## Summary
Saltcorn's mobile-sync routes (`POST /sync/load_changes` and `POST /sync/deletes`) interpolate user-controlled values directly into SQL template literals without parameterization, type-casting, or sanitization. Any authenticated user (role_id ≥ 80, the default "user" role) who has read …

## Summary

The `GET`, `POST`, and `DELETE` handlers under `/agents/:id/keys` in the Paperclip control-plane API only call `assertBoard(req)`, which verifies that the caller has a board-type session but does not verify that the caller has access to the company owning the target agent. A board user w…

<img width="7007" height="950" alt="01-setup" src="https://github.com/user-attachments/assets/1596b8d1-8de5-4c21-b1d2-2db41b568d7e" />

> Isolated paperclip instance running in authenticated mode (default config)
> on a clean Docker image matching commit b649bd4 (2026.411.0-canary.8, post
> the 2026…

### Summary
Due to unsafe serialization of stdio commands in the MCP adapter, an authenticated attacker can add an MCP stdio server with an arbitrary command, achieving command execution.

### Details
The vulnerability lies in a bug in the input sanitization from the “Custom MCP” configuration i…

### Summary
The OpenRemote IoT platform's rules engine contains two interrelated critical expression injection vulnerabilities that allow an attacker to execute arbitrary code on the server, ultimately achieving full server compromise.

– Unsandboxed Nashorn JavaScript Engine: JavaScript rules are e…

### Impact

String literal content passed to `cg.parse()` is injected verbatim into a `new Function()` body without sanitization. This allows an attacker to execute arbitrary system commands when user-controlled input reaches the parser. Any application exposing a math evaluation endpoint where user…

### Summary

The fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to `parse_mcp_command()`, allowing arbitrary executables like `bash`, `python`, or `/bin/sh` with inline code execution flags to pass through to subprocess execution.

### Affected Packa…

| Field | Value |
|——-|——-|
| **Affected Software** | Paperclip AI v2026.403.0 |
| **Affected Component** | Execution Workspace lifecycle (`workspace-runtime.ts`) |
| **Affected Endpoint** | `PATCH /api/execution-workspaces/:id` |
| **Deployment Modes** | All — `local_trusted` (zero auth),…

### Impact
_What kind of vulnerability is it? Who is impacted?_

**Two Command Injection vulnerabilities in electerm:**

1. **macOS Installer** (`electerm_CommandInjection_02`): A command injection vulnerability exists in `github.com/elcterm/electerm/npm/install.js:150`. The `runMac()` function appe…

`uefi-firmware` contains a heap out-of-bounds write vulnerability in the native tiano/EFI decompressor. in `uefi_firmware/compression/Tiano/Decompress.c`, `ReadCLen()` reads `Number = GetBits(Sd, CBIT)` with `CBIT = 9`, so `Number` can be as large as `511`, while the destination array `Sd->mCLen` ha…

`uefi-firmware` contains a stack out-of-bounds write vulnerability in the native tiano/EFI decompressor. in `uefi_firmware/compression/Tiano/Decompress.c`, `MakeTable()` does not validate that bit-length values read from the compressed bitstream are within the expected range (`0..16`). a crafted fir…

### Summary
Improper input validation in Microsoft QUIC allows an unauthorized attacker to elevate privileges over a network.

### Details
Improper Input Validation Integer Underflow (Wrap or Wraparound) when decoding ACK frame.

#### Patches
– Fix underflow in ACK frame parsing – 1e6e999b

### Imp…

Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands (npm, npx) accept argument flags that enable ex…

### Summary
goshs contains an SFTP authentication bypass when the documented empty-username basic-auth syntax is used. If the server is started with `-b ':pass'` together with `-sftp`, goshs accepts that configuration but does not install any SFTP password handler. As a result, an unauthenticated ne…

## Summary

The SCP middleware in `charm.land/wish/v2` is vulnerable to path traversal attacks. A malicious SCP client can read arbitrary files from the server, write arbitrary files to the server, and create directories outside the configured root directory by sending crafted filenames containing `…

### Summary
An unauthenticated debug endpoint in Dgraph Alpha exposes the full process command line, including the configured admin token from `–security "token=…"`.

This does not break token validation logic directly; instead, it discloses the credential and enables unauthorized admin-level acc…

## Summary

A path traversal vulnerability exists in [`excel-mcp-server`](https://github.com/haris-musa/excel-mcp-server) versions up to and including `0.1.7`. When running in SSE or Streamable-HTTP transport mode (the documented way to use this server remotely), an unauthenticated attacker on the n…

### Impact
A critical vulnerability was discovered in the SAML SSO implementation of Sentry. It was reported to us via our private bug bounty program.

The vulnerability allows an attacker to take over any user account by using a malicious SAML Identity Provider and another organization on the same …

### Summary

The `authenticated` middleware uses unanchored regular expressions to match public (no-auth) endpoint patterns against `ctx.request.url`. Since `ctx.request.url` in Koa includes the query string, an attacker can access any protected endpoint by appending a public endpoint path as a quer…

### Impact

`@fastify/middie` v9.3.1 and earlier incorrectly re-prefixes middleware paths when propagating them to child plugin scopes. When a child plugin is registered with a prefix that overlaps with a parent-scoped middleware path, the middleware path is modified during inheritance and silently …

## Summary

`createRouteMatcher` in `@clerk/nextjs`, `@clerk/nuxt`, and `@clerk/astro` can be bypassed by certain crafted requests, allowing them to skip middleware gating and reach downstream handlers.

Sessions are not compromised and no existing user can be impersonated – the bypass only affects …

### Impact

Hot Chocolate's `Utf8GraphQLParser` is a recursive descent parser with no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a `StackOverflowException` on payloads as small as **40 KB**.

Because `Sta…

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS).

If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyr…

### Impact
A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly neutralize specific syntax patterns that allow for the execution of …

### Impact
A security bypass vulnerability exists in the expression execution mechanisms of Thymeleaf up to and including 3.1.3.RELEASE. Although the library provides mechanisms to prevent expression injection, it fails to properly restrict the scope of accessible objects, allowing specific potentia…

### Impact

A configuration-dependent authentication bypass exists in OAuth2 Proxy.

Deployments are affected when all of the following are true:

* OAuth2 Proxy is configured with `–reverse-proxy`
* and at least one rule is defined with `–skip_auth_routes` or the legacy `–skip-auth-regex`

OAuth…

### Impact
A configuration-dependent authentication bypass exists in OAuth2 Proxy.

Deployments are affected when all of the following are true:

– OAuth2 Proxy is used with an `auth_request`-style integration (for example, nginx `auth_request`)
– `–ping-user-agent` is set or `–gcp-healthchecks`…

# Consensus Divergence in Transparent Sighash Hash-Type Handling

## Summary

After a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and …

# rk Identity Point Panic in Transaction Verification

## Summary

Orchard transactions contain a `rk` field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a "zero" value), however, the `orchard` crate which is used…

## Summary

Nhost automatically links an incoming OAuth identity to an existing Nhost account when the email addresses match. This is only safe when the email has been **verified by the OAuth provider**. Nhost's controller trusts a `profile.EmailVerified` boolean that is set by each provider adapter…

ZDI-CAN-29412: FlowiseAI Flowise Airtable_Agent Code Injection Remote Code Execution Vulnerability

— ABSTRACT ————————————-

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Flowise – Flowise

— VULNERABILITY DETAILS ——…

## Summary

Feishu webhook mode accepted missing `encryptKey` configuration as valid and blank card-action callback tokens as usable lifecycle tokens. Together, those fail-open paths could allow unauthenticated webhook or card-action traffic to reach command dispatch in affected deployments.

