 MEDIUM | Sensitive information disclosure due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 35739, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186. |
| CVE-2023-44210 | Acronis, Apple, Linux and 1 more (4) | Agent, Macos, Linux Kernel and 1 more (4) | 2026-03-06 | N/A | 5.5 MEDIUM | Sensitive information disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 29258, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186. |
| CVE-2023-44209 | Acronis, Apple, Linux and 1 more (4) | Agent, Macos, Linux Kernel and 1 more (4) | 2026-03-06 | N/A | 7.8 HIGH | Local privilege escalation due to improper soft link handling. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 29051, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186. |
| CVE-2026-29612 | | | 2026-03-05 | N/A | 5.5 MEDIUM | OpenClaw versions prior to 2026.2.14 decode base64-backed media inputs into buffers before enforcing decoded-size budget limits, allowing attackers to trigger large memory allocations. Remote attackers can supply oversized base64 payloads to cause memory pressure and denial of service. |
| CVE-2026-29606 | | | 2026-03-05 | N/A | 4.8 MEDIUM | OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly reachable webhook endpoint without a valid X-Twilio-Signature header, resulting in unauthorized webhook event handling and potential request flooding attacks. |
| CVE-2026-28486 | | | 2026-03-05 | N/A | 6.1 MEDIUM | OpenClaw versions 2026.1.16-2 prior to 2026.2.14 contain a path traversal vulnerability in archive extraction during installation commands that allows arbitrary file writes outside the intended directory. Attackers can craft malicious archives that, when extracted via skills install, hooks install, plugins install, or signal install commands, write files to arbitrary locations enabling persistence or code execution. |
| CVE-2026-28481 | | | 2026-03-05 | N/A | 5.3 MEDIUM | OpenClaw versions 2026.1.30 and earlier contain an information disclosure vulnerability, patched in 2026.2.1, in the MS Teams attachment downloader (optional extension must be enabled) that leaks bearer tokens to allowlisted suffix domains. When retrying downloads after receiving 401 or 403 responses, the application sends Authorization bearer tokens to untrusted hosts matching the permissive suffix-based allowlist, enabling token theft. |
| CVE-2026-28480 | | | 2026-03-05 | N/A | 6.5 MEDIUM | OpenClaw versions prior to 2026.2.14 contain an authorization bypass vulnerability where Telegram allowlist matching accepts mutable usernames instead of immutable numeric sender IDs. Attackers can spoof identity by obtaining recycled usernames to bypass allowlist restrictions and interact with bots as unauthorized senders. |
| CVE-2026-28477 | | | 2026-03-05 | N/A | 5.9 MEDIUM | OpenClaw versions prior to 2026.2.14 contain an OAuth state validation bypass vulnerability in the manual Chutes login flow that allows attackers to bypass CSRF protection. An attacker can convince a user to paste attacker-controlled OAuth callback data, enabling credential substitution and token persistence for unauthorized accounts. |
| CVE-2026-28475 | | | 2026-03-05 | N/A | 4.8 MEDIUM | OpenClaw versions prior to 2026.2.13 use non-constant-time string comparison for hook token validation, allowing attackers to infer tokens through timing measurements. Remote attackers with network access to the hooks endpoint can exploit timing side-channels across multiple requests to gradually recover the authentication token. |
| CVE-2026-28471 | | | 2026-03-05 | N/A | 3.7 LOW | OpenClaw versions 2026.1.14-1 prior to 2026.2.2, with the Matrix plugin installed and enabled, contain a vulnerability in which DM allowlist matching could be bypassed by exact-matching against sender display names and localparts without homeserver validation. Remote Matrix users can impersonate allowed identities by using attacker-controlled display names or matching localparts from different homeservers to reach the routing and agent pipeline. |
| CVE-2026-28457 | | | 2026-03-05 | N/A | 5.3 MEDIUM | OpenClaw versions prior to 2026.2.14 contain a path traversal vulnerability in sandbox skill mirroring (must be enabled) that uses the skill frontmatter name parameter unsanitized when copying skills into the sandbox workspace. Attackers who provide a crafted skill package with traversal sequences like ../ or absolute paths in the name field can write files outside the sandbox workspace root directory. |
