{"sector":{"id":"government","name":"Government & Public Sector","sector":"government","description":"Federal/state agencies, defense contractors, and public-sector IT.\nSensitive to nation-state activity, classified data exposure and identity\nsystems.","visibility":"public"},"top_24h":[{"id":"baa220cf-8f89-4f83-be0a-a124fecb3295","threat_type":"cve","title":"OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a priv","summary":"OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration.","severity":"critical","cvss_score":9.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T19:16:21.380000Z","last_modified_at":"2026-05-05T19:46:45.181090Z","external_id":"CVE-2026-27960","description":"OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration.","affected_products":[],"references":["https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-6vvv-vmfr-xhrx"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-287"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":9.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T02:00:15.955429Z"},{"id":"14ec7f38-462e-4d09-b598-e85a3be6f8cf","threat_type":"cve","title":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of deleg","summary":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).","severity":"high","cvss_score":8.6,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T16:16:18.480000Z","last_modified_at":"2026-05-05T19:46:44.918923Z","external_id":"CVE-2026-7412","description":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).","affected_products":[],"references":["https://gitlab.eclipse.org/security/cve-assignment/-/issues/103","https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-918"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.6,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T02:00:15.564111Z"},{"id":"3c8f8c4e-3e8d-4414-a88a-44f743a92733","threat_type":"cve","title":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticate","summary":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.","severity":"critical","cvss_score":10.0,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T16:16:18.360000Z","last_modified_at":"2026-05-05T19:46:44.895742Z","external_id":"CVE-2026-7411","description":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.","affected_products":[],"references":["https://gitlab.eclipse.org/security/cve-assignment/-/issues/102","https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-22"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":10.0,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T02:00:15.515359Z"},{"id":"566a2b3f-59db-43f8-96c2-b495cca26d76","threat_type":"cve","title":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix interlaced plain identification for encoded extents\n\nOnly plain data w","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix interlaced plain identification for encoded extents\n\nOnly plain data whose start position and on-disk physical length are\nboth aligned to the block size should be classified as interlaced\nplain extents. Otherwise, it must be treated as shifted plain extents.\n\nThis issue was found by syzbot using a crafted compressed image\ncontaining plain extents with unaligned physical lengths, which can\ncause OOB read in z_erofs_transform_plain().","severity":"unknown","cvss_score":null,"cvss_vector":null,"cvss_version":null,"tags":["nvd"],"published_at":"2026-05-06T12:16:34.800000Z","last_modified_at":"2026-05-06T14:04:53.646599Z","external_id":"CVE-2026-43166","description":"In the Linux kernel, the following vulnerability has been resolved:\n\nerofs: fix interlaced plain identification for encoded extents\n\nOnly plain data whose start position and on-disk physical length are\nboth aligned to the block size should be classified as interlaced\nplain extents. Otherwise, it must be treated as shifted plain extents.\n\nThis issue was found by syzbot using a crafted compressed image\ncontaining plain extents with unaligned physical lengths, which can\ncause OOB read in z_erofs_transform_plain().","affected_products":[],"references":["https://git.kernel.org/stable/c/4a2d046e4b13202a6301a993961f5b30ae4d7119","https://git.kernel.org/stable/c/9d5a97bc71ed5783687705c708454c4453aa91d1","https://git.kernel.org/stable/c/d3790f26d38606f020212486359b84632c19d08b"],"sources":["nvd"],"score":25.