CVE-2026-15625
A vulnerability was found in nextlevelbuilder GoClaw 3.11.3. Affected by this issue is the function ExecApprovalManager.CheckCommand of the
CVSS
6.3
Medium
EPSS
0.3%
p20
KEV
—
Exploit Today
6
0-100
Published: Jul 14, 2026 · Last modified: Jul 14, 2026 · CWE-183 · CWE-184
0.3%EPSS · 30 days0.3%
2026-07-142026-07-17
A vulnerability was found in nextlevelbuilder GoClaw 3.11.3. Affected by this issue is the function ExecApprovalManager.CheckCommand of the file internal/tools/exec_approval.go. The manipulation results in incomplete blacklist. The attack can be executed remotely. The exploit has been made public and could be used.
- github.comhttps://github.com/nextlevelbuilder/goclaw/
- github.comhttps://github.com/nextlevelbuilder/goclaw/issues/1200
- github.comhttps://github.com/nextlevelbuilder/goclaw/issues/1200#issuecomment-4760771866
- vuldb.comhttps://vuldb.com/cve/CVE-2026-15625
- vuldb.comhttps://vuldb.com/submit/855804
- vuldb.comhttps://vuldb.com/submit/855806
- vuldb.comhttps://vuldb.com/submit/855807
- vuldb.comhttps://vuldb.com/submit/855845
- vuldb.comhttps://vuldb.com/submit/855846
- vuldb.comhttps://vuldb.com/submit/855848
- vuldb.comhttps://vuldb.com/vuln/378127
- vuldb.comhttps://vuldb.com/vuln/378127/cti
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-344159.8 CRI88.1%
——26Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.3dCVE-2026-219156.7 MED80.9%
——24A Permissive List of Allowed Input vulnerability in the CLI of Juniper Networks Support Insights (JSI) Virtual Lightweight Collector (vLWC) allows a local, high privileged attacker to escalate their privileges to root.
The CLI menu accepts input without carefully validating it, which allows for shell command injection. These shell commands are executed with root permissions and can be used to gain complete control of the system.
This issue affects all JSI vLWC versions before 3.0.94.10dCVE-2026-545138.1 HIG48.9%
——15jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array's component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.16hCVE-2026-4986910.0 CRI48.4%
——15Kestra is an open-source, event-driven orchestration platform. Prior to 1.0.45 and 1.3.21, AuthenticationFilter in Kestra OSS uses request.getPath().endsWith("/configs") to whitelist the public configuration endpoint from Basic Auth. Because the check is a suffix match rather than an exact path match, any API path whose last segment is configs bypasses authentication entirely. An unauthenticated remote attacker can exploit this to create and execute arbitrary workflows without credentials. Because Kestra ships with script execution plugins (plugin-script-shell, plugin-script-python, etc.) enabled by default, this directly results in unauthenticated Remote Code Execution as root inside the Kestra worker container. This vulnerability is fixed in 1.0.45 and 1.3.21.17dCVE-2026-420437.2 HIG47.5%
——14Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range (other than 127.0.0.1) to completely bypass the NO_PROXY protection. This vulnerability is due to an incomplete for CVE-2025-62718, This vulnerability is fixed in 1.15.1 and 0.31.1.3dCVE-2025-71355—42.5%
——13Picklescan before 0.0.25 fails to detect unsafe global functions in the Numpy library, allowing attackers to bypass static analysis and execute arbitrary code during deserialization. Attackers can craft malicious pickle files using numpy.testing._private.utils.runstring within the reduce method to import dangerous libraries like os and execute arbitrary OS commands when the pickle file is loaded.16d