## Imp…

### Summary
protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code.

### Details
Attackers can inject arbitrary code in the "type" fields of protobuf definitions, which will then execute during object decoding using that de…

### Summary
The CSVAgent allows providing a custom Pandas CSV read code. Due to lack of sanitization, an attacker can provide the following payload: `DataFrame({'foo': ['bar!']});import os;os.system('whoami')` that will get interpolated and executed by the server.

### Details
The code in question t…

### Summary
The OIDC authentication provider unconditionally sets `SkipClientIDCheck: true` in the `go-oidc` verifier configuration, disabling the standard audience (`aud`) claim validation at the library level. This allows tokens issued for unrelated services by the same OIDC issuer to be accepted …

### Impact
A stored code execution vulnerability in the user name field allows a low-privileged attacker to execute arbitrary code in the context of any user who passively visits a comment page, resulting in high confidentiality and integrity impact across security boundaries.

### Patches
N/A

### …

### Summary
Paperclip contains a privilege escalation vulnerability that allows an attacker with an Agent API key to execute arbitrary OS commands on the Paperclip server host.
An attacker with an agent credential can escalate privileges from the agent runtime to the Paperclip server host.
The vulne…

### Impact
This security vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an application where users can evaluate arbitrary expressions using the mathjs expression parser.

### Patches
The issue was introduced in mathjs `v13.…

### Summary

The webroot HTTP-01 challenge provider in lego is vulnerable to arbitrary file write and deletion via path traversal. A malicious ACME server can supply a crafted challenge token containing `../` sequences, causing lego to write attacker-influenced content to any path writable by the le…

### Impact

The user patching API endpoint didn't properly limit the scope of edits.

### Patches
* https://github.com/WeblateOrg/weblate/pull/18687

### References
Thanks to @tikket1 and @DavidCarliez for reporting this via GitHub. We received two individual reports for this.

### Summary
pyLoad caches `role` and `permission` in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database.

As a result, an already logged-in user can keep old (revoked) privileges until logout/ses…

### Summary

`Executrix.getCommand()` constructs shell commands by substituting temporary file paths directly into a `/bin/sh -c` string with no escaping. The `IN_FILE_ENDING` and `OUT_FILE_ENDING` configuration keys flow into those paths unmodified. A place author who sets either key to a shell met…

Dag Authors, who normally should not be able to execute code in the webserver context could craft XCom payload causing the webserver to execute arbitrary code. Since Dag Authors are already highly trusted, severity of this issue is Low.

Users are recommended to upgrade to Apache Airflow 3.2.0, whi…

A vulnerability in the `TFSMLayer` class of the `keras` package, version 3.13.0, allows attacker-controlled TensorFlow SavedModels to be loaded during deserialization of `.keras` models, even when `safe_mode=True`. This bypasses the security guarantees of `safe_mode` and enables arbitrary attacker-c…

Deserialization of Untrusted Data vulnerability in Apache Storm.

Versions Affected:
before 2.8.6.

Description:
When processing topology credentials submitted via the Nimbus Thrift API, Storm deserializes the base64-encoded TGT blob using ObjectInputStream.readObject() without any class filtering …

The organiser search in the pretalx backend rendered submission titles, speaker display names, and user names/emails into the result dropdown using `innerHTML` string interpolation. Any user who controls one of those fields (which includes any registered user whose display name is looked up by an ad…

### Summary

A Paperclip-managed `codex_local` runtime was able to access and use a Gmail connector that I had connected in the ChatGPT/OpenAI apps UI, even though I had not explicitly connected Gmail inside Paperclip or separately inside Codex.

In my environment this enabled mailbox access and a r…

## Summary

A stored cross-site scripting (XSS) vulnerability exists in SEO-related fields (SEO Title and Meta Description) in ApostropheCMS.

Improper neutralization of user-controlled input in SEO-related fields allows injection of arbitrary JavaScript into HTML contexts, resulting in stored cross…

### Summary
A stored same-origin XSS vulnerability allows any authenticated user to upload an HTML, SVG, or XHTML file as a note asset and have it executed in a victim’s browser under the application’s origin. Because the application serves these files inline without a safe content type and with…

## Summary

A Server-Side Request Forgery (SSRF) vulnerability in Kyverno's CEL HTTP library (`pkg/cel/libs/http/`) allows users with namespace-scoped policy creation permissions to make arbitrary HTTP requests from the Kyverno admission controller. This enables unauthorized access to internal servi…

### Summary

A flaw in the Java agent injection path allows a local attacker controlling a Java workload to overwrite arbitrary host files when Java injection is enabled and OBI is running with elevated privileges. The injector trusted `TMPDIR` from the target process and used unsafe file creation s…

**1. Executive Summary**
This report documents a critical security research finding in the `compressing` npm package (specifically tested on the latest **v2.1.0**). The core vulnerability is a **Partial Fix Bypass** of **CVE-2026-24884**.

The current patch relies on a purely logical string validati…

Command injection in the connect function in NietThijmen ShoppingCart 0.0.2 allows an attacker to execute arbitrary shell commands and achieve remote code execution via injection of malicious payloads into the Port field

### Summary

The DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers constructed SQL WHERE clauses by interpolating dynamic partition key values into queries without escaping. A user with the `Add Dynamic Partitions` permission could create a partition key that injects arbitrary SQL, which would…

## Summary

Several API endpoints in `authenticated` mode have no authentication at all. They respond to completely unauthenticated requests with sensitive data or allow state-changing operations. No account, no session, no API key needed.

Verified against the latest version.

Discord: sagi03581

#…

## Description

### Summary

“AirtableAgent” is an agent function provided by FlowiseAI that retrieves search results by accessing private datasets from airtable.com. “AirtableAgent” uses Python, along with `Pyodide` and `Pandas`, to get and return results.

The user’s input is directly ap…

### Impact

A configuration-dependent authentication bypass exists in OAuth2 Proxy.

Deployments are affected when all of the following are true:

* Use of `skip_auth_routes` or the legacy `skip_auth_regex` * Use of patterns that can be widened by attacker-controlled suffixes, such as `^/foo/.*/b…

### Summary

The `auth.ldap` module constructs LDAP search filters and DN strings by directly interpolating user-supplied usernames via `strings.ReplaceAll()` without any LDAP filter escaping. An attacker who can reach the SMTP submission (AUTH PLAIN) or IMAP LOGIN interface can inject arbitrary LDA…

The fix for [CVE-2026-40315](https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x783-xp3g-mqhp) added input validation to `SQLiteConversationStore` only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass `tab…

### Summary

A vulnerability has been found in Dapr that allows bypassing access control policies for service invocation using reserved URL characters and path traversal sequences in method paths. The ACL normalized the method path independently from the dispatch layer, so the ACL evaluated one path…

An authenticated user with access to a kvv2 path through a policy containing a glob may be able to delete secrets they were not authorized to read or write, resulting in denial-of-service. This vulnerability did not allow a malicious user to delete secrets across namespaces, nor read any secret data…

### Summary

An improper mass assignment (JSON injection) vulnerability in the account registration endpoint of Flowise Cloud allows unauthenticated attackers to inject server-managed fields and nested objects during account creation. This enables client-controlled manipulation of ownership metadata…

## Summary

Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has no validation — it can point anywhere, including attacker-controlled servers. Since the admission controller SA has permissio…

### Impact

Server-side EL injection leading to Remote Code Execution (RCE). Affects applications that use `CDNResourceHandler` with a wildcard CDN mapping (e.g. `libraryName:*=https://cdn.example.com/*`). An attacker can craft a resource request
URL containing an EL expression in the resource name,…

### Impact
The project backup didn't filter Git and Mercurial configuration files and this could lead to remote code execution under certain circumstances.