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":true,"matched":["classified"],"points":25},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":null,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":25,"final_score":25.0},"calculated_at":"2026-05-06T14:04:56.647072Z"},{"id":"81b751b5-289c-4537-bdfb-3d449bababa3","threat_type":"cve","title":"FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName\n before constructing file pa","summary":"FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName\n before constructing file paths, allowing an unauthenticated attacker to\n write arbitrary files outside the intended upload directory or read \nfiles from arbitrary locations on the server.\n\nThis issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.\n\nUsers are recommended to upgrade to version 10.9.0, which fixes the issue.","severity":"medium","cvss_score":6.5,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T10:16:26.163000Z","last_modified_at":"2026-05-06T15:05:39.151793Z","external_id":"CVE-2026-43975","description":"FolderUploadsFileManager in Apache Wicket does not validate or sanitize the uploadFieldId parameter or the clientFileName\n before constructing file paths, allowing an unauthenticated attacker to\n write arbitrary files outside the intended upload directory or read \nfiles from arbitrary locations on the server.\n\nThis issue affects Apache Wicket: from 8.0.0 through 8.17.0, from 9.0.0 through 9.22.0, from 10.0.0 through 10.8.0.\n\nUsers are recommended to upgrade to version 10.9.0, which fixes the issue.","affected_products":[],"references":["https://github.com/apache/wicket/pull/1432","https://lists.apache.org/thread/xp2jrdk6ppv1zcmxb4w1mk2lg1dw3hbr","http://www.openwall.com/lists/oss-security/2026/05/06/4"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-22"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":6.5,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-05-06T15:05:39.330677Z"},{"id":"4fac05e6-0722-4048-8e73-3a6bd7302e9f","threat_type":"cve","title":"There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary cod","summary":"There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, privilege escalation and path traversal bypass.","severity":"medium","cvss_score":5.2,"cvss_vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T10:16:19.950000Z","last_modified_at":"2026-05-06T11:01:38.717610Z","external_id":"CVE-2026-40001","description":"There is a local privilege escalation vulnerability in the ZTE PROCESS Guard service of the cloud computer client, which may allow local arbitrary code execution, privilege escalation and path traversal bypass.","affected_products":[],"references":["https://support.zte.com.cn/zte-iccp-isupport-webui/bulletin/detail/1477954674427011121"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-269"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":5.2,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-05-06T11:01:39.965473Z"},{"id":"121bf131-5b9f-4421-833e-c76d3eaf661c","threat_type":"cve","title":"The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path val","summary":"The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve \".\\..\\\" segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with administrator access to read arbitrary files readable by the web-server user — including wp-config.php with its database credentials and authentication salts — by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the shape /../../ as the file-field value. The resolved file is attached to the outbound admin-notification email via wp_mail(). While the email can be triggered by unauthenticated users, the email recipient is not user-controlled.","severity":"medium","cvss_score":4.9,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T08:16:03.813000Z","last_modified_at":"2026-05-06T14:04:51.537318Z","external_id":"CVE-2026-6344","description":"The Fluent Forms plugin for WordPress is vulnerable to Arbitrary File Read in versions up to and including 6.2.1. This is due to insufficient path validation in the getAttachments() method of EmailNotificationActions, which resolves attacker-supplied file-upload URLs into filesystem paths without verifying that the resolved path stays inside the WordPress uploads directory: a strpos() prefix check on the raw URL can be bypassed with traversal sequences, wp_normalize_path() does not resolve \".\\..