This notification is related to the CloudFront signing utilities in the AWS SDK for .NET, which are used to generate Amazon CloudFront signed URLs and signed cookies. A defense-in-depth enhancement has been implemented to improve handling of special characters, such as double quotes and backslashes, in input values.
act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions disabled in October 2020 (CVE-2020-15228, GHSA-mfwh-5m23-j46w) due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject these commands to set arbitrary environment variables or modify the PATH for all subsequent steps in the job. This makes act strictly less secure than GitHub Actions for the same workflow file.
act's built-in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it — including someone anywhere on the internet — to create caches with arbitrary keys and retrieve all existing caches. If one can predict which cache keys will be used by local actions, one can create malicious caches containing whatever files one pleases, most likely allowing arbitrary remote code execution within the Docker …
A broken access control vulnerability in Fleet's host transfer API allows a team maintainer to transfer hosts from any team into their own team, bypassing team isolation boundaries. Once transferred, the attacker gains full control over the stolen hosts, including the ability to execute scripts with root privileges.
The @mobilenext/mobile-mcp server contains a Path Traversal vulnerability in the mobile_save_screenshot and mobile_start_screen_recording tools. The saveTo and output parameters were passed directly to filesystem operations without validation, allowing an attacker to write files outside the intended workspace.
Two independently-exploitable authorization flaws in Vikunja can be chained to allow an unauthenticated attacker to download and delete every file attachment across all projects in a Vikunja instance. The ReadAll endpoint for link shares exposes share hashes (including admin-level shares) to any user with read access, enabling permission escalation. The task attachment ReadOne/GetTaskAttachment endpoint performs permission checks against a user-supplied task ID but fetches the attachment by its own sequential …
A control panel user with access to Antlers-enabled fields could access sensitive application configuration values by inserting config variables into their content.
The markdown preview endpoint could be manipulated to return augmented data from arbitrary fieldtypes. With the users fieldtype specifically, an authenticated control panel user could retrieve sensitive user data including email addresses, encrypted passkey data, and encrypted two-factor authentication codes.
An authenticated Control Panel user with access to live preview could use a live preview token to access restricted content that the token was not intended for.
The user:reset_password_form tag could render user-input directly into HTML without escaping, allowing an attacker to craft a URL that executes arbitrary JavaScript in the victim's browser.
The external URL detection used for redirect validation on unauthenticated endpoints could be bypassed, allowing users to be redirected to external URLs after actions like form submissions and authentication flows.
Authenticated Control Panel users could view entry revisions for any collection with revisions enabled, regardless of whether they had the required collection permissions. This bypasses the authorization checks that the main entry controllers enforce, exposing entry field values and blueprint data. Users could also create entry revisions without edit permission, though this only snapshots the existing content state and does not affect published content.
A pathname parsing discrepancy in srvx's FastURL allows middleware bypass on the Node.js adapter when a raw HTTP request uses an absolute URI with a non-standard scheme (e.g. file://).
In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: Splunk Distribution of OpenTelemetry Java is attached as a Java agent (-javaagent) An …
In OpenFGA, under specific conditions, models using conditions with caching enabled can result in two different check requests producing the same cache key. This can result in OpenFGA reusing an earlier cached result for a different request.
Trusted-proxy Control UI sessions without device identity could retain self-declared privileged scopes on the device-less allow path.
Allow-always exec approvals did not unwrap /usr/bin/time, so an unregistered time wrapper could bypass executable binding and reuse approval state for the inner command.
Mutating internal ACP chat commands missed the operator.admin gate that should separate read-only and mutating control-plane actions.
ACP permission resolution trusted conflicting tool identity hints from rawInput and metadata, which could suppress dangerous-tool prompting.
Windows local-media handling accepted remote-host file URLs and UNC-style paths before local-path validation, so network-hosted file targets could be treated as local content.
Tlon settings reconciliation treated explicit empty allowlists as unset, which could silently undo an intended deny-all revocation.
Tlon cite expansion happened before channel and DM authorization completed, allowing cite work and content handling before the final auth decision.
Synology Chat reply delivery could rebind to a mutable username match instead of the stable numeric user_id recorded by the webhook event.
The patch for CVE-2026-32013 introduced symlink resolution and workspace boundary enforcement for agents.files.get and agents.files.set. However, two other handlers in the same file (agents.create and agents.update) still use raw fs.appendFile on the IDENTITY.md file without any symlink containment check. An attacker who can place a symlink in the agent workspace can hijack the IDENTITY.md path to append attacker-controlled content to arbitrary files on the system.
Remote media HTTP error bodies were read without a hard size cap before failure handling, allowing unbounded allocation on error responses.
Before v2026.3.23, the Plivo V2 verification path treated query-only variants of the same signed request as fresh verified work. Plivo V2 signatures authenticate baseUrl + nonce, but the replay key was derived from the full verification URL including the query string, so unsigned query-only changes minted a new verifiedRequestKey.
Nostr inbound DM handling could perform crypto and dispatch work before sender and pairing policy enforcement, enabling unauthorized pre-auth computation.
Nextcloud Talk room authorization matched on collidable room names instead of the stable room token, allowing policy confusion across similarly named rooms.
Mattermost interactive callback dispatch could run action handlers before normal sender authorization checks completed.
The image tool did not fully honor the tools.fs.workspaceOnly filesystem boundary. In affected releases, image-path resolution could still traverse sandbox bridge mounts outside the workspace and read files from mounted directories that the other file tools would reject.
Google Chat app-url webhook verification accepted add-on principals outside the intended deployment binding.
Before v2026.3.23, Canvas and A2UI loopback requests could bypass Canvas bearer-or-capability authentication because authorizeCanvasRequest(…) treated isLocalDirectRequest(…) as an unconditional allow path.
Before v2026.3.23, the Gateway agent RPC accepted /reset and /new for callers with only operator.write, even though the direct sessions.reset RPC correctly requires operator.admin.
