CVE Disclosures Security vulnerabilities I've reported and documented across various open‑source and commercial projects.
Each entry includes:
-
A link to the official CVE record (NVD/MITRE)
-
A short summary of the issue and its impact
-
A write‑up and PoC for reference
| CVE | Summary | Writeup and PoC |
|---|---|---|
| CVE‑2026‑22788 | WebErpMesV2 prior to 1.19 exposes multiple unauthenticated API endpoints, allowing remote attackers to read business‑critical data (companies, quotes, orders, tasks, whiteboards) and perform limited write actions such as creating companies and modifying collaboration whiteboards. | Report |
| CVE‑2026‑22789 | WebErpMesV2 prior to 1.19 contains a file upload validation bypass in multiple controllers, enabling authenticated users to upload arbitrary files (including PHP scripts) that can lead to Remote Code Execution (RCE). | Report |
| CVE‑2026‑23946 | Tendenci ≤ 15.3.11 uses unsafe deserialization in the Helpdesk module; use of pickle.loads() by authenticated staff users can trigger arbitrary code execution. |
Report |
| CVE‑2026‑27013 | fabric.js before 7.2.0 fails to escape user‑controlled strings in SVG attributes during export, leading to stored XSS when attacker‑controlled JSON is loaded and exported as SVG. | Report |
| CVE‑2026‑27203 | eBay API MCP Server’s updateEnvFile in src/auth/oauth.ts writes unvalidated input to .env, enabling environment variable injection that can overwrite configuration, cause denial of service, or enable RCE under certain conditions. |
Report |
| CVE‑2026‑31996 | OpenClaw prior to 2026.2.19 allows unintended filesystem operations via tools.exec.safeBins by abusing flags such as sort -o or grep -R, enabling write/read actions outside intended boundaries. |
Report |
| CVE‑2026‑32898 | Attackers can bypass interactive approval prompts for read-class operations by spoofing toolCall.kind metadata or using non-core read-like tool names, potentially leading to unauthorized data access. | Report |
| CVE‑2026‑4039 | OpenClaw 2026.2.19‑2 contains an issue in the Skill Env Handler (applySkillConfigenvOverrides) that can enable code injection; upgrading to 2026.2.21‑beta.1 or later mitigates the issue. |
Report |
| CVE‑2026‑4040 | OpenClaw up to 2026.2.17 exposes information via tools.exec.safeBins by relying on file‑existence checks that leak sensitive details through timing/response differences. |
Report |
This will be continuously updated as I discover new vulnerabilities.