\\\" segments, and file_exists() then resolves them at the kernel level. This makes it possible for authenticated attackers with administrator access to read arbitrary files readable by the web-server user — including wp-config.php with its database credentials and authentication salts — by submitting a form whose admin notification is configured to attach a file-upload field and supplying a crafted URL of the shape /../../ as the file-field value. The resolved file is attached to the outbound admin-notification email via wp_mail(). While the email can be triggered by unauthenticated users, the email recipient is not user-controlled.","affected_products":[],"references":["https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Hooks/Ajax.php#L17","https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Modules/SubmissionHandler/SubmissionHandler.php#L17","https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L121","https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L130","https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L133","https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L135","https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L137","https://plugins.trac.wordpress.org/browser/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php#L151","https://plugins.trac.wordpress.org/changeset/3513845/fluentform/trunk/app/Services/FormBuilder/Notifications/EmailNotificationActions.php","https://www.wordfence.com/threat-intel/vulnerabilities/id/0101113b-70c2-4db4-b6b1-b2412f6e1214?source=cve"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-22"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":4.9,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-05-06T14:04:57.322115Z"},{"id":"f225734d-f978-4351-ae52-b46351c0c6ce","threat_type":"cve","title":"Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported versions that is affected is 3.77. Easily exploitable vulner","summary":"Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported versions that is affected is 3.77. Easily exploitable vulnerability allows unauthenticated attacker with network access to compromise Oracle OCI CLI. Successful attacks of this vulnerability can result in Oracle OCI CLI allowing users to place imported files outside the intended directory.","severity":"medium","cvss_score":6.1,"cvss_vector":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:L","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-06T08:16:03.697000Z","last_modified_at":"2026-05-06T15:05:39.107761Z","external_id":"CVE-2026-35254","description":"Vulnerability in the Oracle OCI CLI product of Oracle Open Source Projects. The supported versions that is affected is 3.77. Easily exploitable vulnerability allows unauthenticated attacker with network access to compromise Oracle OCI CLI. Successful attacks of this vulnerability can result in Oracle OCI CLI allowing users to place imported files outside the intended directory.","affected_products":[],"references":["https://www.oracle.com/security-alerts/all-oracle-cves-outside-other-oracle-public-documents.html"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-22"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":6.1,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-05-06T15:05:39.318362Z"},{"id":"83f1048d-29c7-4635-b012-e3bee2bfb6bf","threat_type":"cve","title":"OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmr","summary":"OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a filesystem path from user-controlled input without performing path boundary validation — the getFile() method concatenates the user-supplied path into an absolute filesystem path without calling normalize() or checking that the result stays within the allowed module resources directory. Because this endpoint serves static resources required for rendering the login page, it is not protected by authentication filters, allowing unauthenticated exploitation.\n\nAn attacker can traverse directories and read arbitrary files from the server filesystem, including /etc/passwd and application configuration files containing database credentials. Successful exploitation requires the target deployment to run on Apache Tomcat versions prior to 8.5.31, where the ..; path parameter bypass is not mitigated by the container. Deployments on Tomcat 8.5.31 or later and Tomcat 9.0.10 or later are protected at the container level, though the underlying code defect remains. This issue has been fixed in versions after 2.7.8 (within the 2.7.x branch) and in version 2.8.6 and later.","severity":"unknown","cvss_score":null,"cvss_vector":null,"cvss_version":null,"tags":["nvd"],"published_at":"2026-05-05T22:16:00.520000Z","last_modified_at":"2026-05-05T22:49:38.059873Z","external_id":"CVE-2026-40075","description":"OpenMRS Core is an open source electronic medical record system platform. In versions 2.7.8 and earlier and versions 2.8.0 through 2.8.5, the `/openmrs/moduleResources/{moduleid}` endpoint is vulnerable to a path traversal attack. The ModuleResourcesServlet constructs a filesystem path from user-controlled input without performing path boundary validation — the getFile() method concatenates the user-supplied path into an absolute filesystem path without calling normalize() or checking that the result stays within the allowed module resources directory. Because this endpoint serves static resources required for rendering the login page, it is not protected by authentication filters, allowing unauthenticated exploitation.