### Patches
* https://github.com/WeblateOrg/weblate/pull/18549

### Workarounds
The project backup is only accessible to users who can create p…

The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value
from xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary
execution of code on the worker. Since the UI users are already highly tr…

Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which t…

kyverno’s apiCall servicecall helper implicitly injects `Authorization: Bearer …` using the kyverno controller serviceaccount token when a policy does not explicitly set an Authorization header. because `context.apiCall.service.url` is policy-controlled, this can send the kyverno serviceaccount …

### Summary

Flowise is vulnerable to a critical unauthenticated remote command execution (RCE) vulnerability. It can be exploited via a parameter override bypass using the `FILE-STORAGE::` keyword combined with a `NODE_OPTIONS` environment variable injection. This allows for the execution of arbitr…

### Summary
Kyverno's apiCall service mode automatically attaches the admission controller's ServiceAccount (SA) token to outbound HTTP requests. This results in unintended credential exposure when requests are sent to external or attacker-controlled endpoints.

The behavior is insecure-by-default a…

### Summary

CVE-2026-22039 fixed cross-namespace privilege escalation in Kyverno's `apiCall` context by validating the `URLPath` field. However, the **ConfigMap context loader has the identical vulnerability** — the `configMap.namespace` field accepts any namespace with zero validation, allowing …

### Impact

The ZIP download feature didn't verify downloaded file and it could follow symlinks outside the repository.

### Patches

* https://github.com/WeblateOrg/weblate/pull/18683

### References

Thanks to @DavidCarliez for reporting this vulnerability via GitHub.

In OpenStack Keystone before 28.0.1, the LDAP identity backend does not convert the user enabled attribute to a boolean when the user_enabled_invert configuration option is False (the default). The _ldap_res_to_model method in the UserApi class only performed string-to-boolean conversion when user_e…

### Summary

Kyverno's APICall feature contains a Server-Side Request Forgery (SSRF) vulnerability that allows users with Policy creation permissions to access arbitrary internal resources through Kyverno's high-privilege ServiceAccount. In multi-tenant Kubernetes environments, this constitutes a cl…

### Summary
A Server-Side Request Forgery (SSRF) vulnerability in Kyverno allows authenticated users to induce the admission controller to send arbitrary HTTP requests to attacker-controlled endpoints.

When a `ClusterPolicy` uses `apiCall.service.url` with variable substitution (e.g. `{{request.obj…

## Summary

wger exposes a global configuration edit endpoint at `/config/gym-config/edit` implemented by `GymConfigUpdateView`. The view declares `permission_required = 'config.change_gymconfig'` but does not enforce it because it inherits `WgerFormMixin` (ownership-only checks) instead of the proj…

### Summary
The Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 ch…

Vault is vulnerable to a denial-of-service condition where an unauthenticated attacker can repeatedly initiate or cancel root token generation or rekey operations, occupying the single in-progress operation slot. This prevents legitimate operators from completing these workflows. This vulnerability,…

If a Vault auth mount is configured to pass through the "Authorization" header, and the "Authorization" header is used to authenticate to Vault, Vault forwarded the Vault token to the auth plugin backend. Fixed in 2.0.0, 1.21.5, 1.20.10, and 1.19.16.

## Summary

Meridian v2.1.0 (`Meridian.Mapping` and `Meridian.Mediator`) shipped with nine defense-in-depth gaps reachable through its public APIs. Two are HIGH severity — the advertised `DefaultMaxCollectionItems` and `DefaultMaxDepth` safety caps are silently bypassed on the `IMapper.Map(source,…

### Summary
`basic-ftp@5.2.2` is vulnerable to denial of service through unbounded memory growth while processing directory listings from a remote FTP server. A malicious or compromised server can send an extremely large or never-ending listing response to `Client.list()`, causing the client process…

### Summary

The upload PATCH flow under `/files/:uploadId` validates the mounted request path using the still-encoded `req.path`, but the downstream tus handler later writes using the decoded `req.params.uploadId`. In deployments that use a supported custom `PSITRANSFER_UPLOAD_DIR` whose basename p…

**Summary**
endpoints.GetSessionCookie parses an attacker-supplied cookie chunk count and calls make([]string, count) with no upper bound before any token validation occurs. The function is reached on every request to an OAuth-protected proxy share, allowing an unauthenticated remote attacker to tri…

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.

This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.

Users are recommended to upgrade to version 10.4.0, which fixes the issue.

## Executive Summary:

Microsoft is releasing this security advisory to provide information about a vulnerability in System.Security.Cryptography.Xml. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in…

## Executive Summary:

Microsoft is releasing this security advisory to provide information about a vulnerability in System.Security.Cryptography.Xml. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in…

### Summary

Processing a malformed input containing a `<` character that is not followed by a `>` character anywhere in the remaining text with a SmartypantsRenderer will lead to Out of Bounds read or a panic.

### Details

The `smartLeftAngle()` function in `html/smartypants.go:367-376` performs a…

### Impact
The root level `commentable` field in the API allows access to all commentable resources within the platform, without any permission checks. All Decidim instances are impacted that have not secured the `/api` endpoint. The `/api` endpoint is publicly available with the default configurati…

### Impact
The vulnerability allows any registered and authenticated user to accept or reject any amendments. The impact is on any users who have created proposals where the amendments feature is enabled. This also elevates the user accepting the amendment as the author of the original proposal as p…

### Summary
An information disclosure vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface (SBI) to retrieve stored subscriber identifiers (SUPI/IMSI) with a single HTTP GET request requiring no parameters or credentials.

### Details
Th…

A heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image.

Magick frees the memory of the XML tree via the `DestroyXMLTree` function; however, this process is executed recursively with no depth limit imposed. When magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack.

### Impact

`@fastify/middie` v9.3.1 and earlier does not read the deprecated (but still functional) top-level `ignoreDuplicateSlashes` option, only reading from `routerOptions`. This creates a normalization gap: Fastify's router normalizes duplicate slashes but middie does not, allowing middleware …

### Description (as reported)

Jetty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks.

### Background

This vulnerability is a new variant discovered while researching the "Funky Chunks" HTTP request smuggling techniques:
-…

### Description (as reported)

A security vulnerability has been identified in Jetty's `JaspiAuthenticator.java`.

The root cause is a failure to consistently clear authentication metadata stored in `ThreadLocal` during certain error or incomplete authentication flows.
Specifically, after a `Gr…

### Summary
An arbitrary code execution vulnerability in the workspace runtime service allows any agent to execute shell commands on the server, exposing all environment variables including API keys, JWT secrets, and database credentials.

