CVSS: 5.8 • EPSS: % • CPEs: 1 • EXPL: 0

18 Mar 2026 — OpenClaw version 2026.2.22 prior to 2026.2.23 contains an arbitrary code execution vulnerability in shell-env that allows attackers to execute attacker-controlled binaries by exploiting the trusted-prefix fallback logic for the $SHELL variable. An attacker who can influence the $SHELL environment variable on systems with writable trusted-prefix directories such as /opt/homebrew/bin can execute arbitrary binaries in the OpenClaw process context. • https://www.vulncheck.com/advisories/openclaw-arbitrary-binary-execution-via-shell-environment-variable-trusted-prefix-fallback • CWE-829: Inclusion of Functionality from Untrusted Control Sphere

CVSS: 6.9 • EPSS: % • CPEs: 1 • EXPL: 0

18 Mar 2026 — OpenClaw versions prior to 2026.2.21 fail to filter dangerous process-control environment variables from config env.vars, allowing startup-time code execution. Attackers can inject variables such as NODE_OPTIONS or LD_* through configuration to execute arbitrary code in the OpenClaw gateway service runtime context. • https://github.com/openclaw/openclaw/commit/2cdbadee1f8fcaa93302d7debbfc529e19868ea4 • CWE-15: External Control of System or Configuration Setting

CVSS: 4.8 • EPSS: % • CPEs: 1 • EXPL: 1

18 Mar 2026 — A flaw has been found in itsourcecode University Management System 1.0. Affected is an unknown function of the file /add_result.php. Manipulation of the argument vr can lead to cross-site scripting. The attack may be launched remotely. The exploit has been published and may be used. • https://github.com/sulvant/Security/issues/2 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 7.2 • EPSS: % • CPEs: 1 • EXPL: 0

18 Mar 2026 — If it finds a new executable, it runs it immediately, resulting in RCE. Version 4.0.0 fixes the issue. • https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-hcj4-gfvq-qv4p • CWE-434: Unrestricted Upload of File with Dangerous Type CWE-798: Use of Hard-coded Credentials

CVSS: 7.2 • EPSS: % • CPEs: 1 • EXPL: 0

18 Mar 2026 — The server trusts the `binaries` field in the manifest and executes the specified file without any validation of its contents or behavior, leading to Remote Code Execution (RCE). Version 0.4.0 fixes the issue. • https://github.com/danvei233/xiaoheiFS/security/advisories/GHSA-4vw4-5wmh-7x4v • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 4.3 • EPSS: % • CPEs: 1 • EXPL: 0

17 Mar 2026 — With GHSA-w7xq-vjr3-p9cf, an attacker can achieve remote code execution as the web server user. • https://github.com/LDAPAccountManager/lam/releases/tag/9.5 • CWE-185: Incorrect Regular Expression

CVSS: 8.8 • EPSS: % • CPEs: 1 • EXPL: 0

17 Mar 2026 — Prior to version 9.5, a local file inclusion was detected in the PDF export that allows users to include local PHP files and thereby execute code. In combination with GHSA-88hf-2cjm-m9g8 this allows execution of arbitrary code. • https://github.com/LDAPAccountManager/lam/releases/tag/9.5 • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CVSS: 8.8 • EPSS: % • CPEs: 1 • EXPL: 0

17 Mar 2026 — Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowing authenticated users to execute arbitrary system commands on the app host. • https://github.com/roxy-wi/roxy-wi/commit/a10ac7306c252014f97a7213db4a9470300fa064 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CVSS: 5.1 • EPSS: % • CPEs: 1 • EXPL: 1

17 Mar 2026 — A vulnerability was detected in Portabilis i-Educar 2.11. This impacts an unknown function of the file /intranet/educar_servidor_curso_lst.php of the component Endpoint. Manipulation of the argument Name results in cross-site scripting. The attack may be initiated remotely. The exploit is now public and may be used. • https://github.com/CVE-Hunters/CVE/blob/main/i-educar/XSS_educar_matricula_reclassificar_cad.php.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS: 5.1 • EPSS: % • CPEs: - • EXPL: 1

17 Mar 2026 — A vulnerability was identified in TRENDnet TEW-824DRU 1.010B01/1.04B01. The impacted element is the function sub_420A78 of the file apply_sec.cgi of the component Web Interface. Manipulation of the argument Language leads to cross-site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. • https://github.com/i-Corner/cve/issues/41 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-94: Improper Control of Generation of Code ('Code Injection')