CVEs associated with this MITRE ATT&CK attack path. Use the risk scores (Max CVSS, EPSS) together with the publication timeline to decide what to patch first and what to keep tracking.
| CVE | Description | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|
| CVE-2026-11890 | Improper access control in PAM account discovery results in Devolutions Server 2026.2.5, 2026.1.21 allows an authenticated user to retrieve account discovery scan results. | N/A | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-10303 | In ServerCo getssl version 2.49 and prior, the ACME challenge token returned to the client was not strictly validated against RFC 8555 before being used in challenge-file handling, allowing a maliciously crafted token to influence local path/filename usage during validation. An attacker who can supply ACME challenge responses to getssl (for example, a malicious or compromised CA endpoint, or an on-path adversary able to tamper with that response path) could exploit this to achieve unauthorized f | 7.4 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-53864 | OpenClaw before 2026.5.26 contains an insufficient sanitization vulnerability in the host environment sanitizer that allows Node.js control variables to bypass validation. Attackers with access to workspace .env files, tool environment overrides, or skill environment blocks can pass malicious Node.js control variables to influence child processes or coverage output paths. | 7.6 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-53862 | OpenClaw before 2026.5.12 contains a bootstrap token replay vulnerability allowing callers with pending token access to reuse tokens with broader requested scopes. Attackers can replay bootstrap tokens before approval to escalate pairing authority beyond intended scope limits. | 2.3 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-53861 | OpenClaw before 2026.5.6 contains an allowlist bypass vulnerability in the macOS Swift exec feature that misses combined POSIX inline-command flags. Attackers can execute shell content outside the intended allowlist check by using combined flag forms, potentially allowing unauthorized command execution depending on operator configuration. | 5.3 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-53859 | OpenClaw before 2026.5.26 contains a hostname validation vulnerability allowing attackers to bypass blocklist comparisons using trailing-dot notation in model or workspace-derived URLs. Attackers can exploit inconsistent hostname checks to reach destinations that operators intended to block through hostname policies. | 6.0 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-53855 | OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside intended allowlist rules, enabling execution of unapproved shell-provided content. | 7.6 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-53853 | OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowed arguments for allowlisted executables on Linux and macOS systems. Attackers can bypass configured argPattern restrictions by directly invoking allowlisted executables with unrestricted arguments, potentially enabling unauthorized file access, network access, or command execution. | 7.6 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-53848 | OpenClaw before 2026.5.26 contains an exec allowlist bypass vulnerability allowing authenticated operators to execute wrapper-level side effects outside allowlisted command intent. Attackers can craft command requests that bypass allowlist validation by leveraging transparent command wrappers to perform unintended operations. | 2.3 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-53845 | OpenClaw before 2026.5.6 contains a hook bypass vulnerability where skill commands routed through the affected dispatch path skip before-tool-call hook coverage. Attackers can exploit this by sending skill commands through the vulnerable dispatch path to bypass hook-based auditing and policy enforcement mechanisms. | 2.3 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-53841 | OpenClaw before 2026.5.12 contains a cross-site scripting vulnerability in exported session HTML that preserves unsafe javascript: and data: links in generated content. Attackers can execute browser-side scripts if a trusted operator opens the exported file and activates a malicious link. | 2.1 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-9307 | A sensitive information disclosure security issue exists within the affected CompactLogix controllers. The controller's web server exposes CIP Connection IDs on the diagnostics webpage, which are accessible to any unauthenticated user on the network. This information can be leveraged by an attacker to construct malicious packets, leading to Denial-of-Service. | 6.3 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-0646 | A denial-of-service security issue exists within the 1794-AENTR adapter due to improper memory handling of CIP protocol requests. This vulnerability can result in the adapter faulting and losing connection to its associated I/O modules, requiring a manual reset to recover. | 8.7 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2025-11694 | A security issue exists within 1769 CompactLogix controllers due to missing validation of sequence numbers and source IP addresses in the CIP protocol. This allows an attacker to abuse the Connection IDs exposed on the web interface to perform denial-of-service attacks, resulting in a minor fault. | 8.7 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-53900 | Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability was fixed in Firefox for iOS 152.0. | 4.3 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-12323 | Spoofing issue in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152 and Thunderbird 152. | 5.4 | N/A | 2026-06-16 | 2026-06-16 |
| CVE-2026-54197 | Unauthenticated Sensitive Data Exposure in GetGenie <= 4.4.1 versions. | 6.5 | 0.35% | 2026-06-16 | 2026-06-16 |
| CVE-2026-10825 | A denial-of-service vulnerability exists in the WebSocket API due to insufficient validation and handling of JSON-based requests. A low-privileged authenticated attacker can send a specially crafted request that causes service disruption and may result in an unexpected device reboot. | 7.1 | 0.31% | 2026-06-16 | 2026-06-16 |
| CVE-2026-50255 | Incorrect default permissions issue exists in Optical Disc Archive Software for Windows 5.5.3 and earlier. If this vulnerability is exploited, arbitrary code may be executed with SYSTEM privileges. | 5.4 | 0.09% | 2026-06-16 | 2026-06-16 |
| CVE-2026-42014 | A flaw was found in GnuTLS. The `gnutls_pkcs11_token_set_pin` function, used for changing the Security Officer PIN, can lead to a use-after-free vulnerability. This occurs when an attacker attempts to change the PIN with a NULL old PIN for a token that lacks a protected authentication path. | 6.6 | 0.19% | 2026-06-16 | 2026-06-16 |
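The trailing-dot bypass in CVE-2026-53859 is a generic hostname-policy bug: `metadata.internal.` and `metadata.internal` name the same DNS node, so a blocklist that compares raw strings misses the dotted form. The following is an added illustration written for this page, not OpenClaw's code; the blocked hostnames are a constructed sample policy, and the canonicalisation steps (lowercase, strip trailing dots, IDNA-encode) are one reasonable normalisation, not a description of the vendor's fix.

```python
from urllib.parse import urlsplit

# Constructed sample policy (hypothetical): destinations the operator wants blocked.
BLOCKED_HOSTS = frozenset({"metadata.internal", "169.254.169.254"})


def naive_is_blocked(url: str) -> bool:
    """Vulnerable pattern: compares the hostname exactly as it appears in the URL,
    so 'http://metadata.internal./' is not matched against 'metadata.internal'."""
    host = urlsplit(url).hostname or ""
    return host in BLOCKED_HOSTS


def canonical_host(url: str) -> str:
    """Canonical form of the URL's host for policy comparison."""
    host = urlsplit(url).hostname or ""  # already lowercased; IPv6 brackets removed
    host = host.rstrip(".")              # fully-qualified trailing dot(s) are DNS-equivalent
    try:
        host = host.encode("idna").decode("ascii")  # non-ASCII labels -> punycode
    except UnicodeError:
        pass                              # leave as-is; comparison below still runs
    return host


def is_blocked(url: str) -> bool:
    """Hardened check: canonicalise first, then match the host or any subdomain of it."""
    host = canonical_host(url)
    if not host:
        return True                       # no usable host: fail closed
    for blocked in BLOCKED_HOSTS:
        if host == blocked or host.endswith("." + blocked):
            return True
    return False


if __name__ == "__main__":
    for u in ("http://metadata.internal/latest", "http://metadata.internal./latest",
              "http://METADATA.Internal.:8080/", "http://example.org/"):
        print(f"{u:45} naive={naive_is_blocked(u)!s:5} canonical={is_blocked(u)}")
```

The same canonical form must be used wherever the policy is consulted (request time, not only configuration load), otherwise a second comparison path reintroduces the inconsistency the CVE describes.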
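CVE-2026-10303 turns on the ACME client trusting the `token` field of a challenge object before using it to build a filename. RFC 8555 section 8.3 requires the token to be base64url with no padding and at least 128 bits of entropy; 128 bits in base64url is 22 characters, so that is the minimum length used here (that derivation is mine). The example below is added for this page and is not getssl's code; the webroot and the malicious token are constructed. It shows how an unvalidated token escapes the challenge directory and how the RFC check stops it.

```python
import posixpath
import re

# RFC 8555 s8.3: base64url alphabet only, no '=' padding, >= 128 bits of entropy.
# 22 chars is the shortest base64url encoding of 128 bits (my derivation, see lead-in).
ACME_TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{22,}")

CHALLENGE_SUBDIR = ".well-known/acme-challenge"   # standard http-01 location


def is_valid_acme_token(token: str) -> bool:
    return ACME_TOKEN_RE.fullmatch(token) is not None


def naive_challenge_path(webroot: str, token: str) -> str:
    """Vulnerable pattern: the token from the CA response goes straight into the path."""
    return posixpath.normpath(posixpath.join(webroot, CHALLENGE_SUBDIR, token))


def escapes_challenge_dir(webroot: str, path: str) -> bool:
    """True if a normalised path lies outside <webroot>/.well-known/acme-challenge/."""
    challenge_dir = posixpath.normpath(posixpath.join(webroot, CHALLENGE_SUBDIR))
    return not path.startswith(challenge_dir + "/")


def safe_challenge_path(webroot: str, token: str) -> str:
    """Hardened pattern: reject anything that is not an RFC 8555 token before touching
    the filesystem. A valid token cannot contain '/' or '.', so it cannot traverse."""
    if not is_valid_acme_token(token):
        raise ValueError("ACME challenge token violates RFC 8555 section 8.3")
    return naive_challenge_path(webroot, token)


if __name__ == "__main__":
    webroot = "/var/www/html"                      # constructed sample webroot
    good = "DGyRejmCefe7v4NfDGDKfA"                # example token from RFC 8555
    evil = "../../../../tmp/pwned"                  # constructed malicious token
    print(naive_challenge_path(webroot, evil), escapes_challenge_dir(webroot, naive_challenge_path(webroot, evil)))
    print(safe_challenge_path(webroot, good))
```

The ACME client should apply this check regardless of whether the CA is trusted: the CVE's threat model includes an on-path adversary tampering with the response, so the token is attacker-controlled input at the point of use.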
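CVE-2026-53861 (combined POSIX flags) and CVE-2026-53855 (positional parameters) both describe an exec allowlist that recognises `sh -c` but not the other ways a shell can be used as an inline-eval carrier. The detector below is an added example for this page, not OpenClaw's allowlist code; the shell names and the `argv` samples are constructed. It parses options the way a POSIX shell does (clustered flags, `-o` consuming the next argument, `--` ending options) and returns the command string together with any positional parameters that follow it, so a policy can inspect both.

```python
import posixpath

# Constructed sample: executables treated as shells for this check.
SHELLS = frozenset({"sh", "bash", "dash", "zsh", "ksh"})


def naive_inline_eval(argv):
    """Vulnerable pattern: only a standalone '-c' counts, so 'sh -ec cmd' slips through."""
    return bool(argv) and posixpath.basename(argv[0]) in SHELLS and "-c" in argv[1:]


def inline_eval_payload(argv):
    """Return (command_string, positional_params) when argv runs a shell with -c,
    whether the flag stands alone ('-c') or is clustered ('-ec', '-xc', '-exc').
    Returns None when no inline eval is present. Positional params are the
    arguments after the command string ($0, $1, ...), which is where content can be
    smuggled past a check that only looks at the command string itself."""
    if not argv or posixpath.basename(argv[0]) not in SHELLS:
        return None
    has_c = False
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "--":                       # end of options
            i += 1
            break
        if not arg.startswith("-") or arg == "-":
            break                             # first operand
        if arg.startswith("--"):              # long option (bash --norc etc.)
            i += 1
            continue
        letters = arg[1:]
        if "c" in letters:
            has_c = True
        if letters.endswith("o") and i + 1 < len(argv):
            i += 1                            # '-o errexit' / '-xo errexit' take an argument
        i += 1
    if not has_c or i >= len(argv):
        return None
    return argv[i], argv[i + 1:]


if __name__ == "__main__":
    for argv in (["sh", "-c", "id"], ["sh", "-ec", "id"],
                 ["/bin/bash", "-xc", 'echo "$1"', "_", "injected"], ["sh", "script.sh"]):
        print(argv, "naive:", naive_inline_eval(argv), "payload:", inline_eval_payload(argv))
```

Where a policy also applies an argument pattern (compare CVE-2026-53853), the returned command string and positional list are what that pattern must be evaluated against, not the raw flag token.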
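CVE-2026-53841 is the classic unsafe-URL-scheme case: an HTML exporter that copies `href` values through unchanged lets `javascript:` and `data:` links survive into a file an operator will open locally. The sanitiser below is an added example for this page, not OpenClaw's exporter; the scheme allowlist and the sample links are constructed. It decodes entities and strips the control characters and embedded tabs/newlines that browsers ignore before parsing the scheme, so obfuscated forms of `javascript:` are caught as well as the plain one.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed allowlist (hypothetical): schemes a session export is allowed to link to.
SAFE_SCHEMES = frozenset({"http", "https", "mailto"})
NEUTRAL_HREF = "#"

_EDGE_CONTROLS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")   # browsers trim these
_INNER_CONTROLS = re.compile(r"[\t\n\r]")                      # and drop these anywhere


def sanitize_href(raw: str) -> str:
    """Return raw if its scheme is allowed (or it is relative), else a neutral '#'.
    Normalises the way a browser would before deciding, so 'java\\tscript:' and
    ' JavaScript:' are treated the same as 'javascript:'."""
    cleaned = html.unescape(raw)                 # '&#106;avascript:' -> 'javascript:'
    cleaned = _EDGE_CONTROLS.sub("", cleaned)
    cleaned = _INNER_CONTROLS.sub("", cleaned)
    scheme = urlsplit(cleaned).scheme            # lowercased by urlsplit
    if scheme == "" or scheme in SAFE_SCHEMES:
        return cleaned
    return NEUTRAL_HREF


def render_link(href: str, text: str) -> str:
    """Emit an anchor for exported HTML with both the URL and the text escaped."""
    return f'<a href="{html.escape(sanitize_href(href), quote=True)}">{html.escape(text)}</a>'


if __name__ == "__main__":
    # Constructed sample links as they might appear in a session transcript.
    for h in ("https://example.org/x", "javascript:alert(1)", " JavaScript:alert(1)",
              "java\tscript:alert(1)", "&#106;avascript:alert(1)",
              "data:text/html;base64,PHNjcmlwdD4=", "/relative/path"):
        print(repr(h), "->", render_link(h, "link"))
```

Allowlisting schemes is preferable to blocklisting `javascript:` and `data:` by name: `vbscript:` and any future scheme the viewer treats as active content are rejected without a code change.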