\n\nAn attacker can traverse directories and read arbitrary files from the server filesystem, including /etc/passwd and application configuration files containing database credentials. Successful exploitation requires the target deployment to run on Apache Tomcat versions prior to 8.5.31, where the ..; path parameter bypass is not mitigated by the container. Deployments on Tomcat 8.5.31 or later and Tomcat 9.0.10 or later are protected at the container level, though the underlying code defect remains. This issue has been fixed in versions after 2.7.8 (within the 2.7.x branch) and in version 2.8.6 and later.","affected_products":[],"references":["https://github.com/openmrs/openmrs-core/security/advisories/GHSA-jjgj-cx3q-pw4w"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-22"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":null,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-05-06T02:00:16.356081Z"},{"id":"4d451624-49ff-489d-91c7-e42e287bab1f","threat_type":"cve","title":"Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make ou","summary":"Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The FilterDeadline function in filter.go is intended to gate outbound URLs, but when both the allow-list and deny-list are empty (the default configuration), it returns nil unconditionally and permits any URL. \n\nThis is a blind SSRF: Gotenberg POSTs the converted document to the webhook URL and only checks whether the response status code is an error, but never returns the target's response body to the attacker. An attacker can use this to probe internal network infrastructure by observing whether the error callback is invoked, force POST requests against internal services that perform side effects, and confirm reachability of cloud metadata endpoints. The retryable HTTP client issues up to 4 automatic retries per request, amplifying each probe.\n\nThis issue has been fixed in version 8.31.0. As a workaround, configure the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to restrict webhook URLs to known receivers, or set GOTENBERG_API_WEBHOOK_DENY_LIST to block RFC-1918 and link-local address ranges.","severity":"unknown","cvss_score":null,"cvss_vector":null,"cvss_version":null,"tags":["nvd"],"published_at":"2026-05-05T21:16:22.397000Z","last_modified_at":"2026-05-05T21:48:38.594383Z","external_id":"CVE-2026-39383","description":"Gotenberg is an API-based document conversion tool. In version 8.29.1, an unauthenticated attacker with network access can force the server to make outbound HTTP POST requests to arbitrary internal or external destinations by supplying a crafted URL in the Gotenberg-Webhook-Url request header. The FilterDeadline function in filter.go is intended to gate outbound URLs, but when both the allow-list and deny-list are empty (the default configuration), it returns nil unconditionally and permits any URL. \n\nThis is a blind SSRF: Gotenberg POSTs the converted document to the webhook URL and only checks whether the response status code is an error, but never returns the target's response body to the attacker. An attacker can use this to probe internal network infrastructure by observing whether the error callback is invoked, force POST requests against internal services that perform side effects, and confirm reachability of cloud metadata endpoints. The retryable HTTP client issues up to 4 automatic retries per request, amplifying each probe.\n\nThis issue has been fixed in version 8.31.0. As a workaround, configure the GOTENBERG_API_WEBHOOK_ALLOW_LIST environment variable to restrict webhook URLs to known receivers, or set GOTENBERG_API_WEBHOOK_DENY_LIST to block RFC-1918 and link-local address ranges.","affected_products":[],"references":["https://github.com/gotenberg/gotenberg/security/advisories/GHSA-5vh4-rgv7-p9g4"],"sources":["nvd"],"score":20.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-918"],"points":20},"cvss_threshold":{"hit":false,"threshold":7.0,"cvss_score":null,"points":0},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":20,"final_score":20.0},"calculated_at":"2026-05-06T02:00:16.266104Z"}],"top_7d":[{"id":"0da69b0c-abe3-484a-af6c-cc3bd2432dc7","threat_type":"cve","title":"cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to g","summary":"cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.","severity":"critical","cvss_score":9.