Security Vulnerabilities - CVEs Published In 2026
Improper access control in Samsung DeX prior to SMR Apr-2026 Release 1 allows physical attackers to access to hidden notification contents.
CVSS Score
4.7
EPSS Score
0.0
Published
2026-04-13
Improper check for exceptional conditions in Device Care prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Knox Guard.
CVSS Score
4.4
EPSS Score
0.0
Published
2026-04-13
Exposure of sensitive information in S Share prior to SMR Apr-2026 Release 1 allows adjacent attacker to access sensitive information.
CVSS Score
5.1
EPSS Score
0.0
Published
2026-04-13
Improper input validation in Retail Mode prior to SMR Apr-2026 Release 1 allows local attackers to trigger privileged functions.
CVSS Score
6.6
EPSS Score
0.0
Published
2026-04-13
Incorrect privilege assignment in Bluetooth in Maintenance mode prior to SMR Apr-2026 Release 1 allows physical attackers to bypass Extend Unlock.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-04-13
External control of file name in AODManager prior to SMR Apr-2026 Release 1 allows privileged local attacker to create file with system privilege.
CVSS Score
6.8
EPSS Score
0.0
Published
2026-04-13
CVE-2026-34621
Acrobat Reader versions 24.001.30356, 26.001.21367 and earlier are affected by an Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.
Known exploited
CVSS Score
8.6
EPSS Score
0.0
Published
2026-04-11
OpenClaw before 2026.3.24 contains a path traversal vulnerability in sandbox enforcement allowing sandboxed agents to read arbitrary files from other agents' workspaces via unnormalized mediaUrl or fileUrl parameter keys. Attackers can exploit incomplete parameter validation in normalizeSandboxMediaParams and missing mediaLocalRoots context to access sensitive files including API keys and configuration data outside designated sandbox roots.
CVSS Score
7.1
EPSS Score
0.001
Published
2026-04-10
OpenClaw before 2026.3.25 contains a privilege escalation vulnerability in gateway-authenticated plugin HTTP routes that incorrectly mint operator.admin runtime scope regardless of caller-granted scopes. Attackers can exploit this scope boundary bypass to gain elevated privileges and perform unauthorized administrative actions.
CVSS Score
8.7
EPSS Score
0.0
Published
2026-04-10
OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable numeric user identifiers. Attackers can manipulate username changes to redirect webhook-triggered replies to different users, bypassing the intended recipient binding recorded in webhook events.
CVSS Score
6.0
EPSS Score
0.001
Published
2026-04-10
Page 1