### Details
A malicious skill can instruct the agent to expl…

### Summary

A **Double Free / Use-After-Free (UAF)** vulnerability has been identified in the `IntoIter::drop` and `ThinVec::clear` implementations of the `thin_vec` crate.
Both vulnerabilities share the same root cause and can trigger memory corruption using only safe Rust code — no `unsafe` blo…

### Summary
A Server-Side Request Forgery (SSRF) vulnerability exists in FlowiseAI's POST/GET API Chain components that allows unauthenticated attackers to force the server to make arbitrary HTTP requests to internal and external systems. By injecting malicious prompt templates, attackers can bypass…

### Summary
The core security wrappers (secureAxiosRequest and secureFetch) intended to prevent Server-Side Request Forgery (SSRF) contain multiple logic flaws. These flaws allow attackers to bypass the allow/deny lists via DNS Rebinding (Time-of-Check Time-of-Use) or by exploiting the default confi…

### Summary
A Server-Side Request Forgery (SSRF) protection bypass vulnerability exists in the Custom Function feature. While the application implements SSRF protection via HTTP_DENY_LIST for axios and node-fetch libraries, the built-in Node.js `http`, `https`, and `net` modules are allowed in the N…

### Summary
In FlowiseAI, the Chatflow configuration file upload settings can be modified to allow the application/javascript MIME type. This lets an attacker upload .js files even though the frontend doesn’t normally allow JavaScript uploads. This enables attackers to persistently store malicious…

### Impact
This vulnerability impacts users of `zarf package inspect sbom` or `zarf package inspect documentation` on untrusted packages.

### Patches
#4793, now fixed in version v0.74.2

### Workarounds
Avoid inspecting unsigned packages

## Description

The `package inspect sbom` and `package insp…

Server-Side Request Forgery via SW-URL Header vulnerability in Apache SkyWalking MCP.

This issue affects Apache SkyWalking MCP: 0.1.0.

Users are recommended to upgrade to version 0.2.0, which fixes this issue.

# CVE-2026-40880: Cached Mempool Verification Bypasses Consensus Rules for Ahead-of-Tip Blocks

## Summary

A logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By carefully submitting a transaction that is valid for height `H+1` but inva…

## Summary

Webchat tool-result media normalization could pass local and UNC-style file paths into the host-side media embedding path without applying the configured local-root containment policy.

## Impact

A crafted tool-result media reference could cause the host to attempt local file reads or W…

## Summary

Matrix room control-command authorization used the effective allowlist for room traffic, which included sender IDs learned from the Matrix DM pairing store. A sender who was allowed only for a Matrix DM could therefore authorize room control commands when they also posted in a bot room.
…

## Summary

Gateway HTTP and WebSocket handlers captured the resolved bearer-auth configuration when the server started. After a SecretRef rotation, the already-running gateway could continue accepting the old bearer token until restart.

## Impact

A bearer token that should have been revoked by Se…

## Summary

QQBot media tags could read arbitrary local files through reply text.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

QQBot outbound media tags in AI reply text could reference host…

## Summary

busybox and toybox applet execution weakened exec approval binding.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `>= 2026.2.23 < 2026.4.12`
– Patched versions: `>= 2026.4.12`

## Impact

Opaque multi-call binaries such as `busybox` and `to…

## Summary

Matrix profile config persistence was reachable from operator.write message tools.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

Gateway `operator.write` message-tool paths could …

## Summary

Sandboxed agents could escape exec routing via host=node override.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `>= 2026.4.5 < 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

A sandboxed agent could request `host: "node"` and rou…

## Summary

Workspace provider auth choices could auto-enable untrusted provider plugins.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.9`
– Patched versions: `>= 2026.4.9`

## Impact

Non-interactive onboarding could select a provider auth c…

## Summary

Sandbox browser CDP relay could expose DevTools protocol on 0.0.0.0.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

The sandbox browser CDP relay could bind too broadly, exposing C…

## Summary

Channel setup catalog lookups could include untrusted workspace plugin shadows.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

Channel setup could resolve a workspace plugin shadow…

## Summary

Exec environment denylist missed high-risk interpreter startup variables.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

The exec environment policy missed interpreter startup vari…

## Summary

Voice-call realtime WebSocket accepted oversized frames.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `>= 2026.4.9 < 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

The voice-call realtime WebSocket path could accept oversized fr…

## Summary

config.get redaction bypass through sourceConfig and runtimeConfig aliases.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.14`
– Patched versions: `>= 2026.4.14`

## Impact

An authenticated gateway client with config read access c…

### Summary

The text-to-speech generation endpoint (`POST /api/v1/text-to-speech/generate`) is whitelisted (no auth) and accepts a `credentialId` directly in the request body. When called without a `chatflowId`, the endpoint uses the provided `credentialId` to decrypt the stored credential (e.g., O…

### Summary

The `GET /api/v1/public-chatflows/:id` endpoint returns the full chatflow object **without sanitization** for public chatflows. Docker validation revealed this is worse than initially assessed: the `sanitizeFlowDataForPublicEndpoint` function does NOT exist in the released v3.0.13 Docke…

### Summary
A Mass Assignment vulnerability in the DocumentStore creation endpoint allows authenticated users to control the primary key (id) and internal state fields of DocumentStore entities.

Because the service uses repository.save() with a client-supplied primary key, the POST create endpoint …

Allocation of resources without limits or throttling vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpg on all (pg modules). This issue affects BC-JAVA before 1.84.

Unbounded PGP AEAD chunk size leads to pre-auth resource exhaustion.

PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attack…

### Summary
An authorization bypass in the OAuth provider allows any authenticated low-privilege user to create OAuth clients even when the deployment configures clientPrivileges to restrict client creation. The option contract explicitly includes a create action, but the create paths never invoke t…

### Impact

A [Server-Side Request Forgery (SSRF)](https://developer.mozilla.org/en-US/docs/Web/Security/Attacks/SSRF) vulnerability exists in `@angular/platform-server` due to improper handling of URLs during Server-Side Rendering (SSR).

When an attacker sends a request such as `GET /\evil.com/ HT…

ZDI-CAN-28762: Flowise AccountService resetPassword Authentication Bypass Vulnerability

— ABSTRACT ————————————-

Trend Micro's Zero Day Initiative has identified a vulnerability affecting the following products:
Flowise – Flowise

— VULNERABILITY DETAILS —————–…

## Summary

The GraphCypherQAChain node forwards user-provided input directly into the Cypher query execution pipeline without proper sanitization. An attacker can inject arbitrary Cypher commands that are executed on the underlying Neo4j database, enabling data exfiltration, modification, or deleti…

**Summary:**
The password reset functionality on [cloud.flowiseai.com](http://cloud.flowiseai.com/) sends a reset password link over the unsecured HTTP protocol instead of HTTPS. This behavior introduces the risk of a man-in-the-middle (MITM) attack, where an attacker on the same network as the user…

### Summary
Flowise contains an authentication bypass vulnerability that allows an unauthenticated attacker to obtain OAuth 2.0 access tokens associated with a public chatflow.

By accessing a public chatflow configuration endpoint, an attacker can retrieve internal workflow data, including OAuth cr…

### Summary

`/api/v1/public-chatbotConfig/:id `ep exposes sensitive data including API keys, HTTP authorization headers and internal configuration without any authentication. An attacker with knowledge just of a chatflow UUID can retrieve credentials stored in password type fields and HTTP headers,…

### Summary

The `readRequestBody()` function in `src/transports/http/server.ts` concatenates HTTP request body chunks into a string with no size limit, allowing a remote unauthenticated attacker to crash the server via memory exhaustion with a single large HTTP POST request.