When gateway.trustedProxies was configured, spoofed loopback hops in forwarding headers could be accepted as the client origin and weaken downstream auth and rate-limit decisions.
Bonjour and DNS-SD TXT metadata could still steer CLI routing even when actual service resolution failed, allowing unresolved hints to influence the chosen target.
Android Canvas WebView pages from untrusted origins could invoke the JavascriptInterface bridge and inject instructions into the app.
Queued node actions were not revalidated against current command policy when later delivered, so stale allowlists or declarations could survive policy tightening.
Leaf subagents could still use the send action to message controlled child sessions even when their controlScope was narrower than children.
Voice Call webhook handling buffered request bodies before provider signature checks, enabling bounded unauthenticated resource exhaustion.
OpenClaw through 2026.3.23 (fixed in commit 4797bbc) contains a path traversal vulnerability in media parsing that allows attackers to read arbitrary files by bypassing path validation in the isLikelyLocalPath() and isValidMedia() functions. Attackers can exploit incomplete validation and the allowBareFilename bypass to reference files outside the intended application sandbox, resulting in disclosure of sensitive information including system files, environment files, and SSH keys.
Gateway host exec env override handling did not consistently apply the shared host environment policy, so blocked or malformed override keys could slip through inconsistent sanitization paths.
device.pair.approve allowed an operator.pairing approver to approve a pending device request for broader operator scopes than the approver actually held.
Read-scoped gateway snapshots could expose credentials embedded in channel baseUrl and related endpoint fields.
Synology Chat multi-account configuration could collapse onto a shared webhook path, replacing route ownership and bypassing per-account DM policy separation.
OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callback_mode set to direct. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log in to the session of the attacker. Despite being based on the authorization code flow, the direct mode calls back directly to the API and allows an attacker …
OpenBao installations that have an OIDC/JWT authentication method enabled and a role with callback_mode=direct configured are vulnerable to XSS via the error_description parameter on the page for a failed authentication. This allows an attacker access to the token used in the Web UI by a victim.
When a custom envelope object is passed to sendMail() with a size property containing CRLF characters (\r\n), the value is concatenated directly into the SMTP MAIL FROM command without sanitization. This allows injection of arbitrary SMTP commands, including RCPT TO — silently adding attacker-controlled recipients to outgoing emails.
Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks.
A remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of CONTINUATION frames. The server's lack of a limit on the number of CONTINUATION frames, combined with a bypass of existing size-based mitigations using zero-byte frames, allows a user to cause excessive CPU consumption with minimal bandwidth, rendering the server unresponsive.
An authenticated user with permission to create or modify workflows could exploit a prototype pollution vulnerability in the GSuiteAdmin node. By supplying a crafted parameter as part of node configuration, an attacker could write attacker-controlled values onto Object.prototype. An attacker could use this prototype pollution to achieve remote code execution on the n8n instance.
An authenticated user with permission to create or modify workflows could craft a workflow that produces an HTML binary data object without a filename. The /rest/binary-data endpoint served such responses inline on the n8n origin without Content-Disposition or Content-Security-Policy headers, allowing the HTML to render in the browser with full same-origin JavaScript access. By sending the resulting URL to a higher-privileged user, an attacker could execute JavaScript in the victim's …
A flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow. Exploitation requires a specific workflow configuration: The LDAP node …
An authenticated user with permission to create or modify workflows could exploit a SQL injection vulnerability in the Data Table Get node. On the default SQLite database, only single statements can be manipulated, so the attack surface is practically limited. On PostgreSQL deployments, multi-statement execution is possible, enabling data modification and deletion.
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to restrict team-level access when processing membership sync from a remote cluster, which allows a malicious remote cluster to grant a user access to an entire private team instead of only the shared channel via sending crafted membership sync messages that trigger team membership assignment. Mattermost Advisory ID: MMSA-2026-00574
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate decompressed archive entry sizes during file extraction which allows authenticated users with file upload permissions to cause a denial of service via crafted zip archives containing highly compressed entries (zip bombs) that exhaust server memory. Mattermost Advisory ID: MMSA-2026-00598.
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to set permissions on downloaded bulk export which allows other local users on the server to be able to read contents of the bulk export. Mattermost Advisory ID: MMSA-2026-00593.
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to validate Advanced Logging file target paths which allows system administrators to read arbitrary host files via malicious AdvancedLoggingJSON configuration in support packet generation. Mattermost Advisory ID: MMSA-2025-00562.
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to apply view restrictions when retrieving group member IDs, which allows authenticated guest users to enumerate user IDs outside their allowed visibility scope via the group retrieval endpoint. Mattermost Advisory ID: MMSA-2026-00594.
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to sanitize user-controlled post content in the mmctl commands terminal output which allows attackers to manipulate administrator terminals via crafted messages containing ANSI and OSC escape sequences that enable screen manipulation, fake prompts, and clipboard hijacking. Mattermost Advisory ID: MMSA-2026-00599.
Loofah::HTML5::Scrub.allowed_uri? does not correctly reject javascript: URIs when the scheme is split by HTML entity-encoded control characters such as carriage return, line feed, or tab.
A vulnerability has been identified that allows an authenticated administrator to execute arbitrary code on the host server. By modifying the binary path settings for built-in network tools and bypassing an input filter, an attacker with administrative privileges can download and execute malicious payloads.
During ML-DSA verification the serialized hint values are decoded as specified in algorithm 22 HintBitUnpack of FIPS 204, subsection 7.1. The algorithm requires that the cumulative hint counters per row of the hint vector are strictly increasing and below a maximum value which depends on the choice of ML-DSA parameter set (line 4). In libcrux-ml-dsa, hint decoding did not check the boundedness of the cumulative hint counter of the last …
The incremental squeeze functions in the portable SHAKE XOF API, when attempting to squeeze more than RATE (168 for SHAKE128, 136 for SHAKE256) bytes, performed an additional permutation of the state before producing the first output block, thus discarding the first block of RATE bytes of valid XOF output.