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd","kev","actively-exploited","ransomware"],"published_at":"2026-04-29T22:17:34.339369Z","last_modified_at":"2026-05-06T15:23:37.677810Z","external_id":"CVE-2026-41940","description":"cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.","affected_products":["cpe:2.3:a:cpanel:cpanel:*:*:*:*:*:*:*:*","cpe:2.3:a:cpanel:whm:*:*:*:*:*:*:*:*","cpe:2.3:a:cpanel:wp_squared:*:*:*:*:*:wordpress:*:*"],"references":["https://docs.cpanel.net/release-notes/release-notes","https://docs.wpsquared.com/changelogs/versions/changelog/#13617","https://support.cpanel.net/hc/en-us/articles/40073787579671-cPanel-WHM-Security-Update-04-28-2026","https://www.namecheap.com/status-updates/ongoing-critical-security-vulnerability-in-cpanel-april-28-2026","https://www.vulncheck.com/advisories/cpanel-and-whm-authentication-bypass-via-login-flow","https://labs.watchtowr.com/the-internet-is-falling-down-falling-down-falling-down-cpanel-whm-authentication-bypass-cve-2026-41940/","https://www.bleepingcomputer.com/news/security/critrical-cpanel-flaw-mass-exploited-in-sorry-ransomware-attacks/","https://github.com/watchtowrlabs/watchTowr-vs-cPanel-WHM-AuthBypass-to-RCE.py","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-41940"],"sources":["nvd","cisa_kev"],"score":75.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":9.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":true,"points":25},"actively_exploited":{"hit":true,"points":15},"ransomware":{"hit":true,"points":15},"multi_source":{"hit":true,"source_count":2,"points":5},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":75,"final_score":75.0},"calculated_at":"2026-05-06T15:24:16.023863Z"},{"id":"4f1e1ccb-9a2d-4d4b-88d6-025408e35526","threat_type":"cve","title":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit","summary":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit 72548b093ee3 except for the copying of\nthe associated data.\n\nThere is no benefit in operating in-place in algif_aead since the\nsource and destination come from different mappings.  Get rid of\nall the complexity added for in-place operation and just copy the\nAD directly.","severity":"critical","cvss_score":7.8,"cvss_vector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd","kev","actively-exploited"],"published_at":"2026-04-29T22:17:30.493476Z","last_modified_at":"2026-05-06T15:23:37.653656Z","external_id":"CVE-2026-31431","description":"In the Linux kernel, the following vulnerability has been resolved:\n\ncrypto: algif_aead - Revert to operating out-of-place\n\nThis mostly reverts commit 72548b093ee3 except for the copying of\nthe associated data.\n\nThere is no benefit in operating in-place in algif_aead since the\nsource and destination come from different mappings.  Get rid of\nall the complexity added for in-place operation and just copy the\nAD directly.","affected_products":["cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc1:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc2:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc3:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc4:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc5:*:*:*:*:*:*","cpe:2.3:o:linux:linux_kernel:7.0:rc6:*:*:*:*:*:*","cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:10.0:*:*:*:*:*:*:*","cpe:2.3:o:redhat:enterprise_linux:10.1:*:*:*:*:*:*:*","cpe:2.3:o:amazon:amazon_linux:-:*:*:*:*:*:*:*","cpe:2.3:o:canonical:ubuntu_linux:-:*:*:*:*:*:*:*","cpe:2.3:o:suse:suse_linux:-:*:*:*:*:*:*:*"],"references":["https://git.kernel.org/stable/c/19d43105a97be0810edbda875f2cd03f30dc130c","https://git.kernel.org/stable/c/3115af9644c342b356f3f07a4dd1c8905cd9a6fc","https://git.kernel.org/stable/c/893d22e0135fa394db81df88697fba6032747667","https://git.kernel.org/stable/c/8b88d99341f139e23bdeb1027a2a3ae10d341d82","https://git.kernel.org/stable/c/961cfa271a918ad4ae452420e7c303149002875b","https://git.kernel.org/stable/c/a664bf3d603dc3bdcf9ae47cc21e0daec706d7a5","https://git.kernel.org/stable/c/ce42ee423e58dffa5ec03524054c9d8bfd4f6237","https://git.kernel.org/stable/c/fafe0fa2995a0f7073c1c358d7d3145bcc9aedd8","http://www.openwall.com/lists/oss-security/2026/04/29/23","http://www.openwall.com/lists/oss-security/2026/04/29/25","http://www.openwall.com/lists/oss-security/2026/04/29/26","http://www.openwall.com/lists/oss-security/2026/04/30/10","http://www.openwall.com/lists/oss-security/2026/04/30/11","http://www.openwall.com/lists/oss-security/2026/04/30/12","http://www.openwall.com/lists/oss-security/2026/04/30/14","http://www.openwall.com/lists/oss-security/2026/04/30/15","http://www.openwall.com/lists/oss-security/2026/04/30/16","http://www.openwall.com/lists/oss-security/2026/04/30/17","http://www.openwall.com/lists/oss-security/2026/04/30/18","http://www.openwall.com/lists/oss-security/2026/04/30/2","http://www.openwall.com/lists/oss-security/2026/04/30/20","http://www.openwall.com/lists/oss-security/2026/04/30/5","http://www.openwall.com/lists/oss-security/2026/04/30/6","http://www.openwall.com/lists/oss-security/2026/05/01/10","http://www.openwall.com/lists/oss-security/2026/05/01/12","http://www.openwall.com/lists/oss-security/2026/05/01/15","http://www.openwall.com/lists/oss-security/2026/05/01/16","http://www.openwall.com/lists/oss-security/2026/05/01/17","http://www.openwall.com/lists/oss-security/2026/05/01/18","http://www.openwall.com/lists/oss-security/2026/05/01/2","http://www.openwall.com/lists/oss-security/2026/05/01/22","http://www.openwall.com/lists/oss-security/2026/05/01/23","http://www.openwall.com/lists/oss-security/2026/05/01/24","http://www.openwall.com/lists/oss-security/2026/05/01/3","http://www.openwall.com/lists/oss-security/2026/05/02/14","http://www.openwall.com/lists/oss-security/2026/05/02/15","http://www.openwall.com/lists/oss-security/2026/05/02/16","http://www.openwall.com/lists/oss-security/2026/05/02/17","http://www.openwall.com/lists/oss-security/2026/05/02/18","http://www.openwall.com/lists/oss-security/2026/05/02/19","http://www.openwall.com/lists/oss-security/2026/05/02/20","http://www.openwall.com/lists/oss-security/2026/05/02/21","http://www.openwall.com/lists/oss-security/2026/05/02/23","http://www.openwall.com/lists/oss-security/2026/05/02/24","http://www.openwall.com/lists/oss-security/2026/05/02/25","http://www.openwall.com/lists/oss-security/2026/05/02/4","http://www.openwall.com/lists/oss-security/2026/05/02/5","http://www.openwall.com/lists/oss-security/2026/05/02/6","http://www.openwall.com/lists/oss-security/2026/05/02/7","http://www.openwall.com/lists/oss-security/2026/05/02/8","http://www.openwall.com/lists/oss-security/2026/05/03/10","http://www.openwall.com/lists/oss-security/2026/05/03/12","http://www.openwall.com/lists/oss-security/2026/05/03/13","http://www.openwall.com/lists/oss-security/2026/05/03/3","http://www.openwall.com/lists/oss-security/2026/05/03/4","http://www.openwall.com/lists/oss-security/2026/05/03/5","http://www.openwall.com/lists/oss-security/2026/05/03/6","http://www.openwall.com/lists/oss-security/2026/05/04/1","http://www.openwall.com/lists/oss-security/2026/05/04/10","http://www.openwall.com/lists/oss-security/2026/05/04/11","http://www.openwall.com/lists/oss-security/2026/05/04/12","http://www.openwall.com/lists/oss-security/2026/05/04/13","http://www.openwall.com/lists/oss-security/2026/05/04/14","http://www.openwall.com/lists/oss-security/2026/05/04/2","http://www.openwall.com/lists/oss-security/2026/05/04/24","http://www.openwall.com/lists/oss-security/2026/05/04/27","http://www.openwall.com/lists/oss-security/2026/05/04/28","http://www.openwall.com/lists/oss-security/2026/05/04/29","http://www.openwall.com/lists/oss-security/2026/05/04/31","http://www.openwall.com/lists/oss-security/2026/05/04/8","http://www.openwall.com/lists/oss-security/2026/05/04/9","http://www.openwall.com/lists/oss-security/2026/05/06/5","https://copy.fail","https://websec.net/blog/cve-2026-31431-linux-algifaead-page-cache-write-to-root-69f38a4ccddd2db1f520f170","https://access.redhat.com/security/cve/cve-2026-31431#cve-details-mitigation","https://github.com/theori-io/copy-fail-CVE-2026-31431","https://lore.kernel.org/linux-cve-announce/2026042214-CVE-2026-31431-3d65@gregkh/","https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2026-31431","https://xint.io/blog/copy-fail-linux-distributions#the-fix-6"],"sources":["cisa_kev","nvd"],"score":60.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":false,"matched":[],"points":0},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":true,"points":25},"actively_exploited":{"hit":true,"points":15},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":true,"source_count":2,"points":5},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":60,"final_score":60.0},"calculated_at":"2026-05-06T15:24:16.017346Z"},{"id":"baa220cf-8f89-4f83-be0a-a124fecb3295","threat_type":"cve","title":"OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a priv","summary":"OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration.","severity":"critical","cvss_score":9.8,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T19:16:21.380000Z","last_modified_at":"2026-05-05T19:46:45.181090Z","external_id":"CVE-2026-27960","description":"OpenCTI is an open source platform for managing cyber threat intelligence knowledge and observables. In