### Details

**File:**…

The SPDY/3 frame parser in spdystream does not validate
attacker-controlled counts and lengths before allocating memory. A
remote peer that can send SPDY frames to a service using spdystream can
cause the process to allocate gigabytes of memory with a small number of
malformed control frames, leadin…

### Summary
`fio_json_parse` can enter an infinite loop when it encounters a nested JSON value starting with `i` or `I`. The process spins in user space and pegs one CPU core at ~100% instead of returning a parse error. Because `iodine` vendors the same parser code, the issue also affects `iodine` w…

### Impact

_What kind of vulnerability is it? Who is impacted?_

An authentication bypass vulnerability in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path
allows any user who knows a valid access key to write arbitrary objects to any bucket without knowing
the secret key or providing a valid…

# Code Generation Literal Injection in Kiota

## Summary

Kiota versions **prior to 1.31.1** are affected by a code-generation literal injection vulnerability in multiple writer sinks (for example: serialization/deserialization keys, path/query parameter mappings, URL template metadata, enum/propert…

### Summary
The `trustedCertPool()` function in the TLS configuration only parses the first PEM block from CA certificate files. When a CA bundle contains multiple certificates (e.g., intermediate + root CA), only the first certificate is loaded. This silently breaks certificate chain validation for…

### Summary
A race condition between session heartbeat processing and session closure can cause the server to panic with `send on closed channel`. The `heartbeat()` method uses a blocking channel send while holding a mutex, and under specific timing with concurrent `close()` calls, this can lead to …

### Summary
When OIDC authentication fails, the full bearer token is logged at DEBUG level in plaintext. If debug logging is enabled in production, JWT tokens are exposed in application logs and any connected log aggregation system.

### Impact
An attacker with access to application logs (e.g., via …

### Summary
goshs leaks file-based ACL credentials through its public collaborator feed when the server is deployed without global basic auth. Requests to `.goshs`-protected folders are logged before authorization is enforced, and the collaborator websocket broadcasts raw request headers, including …

### Summary
goshs contains an SFTP root escape caused by prefix-based path validation. An authenticated SFTP user can read from and write to filesystem paths outside the configured SFTP root, which breaks the intended jail boundary and can expose or modify unrelated server files.

### Details
The SF…

### Summary
An improper path validation vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface (SBI) to create or overwrite Traffic Influence Subscriptions by supplying an arbitrary value in place of the expected `subs-to-notify` path segme…

### Summary
An improper path validation vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface (SBI) to read Traffic Influence Subscriptions by supplying an arbitrary value in place of the expected `subs-to-notify` path segment.

### Detail…

### Summary
An improper path validation vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface (SBI) to delete Traffic Influence Subscriptions by supplying an arbitrary value in place of the expected `subs-to-notify` path segment.

### Deta…

## Summary

A soundness vulnerability in the SP1 V6 recursive shard verifier allows a malicious prover to construct a recursive proof from a shard proof that the native verifier would reject.

– **Affected versions:** `>= 6.0.0, <= 6.0.2`
– **Not affected:** SP1 V5 (all versions)
– **Severity:** Hig…

### Impact

_What kind of vulnerability is it? Who is impacted?_

Two authentication bypass vulnerabilities in MinIO's `STREAMING-UNSIGNED-PAYLOAD-TRAILER` code path
allow any user who knows a valid access key to write arbitrary objects to any bucket without knowing
the secret key or providing a val…

### Summary

The public Stripe webhook endpoint fully reads the request body into memory before validating the Stripe signature. A remote unauthenticated attacker can send oversized POST bodies and cause substantial memory growth, leading to denial of service.

### Details

When Stripe webhooks are …

### Impact
Pillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation).
…

## Summary

The v2 template engine in `runtime/template/v2/template.go` imports Sprig’s `TxtFuncMap()` and removes `env` and `expandenv`, but leaves `getHostByName` available to user-controlled templates. Because ESO executes templates inside the controller process, an attacker who can create or …

The patch for GHSA-7h7q-j33q-hvpf was incomplete and still allows a stack buffer overflow for the multi frame images.

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization.alias` is placed in…

### Impact
The translation memory API exposed unintended endpoints, which in turn didn't do proper access control.

### Patches
* https://github.com/WeblateOrg/weblate/pull/18516

### Workarounds
The CDN add-on is not enabled by default.

### References
Thanks to @spbavarva for reporting this respon…

### Impact

An authorization bypass exists in OAuth2 Proxy as part of the `email_domain` enforcement option. An attacker may be able to authenticate with an email claim such as `attacker@evil.com@company.com` and satisfy an allowed domain check for `company.com`, even though the claim is not a valid…

### Impact
When redirect following is enabled (followRedirect(true)), AsyncHttpClient forwards Authorization and Proxy-Authorization headers along with Realm credentials to arbitrary redirect targets regardless of domain, scheme, or port changes. This leaks credentials on cross-domain redirects and …

### Summary

A STARTTLS Response Injection vulnerability in MailKit allows a Man-in-the-Middle attacker to inject arbitrary protocol responses across the plaintext-to-TLS trust boundary, enabling SASL authentication mechanism downgrade (e.g., forcing PLAIN instead of SCRAM-SHA-256). The internal rea…

### Summary
The Amazon EFS CSI Driver is a Container Storage Interface driver that allows Kubernetes clusters to use Amazon Elastic File System. An issue exists where, under certain circumstances, unsanitized values in the volumeHandle and mounttargetip fields are passed directly to the mount comman…

## Summary

`HTMLHeaderTextSplitter.split_text_from_url()` validated the initial URL using `validate_safe_url()` but then performed the fetch with `requests.get()` with redirects enabled (the default). Because redirect targets were not revalidated, a URL pointing to an attacker-controlled server cou…

### Summary
Paperclip contains an arbitrary file read vulnerability that allows an attacker with an Agent API key to read files from the Paperclip server host filesystem.
The vulnerability occurs because agents are allowed to modify their own adapterConfig through the /agents/:id API endpoint.
The c…

The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidently logged to logs, those values could be seen in the logs. Azur…

### Summary
frp contains an authentication bypass in the HTTP vhost routing path when `routeByHTTPUser` is used as part of access control. In proxy-style requests, the routing logic uses the username from `Proxy-Authorization` to select the `routeByHTTPUser` backend, while the access control check u…

### Summary
The gdown library (tested on v5.2.1) is vulnerable to a Path Traversal attack within its extractall functionality. When extracting a maliciously crafted ZIP or TAR archive, the library fails to sanitize or validate the filenames of the archive members. This allow files to be written outs…

An off by one error in de MSL decoder could result in a crash when a malicous msl file is read.

A crafted image could result in an out of bounds heap write when writing a yaml or json output and that could result in a crash.