An incorrect constant for the key length in libcrux-poly1305 caused the standalone MAC function libcrux_poly1305::mac to always panic with an out-of-bounds memory access.
The ML-DSA verification algorithm as specified in FIPS 204, subsection 6.3 requires verifiers to check that the infinity norm of the deserialized signer response $z$ does not exceed $\gamma_1 - \beta$ (line 13 of Algorithm 8). The same check is required to be performed during signature generation. libcrux-ml-dsa did not perform this check correctly during signature verification, accepting signatures with signer response norm above the allowed maximum value. The check …
The libcrux-ed25519 key generation samples Ed25519 secret keys from a provided CSPRNG in a loop for up to 100 attempts until a non-zero key is found. If a non-zero key could not be sampled within 100 attempts, the key generation function would silently continue with an all-zero buffer as the secret key.
The Agentic Assistant feature in Langflow executes LLM-generated Python code during its validation phase. Although this phase appears intended to validate generated component code, the implementation reaches dynamic execution sinks and instantiates the generated class server-side. In deployments where an attacker can access the Agentic Assistant feature and influence the model output, this can result in arbitrary server-side Python execution.
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the uma_protection role check. This allows any authenticated user with a token issued for a resource server client, even without the uma_protection role, to enumerate all permission tickets in the system. This vulnerability partially leads to information disclosure.
A flaw was found in Keycloak. An administrator with manage-clients permission can exploit a misconfiguration where this permission is equivalent to manage-permissions. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the client_session_host parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
ImageMagick contains a memory leak in the META reader when processing the APP1JPEG input path.
The ASHLAR coder leaks a temporary image when an action fails, which could result in an out-of-memory condition.
Due to an incorrect return value on certain platforms, a pointer is incremented past the end of a buffer on the stack, which could result in an out-of-bounds write.
==48558==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016b9b7490 at pc 0x0001046d48ac bp 0x00016b9b31d0 sp 0x00016b9b31c8
WRITE of size 1 at 0x00016b9b7490 thread T0
Due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds write. ================================================================= ==48558==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016b9b7490 at pc 0x0001046d48ac bp 0x00016b9b31d0 sp 0x00016b9b31c8 WRITE of size 1 at 0x00016b9b7490 thread T0
Due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds write. ================================================================= ==48558==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016b9b7490 at pc 0x0001046d48ac bp 0x00016b9b31d0 sp 0x00016b9b31c8 WRITE of size 1 at 0x00016b9b7490 thread T0
Due to an incorrect return value on certain platforms a pointer is incremented past the end of a buffer that is on the stack and that could result in an out of bounds write. ================================================================= ==48558==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x00016b9b7490 at pc 0x0001046d48ac bp 0x00016b9b31d0 sp 0x00016b9b31c8 WRITE of size 1 at 0x00016b9b7490 thread T0
An out-of-bounds write of a zero byte exists in the X11 display interaction path that could lead to a crash.
Harbor writes the configuration payload to the audit log when the configuration changes; the ldap_search_password and oidc_client_secret values are logged in the audit log without redaction.
A code injection vulnerability in ECMAScriptModuleCompiler allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside export { } declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization.
resolvePartial() in the Handlebars runtime resolves partial names via a plain property lookup on options.partials without guarding against prototype-chain traversal. When Object.prototype has been polluted with a string value whose key matches a partial reference in a template, the polluted string is used as the partial body and rendered without HTML escaping, resulting in reflected or stored XSS.
A vulnerability has been discovered in Grafana OSS where an authorization bypass in the provisioning contact points API allows users with Editor role to modify protected webhook URLs without the required alert.notifications.receivers.protected:write permission. A patched version is available at https://github.com/grafana/grafana/releases/tag/v12.3.6.
RSASSA PKCS#1 v1.5 signature verification accepts forged signatures for low public exponent keys (e=3). Attackers can forge signatures by stuffing "garbage" bytes within the ASN structure in order to construct a signature that passes verification, enabling Bleichenbacher-style forgery. This issue is similar to CVE-2022-24771, but adds bytes in an additional field within the ASN structure, rather than outside of it. Additionally, forge does not validate that signatures include a …
Ed25519 signature verification accepts forged non-canonical signatures where the scalar S is not reduced modulo the group order (S >= L). A valid signature and its S + L variant both verify in forge, while Node.js crypto.verify (OpenSSL-backed) rejects the S + L variant, as defined by the specification. This class of signature malleability has been exploited in practice to bypass authentication and authorization logic (see CVE-2026-25793, CVE-2022-35961). Applications relying …
A Denial of Service (DoS) vulnerability exists in the node-forge library due to an infinite loop in the BigInteger.modInverse() function (inherited from the bundled jsbn library). When modInverse() is called with a zero value as input, the internal Extended Euclidean Algorithm enters an unreachable exit condition, causing the process to hang indefinitely and consume 100% CPU. Affected Package Package name: node-forge (npm: node-forge) Repository: https://github.com/digitalbazaar/forge Affected versions: All versions (including …
pki.verifyCertificateChain() does not enforce RFC 5280 basicConstraints requirements when an intermediate certificate lacks both the basicConstraints and keyUsage extensions. This allows any leaf certificate (without these extensions) to act as a CA and sign other certificates, which node-forge will accept as valid.
Ella Core panics when processing a specially crafted NGAP LocationReport message.
Ella Core panics when processing Authentication Response and Authentication Failure NAS message missing IEs.
The NetworkManager role was granted backup and restore permission. The restore endpoint accepted any valid SQLite file without verifying its contents.
A deadlock in the AMF's SCTP notification handler causes the entire AMF control plane to hang until the process is restarted.