versions 6.6.0 through 6.9.12, there is a privilege escalation vulnerability that can be exploited by unauthenticated attackers to query the API as any existing user, including the default admin account. This issue has been fixed in version 6.9.13. As a workaround, the default admin can be disabled using the `APP__ADMIN__EXTERNALLY_MANAGED` configuration.","affected_products":[],"references":["https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-6vvv-vmfr-xhrx"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-287"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":9.8,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T02:00:15.955429Z"},{"id":"14ec7f38-462e-4d09-b598-e85a3be6f8cf","threat_type":"cve","title":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of deleg","summary":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).","severity":"high","cvss_score":8.6,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T16:16:18.480000Z","last_modified_at":"2026-05-05T19:46:44.918923Z","external_id":"CVE-2026-7412","description":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, the Operation Delegation feature fails to validate the destination URI of delegated requests. An unauthenticated remote attacker can exploit this design flaw to force the BaSyx server to execute blind HTTP POST requests to arbitrary internal or external targets. This allows an attacker to bypass network segmentation and pivot into isolated internal IT/OT infrastructure or target Cloud Metadata services (IMDS).","affected_products":[],"references":["https://gitlab.eclipse.org/security/cve-assignment/-/issues/103","https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-918"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.6,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T02:00:15.564111Z"},{"id":"3c8f8c4e-3e8d-4414-a88a-44f743a92733","threat_type":"cve","title":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticate","summary":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.","severity":"critical","cvss_score":10.0,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T16:16:18.360000Z","last_modified_at":"2026-05-05T19:46:44.895742Z","external_id":"CVE-2026-7411","description":"In Eclipse BaSyx Java Server SDK versions prior to 2.0.0-milestone-10, inadequate path normalization in the Submodel HTTP API allows an unauthenticated remote attacker to perform a path traversal attack. By supplying a maliciously crafted fileName parameter during a file upload operation, an attacker can bypass intended storage boundaries and write arbitrary files to any location on the host filesystem accessible by the Java process. This can lead to Remote Code Execution (RCE) and complete system compromise.","affected_products":[],"references":["https://gitlab.eclipse.org/security/cve-assignment/-/issues/102","https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/423"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-22"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":10.0,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T02:00:15.515359Z"},{"id":"3d20bff5-a997-4367-a652-c7854e8de634","threat_type":"cve","title":"The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via t","summary":"The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.","severity":"critical","cvss_score":9.1,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T14:16:08.873000Z","last_modified_at":"2026-05-05T18:45:39.390891Z","external_id":"CVE-2026-36356","description":"The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.","affected_products":[],"references":["http://forgeslt711.com","http://meig.com","https://github.com/totekuh/CVE-2026-36356"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-78"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":9.1,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T02:00:15.164010Z"},{"id":"c15f5a92-d5ce-43a9-9087-aeda8eb39169","threat_type":"cve","title":"OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers","summary":"OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.","severity":"high","cvss_score":7.7,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T12:16:21.163000Z","last_modified_at":"2026-05-05T19:46:44.554866Z","external_id":"CVE-2026-43573","description":"OpenClaw before 2026.4.10 contains a server-side request forgery policy bypass vulnerability in existing-session browser interaction routes. Attackers can bypass SSRF navigation guards to interact with or navigate to unauthorized targets without policy