An unauthenticated attacker can send arbitrary HTML-rendered emails from a pretalx instance's configured sender address by embedding malformed HTML or markdown link syntax in a user-controlled template placeholder such as the account display name. The most direct vector is the password-reset flow: t…

Versions of the package github.com/yuin/goldmark/renderer/html before 1.7.17 are vulnerable to Cross-site Scripting (XSS) due to improper ordering of URL validation and normalization. The renderer validates link destinations using a prefix-based check (IsDangerousURL) before resolving HTML entities.…

**Summary**
The proxyUi template engine uses Go's text/template (which performs no HTML escaping) instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when time.P…

## Summary

Commit 49d0bb7 introduced a regression in sanitize-html that bypasses `allowedTags` enforcement for text inside `nonTextTagsArray` elements (`textarea` and `option`). Entity-encoded HTML inside these elements passes through the sanitizer as decoded, unescaped HTML, allowing injection of …

### Impact
When SpiceDB starts with log level `info`, the startup `"configuration"` log will include the full datastore DSN, including the plaintext password, inside `DatastoreConfig.URI`.

### Patches
v1.51.1

### Workarounds
Change the log level to `warn` or `error`.

### Summary

> [!IMPORTANT]
> There is no plan to fix this issue as `OpenTelemetry.Exporter.Jaeger` was deprecated in 2023. It is for informational purposes only.

`OpenTelemetry.Exporter.Jaeger` may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observ…

### Impact

`@fastify/static` v9.1.0 and earlier decodes percent-encoded path separators (`%2F`) before filesystem resolution, but Fastify's router treats them as literal characters. This creates a routing mismatch: route guards on `/admin/*` do not match `/admin%2Fsecret.html`, but @fastify/static …

### Summary

A path traversal vulnerability in `LocalFolderExtractor` allows an attacker to write arbitrary files with attacker-controlled content into sibling directories when a crafted RAR archive is extracted.

### Example

Given an extraction directory set to `/tmp/extract`, a crafted archive wi…

## Summary

The token exchange path accepts RFC7636-invalid `code_verifier` values (including one-character strings) for `S256` PKCE flows.
Because short/weak verifiers are accepted and failed verifier attempts do not consume the authorization code, an attacker who intercepts an authorization code…

### Summary
A broken access control vulnerability allows unauthenticated users to retrieve note assets directly from the asset download endpoint when they know both the note UUID and asset UUID. This exposes the full contents of private note assets without authentication, even when the associated bo…

In viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write that can result in a crash.

### Impact

Up to 1.0.0 of `home-assitant-cli` (or `hass-cli` for short) an unrestricted environment was used to handle Jninja2 templates instead of a sandboxed one. The user-supplied input within Jinja2 templates was rendered locally with no restrictions. This gave users access to Python's internal…

**Detection Method:** Kolega.dev Deep Code Scan

| Attribute | Value |
|—|—|
| Location | packages/server/src/enterprise/utils/tempTokenUtils.ts:31-34 |
| Practical Exploitability | Medium |
| Developer Approver | faizan@kolega.ai |

### Description
The encryption key for token encryption has a …

**Detection Method:** Kolega.dev Deep Code Scan

| Attribute | Value |
|—|—|
| Location | packages/server/src/enterprise/middleware/passport/index.ts:55 |
| Practical Exploitability | High |
| Developer Approver | faizan@kolega.ai |

### Description
Express session secret has a weak default valu…

**Detection Method:** Kolega.dev Deep Code Scan

| Attribute | Value |
|—|—|
| Severity | Critical |
| Location | packages/server/src/enterprise/middleware/passport/index.ts:29-34 |
| Practical Exploitability | High |
| Developer Approver | faizan@kolega.ai |

### Description
JWT secrets have we…

An heap use after free when reading an invalid XMP profile could result in a crash due to an heap use after free when printing the values.

Heap out-of-bounds write in the JP2 encoder with when a user specifies an invalid sampling index.

The JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats.

The -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that could lead to an out of bounds read.

A stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression.

### Authorization bypass via certificate bag manipulation in sigstore/timestamp-authority verifier

An authorization bypass vulnerability exists in sigstore/timestamp-authority verifier (timestamp-authority/v2/pkg/verification): `VerifyTimestampResponse` function correctly verifies the certificate c…

## Summary

`MarkdownBody`, the shared component used to render every Markdown surface in the Paperclip UI (issue documents, issue comments, chat threads, approvals, agent details, export previews, etc.), passes `urlTransform={(url) => url}` to `react-markdown`. That override replaces `react-markdow…

### Summary

There is no CSRF protection on the cache feature on most integrations clients.

### Details
In `authlib.integrations.starlette_client.OAuth`, no CSRF protection is set up when using the cache parameter. When _not_ using the cache parameter, the use of SessionMiddleware ties the client t…

### Impact
The `serviceAccounts` and `notServiceAccounts` fields in AuthorizationPolicy incorrectly interpret dots (`.`) as a regular expression matcher. Because `.` is a valid character in a service account name, an `AuthorizationPolicy` ALLOW rule targeting SA e.g. `cert-manager.io` also matches `…

## Summary

The `@apostrophecms/color-field` module bypasses color validation for values prefixed with `–` (intended for CSS custom properties), but performs no HTML sanitization on these values. When styles containing attacker-controlled color values are rendered into `<style>` tags — both in th…

A flaw was found in KubeVirt's Role-Based Access Control (RBAC) evaluation logic. The authorization mechanism improperly truncates subresource names, leading to incorrect permission evaluations. This allows authenticated users with specific custom roles to gain unauthorized access to subresources, p…

Stored Cross-Site Scripting (XSS) via Unsanitized Topology Metadata in Apache Storm UI

Versions Affected: before 2.8.6

Description: The Storm UI visualization component interpolates topology metadata including component IDs, stream names, and grouping values directly into HTML via innerHTML in p…

Vault’s PKI engine’s ACME validation did not reject local targets when issuing http-01 and tls-alpn-01 challenges. This may lead to these requests being sent to local network targets, potentially leading to information disclosure. Fixed in Vault Community Edition 2.0.0 and Vault Enterprise 2.0.0…

### Impact

`@fastify/static` v9.1.0 and earlier serves directory listings outside the configured static root when the `list` option is enabled. A request such as `/public/../outside/` causes `dirList.path()` to resolve a directory outside the root via `path.join()` without a containment check.

A r…

### Summary
I have discovered a critical Missing Authentication vulnerability on the /api/v1/loginmethod endpoint. The API allows unauthenticated users (guests) to retrieve the full SSO configuration of any organization by simply providing an organizationId. The response includes sensitive OAuth cre…

Summary
The unaccess handler (controller/unaccess.go) contains a logical error in its ownership guard: when a frontend record has environment_id = NULL (the marker for admin-created global frontends), the condition short-circuits to false and allows the deletion to proceed without any ownership veri…

## Summary

The `choices` and `counts` query parameters in the Apostrophe CMS REST API allow unauthenticated users to extract distinct field values for any schema field that has a registered query builder, completely bypassing `publicApiProjection` restrictions that are intended to limit which field…

## Summary

The LangSmith SDK's output redaction controls (hideOutputs in JS, hide_outputs in Python) do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a new_token event containing the raw token value. These events bypass the redaction pipel…

The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}

Thanks to Prasanth Sundararajan for reporting this vulnerability.

### Summary

A denial of service vulnerability exists when parsing crafted `multipart/form-data` requests with large preamble or epilogue sections.

### Details

Two inefficient multipart parsing paths could be abused with attacker-controlled input.

Before the first multipart boundary, the parser h…

When `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds.