In versions of dd-trace-java prior to 1.60.3, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. On JDK version 16 and earlier, an attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: dd-trace-java is attached as a …
An authenticated low-privileged user can call assets/preview-file for an asset they are not authorized to view and still receive preview response data (previewHtml) for that private asset. The returned preview HTML included a private preview image route containing the target private assetId, even though canView was false for the attacker account.
A prototype pollution vulnerability exists in the latest version of the convict npm package (6.2.4). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input started with a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype.
Two unguarded prototype pollution paths exist, not covered by previous fixes: (1) config.load() / config.loadFile() — overlay() recursively merges config data without checking for forbidden keys. Input containing __proto__ or constructor.prototype (e.g. from a JSON file) causes the recursion to reach Object.prototype and write attacker-controlled values onto it. (2) Schema initialization — passing a schema with constructor.prototype.* keys to convict({…}) causes default-value propagation to write directly to Object.prototype at startup. Depending on …
An attacker with control over the host (which is assumed in the attacker model of Contrast) can execute malicious AML code to gain arbitrary code execution within the confidential guest. AML is byte code embedded in ACPI tables that are passed from the host (QEMU) to the guest firmware (OVMF), and then passed from OVMF to the Linux kernel. The Linux kernel has an interpreter that executes the AML code. …
Ingress Network Policies are not enforced for traffic from pods to L7 Services (Envoy, GAMMA) with a local backend on the same node, when Per-Endpoint Routing is enabled and BPF Host Routing is disabled. Per-Endpoint Routing is disabled by default, but is automatically enabled in deployments using cloud IPAM, including Cilium ENI on EKS (eni.enabled), AlibabaCloud ENI (alibabacloud.enabled), Azure IPAM (azure.enabled, but not AKS BYOCNI), and some GKE deployments (gke.enabled; …
Pin vulnerable version of pyasn; see https://github.com/advisories/GHSA-jr27-m4p2-rc6r
When using a custom BuildKit frontend, the frontend can craft an API message that causes files to be written outside of the BuildKit state directory for the execution context.
Insufficient validation of Git URL fragment subdir components (<url>#<ref>:<subdir>, docs) may allow access to files outside the checked-out Git repository root. Possible access is limited to files on the same mounted filesystem.
A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. The loop in question: https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184. test() is one of https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113. The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of …
The docker.system_packages field in bentofile.yaml accepts arbitrary strings that are interpolated directly into Dockerfile RUN commands without sanitization. Since system_packages is semantically a list of OS package names (data), users do not expect values to be interpreted as shell commands. A malicious bentofile.yaml achieves arbitrary command execution during bentoml containerize / docker build.
The objects/playlistsVideos.json.php endpoint returns the full video contents of any playlist by ID without any authentication or authorization check. Private playlists (including watch_later and favorite types) are correctly hidden from listing endpoints via playlistsFromUser.json.php, but their contents are directly accessible through this endpoint by providing the sequential integer playlists_id parameter.
Three list.json.php endpoints in the Scheduler plugin lack any authentication check, while every other endpoint in the same plugin directories (add.json.php, delete.json.php, index.php) requires User::isAdmin(). An unauthenticated attacker can retrieve all scheduled tasks (including internal callback URLs and parameters), admin-composed email messages, and user-to-email targeting mappings by sending simple GET requests.
The AI plugin's save.json.php endpoint loads AI response objects using an attacker-controlled $_REQUEST['id'] parameter without validating that the AI response belongs to the specified video. An authenticated user with AI permissions can reference any AI response ID — including those generated for other users' private videos — and apply the stolen AI-generated content (titles, descriptions, keywords, summaries, or full transcriptions) to their own video, effectively exfiltrating the information.
isSSRFSafeURL() validates URLs against private/reserved IP ranges before fetching, but url_get_contents() follows HTTP redirects without re-validating the redirect target. An attacker can bypass SSRF protection by redirecting from a public URL to an internal target.
In objects/like.php, the getLike() method constructs a SQL query using a prepared statement placeholder (?) for users_id but directly concatenates $this->videos_id into the query string without parameterization. An attacker who can control the videos_id value (via a crafted request) can inject arbitrary SQL, bypassing the partial prepared-statement protection.
The fixCleanTitle() static method in objects/category.php constructs a SQL SELECT query by directly interpolating both $clean_title and $id into the query string without using prepared statements or parameterized queries. An attacker who can trigger category creation or renaming with a crafted title value can inject arbitrary SQL.
AVideo allows content owners to password-protect individual videos. The video password is stored in the database in plaintext — no hashing, salting, or encryption is applied. If an attacker gains read access to the database (via SQL injection, a database backup, or misconfigured access controls), they obtain all video passwords in cleartext.
The get_api_video_password_is_correct API endpoint allows any unauthenticated user to verify whether a given password is correct for any password-protected video. The endpoint returns a boolean passwordIsCorrect field with no rate limiting, CAPTCHA, or authentication requirement, enabling efficient offline-speed brute-force attacks against video passwords.
The @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirely. The override preserves the original HTTP method and body, so this isn't limited to GET. POST, PUT, DELETE all land on the rewritten path. A Firewall rule blocking /admin/* does nothing when the request …
This issue concerns Astro's remotePatterns path enforcement for remote URLs used by server-side fetchers such as the image optimization endpoint. The path matching logic for /* wildcards is unanchored, so a pathname that contains the allowed prefix later in the path can still match. As a result, an attacker can fetch paths outside the intended allowlisted prefix on an otherwise allowed host. In our PoC, both the allowed path and …
In a Cross-Site Request Forgery attack, untrusted web content causes browsers to send authenticated requests to web servers which use cookies for authentication. While the web content is prevented from reading the request's response due to the Cross-Origin Resource Sharing (CORS) protocol, an attacker may be able to cause side effects in the server ("CSRF" attack), or learn something about the response via timing analysis ("XS-Search" attack). Apollo Server has …
In a Cross-Site Request Forgery attack, untrusted web content causes browsers to send authenticated requests to web servers which use cookies for authentication. While the web content is prevented from reading the request's response due to the Cross-Origin Resource Sharing (CORS) protocol, the attacker may be able to cause side effects in the server ("CSRF" attack), or learn something about the response via timing analysis ("XS-Search" attack). Apollo Router has …
An authenticated path traversal vulnerability in the configuration import endpoint allows an authenticated user to write arbitrary files outside the config directory, which can lead to RCE by creating a plugin.
