Security Report
Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability
Fortinet FortiClient EMS Improper Access Control Vulnerability
Daptin has Unauthenticated Path Traversal and Zip Slip
The `cloudstore.file.upload` action in `server/actions/action_cloudstore_file_upload.go` writes user-supplied filenames directly to disk without proper validation.
This allows unauthenticated attackers to perform path traversal and zip slip attacks, leading to arbitrary file write and p…
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass
An unauthenticated attacker can achieve full remote code execution on any network-accessible Paperclip instance running in `authenticated` mode with default configuration. No user interaction, no credentials, just the target's address. The entire chain is six API calls.
## Steps to Repr…
Juju: CloudSpec method leaking cloud credentials
If a user has login permission to a controller and knows the controller model UUID, they can call the CloudSpec method on the Controller facade and get cloud credentials used to bootstrap the controller.
The CloudSpec API is called by workers running in the controller to maintain connec…
CVE-2026-40175
Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain
## Summary
The Axios library is vulnerable to a specific "Gadget" attack chain that allows **Prototype Pollution** in any third-party dependency to be escalated into **Remote Code Execution (RCE)** or **…
PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
`execute_code()` in `praisonaiagents.tools.python_tools` defaults to
`sandbox_mode="sandbox"`, which runs user code in a subprocess wrapped with a
restricted `__builtins__` dict and an AST-based blocklist. The AST blocklist
embedded inside the subprocess wrapper (`blocked_attrs`, line 14…
CVE-2026-40089
CVE-2026-23696
PraisonAI has critical RCE via `type: job` workflow YAML
This supports:
- `run:` → shell command execution via `subprocess.run()`
- `script:` → inline Python execution via `exec()`
- `python:` → arbitrary Pyt…
PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading
The `AgentService.loadAgentFromFile` method uses the `js-yaml` library to parse YAML files without disabling dangerous tags (such as `!!js/function` and `!!js/undefined`). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An atta…
pgx contains memory-safety vulnerability
CVE-2026-35490
CVE-2026-4277
Add permissions on inline model instances were not validated on submission of
forged `POST` data in `GenericInlineModelAdmin`.
Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluat…
CVE-2026-1114
changedetection.io Vulnerable to Authentication Bypass via Decorator Ordering
On 13 routes across 5 blueprint files, the `@login_optionally_required` decorator is placed **before** (outer to) `@blueprint.route()` instead of after it. In Flask, `@route()` must be the outermost decorator because it registers the function it receives. When the order is reversed, `@r…
CVE-2026-34841
PraisonAI Vulnerable to OS Command Injection
## Description
PraisonAI's workflow system …
parisneo/lollms vulnerable to stored XSS in the social feature
@delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck-registered collections
All `/api/puck/*` CRUD endpoint handlers registered by `createPuckPlugin()` called Payload's local API with the default `overrideAccess: true`, bypassing all collection-level access control. The `access` option passed to `createPuckPlugin()` and any `access` rules defined on Puck-registe…
PraisonAI Vulnerable Untrusted Remote Template Code Execution
## Description
When a user installs a template from a remote source (e.g., GitHub), P…
gramps-webapi: Zip Slip Path Traversal in Media Archive Import
A path traversal vulnerability (Zip Slip) exists in the media archive import feature. An authenticated user with owner-level privileges can craft a malicious ZIP file with directory-traversal filenames to write arbitrary files outside the intended temporary extraction directory on the se…
nimiq-blockchain is missing a wall-clock upper bound on block timestamps
Block timestamp validation enforces that `timestamp >= parent.timestamp` for non-skip blocks and `timestamp == parent.timestamp + MIN_PRODUCER_TIMEOUT` for skip blocks, but there is no visible upper bound check against the wall clock. A malicious block-producing validator can set block t…
PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
`praisonai browser start` exposes the browser bridge on `0.0.0.0` by default, and its `/ws` endpoint accepts websocket clients that omit the `Origin` header entirely. An unauthenticated network client can connect as a fake controller, send `start_session`, cause the server to forward `st…
LXD: VM lowlevel restriction bypass via raw.apparmor and raw.qemu.conf
The `isVMLowLevelOptionForbidden` function in `lxd/project/limits/permissions.go` is missing `raw.apparmor` and `raw.qemu.conf` from its hardcoded forbidden list. A user with `can_edit` permission on a VM instance in a restricted project can combine these two omissions to bridge the LXD …
LXD: Importing a crafted backup leads to project restriction bypass
LXD instance backup import validates project restrictions against `backup/index.yaml` embedded in the tar archive, but creates the actual instance from `backup/container/backup.yaml` extracted to the storage volume. Because these are separate, independently attacker-controlled files with…
LXD: Update of type field in restricted TLS certificate allows privilege escalation to cluster admin
A restricted TLS certificate user can escalate to cluster admin by changing their certificate type from `client` to `server` via PUT/PATCH to `/1.0/certificates/{fingerprint}`. The non-admin guard and reset block in `doCertificateUpdate` fail to validate or reset the `Type` field, allow…
Apache Tomcat: CLIENT_CERT authentication does not fail as expected
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Nativ…
CVE-2026-29145
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Nativ…
Apache Airflow: JWT token still valid after logout
CVE-2025-57735
CVE-2026-34179
CVE-2026-40035
SiYuan: Remote Code Execution in the Electron desktop client via stored XSS in synced table captions
A malicious note synced to another user can trigger remote code execution in the SiYuan Electron desktop client. The root cause is that table caption content is stored without safe escaping and later unescaped into rendered HTML, creating a stored XSS sink. Because the desktop renderer r…
Emmett has a path traversal in internal assets handler
An attacker can use `../` sequences (e.g., `/__emmett__/../rsgi/handlers.py`) to read arbitrary files outside the assets directory.
Emissary has GitHub Actions Shell Injection via Workflow Inputs
Three GitHub Actions workflow files contained **10 shell injection points** where
user-controlled `workflow_dispatch` inputs were interpolated directly into shell
commands via `${{ }}` expression syntax. An attacker with repository write access
could inject arbitrary shell commands, lead…
CVE-2026-28386
systems with AVX-512 and VAES support can trigger an out-of-bounds read
of up to 15 bytes when processing partial cipher blocks.
Impact summary: This out-of-bounds read may trigger a crash which leads to
Denial of Service for …
CVE-2026-35573
CVE-2026-35580
CVE-2026-35030
CVE-2026-34950
PraisonAI Vulnerable to Arbitrary File Write / Path Traversal in Action Orchestrator
goshs has a file-based ACL authorization bypass in goshs state-changing routes
goshs enforces the documented per-folder `.goshs` ACL/basic-auth mechanism for directory listings and file reads, but it does not enforce the same authorization checks for state-changing routes. An unauthenticated attacker can upload files with `PUT`, upload files with multipart `POST /u…
ajenti.plugin.core has password bypass when 2FA is activated
If the 2FA was activated, it was possible to bypass the password authentication.
### Patches
This is fixed in the version 0.112. Users should upgrade to this version as soon as possible.
PraisonAI vulnerable to arbitrary file write via path traversal in `praisonai recipe unpack`
| | |
|---|---|
| Severity | Critical |
| Type | Path traversal — arbitrary file write via `tar.extract()` without member validation |
| Affected | `src/praisonai/praisonai/cli/features/recipe.py:1170-1172` |
## Summary
`cmd_unpack` in the recipe CLI extracts `.praison` tar archives u…
PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)
The memory hooks executor in praisonaiagents passes a user-controlled command string
directly to subprocess.run() with shell=True at
src/praisonai-agents/praisonaiagents/memory/hooks.py lines 303 to 305.
No sanitization, no shlex.quote(), no character filter, and no allowlist check
exists a…
Wasmtime with Winch compiler backend on aarch64 may allow a sandbox-escaping memory access
Wasmtime with its Winch (baseline) non-default compiler backend may allow properly constructed guest Wasm to access host memory outside of its linear-memory sandbox.
This vulnerability requires use of the Winch compiler (`-Ccompiler=winch`). By default, Wasmtime uses its Cranelift backe…
Wasmtime: Miscompiled guest heap access enables sandbox escape on aarch64 Cranelift
Wasmtime's Cranelift compilation backend contains a bug on aarch64 when performing a certain shape of heap accesses which means that the wrong address is accessed. When combined with explicit bounds checks a guest WebAssembly module this can create a situation where there are two divergi…
Axios has a NO_PROXY Hostname Normalization Bypass Leads to SSRF
Requests to loopback addresses like `localhost.` (with a trailing dot) or `[::1]` (IPv6 literal) skip `NO_PROXY` matching and go through the configured proxy.
This goes against what developers expect and lets att…
Marimo: Pre-Auth Remote Code Execution via Terminal WebSocket Authentication Bypass
Marimo (19.6k stars) has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint `/terminal/ws` lacks authentication validation, allowing an unauthenticated attacker to obtain a full PTY shell and execute arbitrary system commands.
Unlike other WebSocket endpoints (e.g., `/ws`) th…
Rack::Session::Cookie secrets: decrypt failure fallback enables secretless session forgery and Marshal deserialization
OpenIdentityPlatform OpenAM: Pre-Authentication Remote Code Execution via `jato.clientSession` Deserialization in OpenAM
OpenIdentityPlatform OpenAM 16.0.5 (and likely earlier versions) is vulnerable to pre-authentication Remote Code Execution (RCE) via unsafe Java deserialization of the `jato.clientSession` HTTP parameter. This bypasses the `WhitelistObjectInputStream` mitigation that was applied to the `…
PraisonAI Has Path Traversal in FileTools
The path validation has a critical logic bug: it checks for `..` AFTER `normpath()` has already collapsed all `..` sequences. This makes the check completely useless and allows trivial path traversal to any file on the system.
The path validation function also does not resolve…
mathjs Allows Improperly Controlled Modification of Dynamically-Determined Object Attributes
Two security vulnerabilities were detected that allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser.
### Patches
The problem is patc…
PraisonAI: Hardcoded `approval_mode="auto"` in Chainlit UI Overrides Administrator Configuration, Enabling Unapproved Shell Command Execution
The Chainlit UI modules (`chat.py` and `code.py`) hardcode `config.approval_mode = "auto"` after loading administrator configuration from the `PRAISON_APPROVAL_MODE` environment variable, silently overriding any "manual" or "scoped" approval setting. This defeats the human-in-the-loop ap…
Duplicate Advisory: OpenClaw Gateway: RCE and Privilege Escalation from operator.pairing to operator.admin via device.pair.approve
This advisory has been withdrawn because it is a duplicate of GHSA-hf68-49fm-59cq. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.22 contains a privilege escalation vulnerability in the device.pair.approve method that …
CVE-2026-39911
CVE-2026-39891
AGiXT Vulnerable to Path Traversal in safe_join()
The safe_join() function in the essential_abilities extension fails to validate that resolved file paths remain within the designated agent workspace. An authenticated attacker can use directory traversal sequences to read, write, or delete arbitrary files on the server hosting the AGiXT…
PraisonAI has Template Injection in Agent Tool Definitions
Direct insertion of unescaped user input into template-rendering tools allows arbitrary code execution via specially crafted agent instructions.
## Details
The `create_agent_centric_tools()` function returns tools (like `acp_create_file`) that process file content using template rendering…
Apache Cassandra is vulnerable to privilege escalation in an mTLS environment using MutualTlsAuthenticator
Users are re…
CVE-2026-27314
including a superuser role, and authenticate as that role via ADD IDENTITY.
Users are re…
CVE-2026-35463
CVE-2026-34197
Apache ActiveMQ Classic exposes the Jolokia JMX-HTTP bridge at /api/jolokia/ on the web console. The default Jolokia access policy permits exec operations o…
CVE-2026-35044
CVE-2019-25671
CVE-2026-35554
When a produce batch expires due to delivery.timeout.ms while a network request containing that batch is still in flight, the batch’s ByteBuffer is…
CVE-2026-35408
PraisonAI Vulnerable to Code Injection and Protection Mechanism Failure
## Description
The `_execute_code_direct` function in `praisonaiagents/tools/python_tools.py` uses AST filtering to block dangerous Py…
basic-ftp has FTP Command Injection via CRLF
`basic-ftp` version `5.2.0` allows FTP command injection via CRLF sequences (`\r\n`) in file path parameters passed to high-level path APIs such as `cd()`, `remove()`, `rename()`, `uploadFrom()`, `downloadTo()`, `list()`, and `removeDir()`. The library's `protectWhitespace()` helper only…
CVE-2026-33752
SiYuan: Publish Reader Path Traversal Delete via `removeUnusedAttributeView`
A publish-service Reader context can call this endpoint because it is protected only by `CheckAuth`, and publish requests are forwarded upstream with a valid `RoleReader` JWT. The handler accepts attacker…
CVE-2026-5483
n8n-mcp has authenticated SSRF via instance-URL header in multi-tenant HTTP mode
An authenticated Server-Side Request Forgery in `n8n-mcp` allows a caller holding a valid `AUTH_TOKEN` to cause the server to issue HTTP requests to arbitrary URLs supplied through multi-tenant HTTP headers. Response bodies are reflected back through JSON-RPC, so an attacker can read the c…
PraisonAI Vulnerable to RCE via Automatic tools.py Import
A malicious tools.py placed in the process working directory is executed immediately, allowing arbitrary Python cod…
PraisonAI Vulnerable to Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars
deploy.py constructs a single comma-delimited string for the gcloud run
deploy --set-env-vars argument by directly interpolating openai_model,
openai_key, and openai_base without validating that these values do not
contain commas. gcloud uses a comma as the key-value pair separator for
…
Vikunja vulnerable to Privilege Escalation via Project Reparenting
A user with Write-level access to a project can escalate their permissions to Admin by moving the project under a project they own. After reparenting, the recursive permission CTE resolves ownership of the new parent as Admin on the moved project. The attacker can then delete the project…
Open Cluster Management (OCM): Cross-cluster privilege escalation via improper Kubernetes client certificate renewal validation
n8n-mcp has unauthenticated session termination and information disclosure in HTTP transport
Several HTTP transport endpoints in n8n-mcp lacked proper authentication, and the health check endpoint exposed sensitive operational metadata without credentials.
### Impact
An unauthenticated attacker with network access to the n8n-mcp HTTP server could disrupt active MCP sessions a…
basic-ftp: Incomplete CRLF Injection Protection Allows Arbitrary FTP Command Execution via Credentials and MKD Commands
basic-ftp's CRLF injection protection (added in commit 2ecc8e2 for GHSA-chqc-8p9q-pq6q) is incomplete. Two code paths bypass the `protectWhitespace()` control character check: (1) the `login()` method directly concatenates user-supplied credentials into USER/PASS FTP commands without any…
Saltcorn has an Unauthenticated Path Traversal in sync endpoints, allowing arbitrary file write and directory read
Two unauthenticated path traversal vulnerabilities exist in Saltcorn's mobile sync endpoints. The `POST /sync/offline_changes` endpoint allows an unauthenticated attacker to create arbitrary directories and write a `changes.json` file with attacker-controlled JSON content anywhere on th…
CVE-2026-39429
kcp's cache server is accessible without authentication or authorization checks
The cache server is directly exposed by the root shard and has no authentication or authorization in place.
This allows anyone who can access the root shard to read and write to the cache server.
### Details
The cache server is routed in the pre-mux chain in the shard code.
The preHa…
CVE-2026-34045
CVE-2026-4740
CVE-2026-34982
DotNetNuke.Core has stored cross-site-scripting (XSS) via SVG upload
SiYuan: Publish Reader Can Arbitrarily Delete Attribute View Files via `/api/av/removeUnusedAttributeView`
An authenticated publish-service reader can invoke `/api/av/removeUnusedAttributeView` and cause persistent deletion of arbitrary attribute view (`AV`) definition files from the workspace.
The route is protected only by generic `CheckAuth`, which accepts publish `RoleReader` requests. T…
PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint
The AGUI endpoint (`POST /agui`) has no authentication and hardcodes `Access-Control-Allow-Origin: *` on all responses. Combined with Starlette/FastAPI's Content-Type-agnostic JSON parsing, any website a victim visits can silently trigger arbitrary agent execution against a locally-runni…
CVE-2021-47961
bsv-sdk and bsv-wallet persist unverified certifier signatures in acquire_certificate (direct and issuance paths)
## Affected packages
Both `bsv-sdk` and `bsv-wallet` are published from the [sgbett/bsv-ruby-sdk](https://github.com/sgbett/bsv-ruby-sdk) repository. The vulnerable code lives in `lib/bsv/wallet_interface/wallet_client.rb`, which…
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
Server functions exported from `"use server"` files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send `SameSite=Lax` cookies on…
File Browser: Proxy auth auto-provisioned users inherit Execute permission and Commands
The fix in commit `b6a4fb1` ("self-registered users don't get execute perms") stripped `Execute` permission and `Commands` from users created via the signup handler. The same fix was not applied to the proxy auth handler. Users auto-created on first successful proxy-auth login are grante…
CVE-2026-39371
PraisonAI Has Arbitrary File Write (Zip Slip) in Templates Extraction
PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls
The gateway's `/api/approval/allow-list` endpoint permits unauthenticated modification of the tool approval allowlist when no `auth_token` is configured (the default). By adding dangerous tool names (e.g., `shell_exec`, `file_write`) to the allowlist, an attacker can cause the `ExecAppro…
PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
Fleet Affected by Local Privilege Escalation via Tcl Command Injection in Orbit
The Orbit agent's FileVault disk encryption key rotation flow on collects a local user's password via a GUI dialog and interpolates it directly into a Tcl/expect script executed via `exec.Command("expect", "-c", script)`. Because the password is inserted into Tcl brace-quoted `send {%s}`…
OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write
`internal_exr_undo_piz()` advances the working wavelet pointer with signed 32-bit arithmetic:
```c
wavbuf += nx * ny * wcount;
```
Because `nx`, `ny`, and `wcount` are `int`, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect add…
Local settings bypass config trust checks
`mise` loads trust-control settings from a local project `.mise.toml` before the trust check runs. An attacker who can place a malicious `.mise.toml` in a repository can make that same file appear trusted and then reach dangerous directives such as `[env] _.source`, templates, hooks, or…
CVE-2026-35021
goshs is Missing Write Protection for Parametric Data Values
The SFTP command rename sanitizes only the source path and not the destination, so it is possible to write outside of the root directory of the SFTP.
### Details
Here is the issue:
```go
// helper.go:155-215
func cmdFile(root string, r *sftp.Request, ip string, sftpServer *SFTPServer)…
```
PraisonAIAgents has SSRF and Local File Read via Unvalidated URLs in web_crawl Tool
The `web_crawl()` function in `praisonaiagents/tools/web_crawl_tools.py` accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applied before fetching. This allows an attacker (or prompt injection in cr…
MONAI: Unsafe functions lead to pickle deserialization rce
The `algo_from_pickle` function in `monai/auto3dseg/utils.py` causes `pickle.loads(data_bytes)` to be executed, and it does not perform any validation on the input parameters. This ultimately leads to insecure deserialization and can result in code execution vulnerabilities.
### Details…
Ech0: Scoped admin access tokens can bypass least-privilege controls on privileged endpoints, including backup export
Ech0 scoped access tokens do not reliably enforce least privilege: multiple privileged admin routes omit scope checks, and the backup export handler strips token scope metadata entirely, allowing a low-scope admin access token to reach broader admin functionality than intended.
## Impac…
PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits
The `/media-stream` WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurre…
@vitejs/plugin-rsc has a Denial of Service with React Server Components
`@vitejs/plugin-rsc` vendors `react-server-dom-webpack`, which contained a vulnerability in versions prior to 19.2.4. See details in React repository's advisory https://github.com/facebook/react/security/advisories/GHSA-479c-33wc-g2pg
### Patches
Upgrade immediately to `@vitejs/plugin-…
Next.js has a Denial of Service with Server Components
React Server Components have a Denial of Service Vulnerability
A denial of service vulnerability exists in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack versions 19.0.0, 19.1.0 and 19.2.0. The vulnerability is triggered by sending specially crafted HTTP request…
Apache ActiveMQ: Denial of Service via Out of Memory vulnerability
ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes th…
CVE-2026-39304
ActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes th…
Spring Cloud Gateway's SSL bundle configuration silently bypassed
Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gatew…
CVE-2026-22750
Note: The 4.2.x branch is no longer under open source support. If you are using Spring Cloud Gatew…
Apache Tomcat Missing Encryption of Sensitive Data vulnerability
This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the …
Apache Tomcat has an Improper Encoding or Escaping of Output vulnerability in the JsonAccessLogValve
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or…
Apache Tomcat vulnerable to Insertion of Sensitive Information into Log File
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.
Users…
Apache Tomcat: Configured cipher preference order not preserved
This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.
Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
Apache Tomcat: Padding Oracle vulnerability in EncryptInterceptor
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommen…
Apache Tomcat has an HTTP Request/Response Smuggling vulnerability
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, f…
bsv-sdk ARC broadcaster treats INVALID/MALFORMED/ORPHAN responses as successful broadcasts
## Summary
`BSV::Network::ARC`'s failure detection only recognises `REJECTED` and `DOUBLE_SPEND_ATTEMPTED`. ARC responses with `txStatus` values of `INVALID`, `MALFORMED`, `MINED_IN_STALE_BLOCK`, or any `ORPHAN`-containing `extraIn…
CVE-2026-34487
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116.
Users…
CVE-2026-34486
This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the …
CVE-2026-34483
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.40 through 9.0.116.
Users are recommended to upgrade to version 11.0.21, 10.1.54 or…
CVE-2026-29146
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.
Users are recommen…
CVE-2026-29129
This issue affects Apache Tomcat: from 11.0.16 through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through 9.0.115.
Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
CVE-2026-24880
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through 9.0.115, from 8.5.0 through 8.5.100, f…
Apache OpenMeetings Uses GET Request Method With Sensitive Query Strings
The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact.
This issue affects Apache OpenMeetings: from 3.1.3 be…
Apache OpenMeetings Uses Hard-coded Cryptographic Key
The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logge…
CVE-2026-1584
CVE-2026-40046
The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versio…
CVE-2026-34020
The REST login endpoint uses HTTP GET method with username and password passed as query parameters. Please check references regarding possible impact.
This issue affects Apache OpenMeetings: from 3.1.3 be…
CVE-2026-33266
The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a logge…
HashiCorp's go-getter library may allow arbitrary file reads
Apache DolphinScheduler vulnerable to sensitive information disclosure
This vulnerability may allow unauthorized actors to access sensitive information, including database credentials.
This issue affects Apache DolphinScheduler versions 3.1.*.
Users are r…
CVE-2025-62188
This vulnerability may allow unauthorized actors to access sensitive information, including database credentials.
This issue affects Apache DolphinScheduler versions 3.1.*.
Users are r…
Duplicate Advisory: Unfurl's unbounded zlib decompression allows decompression bomb DoS
This advisory has been withdrawn because it is a duplicate of GHSA-h5qv-qjv4-pc5m. This link is maintained to preserve external references.
### Original Description
Unfurl before 2026.04 contains an unbounded zlib decompression vulnerability in parse_compressed.py that allow…
CVE-2026-39863
CVE-2026-23869
mcp-from-openapi is Vulnerable to SSRF via $ref Dereferencing in Untrusted OpenAPI Specifications
The `mcp-from-openapi` library uses `@apidevtools/json-schema-ref-parser` to dereference `$ref` pointers in OpenAPI specifications without configuring any URL restrictions or custom resolvers. A malicious OpenAPI specification containing `$ref` values pointing to internal network address…
PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server
The create_a2u_routes() function registers the following endpoints with NO authentication checks:
- GET /a2u/inf…
LiquidJS: Root restriction bypass for partial and layout loading through symlinked templates
LiquidJS enforces partial and layout root restrictions using the resolved pathname string, but it does not resolve the canonical filesystem path before opening the file. A symlink placed inside an allowed partials or layouts directory can therefore point to a file outside that directory…
Drizzle ORM has SQL injection via improperly escaped SQL identifiers
Drizzle ORM improperly escaped quoted SQL identifiers in its dialect-specific `escapeName()` implementations. In affected versions, embedded identifier delimiters were not escaped before the identifier was wrapped in quotes or backticks.
As a result, applications that pass attacker-con…
FastFeedParser has an infinite redirect loop DoS via meta-refresh chain
When `parse()` fetches a URL that returns an HTML page containing a `<meta http-equiv="refresh">` tag, it recursively calls itself with the redirect URL — with no depth limit, no visited-URL deduplication, and no redirect count cap. An attacker-controlled server that returns an infinit…
Addressable has a Regular Expression Denial of Service in Addressable templates
Within the URI template implementation in Addressable, two classes of URI template generate regular expressions vulnerable to catastrophic backtracking:
1. Templates using the `*` (explode) modifier with any expansion operator (e.g., `{foo*}`, `{+var*}`, `{#var*}`, `{/var*}`, `{.var*}`,…
CVE-2026-28390
with KeyTransportRecipientInfo a NULL pointer dereference can happen.
Impact summary: Applications that process attacker-controlled CMS data may
crash before authentication or cryptographic operations occur resulting in
Denial …
CVE-2026-28389
with KeyAgreeRecipientInfo a NULL pointer dereference can happen.
Impact summary: Applications that process attacker-controlled CMS data may
crash before authentication or cryptographic operations occur resulting in
Denial of S…
CVE-2026-28388
is processed a NULL pointer dereference might happen if the required CRL
Number extension is missing.
Impact summary: A NULL pointer dereference can trigger a crash which
leads to a Denial of Service for an application.
…
GenieACS has an unauthenticated access vulnerability via the NBI API endpoint
OpenTelemetry-Go: multi-value `baggage` header extraction causes excessive allocations (remote dos amplification)
…
CVE-2026-35611
Django vulnerable to ASGI header spoofing via underscore/hyphen conflation
Earlier, unsupported Djan…
Django: ASGI requests with a missing or understated `Content-Length` header could bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit
CVE-2026-3902
`ASGIRequest` allows a remote attacker to spoof headers by exploiting an ambiguous mapping of two header variants (with hyphens or with underscores) to a single version with underscores.
Earlier, unsupported Djang…
CVE-2026-35464
CVE-2026-33034
ASGI requests with a missing or understated `Content-Length` header could
bypass the `DATA_UPLOAD_MAX_MEMORY_SIZE` limit when reading
`HttpRequest.body`, allowing remote attackers to load an unbounded request bo…
CVE-2026-31842
strawberry-graphql: Denial of Service via unbounded WebSocket subscriptions
strawberry-graphql: Authentication bypass via legacy graphql-ws WebSocket subprotocol
Distribution: stale blob access resurrection via repo-scoped redis descriptor cache invalidation
distribution can restore read access in `repo a` after an explicit delete when `storage.cache.blobdescriptor: redis` and `storage.delete.enabled: true` are both enabled. the delete path clears the shared digest descriptor but leaves stale repo-scoped membership behind, so a later `Stat` …
Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm
commit: 40594bd98e6d6ed993b5c6021c93fdf96d2e5851 (as-of 2026-01-31)
contact: GitHub Security Advisory (https://github.com/distribution/distribution/security/advisories/new)
## summary
in pull-through cache mode, distribution discovers token auth endpoints by parsing `WWW-Authenticate` ch…
CVE-2026-34211
PraisonAIAgents: Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool
The `execute_command` function in `shell_tools.py` calls `os.path.expandvars()` on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using `shell=False` (line 88) for security. This allows exfiltration of secrets stored in envi…
CVE-2026-34727
Vikunja has TOTP Two-Factor Authentication Bypass via OIDC Login Path
The OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped.
## Details
The OIDC ca…
Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially not clear ThreadLocal variables
Upon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.
A subsequent reque…
CVE-2026-4158
CVE-2026-5974
CVE-2026-5973
CVE-2026-5971
CVE-2026-5970
CVE-2026-5741
PraisonAI recipe registry pull path traversal writes files outside the chosen output directory
PraisonAI's recipe registry pull flow extracts attacker-controlled `.praison` tar archives with `tar.extractall()` and does not validate archive member paths before extraction. A malicious publisher can upload a recipe bundle that contains `../` traversal entries and any user who later …
Authorizer: CQL/N1QL Injection in Cassandra and Couchbase Backends via fmt.Sprintf String Interpolation
**CWE:** CWE-943 – Improper Neutralization of Special Elements in Data Query Logic
All 66+ CQL queries in `internal/storage/db/cassandradb/` use `fmt.Sprintf` to interpolate user-controlled values directly into CQL query strings without parameterization.
Unauthenticated e…
CVE-2026-5577
CVE-2026-40242
Arcane has Unauthenticated SSRF with Conditional Response Reflection in Template Fetch Endpoint
The /api/templates/fetch endpoint accepts a caller-supplied url parameter and performs a server-side HTTP GET request to that URL without authentication and without URL scheme or host validation. The server's response is returned directly to the caller. type. This constitutes an unauthen…
PraisonAI Vulnerable to Server-Side Request Forgery via Unvalidated webhook_url in Jobs API
The `/api/v1/runs` endpoint accepts an arbitrary `webhook_url` in the request body with no URL validation. When a submitted job completes (success or failure), the server makes an HTTP POST request to this URL using `httpx.AsyncClient`. An unauthenticated attacker can use this to make th…
Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
The `Executrix` utility class constructed shell commands by concatenating
configuration-derived values — including the `PLACE_NAME` parameter — with
insufficient sanitization. Only spaces were replaced with underscores, allowing
shell metacharacters (`;`, `|`, `$`, `` ` ``, `(`, `)`,…
Bugsink affected by authenticated arbitrary file write in artifactbundle/assemble
## Summary
An authenticated file write vulnerability was identified in Bugsink **2.1.0** in the artifact bundle assembly flow.
A user with a valid authentication token could cause the application to write attacker-controlled content…
CVE-2026-33704
CVE-2026-39976
Tmds.DBus: malicious D-Bus peers can spoof signals, exhaust file descriptor resources, and cause denial of service
PraisonAI recipe registry publish path traversal allows out-of-root file write
PraisonAI's recipe registry publish endpoint writes uploaded recipe bundles to a filesystem path derived from the bundle's internal `manifest.json` before it verifies that the manifest `name` and `version` match the HTTP route. A malicious publisher can place `../` traversal sequences i…
Duplicate Advisory: OpenClaw: Plivo V2 verified replay identity drifts on query-only variants
This advisory has been withdrawn because it is a duplicate of GHSA-cg6c-q2hx-69h7. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allo…
Duplicate Advisory: OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects
This advisory has been withdrawn because it is a duplicate of GHSA-qx8j-g322-qj6m. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.31 (patched in 2026.4.8) contains a request body replay vulnerability in fetchWithSsrFGu…
OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write
The DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated `rowBlock` backing store.
This bug is reachable from th…
PraisonAIAgents: SSRF via unvalidated URL in `web_crawl` httpx fallback
| | |
|---|---|
| Severity | High |
| Type | SSRF — unvalidated URL in `web_crawl` httpx fallback allows internal network access |
| Affected | `src/praisonai-agents/praisonaiagents/tools/web_crawl_tools.py:133-180` |
## Summary
`web_crawl`'s httpx fallback path passes user-supplied U…
SiYuan Affected by Zero-Click NTLM Hash Theft and Blind SSRF via Mermaid Diagram Rendering
@sveltejs/adapter-node has a BODY_SIZE_LIMIT bypass
Helm's plugin verification fails open when .prov is missing, allowing unsigned plugin install
### Impact
The bug allows plugin authors to omit provenance (signing) data from plugins, bypassing plugin …
Helm has a path traversal in plugin metadata version enables arbitrary file write outside Helm plugin directory
### Impact
A Helm user who installs or updates a plugin th…
OpenClaw: `fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects
`fetchWithSsrFGuard` replays unsafe request bodies across cross-origin redirects.
A guarded fetch could resend unsafe request bodies or headers when following cross-origin redirects.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and d…
OpenClaw: Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement
Node Pairing Reconnect Command Escalation Bypasses operator.admin Scope Requirement.
A previously paired node could reconnect with a broader command set, including exec-capable commands, without forcing the operator/admin re-pairing path.
OpenClaw is a user-controlled local assistant. T…
MinIO affected by a DoS via Unbounded Memory Allocation in S3 Select CSV Parsing
_What kind of vulnerability is it? Who is impacted?_
MinIO's S3 Select feature is vulnerable to memory exhaustion when processing CSV
files containing lines longer than available memory. The CSV reader's `nextSplit()`
function calls `bufio.Reader.ReadBytes('\n')` with no size limit, b…
OpenClaw: HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class)
HGRCPATH, CARGO_BUILD_RUSTC_WRAPPER, RUSTC_WRAPPER, and MAKEFLAGS missing from exec env denylist — RCE via build tool env injection (GHSA-cm8v-2vh9-cxf3 class).
Missing denylist entries allowed hostile build-tool environment variables to influence host exec commands.
OpenClaw is a use…
OpenClaw: Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel
Authenticated `/hooks/wake` and mapped `wake` payloads are promoted into the trusted `System:` prompt channel.
An authenticated wake hook or mapped wake payload could be promoted into the trusted System prompt channel instead of an untrusted event.
OpenClaw is a user-controlled local as…
OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade
Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade.
Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turn…
Pretext: Algorithmic Complexity (DoS) in the text analysis phase
mercure has Topic Selector Cache Key Collision
A cache key collision vulnerability in `TopicSelectorStore` allows an attacker to poison the match result cache, potentially causing private updates to be delivered to unauthorized subscribers or blocking delivery to authorized ones.
The cache key was constructed by concatenating the to…
opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking
The fix for GHSA-9h8m-3fm2-qjrq (CVE-2026-24051) changed the Darwin `ioreg` command to use an absolute path but left the BSD `kenv` command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms.
## Root Cause
`sdk/resource/host_id.go` line 42:
if …
stata-mcp has insufficient validation of user-supplied Stata do-file content that can lead to command execution
XWiki vulnerable to remote code execution with script right through unprotected Velocity scripting API
An improperly protected scripting API allows any user with script right to bypass the sandboxing of the Velocity scripting API and execute, e.g., arbitrary Python scripts, allowing full access to the XWiki instance and thereby compromising the confidentiality, integrity and availability o…
File Browser share links remain accessible after Share/Download permissions are revoked
File Browser has a Command Injection via Hook Runner
> **This feature has been disabled by default for all installations from v2.33.8 onwards, including for existent installations**. To exploit this vulnerability, the instance administrator must turn on a feature and ignore all the warnings about known vulnerabilities. We're publishing this …
LiteLLM: Password hash exposure and pass-the-hash authentication bypass
Three issues combine into a full authentication bypass chain:
1. Weak hashing: User passwords are stored as unsalted SHA-256 hashes, making them vulnerable to rainbow table attacks and trivially identifying users with identical passwords.
2. Hash exposure: Multiple API endpoints (/user/…
Java-SDK has a DNS Rebinding Vulnerability
The java-sdk contains a DNS rebinding vulnerability. This vulnerability allows an attacker to access a locally or network-private java-sdk MCP server via a victim's browser that is either local, or network adjacent.
This allows an attacker to make any tool call to the server as if they …
Gotenberg has incomplete fix for ExifTool arbitrary file write: case-insensitive bypass and missing HardLink/SymLink tags
The fix for ExifTool arbitrary file write (commit `043b158`, released in v8.29.0) uses a case-sensitive blocklist to filter dangerous pseudo-tags. ExifTool processes tag names case-insensitively, so alternate casings bypass the filter. The blocklist also omits the `HardLink` and `SymLink…
Gotenberg Vulnerable to ReDoS via extraHttpHeaders scope feature
Gotenberg uses `dlclark/regexp2` to compile user-supplied scope patterns without setting a proper timeout. Users with access to features using this logic can hang workers indefinitely.
### Details
Gotenberg uses `dlclark/regexp2` to compile user-supplied scope patterns (gotenberg/pkg/m…
Lupa has a Sandbox escape and RCE due to incomplete attribute_filter enforcement in getattr / setattr
The `attribute_filter` in the Lupa library is intended to restrict access to sensitive Python attributes when exposing objects to Lua.
However, the filter is not consistently applied when attributes are accessed through built-in functions like getattr and setattr. This allows an attacke…
Authorizer: Password reset token theft and full auth token redirect via unvalidated redirect_uri
I found that 6 endpoints in Authorizer accept a user-controlled `redirect_uri` and append sensitive tokens to it without validating the URL against `AllowedOrigins`. The OAuth `/app` handler validates redirect_uri at `http_handlers/app.go:46`, but the GraphQL mutations and verify_email handler …
OpenEXR has buffer overflow in PyOpenEXR_old's channels() and channel()
A memory safety bug in the legacy OpenEXR Python adapter (the deprecated OpenEXR.InputFile wrapper) allows crashes and likely code execution when opening attacker-controlled EXR files or when passing crafted Python objects.
Integer overflow and unchecked allocation in InputFile.channel(…
OpenEXR has use after free in PyObject_StealAttrString
There is a use-after-free in PyObject_StealAttrString of pyOpenEXR_old.cpp.
This bug was found with [ZeroPath](https://zeropath.com/?utm_source=joshua.hu).
### Details
The legacy adapter defines PyObject_StealAttrString that calls PyObject_GetAttrString to obtain a new reference, imme…
Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)
This advisory has been withdrawn because it is a duplicate of GHSA-rhfg-j8jq-7v2h. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions t…
Duplicate Advisory: OpenClaw: Tlon cite expansion happens before channel and DM authorization is complete
This advisory has been withdrawn because it is a duplicate of GHSA-vfg3-pqpq-93m4. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.22 performs cite expansion before completing channel and DM authorization checks, allowi…
FoundationAgents MetaGPT vulnerable to OS Command Injection in metagpt/utils/common.py
FoundationAgents MetaGPT vulnerable to os command injection via the Terminal.run_command
FoundationAgents MetaGPT vulnerable to OS Command Injection in metagpt/tools/libs/terminal.py
FoundationAgents MetaGPT vulnerable to eval injection
decolua 9router vulnerable to authorization bypass
api-lab-mcp vulnerable to SSRF
PowerJob's GroovyEvaluator.evaluate endpoint vulnerable to code injection
PowerJob vulnerable to SQL injection
Aiven Operator has cross-namespace secret exfiltration via ClickhouseUser connInfoSecretSource
A developer with create permission on ClickhouseUser CRDs in their own namespace can exfiltrate secrets from any other namespace — production database credentials, API keys, service tokens — with a single kubectl apply. The operator reads the victim's secret using its ClusterRole and …
CVE-2026-39961
pyload-ng: Authorization Bypass for SSL Certificate/Key Configuration Due to Option Name Mismatch in pyload-ng
The `ADMIN_ONLY_CORE_OPTIONS` authorization set in `set_config_value()` uses incorrect option names `ssl_cert` and `ssl_key`, while the actual configuration option names are `ssl_certfile` and `ssl_keyfile`. This name mismatch causes the admin-only check to always evaluate to False, allo…
CVE-2026-35586
CVE-2026-4837
CVE-2026-35197
Ech0 Scope Bypass: profile:read Access Token Can Change Admin Password and Escalate to Unrestricted Session
The `PUT /user` endpoint is protected by `RequireScopes("profile:read")`, which is a read-only scope. However, the endpoint performs write operations including password changes. An attacker who obtains an admin's restricted `profile:read` access token can change the admin's password, the…
Ech0: Missing authorization on dashboard log endpoints allows low-privilege users to access sensitive system logs
Ech0 allows any authenticated user to read historical system logs and subscribe to live log streams because the dashboard log endpoints validate only that a JWT is present and valid, but do not require an administrator role or privileged scope.
## Impact
Any valid user session can acce…
PraisonAI Vulnerable to Decompression Bomb DoS via Recipe Bundle Extraction Without Size Limits
The `_safe_extractall()` function in PraisonAI's recipe registry validates archive members against path traversal attacks but performs no checks on individual member sizes, cumulative extracted size, or member count before calling `tar.extractall()`. An attacker can publish a malicious r…
CVE-2026-35594
Vikunja has Algorithmic Complexity DoS in Repeating Task Handler
The `addRepeatIntervalToTime` function uses an O(n) loop that advances a date by the task's `RepeatAfter` duration until it exceeds the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker triggers billions of loop iterations, co…
Vikunja: Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
Link Share JWT tokens remain valid for 72 hours after share deletion or permission downgrade
## Description
Vikunja's link share authentication constructs authorization objects entirely from JWT claims without any server-side database validation. When a project owner deletes a link share …
CVE-2021-47960
Duplicate Advisory: OpenClaw: Nostr inbound DMs could trigger unauthenticated crypto work before sender policy enforcement
This advisory has been withdrawn because it is a duplicate of GHSA-65h8-27jh-q8wv. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.22 performs cryptographic and dispatch operations on inbound Nostr direct messages befor…
CVE-2026-39848
Apache Tomcat: CLIENT_CERT authentication does not fail as expected
This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.
Users are recommended to upgrade to ver…
CVE-2026-34500
This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.
Users are recommended to upgrade to ver…
Apache Airflow has an authorization bypass in DagRun wait endpoint
CVE-2026-34538
OpenFGA: Unauthenticated playground endpoint discloses preshared API key in HTML response
When OpenFGA is configured to use preshared-key authentication with the built-in playground enabled, the local server includes the preshared API key in the HTML response of the /playground endpoint. The /playground endpoint is enabled by default and does not require authentication. I…
PraisonAI has Memory State Leakage and Path Traversal in MultiAgent Context Handling
The `MultiAgentLedger` and `MultiAgentMonitor` components in the provided code exhibit vulnerabilities that can lead to context leakage and arbitrary file operations. Specifically:
1. **Memory State Leakage via Agent ID Collision**: The `MultiAgentLedger` uses a dictionary to store ledger…
kubernetes-graphql-gateway: GraphQL Endpoint Vulnerable to Authenticated Denial-of-Service via Unrestricted Query Execution
CVE-2026-32588
Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.
Django has potential DoS via MultiPartParser through crafted multipart uploads
Earlier, unsupported Django series (such a…
CVE-2026-33033
`MultiPartParser` allows remote attackers to degrade performance by submitting multipart uploads with `Content-Transfer-Encoding: base64` including excessive whitespace.
Earlier, unsupported Django series (such as…
HuggingFace Transformers allows for arbitrary code execution in the `Trainer` class
kedro-datasets has a path traversal vulnerability in PartitionedDataset that allows arbitrary file write
PartitionedDataset in kedro-datasets was vulnerable to path traversal. Partition IDs were concatenated directly with the dataset base path without validation. An attacker or malicious input containing .. components in a partition ID could cause files to be written outside the configured …
OpenEXR has heap-buffer-overflow via signed integer underflow in ImfContextInit.cpp
A heap-buffer-overflow (OOB read) occurs in the `istream_nonparallel_read` function in `ImfContextInit.cpp` when parsing a malformed EXR file through a memory-mapped `IStream`. A signed integer subtraction produces a negative value that is implicitly converted to `size_t`, resulting in a…
CVE-2025-57851
Agions taskflow-ai vulnerable to os command injection in src/mcp/server/handlers.ts
PraisonAIAgents: Arbitrary File Read via read_skill_file Missing Workspace Boundary and Approval Gate
`read_skill_file()` in `skill_tools.py` allows reading arbitrary files from the filesystem by accepting an unrestricted `skill_path` parameter. Unlike `file_tools.read_file` which enforces workspace boundary confinement, and unlike `run_skill_script` which requires critical-level approva…
PraisonAI has Unrestricted Upload Size in WSGI Recipe Registry Server that Enables Memory Exhaustion DoS
The WSGI-based recipe registry server (`server.py`) reads the entire HTTP request body into memory based on the client-supplied `Content-Length` header with no upper bound. Combined with authentication being disabled by default (no token configured), any local process can send arbitraril…
rfc3161-client Has Improper Certificate Validation
An Authorization Bypass vulnerability in `rfc3161-client`'s signature verification allows any attacker to impersonate a trusted TimeStamping Authority (TSA). By exploiting a logic flaw in how the library extracts the leaf certificate from an unordered PKCS#7 bag of certificates, an atta…
netavark has incorrect error handling for malformed tcp packets
A truncated TCP DNS query followed by a connection reset causes aardvark-dns to enter an unrecoverable infinite error loop at 100% CPU.
### Patches
https://github.com/containers/aardvark-dns/commit/3b49ea7b38bdea134b7f03256f2e13f44ce73bb1
### Workarounds
None
### Credits
Thanks to @d…
go-ipld-prime: DAG-CBOR decoder unbounded memory allocation from CBOR headers
A CBOR map or list header can…
go.etcd.io/bbolt affected by index out-of-range vulnerability
Apache Tomcat has an Open Redirect vulnerability
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.
Other, unsu…
Unhead has a hasDangerousProtocol() bypass via leading-zero padded HTML entities in useHeadSafe()
CVE-2026-25854
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from 8.5.30 through 8.5.100.
Other, unsu…
CVE-2026-39315
Vikunja Vulnerable to TOTP Brute-Force Due to Non-Functional Account Lockout
The TOTP failed-attempt lockout mechanism is non-functional due to a database transaction handling bug. The account lock is written to the same database session that the login handler always rolls back on TOTP failure, so the lockout is triggered but never persisted. This allows unlimite…
Axios HTTP/2 Session Cleanup State Corruption Vulnerability
Axios HTTP/2 session cleanup logic contains a state corruption bug that allows a malicious server to crash the client process through concurrent session closures. This denial-of-service vulnerability affects axios versions prior to 1.13.2 when HTTP/2 is enabled.
### Details
The vulner…
CVE-2026-39865
NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows
The upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses `PurePosixPath(filename).name` to strip path components. Since `PurePosixPath` only recognizes forward slashes (`/`) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (`\`)…
Denial of Service due to Panic in AWS SDK for Go v2 SDK EventStream Decoder
**CVSSv3.1 Score**: [5.9]
**CVSSv3.1 Vector String**: [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H]
## Summary and Impact
An issue exists in the EventStream header decoder in AWS SDK for Go v2 in versions predating [2026-03-23](https://github.com/aws/aws-sdk-go-v2…
rdiscount has an Out-of-bounds Read
A signed length truncation bug causes an out-of-bounds read in the default Markdown parse path. Inputs larger than `INT_MAX` are truncated to a signed `int` before entering the native parser, allowing the parser to read past the end of the supplied buffer and crash the process.
### Deta…
CVE-2026-34380
monetr: Protected Transactions Deletable via PUT
A transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal `DELETE` path. This bypass undermines the inte…
LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`
**Severity:** Medium (CVSS ~5.6)
**Status:** Fixed in 0.5.18
---
## Summary
The LangSmith JavaScript/TypeScript SDK (`langsmith`) contains an incomplete prototype pollution fix in its internally ven…
CVE-2026-40190
Ech0 has SSRF via DNS Resolution Bypass in Webhook URL Validation
The `validateWebhookURL` function in `webhook_setting_service.go` attempts to block webhooks targeting private/internal IP addresses, but only checks literal IP strings via `net.ParseIP()`. Hostnames that DNS-resolve to private IPs (e.g., `169.254.169.254.nip.io`, `10.0.0.1.nip.io`) bypa…
Ech0 Comment Panel Endpoints Missing RequireScopes Middleware — Scoped Access Token Bypass
All 9 comment panel admin endpoints (`/api/panel/comments/*`) are missing `RequireScopes()` middleware, while every other admin endpoint in the application enforces scope-based authorization on access tokens. An admin-issued access token scoped to minimal permissions (e.g., `echo:read` o…
PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands
The approval system in PraisonAI Agents caches tool approval decisions by tool name only, not by invocation arguments. Once a user approves `execute_command` for any command (e.g., `ls -la`), all subsequent `execute_command` calls in that execution context bypass the approval prompt enti…
PraisonAI Vulnerable to Sensitive Environment Variable Exposure via Untrusted MCP Subprocess Execution
CVE-2026-35477
CVE-2026-27315
Users are recommended to upgrade to version 4.0.20, which fixes this issue.
---
Description…
PraisonAI Vulnerable to Stored XSS via Unsanitized Agent Output in HTML Rendering (nh3 Not a Required Dependency)
The Flask API endpoint in `src/praisonai/api.py` renders agent output as HTML without effective sanitization. The `_sanitize_html` function relies on the `nh3` library, which is not listed as a required or optional dependency in `pyproject.toml`. When `nh3` is absent (the default install…
Vikunja has File Size Limit Bypass via Vikunja Import
The Vikunja file import endpoint uses the attacker-controlled `Size` field from the JSON metadata inside the import zip instead of the actual decompressed file content length for the file size enforcement check. By setting `Size` to 0 in the JSON while including large compressed file ent…
Vikunja has HTML Injection via Task Titles in Overdue Email Notifications
Task titles are embedded directly into Markdown link syntax in overdue email notifications without escaping Markdown special characters. When rendered by goldmark and sanitized by bluemonday (which allows `<a>` and `<img>` tags), injected Markdown constructs produce phishing links and tr…
CVE-2026-40112
Apache ActiveMQ, Apache ActiveMQ All, Apache ActiveMQ MQTT vulnerable to Integer Overflow or Wraparound
The fix for "CVE-2025-66168: MQTT control packet remaining length field is not properly validated" was only applied to 5.19.2 (and future 5.19.x) releases but was missed for all 6.0.0+ versio…
CVE-2026-35207
pyload-ng has a WebUI JSON permission mismatch that lets ADD/DELETE users invoke MODIFY-only actions
Several WebUI JSON endpoints enforce weaker permissions than the core API methods they invoke. This allows authenticated low-privileged users to execute `MODIFY` operations that should be denied by pyLoad's own permission model.
Confirmed mismatches:
– `ADD` user can reorder packages/fi…
CVE-2026-3691
Rembg has a Path Traversal via Custom Model Loading
A **path traversal vulnerability** in the rembg HTTP server allows unauthenticated remote attackers to read arbitrary files from the server's filesystem. By sending a crafted request with a malicious `model_path` parameter, an attacker can force the server to attempt loading any file as …
xrootd has path traversal in directory listing that allows access to the parent directory via trailing ".." pattern
A path traversal vulnerability in XRootD allows users to escape the exported directory scope and enumerate the contents of the parent directory by appending `/..` (specifically without trailing slash) to an exported path in `xrdfs ls` or `HTTP PROPFIND` requests.
This bypass ignores the…
PraisonAIAgents: Path Traversal via Unvalidated Glob Pattern in list_files Bypasses Workspace Boundary
The `list_files()` tool in `FileTools` validates the `directory` parameter against workspace boundaries via `_validate_path()`, but passes the `pattern` parameter directly to `Path.glob()` without any validation. Since Python's `Path.glob()` supports `..` path segments, an attacker can u…
PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS
The AgentOS deployment platform exposes a `GET /api/agents` endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defa…
Zod jsVideoUrlParser vulnerable to ReDoS in util.js
Duplicate Advisory: OpenClaw: Remote media error responses could trigger unbounded memory allocation before failure
This advisory has been withdrawn because it is a duplicate of GHSA-4qwc-c7g9-4xcw. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.22 contains an unbounded memory allocation vulnerability in remote media HTTP error hand…
Duplicate Advisory: OpenClaw: Feishu webhook reads and parses unauthenticated request bodies before signature validation
This advisory has been withdrawn because it is a duplicate of GHSA-3h52-cx59-c456. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.25 parses JSON request bodies before validating webhook signatures, allowing unauthentic…
Duplicate Advisory: OpenClaw is vulnerable to unauthenticated resource exhaustion through its voice call webhook handling
This advisory has been withdrawn because it is a duplicate of GHSA-rm59-992w-x2mv. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.22 contains an unauthenticated resource exhaustion vulnerability in voice call webhook h…
CVE-2026-5986
Apache Tomcat has an Improper Input Validation vulnerability
This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.
Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, …
CVE-2026-40087
CVE-2026-32990
This issue affects Apache Tomcat: from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from 9.0.113 through 9.0.115.
Users are recommended to upgrade to version 11.0.20, 10.1.53 or 9.0.116, …
fast-jwt: Stateful RegExp (/g or /y) causes non-deterministic allowed-claim validation (logical DoS)
Using certain modifiers on RegExp objects in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options in verify functions can cause certain unintended behaviours. This is because some modifiers are stateful and will cause failures in every second verification attempt re…
LangChain has incomplete f-string validation in prompt templates
First, some prompt template classes accepted f-string templates and formatted them without enforcing the same attribute-access validation as `PromptTemplate`. In particular, `DictPromptTemplate` and `ImagePromptTemplate…
opentelemetry-go: OTLP HTTP exporters read unbounded HTTP response bodies
This report shows that the OTLP HTTP exporters (traces/metrics/logs) read the full HTTP response body into an in-memory `bytes.Buffer` without a size cap.
This is exploitable for memory exhaustion when the configured collector endpoint is attacker-controlled (or a network attacker can mit…
LiquidJS: ownPropertyOnly bypass via sort_natural filter — prototype property information disclosure through sorting side-channel
The `sort_natural` filter bypasses the `ownPropertyOnly` security option, allowing template authors to extract values of prototype-inherited properties through a sorting side-channel attack. Applications relying on `ownPropertyOnly: true` as a security boundary (e.g., multi-tenant templ…
Hono missing validation of cookie name on write path in setCookie()
Cookie names are not validated on the write path when using `setCookie()`, `serialize()`, or `serializeSigned()` to generate Set-Cookie headers.
While certain cookie attributes such as domain and path are validated, the cookie name itself may contain invalid characters.
This results in…
Hono: Middleware bypass via repeated slashes in serveStatic
A path handling inconsistency in `serveStatic` allows protected static files to be accessed by using repeated slashes (`//`) in the request path.
When route-based middleware (e.g., `/admin/*`) is used for authorization, the router may not match paths containing repeated slashes, while s…
@hono/node-server: Middleware bypass via repeated slashes in serveStatic
A path handling inconsistency in `serveStatic` allows protected static files to be accessed by using repeated slashes (`//`) in the request path.
When route-based middleware (e.g., `/admin/*`) is used for authorization, the router may not match paths containing repeated slashes, while `…
JWCrypto: JWE ZIP decompression bomb
The fix for GHSA-j857-7rvv-vj97 in v1.5.6 is weak in that it does not allow full control over the amount of plaintext the receiver is willing to deal with and provides just a weak upper bound. The patch limits input token size to 250KB but does not validate the decompressed output size. A…
Emissary has a Path Traversal via Blacklist Bypass in Configuration API
The configuration API endpoint (`/api/configuration/{name}`) validated
configuration names using a blacklist approach that checked for `\`, `/`, `..`,
and trailing `.`. This could potentially be bypassed using URL-encoded variants,
double-encoding, or Unicode normalization to achieve pat…
pyload-ng: Incomplete Tar Path Traversal Fix in UnTar._safe_extractall via os.path.commonprefix Bypass
The `_safe_extractall()` function in `src/pyload/plugins/extractors/UnTar.py` uses `os.path.commonprefix()` for its path traversal check, which performs character-level string comparison rather than path-level comparison. This allows a specially crafted tar archive to write files outside…
OpenViking contains a missing authorization vulnerability in the task polling endpoints
CVE-2026-34899
Duplicate Advisory: OpenClaw: Gateway Canvas local-direct requests bypass Canvas HTTP and WebSocket authentication
This advisory has been withdrawn because it is a duplicate of GHSA-6mqc-jqh6-x8fc. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.23 contains an authentication bypass vulnerability in the Canvas gateway where authorize…
coursevault-preview has a path traversal due to improper base-directory boundary validation
`coursevault-preview` versions prior to `0.1.1` contain a path traversal vulnerability in the `resolveSafe` utility. The boundary check used `String.prototype.startsWith(baseDir)` on a normalized path, which does not enforce a directory boundary. An attacker who controls the `relativePat…
LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header
The `webapi` authentication layer trusts a client-controlled `X-lobe-chat-auth` header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protect…
OpenFGA's BatchCheck within-request deduplication produces incorrect authorization decisions via list-value cache-key collision
In OpenFGA, under specific conditions, BatchCheck calls with multiple checks sent for the same object, relation, and user combination can result in improper policy enforcement.
### Am I affected?
You are affected if you meet the following preconditions:
1. You execute **BatchCheck…
Nodemailer Vulnerable to SMTP Command Injection via CRLF in Transport name Option (EHLO/HELO)
Nodemailer versions up to and including 8.0.4 are vulnerable to SMTP command injection via CRLF sequences in the transport `name` configuration option. The `name` value is used directly in the EHLO/HELO SMTP command without any sanitization for carriage return and line feed characters (…
Ech0 has Stored XSS via SVG Upload and Content-Type Validation Bypass in File Upload
The file upload endpoint validates Content-Type using only the client-supplied multipart header, with no server-side content inspection or file extension validation. Combined with an unauthenticated static file server that determines Content-Type from file extension, this allows an admin…
Duplicate Advisory: OpenClaw: Synology Chat Webhook Pre-Auth Rate-Limit Bypass Enables Brute-Force Guessing of Webhook Token
This advisory has been withdrawn because it is a duplicate of GHSA-mf5g-6r6f-ghhm. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.25 contains a pre-authentication rate-limit bypass vulnerability in webhook token valida…
Duplicate Advisory: OpenClaw Bypasses DM Policy Separation via Synology Chat Webhook Path Collision
This advisory has been withdrawn because it is a duplicate of GHSA-rqp8-q22p-5j9q. This link is maintained to preserve external references.
### Original Description
OpenClaw before 2026.3.22 contains a webhook path route replacement vulnerability in the Synology Chat extension…
Hono: Non-breaking space prefix bypass in cookie name handling in getCookie()
A discrepancy between browser cookie parsing and `parse()` handling allows cookie prefix protections to be bypassed.
Cookie names that are treated as distinct by the browser may be normalized to the same key by `parse()`, allowing attacker-controlled cookies to override legitimate ones.…
Emissary has Stored XSS via Navigation Template Link Injection
Mustache navigation templates interpolated configuration-controlled link values
directly into `href` attributes without URL scheme validation. An administrator
who could modify the `navItems` configuration could inject `javascript:` URIs,
enabling stored cross-site scripting (XSS) agains…
rembg server is vulnerable to Server-Side Request Forgery (SSRF) and a weak default CORS configuration
The [GitHub Security Lab](https://securitylab.github.com) team has identified potential security vulnerabilities in [rembg](https://github.com/danielgatis/rembg).
We are committed to working with you to help…
DNN: Force Friend Request Acceptance
Ech0's Missing Authorization on System Logs Allows Non-Admin Information Disclosure
The system log endpoints (`GET /api/system/logs`, `GET /api/system/logs/stream`, `WS /ws/system/logs`) lack authorization checks, allowing any authenticated non-admin user to read and stream all server logs. These logs contain error stack traces, internal file paths, module names, and ar…
Vikunja: Scoped API tokens with projects.background permission can delete project backgrounds
Vikunja's scoped API token enforcement for custom project background routes is method-confused. A token with only `projects.background` can successfully delete a project background, while a token with only `projects.background_delete` is rejected.
This is a scoped-token authorization b…
Vikunja Missing Authorization on CalDAV Task Read
The CalDAV `GetResource` and `GetResourcesByList` methods fetch tasks by UID from the database without verifying that the authenticated user has access to the task's project. Any authenticated CalDAV user who knows (or guesses) a task UID can read the full task data from any project on t…
Vikunja has Broken Access Control on Label Read via SQL Operator Precedence Bug
The `hasAccessToLabel` function contains a SQL operator precedence bug that allows any authenticated user to read any label that has at least one task association, regardless of project access. Label titles, descriptions, colors, and creator information are exposed.
## Details
The acce…
CVE-2026-35642
Apache OpenMeetings has an Improper Handling of Insufficient Privileges vulnerability
This issue affects Apache OpenMeetings: fro…
CVE-2026-33005
Any registered user can query web service with their credentials and get files/sub-folders of any folder by ID (metadata only NOT contents). Metadata includes id, type, name and some other field. Full list of fields …
RustFS has an authorization bypass in multipart UploadPartCopy enables cross-bucket object exfiltration
This breaks ten…
Cosign's verify-blob-attestation reports false positive when payload parsing fails
`cosign verify-blob-attestation` may erroneously report a "Verified OK" result for attestations with malformed payloads or mismatched predicate types. For old-format bundles and detached signatures, this was due to a logic flaw in the error handling of the predicate type validation. …
Apache ActiveMQ: Improper validation and restriction of a classpath path name
In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authenticated u…
CVE-2026-33227
Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ All, Apache ActiveMQ Web, Apache ActiveMQ.
In two instances (when creating a Stomp consumer and also browsing messages in the Web console) an authentica…
fast-jwt has a ReDoS when using RegExp in allowed* leading to CPU exhaustion during token verification
### Affected Configurations
This vulnerability ONLY affects applications that:
– Use RegExp objects (not strings) in the allowedAud, allowedIss, allowedSub, allowedJti, or allowedNonce options
– Configure patterns susceptible to catastrophic backtracking
…
CVE-2026-35041
CVE-2026-39413
lightrag-hku: JWT Algorithm Confusion Vulnerability
The LightRAG API is vulnerable to a JWT algorithm confusion attack where an attacker can forge tokens by specifying 'alg': 'none' in the JWT header. Since the `jwt.decode()` call does not explicitly deny the 'none' algorithm, a crafted token without a signature will be accepted as valid, …
Vikunja has iCalendar Property Injection via CRLF in CalDAV Task Output
The CalDAV output generator builds iCalendar VTODO entries via raw string concatenation without applying RFC 5545 TEXT value escaping. User-controlled task titles containing CRLF characters break the iCalendar property boundary, allowing injection of arbitrary iCalendar properties such a…
parisneo/lollms has an insufficient session expiration vulnerability
kube-router: BGP Peer Passwords Exposed in Logs at Verbose Logging Level
When kube-router is configured with per-node BGP peer passwords using the `kube-router.io/peer.passwords` node annotation, and verbose logging is enabled (`--v=2` or higher), the raw Kubernetes node annotation map is logged verbatim — including the base64-encoded BGP MD5 passwords. Any…
next-intl has an open redirect vulnerability
Applications using the `next-intl` middleware with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middl…
Juju: In-Memory Token Store for Discharge Tokens Lacks Concurrency Safety and Persistence
The localLoginHandlers struct in the Juju API server maintains an in-memory map to store discharge tokens following successful local authentication. This map is accessed concurrently from multiple HTTP handler goroutines without any synchronization primitive protecting it. The absence o…
pypdf: Manipulated XMP metadata entity declarations can exhaust RAM
An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires parsing the XMP metadata.
### Patches
This has been fixed in [pypdf==6.10.0](https://github.com/py-pdf/pypdf/releases/tag/6.10.0).
### Workarounds
If you cannot upgrade yet, conside…
ajenti.plugin.core has race conditions in 2FA
If the 2FA was activated, it was possible during a short moment after the authentication of a user to bypass its authentication.
### Patches
This is fixed in the version 0.112. Users should upgrade to this version as soon as possible.
PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL queries
The `table_prefix` configuration value is directly used to construct SQL table identifiers without validation.
If an attacker controls this value, they can manipulate SQL query structure, leading to unauthorized data access (e.g., reading internal SQLite tables such as `sqlite_master`)…
justhtml includes multiple security fixes
`justhtml` `1.15.0` includes multiple security fixes affecting URL sanitization helpers, HTML serialization, Markdown passthrough, and several custom sanitization-policy edge cases.
These issues have different impact levels and do not all affect the default configuration in the same way…
Apache Log4j's JsonTemplateLayout produces invalid JSON output when log events contain non-finite floating-point values
Apache Log4j Core's XmlLayout fails to sanitize characters
@sveltejs/kit: Unvalidated redirect in handle hook causes Denial-of-Service
Helm Chart extraction output directory collapse via `Chart.yaml` name dot-segment
Wasmtime has improperly masked return value from `table.grow` with Winch compiler backend
Wasmtime's Winch compiler backend contains a bug where translating the `table.grow` operator causes the result to be incorrectly typed. For 32-bit tables this means that the result of the operator, internally in Winch, is tagged as a 64-bit value instead of a 32-bit value. This invalid i…
Gramps Web API: Private Sub-Object Data in Non-Private Objects Exposed to Guest Users
Users with the **Guest** role could receive private sub-object data (e.g. private alternate names, private addresses, private note/citation/media handles) through list API endpoints such as `GET /api/people/`, `GET /api/places/`, `GET /api/events/`, and all other object list endpoints.
…
Wasmtime has out-of-bounds write or crash when transcoding component model strings
Wasmtime's implementation of transcoding strings between components contains a bug where the return value of a guest component's `realloc` is not validated before the host attempts to write through the pointer. This enables a guest to cause the host to write arbitrary transcoded string b…
Wasmtime has host panic when Winch compiler executes `table.fill`
Wasmtime's Winch compiler contains a vulnerability where the compilation of the `table.fill` instruction can result in a host panic. This means that a valid guest can be compiled with Winch, on any architecture, and cause the host to panic. This represents a denial-of-service vulnerabili…
Wasmtime segfault or unused out-of-sandbox load with `f64x2.splat` operator on x86-64
Wasmtime has a possible panic when lifting `flags` component value
Wasmtime contains a possible panic which can happen when a `flags`-typed component model value is lifted with the `Val` type. If bits are set outside of the set of flags the component model specifies that these bits should be ignored but Wasmtime will panic when this value is lifted. Thi…
Wasmtime: Panic when transcoding misaligned utf-16 strings
Wasmtime's implementation of transcoding strings into the Component Model's `utf16` or `latin1+utf16` encodings improperly verified the alignment of reallocated strings. This meant that unaligned pointers could be passed to the host for transcoding which would trigger a host panic. This …
Wasmtime: Heap OOB read in component model UTF-16 to latin1+utf16 string transcoding
Wasmtime contains a vulnerability where when transcoding a UTF-16 string to the latin1+utf16 component-model encoding it would incorrectly validate the byte length of the input string when performing a bounds check. Specifically the number of code units were checked instead of the byte …
OpenClaw: Multiple Code Paths Missing Base64 Pre-Allocation Size Checks
Multiple Code Paths Missing Base64 Pre-Allocation Size Checks.
Several base64 decode paths could allocate before enforcing decoded-size limits.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant service b…
OpenClaw B-M3: ClawHub package downloads are not enforced with integrity verification
B-M3: ClawHub package downloads are not enforced with integrity verification.
ClawHub downloads could install plugin archives without enforcing archive or per-file integrity metadata.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and …
OpenClaw Host-Exec Environment Variable Injection
OpenClaw Host-Exec Environment Variable Injection.
Host exec could inherit environment variables that influence interpreters, shells, or build tools.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenant ser…
OpenClaw: Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable
Strict browser SSRF bypass in Playwright redirect handling leaves private targets reachable.
Strict browser SSRF checks could miss Playwright request-time navigation to private targets.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model an…
OpenClaw has Browser SSRF Policy Bypass via Interaction-Triggered Navigation
Browser SSRF Policy Bypass via Interaction-Triggered Navigation.
Browser interactions could trigger navigations that bypassed the normal SSRF navigation checks.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi…
OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval
OpenClaw `node.pair.approve` placed in `operator.write` scope instead of `operator.pairing` allows unprivileged pairing approval.
The pairing approval method accepted operator.write instead of the narrower pairing scope and admin requirement for exec-capable nodes.
OpenClaw is a user-co…
OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths
QQ Bot Extension: Missing SSRF Protection on All Media Fetch Paths.
QQ Bot media download paths were not consistently routed through the SSRF guard and allowlist policy.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assum…
OpenClaw: Existing WS sessions survive shared gateway token rotation
Existing WS sessions survive shared gateway token rotation.
Rotating the shared gateway token did not disconnect existing shared-token WebSocket sessions.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a multi-tenan…
OpenClaw: /allowlist omits owner-only enforcement for cross-channel allowlist writes
/allowlist omits owner-only enforcement for cross-channel allowlist writes.
An authorized non-owner sender could attempt allowlist writes against a different channel.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a…
OpenClaw: resolvedAuth closure becomes stale after config reload
resolvedAuth closure becomes stale after config reload.
After a config reload, newly accepted gateway connections could continue using stale resolved auth state.
OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a mult…
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard
OpenClaw `node.invoke(browser.proxy)` bypasses `browser.request` persistent profile-mutation guard.
node.invoke(browser.proxy) could mutate persistent browser profiles through a path that bypassed the browser.request guard.
OpenClaw is a user-controlled local assistant. This advisory is…
OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing
OpenClaw `device.token.rotate` mints tokens for unapproved roles, bypassing device role-upgrade pairing.
Device token rotation could mint or preserve roles/scopes that had not gone through the intended pairing approval.
OpenClaw is a user-controlled local assistant. This advisory is sco…
OpenClaw: Shared reply MEDIA – paths are treated as trusted and can trigger cross-channel local file exfiltration
Shared reply MEDIA: paths are treated as trusted and can trigger cross-channel local file exfiltration.
A crafted shared reply MEDIA reference could cause another channel to read a local file path as trusted generated media.
OpenClaw is a user-controlled local assistant. This advisory i…
OpenClaw: strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts
strictInlineEval explicit-approval boundary bypassed by approval-timeout fallback on gateway and node exec hosts.
The approval-timeout fallback could allow inline eval commands that strictInlineEval was meant to require explicit approval for.
OpenClaw is a user-controlled local assistan…
Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs
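```python
from cryptography.hazmat.primitives.hashes import Hash, SHA256

h = Hash(SHA256())
h.update(buf[::-1])  # non-contiguous buffer passed to update()
```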
would read past the end of the buffer on Python >3.11
quarkus-openapi-generator extension has Zip Slip Path Traversal in ApicurioCodegenWrapper class
A path traversal vulnerability was discovered in the quarkus-openapi-generator extension
### Details
The `unzip()` method in `ApicurioCodegenWrapper.java` extracts ZIP entries without validating that the resolved file path stays within the intended output directory. At line 101, the des…
pretix: API leaks check-in data between events of the same organizer
LiquidJS: `renderFile()` / `parseFile()` bypass configured `root` and allow arbitrary file read
The published npm package `liquidjs@10.25.0` on Linux 6.17.0 with Node v22.22.1. A `Liquid` instance configured with an empty temporary di…
Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses
`ipRestriction()` does not canonicalize IPv4-mapped IPv6 client addresses (e.g. `::ffff:127.0.0.1`) before applying IPv4 allow or deny rules. In environments such as Node.js dual-stack, this can cause IPv4 rules to fail to match, leading to unintended authorization behavior.
## Details
…
Hono: Path traversal in toSSG() allows writing files outside the output directory
A path traversal issue in `toSSG()` allows files to be written outside the configured output directory during static site generation. When using dynamic route parameters via `ssgParams`, specially crafted values can cause generated file paths to escape the intended output directory.
## …
openclaw-claude-bridge: sandbox is not effective – `--allowed-tools ""` does not restrict available tools
openclaw-claude-bridge v1.1.0
## Issue
v1.1.0 spawns the Claude Code CLI subprocess with `--allowed-tools ""` and the release notes + README claim this **"disables all CLI tools"** for sandboxing. This claim is incorrect.
Per the Claude Code CLI documentation, `--allowed-tools` (alia…
Parse Server's Endpoint `/sessions/me` bypasses `_Session` `protectedFields`
The `GET /sessions/me` endpoint returns `_Session` fields that the server operator explicitly configured as protected via the `protectedFields` server option. Any authenticated user can retrieve their own session's protected fields with a single request. The equivalent `GET /sessions` an…
skilleton has improper input handling in repository/path processing
`skilleton` versions prior to `0.3.1` include security-related weaknesses in repository normalization and path handling logic.
Version `0.3.1` contains fixes and additional test coverage for these issues.
## Affected Versions
`<0.3.1`
## Patched Versions
`>=0.3.1`
## Impact
In af…
Parse Server has a login timing side-channel reveals user existence
The login endpoint response time differs measurably depending on whether the submitted username or email exists in the database. When a user is not found, the server responds immediately. When a user exists but the password is wrong, a bcrypt comparison runs first, adding significant lat…
File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
The `resourceGetHandler` in `http/resource.go` returns full text file content without checking the `Perm.Download` permission flag. All three other content-serving endpoints (`/api/raw`, `/api/preview`, `/api/subtitle`) correctly verify this permission before serving content. A user with…
File Browser has an access rule bypass via HasPrefix without trailing separator in path matching
The `Matches()` function in `rules/rules.go` uses `strings.HasPrefix()` without a trailing directory separator when matching paths against access rules. A rule for `/uploads` also matches `/uploads_backup/`, granting or denying access to unintended directories. Verified against v2.62.2 (commit …
Apache Cassandra has sensitive Information Leak in cqlsh
Users are recommended to upgrade to version 4.0.20, which fixes this issue.
—
Description…
OpenClaw: Android accepted cleartext remote gateway endpoints and sent stored credentials over ws://
Before OpenClaw 2026.4.2, Android accepted non-loopback cleartext `ws://` gateway endpoints and would send stored gateway credentials over that connection. Discovery beacons or setup codes could therefore steer the client onto a cleartext remote endpoint.
## Impact
A user who followed …
OpenClaw: Shared-secret comparison call sites leaked length information through timing
Before OpenClaw 2026.4.2, several shared-secret comparison call sites still used early length-mismatch checks instead of the shared fixed-length comparison helper. Those paths could leak secret-length information through measurable timing differences.
## Impact
The affected paths expos…
OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders
Before OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.
## Impact
Cross-conversation or cross-sender collisions cou…
OpenClaw: Trailing-dot localhost CDP hosts could bypass remote loopback protections
Before OpenClaw 2026.4.2, remote CDP discovery could return a trailing-dot localhost host such as `localhost.` and bypass OpenClaw's loopback-host normalization. That let a non-loopback remote CDP profile pivot the follow-up connection back onto localhost.
## Impact
A hostile discovery…
OpenClaw: pnpm dlx approvals did not bind local script operands
Before OpenClaw 2026.4.2, `pnpm dlx` approval planning did not bind local script operands the same way as related `pnpm exec` flows. A local script approved through a `pnpm dlx` path could be replaced before execution without invalidating the approval.
## Impact
An operator could appro…
OpenClaw: Windows-compatible env override keys could bypass system.run approval binding
Before OpenClaw 2026.4.2, system-run approval binding normalized environment override keys differently from host execution. Windows-compatible keys could be omitted from the approval binding while still being injected at execution time.
## Impact
An approved command could run with atta…
OpenClaw: Gateway hello snapshots exposed host config and state paths to non-admin clients
Before OpenClaw 2026.4.2, the Gateway `connect` success snapshot exposed local `configPath` and `stateDir` metadata to non-admin clients. Low-privilege authenticated clients could learn host filesystem layout and deployment details that were not needed for their role.
## Impact
A non-a…
OpenClaw: Untrusted workspace channel shadows could execute during built-in channel setup
Before OpenClaw 2026.4.2, built-in channel setup and login could resolve an untrusted workspace channel shadow before the plugin was explicitly trusted. A malicious workspace plugin that claimed a bundled channel id could execute during channel setup even while still disabled.
## Impact…
OpenClaw: Read-scoped identity-bearing HTTP clients could kill sessions via /sessions/:sessionKey/kill
Before OpenClaw 2026.4.2, `POST /sessions/:sessionKey/kill` did not enforce write scopes in identity-bearing HTTP modes. A caller limited to read-only operator scopes could still terminate a running subagent session.
## Impact
A read-scoped caller could perform a write-class control-pl…
OpenClaw: iOS A2UI bridge trusted generic local-network pages for agent.request dispatch
Before OpenClaw 2026.4.2, the iOS A2UI bridge treated generic local-network pages as trusted bridge origins. A page loaded from a local-network or tailnet host could trigger `agent.request` dispatch without the stricter trusted-canvas origin check.
## Impact
A loaded attacker-controlled pa…
OpenClaw: QQ Bot structured payloads could read arbitrary local files
Before OpenClaw 2026.4.2, QQ Bot structured media payloads could read local files from attacker-chosen paths. A crafted structured payload could escape QQ Bot-owned media roots and cause arbitrary file reads on the host.
## Impact
Prompt-influenced structured payload output could exfil…
OpenClaw: OpenShell mirror mode could delete arbitrary remote directories when roots were mis-scoped
Before OpenClaw 2026.4.2, the OpenShell mirror backend accepted arbitrary absolute `remoteWorkspaceDir` and `remoteAgentWorkspaceDir` values. In mirror mode, those paths were then used as the target of remote cleanup and overwrite operations.
## Impact
If an attacker could influence th…
OpenClaw: Pairing pending-request caps were enforced per channel instead of per account
Before OpenClaw 2026.3.31, pending pairing-request caps were enforced per channel file instead of per account. On multi-account channel setups, requests from other accounts could fill the shared pending window and block new pairing challenges on an unaffected account.
## Impact
This is…
MLflow is vulnerable to Stored Cross-Site Scripting (XSS) caused by unsafe parsing of YAML-based MLmodel artifacts in its web interface
MLflow is vulnerable to an authorization bypass affecting the AJAX endpoint