### Impact
An unauthenticated p2p peer can cause the `RequestMacroChain` message handler task to panic by sending a `RequestMacroChain` message where the first locator hash that is on the victim’s main chain is a micro block hash (not a macro block hash).

In `RequestMacroChain::handle`, the hand…

An integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write.

“`
==1551685==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xea2fb818 at pc 0x56cbc42a bp 0xffc4ce48 sp 0xffc4ce38
WRITE of size 8 at 0xea2fb818 thr…

### Impact

When a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhost or link local ips. This can result in sensitive data being distributed to Envoy proxies via xDS co…

### Impact
Weblate repository-boundary validation relies on string prefix checks on resolved absolute paths. In multiple code paths, the check uses startswith against the repository root path. This is not path-segment aware and can be bypassed when the external path shares the same string prefix as …

### Impact
A user with the `project.edit` permission (granted by the per-project "Administration" role) can configure machine translation service URLs pointing to arbitrary internal network addresses. During configuration validation, Weblate makes an HTTP request to the attacker-controlled URL and r…

### Impact
The ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects.

### Patches
* https://github.com/WeblateOrg/weblate/pull/18550

### References
This issue was reported by @spbavarva via GitHub.

### Summary

The `InboxHandlingService` logs the full content of every incoming inbox message at INFO level (`logger.info("Received message: {}", message)`). Inbox messages are wrappers around outbox message data, which can contain highly sensitive information such as personal data (PII), citizen id…

## Summary

The `set_session_cookie_secure` `before_request` handler in `src/pyload/webui/app/__init__.py` reads the `X-Forwarded-Proto` header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the **global** Flask configuration `SESSION_COOKIE_S…

### Impact
In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication.

Only mitmproxy instances using the `proxyauth` option with LDAP are affected. This option …

### Impact
`go-git` may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations.

If a remote repository responds to the initial `/info/refs` request with a redirect to a different host, go-git updates the session endpoint to the redirected location…

### Summary
The `CipherEngine` in Mojic v2.1.3 uses a standard equality operator (`!==`) to verify the HMAC-SHA256 integrity seal during the decryption phase. This creates an Observable Timing Discrepancy (CWE-208), allowing a potential attacker to bypass the file integrity check via a timing attack…

## Summary

The approval-resolution endpoints (`POST /approvals/:id/approve`, `/reject`, `/request-revision`) accept a client-supplied `decidedByUserId` field in the request body and write it verbatim into the authoritative `approvals.decidedByUserId` column — without cross-checking it against the…

### Impact
The translation memory API exposed unintended endpoints, which in turn didn't do proper access control.

### Patches
* https://github.com/WeblateOrg/weblate/pull/18513

### Workarounds
Blocking access to `/api/memory/` in the HTTP server removes access to this feature.

### References
Thi…

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Apache PDFBox Examples.

This issue affects the
ExtractEmbeddedFiles example in Apache PDFBox: from 2.0.24 through 2.0.36, from 3.0.0 through 3.0.7.

Users are recommended to update to version 2.0.37 or…

### Impact
The webhook add-on did not utilize existing SSRF protection.

### Patches
* https://github.com/WeblateOrg/weblate/pull/18815

### Workarounds
Disabling the add-on would avoid misusing this.

### References
Thanks to @Lihfdgjr for reporting this via GitHub.

A vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of retu…

# CVE-2026-40881: addr/addrv2 Deserialization Resource Exhaustion

## Summary

When deserializing `addr` or `addrv2` messages, which contain vectors of addresses, Zebra would fully deserialize them up to a maximum length (over 233,000) that was derived from the 2 MiB message size limit. This is much…

## Summary

The QMD backend `memory_get` read path accepted arbitrary workspace Markdown paths that were inside the workspace but outside the canonical memory locations or indexed QMD result set.

## Impact

When the QMD backend was enabled, a caller with access to `memory_get` could read arbitrary …

### Impact

A path traversal vulnerability was discovered in YARD <= 0.9.41 when using yard server to serve documentation. This bug would allow unsanitized HTTP requests to access arbitrary files on the machine of a yard server host under certain conditions.

The original patch in [GHSA-xfhh-rx56-rx…

On Windows, Claude Code loaded system-wide default configuration from `C:\ProgramData\ClaudeCode\managed-settings.json` without validating directory ownership or access permissions. Because the `ProgramData` directory is writable by non-administrative users by default and the `ClaudeCode` subdirecto…

## Summary

CDP /json/version WebSocket URL could pivot to untrusted second-hop targets.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.5`
– Patched versions: `>= 2026.4.5`

## Impact

A browser profile could trust a CDP `/json/version` respon…

## Summary

OpenClaw's outbound host-media attachment read helper could enable host-local file reads based on global or agent-level read access without also honoring sender and group-scoped tool policy. In channel deployments that used `toolsBySender` or group policy to deny `read` for less-trusted …

## Summary

Browser press/type interaction routes missed complete navigation guard coverage.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

Some browser press/type style interactions could tri…

## Summary

Browser interaction routes could pivot into local CDP and regain file reads.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.9`
– Patched versions: `>= 2026.4.9`

## Impact

Browser act/evaluate interactions could trigger navigation…

## Summary

Existing-session browser interaction routes bypassed SSRF policy enforcement.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

Existing-session browser interaction routes could conti…

## Summary

Browser tabs action select and close routes bypassed SSRF policy.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

The browser `/tabs/action` select and close branches could operate …

## Summary

Nostr profile mutation routes allowed operator.write config persistence.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

Nostr plugin HTTP profile routes could persist profile confi…

## Summary

screen_record outPath bypassed workspace-only filesystem guard.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

The node-host screen recording tool could honor an `outPath` outside …

## Summary

Browser SSRF policy default allowed private-network navigation.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.14`
– Patched versions: `>= 2026.4.14`

## Impact

Browser SSRF protection could allow private-network navigation by def…

## Summary

Browser SSRF hostname validation could be bypassed by DNS rebinding.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

Browser navigation policy could validate a hostname/IP resolutio…

## Summary

QQBot reply media URL handling could trigger SSRF and re-upload fetched bytes.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.12`
– Patched versions: `>= 2026.4.12`

## Impact

QQBot reply media URLs could be treated as trusted med…

## Summary

Workspace .env could inject OpenClaw runtime-control variables.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.9`
– Patched versions: `>= 2026.4.9`

## Impact

A malicious workspace `.env` file could set OpenClaw runtime-control va…

## Summary

Discord event cover images bypassed sandbox media normalization.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `>= 2026.4.7 < 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

Discord event cover image parameters could bypass the sa…

## Summary

Empty approver lists could grant explicit approval authorization.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.12`
– Patched versions: `>= 2026.4.12`

## Impact

For helper-backed channels, an empty resolved approver list could b…

## Summary

Agent hook events could enqueue trusted system events from unsanitized external input.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

Agent hook dispatch could turn externally supp…

## Summary

Shell-wrapper detection missed env-argv assignment injection forms.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `>= 2026.2.22 < 2026.4.12`
– Patched versions: `>= 2026.4.12`

## Impact

Exec preflight handling missed shell-wrapper and arg…

## Summary

Memory dreaming config persistence was reachable from operator.write commands.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `>= 2026.4.5 < 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

A write-scoped gateway path could toggle p…

## Summary

Heartbeat owner downgrade missed local async exec completion events.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `>= 2026.3.31 < 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

Local background exec completion text could be miss…

## Summary

Heartbeat owner downgrade missed untrusted webhook wake events.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `>= 2026.4.7 < 2026.4.14`
– Patched versions: `>= 2026.4.14`

## Impact

Heartbeat owner downgrade logic could skip webhook wake e…

## Summary

Browser snapshot and screenshot routes could expose internal page content after navigation.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.14`
– Patched versions: `>= 2026.4.14`

## Impact

Authenticated browser tool callers could …

## Summary

Collect-mode queue batches could reuse the last sender authorization context.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `< 2026.4.14`
– Patched versions: `>= 2026.4.14`

## Impact

Collect-mode queued messages from different senders cou…

## Summary

Sandbox noVNC helper route exposed interactive browser session credentials.