Parsing a YAML document with yaml may throw a RangeError due to a stack overflow. The node resolution/composition phase uses recursive function calls without a depth bound. An attacker who can supply YAML for parsing can trigger a RangeError: Maximum call stack size exceeded with a small payload (~2–10 KB). The RangeError is not a YAMLParseError, so applications that only catch YAML-specific errors will encounter an unexpected exception type. Depending …
The verify_wechat_sign() function in src/Functions.php unconditionally skips all signature verification when the PSR-7 request reports localhost as the host. An attacker can exploit this by sending a crafted HTTP request to the WeChat Pay callback endpoint with a Host: localhost header, bypassing the RSA signature check entirely. This allows forging fake WeChat Pay payment success notifications, potentially causing applications to mark orders as paid without actual payment.
The migration helper functions DownloadFile and DownloadFileWithHeaders in pkg/modules/migration/helpers.go make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment.
When the Vikunja API returns tasks, it populates the related_tasks field with full task objects for all related tasks without checking whether the requesting user has read permission on those tasks' projects. An authenticated user who can read a task that has cross-project relations will receive full details (title, description, due dates, priority, percent completion, project ID, etc.) of tasks in projects they have no access to.
The DELETE /api/v1/projects/:project/shares/:share endpoint does not verify that the link share belongs to the project specified in the URL. An attacker with admin access to any project can delete link shares from other projects by providing their own project ID combined with the target share ID.
When a user account is disabled or locked, the status check is only enforced on the local login and JWT token refresh paths. Three other authentication paths — API tokens, CalDAV basic auth, and OpenID Connect — do not verify user status, allowing disabled or locked users to continue accessing the API and syncing data.
The GET /api/v1/projects/:project/webhooks endpoint returns webhook BasicAuth credentials (basic_auth_user and basic_auth_password) in plaintext to any user with read access to the project. While the existing code correctly masks the HMAC secret field, the BasicAuth fields added in a later migration were not given the same treatment. This allows read-only collaborators to steal credentials intended for authenticating against external webhook receivers.
The LinkSharing.ReadAll() method allows link share authenticated users to list all link shares for a project, including their secret hashes. While LinkSharing.CanRead() correctly blocks link share users from reading individual shares via ReadOne, the ReadAllWeb handler bypasses this check by never calling CanRead(). An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full …
TaskAttachment.ReadOne() queries attachments by ID only (WHERE id = ?), ignoring the task ID from the URL path. The permission check in CanRead() validates access to the task specified in the URL, but ReadOne() loads a different attachment that may belong to a task in another project. This allows any authenticated user to download or delete any attachment in the system by providing their own accessible task ID with a …
The DownloadImage function in pkg/utils/avatar.go uses a bare http.Client{} with no SSRF protection when downloading user avatar images from the OpenID Connect picture claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system.
Streamlit Open Source Security Advisory 1. Impacted Products Streamlit Open Source versions prior to 1.54.0 running on Windows hosts. 2. Introduction Snowflake Streamlit Open Source addressed a security vulnerability affecting Windows deployments related to improper handling and validation of filesystem paths within component request handling. The vulnerability was reported through the responsible disclosure program and has been remediated in Streamlit Open Source version 1.54.0. This issue affects only Streamlit deployments …
After an API token exposure from an exploited trivy dependency, two new releases of litellm were uploaded to PyPI containing automatically activated malware, harvesting sensitive credentials and files, and exfiltrating to a remote API. Anyone who has installed and run the project should assume any credentials available to the litellm environment may have been exposed, and revoke/rotate them accordingly.
thumbler through 1.1.2 allows OS command injection via the input, output, time, or size parameter in the thumbnail() function because user input is concatenated into a shell command string passed to child_process.exec() without proper sanitization or escaping.
textract through 2.5.0 is vulnerable to OS Command Injection via the file path parameter in multiple extractors. When processing files with malicious filenames, the filePath is passed directly to child_process.exec() in lib/extractors/doc.js, rtf.js, dxf.js, images.js, and lib/util.js with inadequate sanitization.
An attacker can send a maliciously crafted TOML to cause the parser to crash, because of a stack overflow caused by thousands of consecutive commented lines. The library uses recursion internally while parsing to skip over commented lines, which can be exploited to crash an application that is processing arbitrary TOML documents.
Directory traversal vulnerability: The entire directory structure of a notebook could be obtained, and then a file reading vulnerability could be exploited to achieve arbitrary document reading. Resource folder, plugin folder, conf folder.
File reading: All encrypted or prohibited documents under the publishing service could be read.
An issue in ralphje Signify before v.0.9.2 allows a remote attacker to escalate privileges via the signed_data.py and the context.py components.
A path traversal vulnerability exists in the FileUtil class of the code16/sharp package. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer.
The code16/sharp Laravel admin panel package contains a vulnerability in its file upload endpoint that allows authenticated users to bypass all file type restrictions.
Multiple Stored XSS vulnerabilities exist in Seafile Server versions 13.0.15, 13.0.16-pro, 12.0.14 and prior, fixed in 13.0.17, 13.0.17-pro, and 12.0.20-pro, via the Seadoc (sdoc) editor. The application fails to properly sanitize WebSocket messages regarding document structure updates. This allows authenticated remote attackers to inject malicious JavaScript payloads via the src attribute of embedded Excalidraw whiteboards or the href attribute of anchor tags.
