Philip

#7159of 53,624
38.1Total CVSS
Vulnerabilities · 5
Medium
1
High
4
PT-2026-49766
8.1
2026-06-16
Openclaw · Openclaw · CVE-2026-53849
OpenClaw before 2026.5.7 contains a privilege escalation vulnerability where the allowFrom feature improperly validates Discord account identity using mutable display names instead of immutable user IDs. Attackers with Discord accounts can change their display name to match a policy entry and gain unauthorized agent access intended for another Discord identity.
PT-2026-49774
8.1
2026-06-16
Openclaw · Openclaw · CVE-2026-53857
OpenClaw before 2026.5.3 contains a policy enforcement vulnerability where Zalo contacts with mutable display metadata could match allowFrom policy entries through display name changes. Attackers with mutable display names could receive agent responses intended for different Zalo identities when the feature is enabled.
PT-2026-49027
8.1
2026-06-12
Openclaw · Openclaw · CVE-2026-53823
**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.3 **Description** A privilege escalation issue exists in the `allowFrom` feature, which binds to mutable Slack display names. Attackers with access to a Slack account can modify display name metadata to match policy entries, potentially gaining unauthorized agent access intended for other identities. **Recommendations** Update to version 2026.5.3.
PT-2026-48741
8.8
2026-06-11
Openclaw · Openclaw · CVE-2026-53811
**Name of the Vulnerable Software and Affected Versions** OpenClaw versions prior to 2026.5.7 **Description** A privilege escalation issue exists in the Matrix `allowFrom` feature. Authenticated accounts can match policy entries by manipulating mutable display name metadata. This allows attackers who can change their display names to obtain agent access intended for a different Matrix identity, which may lead to unauthorized permissions based on the operator configuration. **Recommendations** Update to version 2026.5.7 or later.
PT-2004-1394
5.0
2004-03-18
X Cart · X-Cart · CVE-2004-0240
**Name of the Vulnerable Software and Affected Versions** X-Cart version 3.4.3 **Description** A directory traversal issue allows remote attackers to view arbitrary files by including a .. (dot dot) in the `shop closed file` argument to "auth.php". **Recommendations** For X-Cart version 3.4.3, consider restricting access to the "auth.php" file until a patch is available, or apply a configuration change to prevent directory traversal attacks by properly sanitizing the `shop closed file` argument.