enforcement.","affected_products":[],"references":["https://github.com/openclaw/openclaw/commit/daeb74920d5ad986cb600625180037e23221e93a","https://github.com/openclaw/openclaw/security/advisories/GHSA-527m-976r-jf79","https://www.vulncheck.com/advisories/openclaw-ssrf-policy-bypass-in-existing-session-browser-interaction-routes"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-918"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.7,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T02:00:15.039643Z"},{"id":"b5b9c626-156f-4450-ab75-3afe9985fcbf","threat_type":"cve","title":"OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by defaul","summary":"OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests.","severity":"high","cvss_score":7.7,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T12:16:18.777000Z","last_modified_at":"2026-05-05T19:46:44.200252Z","external_id":"CVE-2026-43527","description":"OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests.","affected_products":[],"references":["https://github.com/openclaw/openclaw/commit/024f4614a1a1831406e763adc40ef226e3d5e9ed","https://github.com/openclaw/openclaw/commit/1dabfef28db523e7de81edeb3dd689e9171236a2","https://github.com/openclaw/openclaw/commit/213c36cf51121ef6c05cfccd78037371f968f31a","https://github.com/openclaw/openclaw/commit/7eecfa411df3d12e6b810e6ca5df47254fc3db3f","https://github.com/openclaw/openclaw/security/advisories/GHSA-53vx-pmqw-863c","https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-private-network-navigation"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-918"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.7,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T02:00:15.002448Z"},{"id":"058512c7-0d21-4ef0-a1c7-ddd6f1eb9e18","threat_type":"cve","title":"OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitr","summary":"OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel.","severity":"high","cvss_score":8.2,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T12:16:18.640000Z","last_modified_at":"2026-05-05T19:46:44.176119Z","external_id":"CVE-2026-43526","description":"OpenClaw before 2026.4.12 contains a server-side request forgery vulnerability in QQBot reply media URL handling that allows attackers to fetch arbitrary content. Attackers can exploit this by providing malicious media URLs that trigger SSRF requests, with fetched bytes subsequently re-uploaded through the channel.","affected_products":[],"references":["https://github.com/openclaw/openclaw/commit/08ae021d1f4f02e0ca5fd8a3b9659291c1ecf95a","https://github.com/openclaw/openclaw/commit/ddb7a8dd80b8d5dd04aafa44ce7a4354b568bb2d","https://github.com/openclaw/openclaw/security/advisories/GHSA-2767-2q9v-9326","https://www.vulncheck.com/advisories/openclaw-server-side-request-forgery-via-qqbot-reply-media-url-handling"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-918"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":8.2,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T02:00:14.848939Z"},{"id":"79a01124-4cfb-4650-9241-fa074ab546e9","threat_type":"cve","title":"Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in ","summary":"Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.","severity":"high","cvss_score":7.3,"cvss_vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","cvss_version":"3.1","tags":["nvd"],"published_at":"2026-05-05T09:16:04.340000Z","last_modified_at":"2026-05-06T16:06:39.390672Z","external_id":"CVE-2026-43870","description":"Origin Validation Error, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting'), Uncontrolled Resource Consumption vulnerability in Apache Thrift.\n\nThis issue affects Apache Thrift: before 0.23.0.\n\nUsers are recommended to upgrade to version 0.23.0, which fixes the issue.","affected_products":[],"references":["https://lists.apache.org/thread/pgtfq44ltc9t63kxcbqmwqzt45pnhqdy","http://www.openwall.com/lists/oss-security/2026/05/05/4"],"sources":["nvd"],"score":35.0,"score_breakdown":{"technology_match":{"hit":false,"matched":[],"points":0},"keyword_match":{"hit":false,"matched":[],"points":0},"cwe_match":{"hit":true,"matched":["CWE-22"],"points":20},"cvss_threshold":{"hit":true,"threshold":7.0,"cvss_score":7.3,"points":15},"priority_boost":{"hit":false,"matched":[],"points":0},"excluded":{"hit":false,"matched":[],"points":0},"kev":{"hit":false,"points":0},"actively_exploited":{"hit":false,"points":0},"ransomware":{"hit":false,"points":0},"multi_source":{"hit":false,"source_count":1,"points":0},"package_match":{"hit":false,"matched":[],"points":0},"raw_total":35,"final_score":35.0},"calculated_at":"2026-05-06T16:06:39.947111Z"}],"stats":{"total_threats":28771,"critical_count":146,"high_count":0,"average_score":10.27,"sources_active":["nvd","cisa_kev"]}}