When building the request URL, Saloon combined the connector's base URL with the request endpoint. If the endpoint was a valid absolute URL (e.g. https://attacker.example.com/callback), the code used that URL as-is and ignored the base URL. The request—and any authentication headers, cookies, or tokens attached by the connector—was then sent to the attacker-controlled host. If the endpoint could be influenced by user input or configuration (e.g. redirect_uri, callback URL), this …
Fixture names were used to build file paths under the configured fixture directory without validation. A name containing path segments (e.g. ../traversal or ../../etc/passwd) resulted in a path outside that directory. When the application read a fixture (e.g. for mocking) or wrote one (e.g. when recording responses), it could read or write files anywhere the process had access. If the fixture name was derived from user or attacker-controlled input (e.g. …
The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one.
Active Storage's proxy controller does not limit the number of byte ranges in an HTTP Range header. A request with thousands of small ranges causes disproportionate CPU usage compared to a normal request for the same file, possibly resulting in a DoS vulnerability.
An attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires reading a file in non-strict mode.
A Denial of Service (DoS) vulnerability exists in the Protobuf PHP library during the parsing of untrusted input. Maliciously structured messages—specifically those containing negative varints or deep recursion—can be used to crash the application, impacting service availability.
Fix improper use of validation framework
Multiple stored Cross-Site Scripting (stored XSS) vulnerabilities in the BO: an attacker who can inject data into the database, via limited back-office access or a previously existing vulnerability, can exploit unprotected variables in back-office templates.
Directory Traversal vulnerability in the extractFile method of org.codehaus.plexus.util.Expand in plexus-utils before 6d780b3378829318ba5c2d29547e0012d5b29642. This allows an attacker to execute arbitrary code.
picomatch is vulnerable to a method injection vulnerability (CWE-1321) affecting the POSIX_REGEX_SOURCE object. Because the object inherits from Object.prototype, specially crafted POSIX bracket expressions (e.g., [[:constructor:]]) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it …
picomatch is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as +() and *(), especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Examples of problematic patterns include +(a|aa), +(|?), +(+(a)), *(+(a)), and +(+(+(a))). In local reproduction, these patterns caused multi-second event-loop blocking with relatively short …
pf4j before 20c2f80 has a path traversal vulnerability in the extract() function of Unzip.java, where improper handling of zip entry names can allow directory traversal or Zip Slip attacks, due to a lack of proper path normalization and validation.
pdf-image (npm package) through version 2.0.0 allows OS command injection via the pdfFilePath parameter. The constructGetInfoCommand and constructConvertCommandForPage functions use util.format() to interpolate user-controlled file paths into shell command strings that are executed via child_process.exec().
In versions prior to 2.26.1, the RMI instrumentation registered a custom endpoint that deserialized incoming data without applying serialization filters. An attacker with network access to a JMX or RMI port on an instrumented JVM could exploit this to potentially achieve remote code execution. All three of the following conditions must be true to exploit this vulnerability: OpenTelemetry Java instrumentation is attached as a Java agent (-javaagent) An RMI endpoint …
A Command Injection vulnerability exists in the get_git_diff() method at openhands/runtime/utils/git_handler.py:134. The path parameter from the /api/conversations/{conversation_id}/git/diff API endpoint is passed unsanitized to a shell command, allowing authenticated attackers to execute arbitrary commands in the agent sandbox. The user is already allowed to instruct the agent to execute commands, but this bypasses the normal channels.
node-tesseract-ocr is an npm package that provides a Node.js wrapper for Tesseract OCR. In all versions through 2.2.1, the recognize() function in src/index.js is vulnerable to OS Command Injection. The file path parameter is concatenated into a shell command string and passed to child_process.exec() without proper sanitization.
An unauthenticated remote attacker can crash the entire nats-server process by sending a single malicious WebSocket frame (15 bytes after the HTTP upgrade handshake). The server fails to validate the RFC 6455 §5.2 requirement that the most significant bit of a 64-bit extended payload length must be zero. The resulting uint64 → int conversion produces a negative value, which bypasses the bounds clamp and triggers an unrecovered panic in the …
When the Source Control feature is configured to use SSH, the SSH command used for git operations explicitly disabled host key verification. A network attacker positioned between the n8n instance and the remote Git server could intercept the connection and present a fraudulent host key, potentially injecting malicious content into workflows or intercepting repository data. This issue only affects instances where the Source Control feature has been explicitly enabled and …
When LDAP authentication is enabled, n8n automatically linked an LDAP identity to an existing local account if the LDAP email attribute matched the local account's email. An authenticated LDAP user who could control their own LDAP email attribute could set it to match another user's email — including an administrator's — and upon login gain full access to that account. The account linkage persisted even if the LDAP email was …
An authenticated user with the global:member role could exploit chained authorization flaws in n8n's credential pipeline to steal plaintext secrets from generic HTTP credentials (httpBasicAuth, httpHeaderAuth, httpQueryAuth) belonging to other users on the same instance. The attack abuses a name-based credential resolution path that does not enforce ownership or project scope, combined with a bypass in the credentials permission checker that causes generic HTTP credential types to be skipped during …
An authenticated user with permission to create or modify workflows could use the Merge node's "Combine by SQL" mode to read local files on the n8n host and achieve remote code execution. The AlaSQL sandbox did not sufficiently restrict certain SQL statements, allowing an attacker to access sensitive files on the server or even compromise the instance.