## Affected Packages / Versions

– Package: `openclaw`
– Ecosystem: npm
– Affected versions: `>= 2026.2.21 < 2026.4.10`
– Patched versions: `>= 2026.4.10`

## Impact

The sandbox noVNC helper route could be reac…

Improper neutralization of special elements used in an LDAP query ('LDAP injection') vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcprov on all (prov modules). This vulnerability is associated with program files LDAPStoreHelper.

This issue affects BC-JAVA: from 1.74 before 1.84.

### Summary
Saltcorn validates the post-login `dest` parameter with a string check that only blocks `:/` and `//`. Because all WHATWG-compliant browsers normalise backslashes (`\`) to forward slashes (`/`) for special schemes, a payload such as `/\evil.com/path` slips through `is_relative_url()`, is…

### Impact
An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing an image using `/FlateDecode` with large size values.

### Patches
This has been fixed in [pypdf==6.10.2](https://github.com/py-pdf/pypdf/releases/tag/6.10.2).

### Work…

### Impact
An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires loading a PDF with a large trailer `/Size` value in incremental mode.

### Patches
This has been fixed in [pypdf==6.10.2](https://github.com/py-pdf/pypdf/releases/tag/6.10.2).

### Workarou…

### Impact
An attacker who uses this vulnerability can craft a PDF which leads to the RAM being exhausted. This requires accessing a stream compressed using `/FlateDecode` with a `/Predictor` unequal 1 and large predictor parameters.

### Patches
This has been fixed in [pypdf==6.10.2](https://github…

### Summary

The attacker provides an intranet address through the base url field configured in the Execute Flow node
→ Bypass checkDenyList / resolveAndValidate in httpSecurity.ts (not called)
→ Causes the server to initiate an HTTP request to any internal network address, read cloud metadata,…

### Summary

Flowise introduced SSRF protections through a centralized HTTP security wrapper (`httpSecurity.ts`) that implements deny-list validation and IP pinning logic.

However, multiple tool implementations directly import and invoke raw HTTP clients (`node-fetch`, `axios`Instead of using the s…

## Summary

The Faiss and SimpleStore (LlamaIndex) vector store implementations accept a `basePath` parameter from user-controlled input and pass it directly to filesystem write operations without any sanitization. An authenticated attacker can exploit this to write vector store data to arbitrary lo…

### Summary

`TemplateLookup.get_template()` is vulnerable to path traversal when a URI starts with `//` (e.g., `//../../../secret.txt`). The root cause is an inconsistency between two slash-stripping implementations:

– `Template.__init__` strips **one** leading `/` using `if`/slice
– `TemplateLook…

### Details

A buffer overflow vulnerability exists in `Zlib::GzipReader`.

The `zstream_buffer_ungets` function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can…

JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors.
Users are advised to upgrade to Airflow version that contains fix.

Users are recommended to upgrade to version 3.2.0, which fixes this issue.

# Stored XSS via Unescaped License Attribution Fields

## Summary

The `AbstractLicenseModel.attribution_link` property in `wger/utils/models.py` constructs HTML strings by directly interpolating user-controlled fields (`license_author`, `license_title`, `license_object_url`, `license_author_url`, `…

### Summary

The plugin security validator in PySpector uses AST-based static analysis to prevent dangerous code from being loaded as plugins. The blocklist implemented in `PluginSecurity.validate_plugin_code` is incomplete and can be bypassed using several Python constructs that are not checked. An…

### Impact

An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong large `/N` values.

### Patches

This has been fixed in [pypdf==6.10.1](https://github.com/py-pdf/pypdf…

### Affected Components
– DSF FHIR Server with enabled [bearer-token authentication](https://dsf.dev/operations/v2.1.0/fhir/oidc.html) or [back-channel logout](https://dsf.dev/operations/v2.1.0/fhir/oidc.html).
– DSF BPE Server with enabled [bearer-token authentication](https://dsf.dev/operations/v2…

### Affected Components
DSF FHIR Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/fhir/oidc.html).
DSF BPE Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/bpe/oidc.html).

### Summary
OIDC-authenticated sessions had no configured maximum inactiv…

: Use of a Broken or Risky Cryptographic Algorithm vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA bcpkix on all (pkix modules).

PKIX draft CompositeVerifier accepts empty signature sequence as valid.

This issue affects BC-JAVA: from 1.49 before 1.84.

## Summary

The `ConformityCheck` class in `giskard-checks` rendered the `rule` parameter through Jinja2's default `Template()` constructor. Because the `rule` string is silently interpreted as a Jinja2 template, a developer may not realize that template expressions embedded in rule definitions are…

### Summary

The incomplete fix for SiYuan's bazaar README rendering enables the Lute HTML sanitizer but fails to block `<iframe>` tags, allowing stored XSS via `srcdoc` attributes containing embedded scripts that execute in the Electron context.

### Affected Package

– **Ecosystem:** Go
– **Packag…

### Impact
REST API endpoints like `/xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties` list all available pages as part of the metadata for database list properties, which can exhaust available resources on large wikis.

### Pat…

### Impact
A reflected cross-site scripting vulnerability (XSS) in the compare view between revisions of a page allows executing JavaScript code in the user's browser. If the current user is an admin, this can not only affect the current user but also the confidentiality, integrity and availability …

## Summary

A command injection vulnerability exists in Podman's HyperV machine backend. The VM image path is inserted into a PowerShell double-quoted string without sanitization, allowing `$()` subexpression injection.

## Affected Code

**File**: `pkg/machine/hyperv/stubber.go:647`

“`go
resize :…

### Summary
goshs contains a cross-site request forgery issue in its state-changing HTTP GET routes. An external attacker can cause an already authenticated browser to trigger destructive actions such as `?delete` and `?mkdir` because goshs relies on HTTP basic auth alone and performs no CSRF, `Orig…

### Summary
A fail-open request handling flaw in the UDR service causes the `/nudr-dr/v2/policy-data/subs-to-notify/{subsId}` PUT handler to continue processing requests even after request body retrieval or deserialization errors.

This may allow unintended modification of existing Policy Data notif…

### Impact

Stored cross-site scripting (XSS) via crafted metric names in the Prometheus web UI:

* **Old React UI + New Mantine UI:** When a user hovers over a chart tooltip on the Graph page, metric names containing HTML/JavaScript are injected into `innerHTML` without escaping, causing arbitrary …

Before Airflow 3.2.0, it was unclear that secure Airflow deployments require the Deployment Manager to take appropriate actions and pay attention to security details and security model of Airflow. Some assumptions the Deployment Manager could make were not clear or explicit enough, even though Airfl…