| CVE-2026-28452 | | | 2026-03-05 | N/A | 5.5 MEDIUM | OpenClaw versions prior to 2026.2.14 contain a denial of service vulnerability in the extractArchive function within src/infra/archive.ts that allows attackers to consume excessive CPU, memory, and disk resources through high-expansion ZIP and TAR archives. Remote attackers can trigger resource exhaustion by providing maliciously crafted archive files during install or update operations, causing service degradation or system unavailability. |
| CVE-2026-28448 | | | 2026-03-05 | N/A | 5.6 MEDIUM | OpenClaw versions 2026.1.29 prior to 2026.2.1 contain a vulnerability in the Twitch plugin (must be installed and enabled) in which it fails to enforce the allowFrom allowlist when allowedRoles is unset or empty, allowing unauthorized Twitch users to trigger agent dispatch. Remote attackers can mention the bot in Twitch chat to bypass access control and invoke the agent pipeline, potentially causing unintended actions or resource exhaustion. |
| CVE-2026-28395 | | | 2026-03-05 | N/A | 4.8 MEDIUM | OpenClaw versions 2026.1.14-1 prior to 2026.2.12 contain an improper network binding vulnerability in the Chrome extension (must be installed and enabled) relay server that treats wildcard hosts as loopback addresses, allowing the relay HTTP/WS server to bind to all interfaces when a wildcard cdpUrl is configured. Remote attackers can access relay HTTP endpoints off-host to leak service presence and port information, or conduct denial-of-service and brute-force attacks against the relay token hea ... |
| CVE-2026-28394 | | | 2026-03-05 | N/A | 6.5 MEDIUM | OpenClaw versions prior to 2026.2.15 contain a denial of service vulnerability in the web_fetch tool that allows attackers to crash the Gateway process through memory exhaustion by parsing oversized or deeply nested HTML responses. Remote attackers can social-engineer users into fetching malicious URLs with pathological HTML structures to exhaust server memory and cause service unavailability. |
| CVE-2026-27750 | | | 2026-03-05 | N/A | 7.8 HIGH | Avira Internet Security contains a time-of-check time-of-use (TOCTOU) vulnerability in the Optimizer component. A privileged service running as SYSTEM identifies directories for cleanup during a scan phase and subsequently deletes them during a separate cleanup phase without revalidating the target path. A local attacker can replace a previously scanned directory with a junction or reparse point before deletion occurs, causing the privileged process to delete an unintended system location. This ... |
| CVE-2026-27749 | | | 2026-03-05 | N/A | 7.8 HIGH | Avira Internet Security contains a deserialization of untrusted data vulnerability in the System Speedup component. The Avira.SystemSpeedup.RealTimeOptimizer.exe process, which runs with SYSTEM privileges, deserializes data from a file located in C:\ProgramData using .NET BinaryFormatter without implementing input validation or deserialization safeguards. Because the file can be created or modified by a local user in default configurations, an attacker can supply a crafted serialized payload th ... |
| CVE-2026-27748 | | | 2026-03-05 | N/A | 7.8 HIGH | Avira Internet Security contains an improper link resolution vulnerability in the Software Updater component. During the update process, a privileged service running as SYSTEM deletes a file under C:\ProgramData without validating whether the path resolves through a symbolic link or reparse point. A local attacker can create a malicious link to redirect the delete operation to an arbitrary file, resulting in deletion of attacker-chosen files with SYSTEM privileges. This may lead to local privil ... |
| CVE-2026-26125 | | | 2026-03-05 | N/A | 8.6 HIGH | Payment Orchestrator Service Elevation of Privilege Vulnerability |
| CVE-2026-26124 | | | 2026-03-05 | N/A | 6.7 MEDIUM | Microsoft ACI Confidential Containers Elevation of Privilege Vulnerability |
| CVE-2026-26122 | | | 2026-03-05 | N/A | 6.5 MEDIUM | Microsoft ACI Confidential Containers Information Disclosure Vulnerability |