An authenticated user with permission to create or modify workflows could use the JavaScript Task Runner to allocate uninitialized memory buffers. Uninitialized buffers may contain residual data from the same Node.js process — including data from prior requests, tasks, secrets, or tokens — resulting in information disclosure of sensitive in-process data. Task Runners must be enabled using N8N_RUNNERS_ENABLED=true. In external runner mode, the impact is limited to data within the …
An authenticated user without permission to list external secrets could reference a secret by the external name in a credential and retrieve its plaintext value when saving the credential. This bypassed the externalSecret:list permission check and allowed access to secrets stored in connected vaults without admin or owner privileges. This issue requires the instance to have an external secrets vault configured. The attacker must know or be able to guess …
When the N8N_SKIP_AUTH_ON_OAUTH_CALLBACK environment variable is set to true, the OAuth callback handler skips ownership verification of the OAuth state parameter. This allows an attacker to trick a victim into completing an OAuth flow against a credential object the attacker controls, causing the victim's OAuth tokens to be stored in the attacker's credential. The attacker can then use those tokens to execute workflows in their name. This issue only affects …
exec_cmd() in modoboa/lib/sysutils.py always runs subprocess calls with shell=True. Since domain names flow directly into shell command strings without any sanitization, a Reseller or SuperAdmin can include shell metacharacters in a domain name to run arbitrary OS commands on the server.
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to prevent rendering of external SVGs on link embeds which allows unauthenticated users to crash the Mattermost webapp and desktop app via creating an issue or PR on GitHub. Mattermost Advisory ID: MMSA-2026-00595
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to rate limit login requests which allows unauthenticated remote attackers to cause denial of service (server crash and restart) via HTTP/2 single packet attack with 100+ parallel login requests. Mattermost Advisory ID: MMSA-2025-00566
Mattermost versions 11.2.x <= 11.2.2, 10.11.x <= 10.11.10, 11.4.x <= 11.4.0, 11.3.x <= 11.3.1 fail to properly validate CSRF tokens in the /api/v4/access_control_policies/{policy_id}/activate endpoint, which allows an attacker to trick an admin into changing access control policy active status via a crafted request. Mattermost Advisory ID: MMSA-2026-00578
Mattermost versions 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, 10.11.x <= 10.11.11 fail to properly validate user identity in the OpenID IsSameUser() comparison logic, which allows an attacker to take over arbitrary user accounts via an overly permissive substring matching flaw in the user discovery flow. Mattermost Advisory ID: MMSA-2026-00590
Improper escaping of Tag name when deleting it in tag_delete.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript.
Improper escaping of tag names retrieved from History in Timeline (my_view_page.php) allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript, when displaying a tag that has been renamed or deleted.
LiquidJS's memoryLimit security mechanism can be completely bypassed by using reverse range expressions (e.g., (100000000..1)), allowing an attacker to allocate unlimited memory. Combined with a string flattening operation (e.g., replace filter), this causes a V8 Fatal error that crashes the Node.js process, resulting in complete denial of service from a single HTTP request.
The replace_first filter in LiquidJS uses JavaScript's String.prototype.replace() which interprets $& as a backreference to the matched substring. The filter only charges memoryLimit for the input string length, not the amplified output. An attacker can achieve exponential memory amplification (up to 625,000:1) while staying within the memoryLimit budget, leading to denial of service.
A maliciously crafted TIFF file can cause image decoding to attempt to allocate up to 4GiB of memory, causing either excessive resource consumption or an out-of-memory error.
When trustProxy is configured with a restrictive trust function (e.g., a specific IP like trustProxy: '10.0.0.1', a subnet, a hop count, or a custom function), the request.protocol and request.host getters read X-Forwarded-Proto and X-Forwarded-Host headers from any connection — including connections from untrusted IPs. This allows an attacker connecting directly to Fastify (bypassing the proxy) to spoof both the protocol and host seen by the application.
The plugin/Permissions/setPermission.json.php endpoint accepts GET parameters for a state-changing operation that modifies user group permissions. The endpoint has no CSRF token validation, and the application explicitly sets session.cookie_samesite=None on session cookies. This allows an unauthenticated attacker to craft a page with <img> tags that, when visited by an admin, silently grant arbitrary permissions to the attacker's user group — escalating the attacker to near-admin access.
A user with the "Videos Moderator" permission can escalate privileges to perform full video management operations — including ownership transfer and deletion of any video — despite the permission being documented as only allowing video publicity changes (Active, Inactive, Unlisted). The root cause is that Permissions::canModerateVideos() is used as an authorization gate for full video editing in videoAddNew.json.php, while videoDelete.json.php only checks ownership, creating an asymmetric authorization boundary exploitable via …
The CDN plugin endpoints plugin/CDN/status.json.php and plugin/CDN/disable.json.php use key-based authentication with an empty string default key. When the CDN plugin is enabled but the key has not been configured (the default state), the key validation check is completely bypassed, allowing any unauthenticated attacker to modify the full CDN configuration — including CDN URLs, storage credentials, and the authentication key itself — via mass-assignment through the par request parameter.
The downloadVideoFromDownloadURL() function in objects/aVideoEncoder.json.php saves remote content to a web-accessible temporary directory using the original URL's filename and extension (including .php). By providing an invalid resolution parameter, an attacker triggers an early die() via forbiddenPage() before the temp file can be moved or cleaned up, leaving an executable PHP file persistently accessible under the web root at videos/cache/tmpFile/.
The plugin/Live/test.php endpoint accepts a URL via the statsURL parameter and fetches it server-side using file_get_contents(), curl_exec(), or wget, returning the full response content in the HTML output. The only validation is a trivial regex (/^http/) that does not block requests to internal/private IP ranges or cloud metadata endpoints. The codebase provides isSSRFSafeURL() which blocks private IPs and resolves DNS to prevent rebinding, but this endpoint does not call it. …
A sanitization order-of-operations flaw in the user profile "about" field allows any registered user to inject arbitrary JavaScript that executes when other users visit their channel page. The xss_esc() function entity-encodes input before strip_specific_tags() can match dangerous HTML tags, and html_entity_decode() on output reverses the encoding, restoring the raw malicious HTML.
The ImageGallery::saveFile() method validates uploaded file content using finfo MIME type detection but derives the saved filename extension from the user-supplied original filename without an allowlist check. An attacker can upload a polyglot file (valid JPEG magic bytes followed by PHP code) with a .php extension. The MIME check passes, but the file is saved as an executable .php file in a web-accessible directory, achieving Remote Code Execution.
The restreamer endpoint constructs a log file path by embedding user-controlled users_id and liveTransmitionHistory_id values from the JSON request body without any sanitization. This log file path is then concatenated directly into shell commands passed to exec(), allowing an authenticated user to achieve arbitrary command execution on the server via shell metacharacters such as $() or backticks.
The getRealIpAddr() function in objects/functions.php trusts user-controlled HTTP headers to determine the client's IP address. An attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging.
The Subscribe::save() method in objects/subscribe.php concatenates the $this->users_id property directly into an INSERT SQL query without sanitization or parameterized binding. This property originates from $_POST['user_id'] in both subscribe.json.php and subscribeNotify.json.php. An authenticated attacker can inject arbitrary SQL to extract sensitive data from any database table, including password hashes, API keys, and encryption salts.
The password recovery endpoint at objects/userRecoverPass.php performs user existence and account status checks before validating the captcha. This allows an unauthenticated attacker to enumerate valid usernames and determine whether accounts are active, inactive, or banned — at scale and without solving any captcha — by observing three distinct JSON error responses.
The objects/pluginRunDatabaseScript.json.php endpoint accepts a name parameter via POST and passes it to Plugin::getDatabaseFileName() without any path traversal sanitization. This allows an authenticated admin (or an attacker via CSRF) to traverse outside the plugin directory and execute the contents of any install/install.sql file on the filesystem as raw SQL queries against the application database.
The remindMe.json.php endpoint passes $_REQUEST['live_schedule_id'] through multiple functions without sanitization until it reaches Scheduler_commands::getAllActiveOrToRepeat(), which directly concatenates it into a SQL LIKE clause. Although intermediate functions (new Live_schedule(), getUsers_idOrCompany()) apply intval() internally, they do so on local copies within ObjectYPT::getFromDb(), leaving the original tainted variable unchanged. Any authenticated user can perform time-based blind SQL injection to extract arbitrary database contents.
The standalone live stream control endpoint at plugin/Live/standAloneFiles/control.json.php accepts a user-supplied streamerURL parameter that overrides where the server sends token verification requests. An attacker can redirect token verification to a server they control that always returns {"error": false}, completely bypassing authentication. This grants unauthenticated control over any live stream on the platform, including dropping active publishers, starting/stopping recordings, and probing stream existence.
The plugin/AD_Server/reports.json.php endpoint performs no authentication or authorization checks, allowing any unauthenticated attacker to extract ad campaign analytics data including video titles, user channel names, user IDs, ad campaign names, and impression/click counts. The HTML counterpart (reports.php) and CSV export (getCSV.php) both correctly enforce User::isAdmin(), but the JSON API was left unprotected.
The v4_is_invalid() function in activitypub-federation-rust (src/utils.rs) does not check for Ipv4Addr::UNSPECIFIED (0.0.0.0). An unauthenticated attacker controlling a remote domain can point it to 0.0.0.0, bypass the SSRF protection introduced by the fix for CVE-2025-25194 (GHSA-7723-35v7-qcxw), and reach localhost services on the target server.
The renderPairingPage() function embeds the error parameter directly into HTML without escaping: const errorHtml = error ? `<p style="color:#e74c3c">${error}</p>` : ""; All current call sites pass hardcoded strings, so this is not exploitable today. However, the function is architecturally fragile — if a future code change passes user-controlled or dynamic content into the error parameter, it would create an XSS vulnerability. The renderAuthorizePage() function in the same file correctly uses …
JSON.parse(env.adapterConfig) is called without error handling in three locations within the gRPC service. While the data originates from the server's own SQLite database and should always be valid JSON, database corruption, migration errors, or unexpected state could cause an unhandled exception that crashes the gRPC handler. Additionally, the parsed result is cast as Record<string, unknown> and passed to adapter methods without property validation, creating a theoretical prototype pollution surface if …
The WebSocket upgrade handler in the server validates authentication (API key token or session cookie) but does not check the Origin header. A malicious webpage on a different origin could initiate a WebSocket connection to ws://localhost:3000/ws if it can leverage the user's session cookie (which is SameSite=Lax, allowing top-level navigations). This enables cross-origin WebSocket hijacking — if a user visits a malicious site while a Grackle session is active, the …
The HTTP server does not set Content-Security-Policy, X-Frame-Options, or X-Content-Type-Options headers on any response. This reduces defense-in-depth against XSS, clickjacking, and MIME-sniffing attacks. While the current XSS attack surface is small (React-markdown is configured safely, no dangerouslySetInnerHTML, Vite does not generate source maps), the absence of these headers means any future XSS vulnerability would have no secondary defense layer. Affected code: packages/server/src/index.ts — all res.writeHead() calls only set Content-Type, with …
The session cookie is set with HttpOnly; SameSite=Lax; Path=/ but does not include the Secure flag. This means the cookie will be sent over plain HTTP connections. Since the server binds to 127.0.0.1 by default and uses HTTP (not HTTPS), this is acceptable for localhost use. However, when --allow-network is used to bind to 0.0.0.0, cookies could be transmitted over insecure network connections and intercepted by an attacker. Affected code: …
When --token is not provided and GRACKLE_POWERLINE_TOKEN is not set, the PowerLine gRPC server runs with zero authentication. A warning is logged ("NO AUTH (development only)") but nothing prevents deployment in this state. Any client that can reach the PowerLine port can spawn agent sessions, access credential tokens, and execute code. The default binding is 127.0.0.1 (loopback only), which limits exposure to the local machine. However, if PowerLine is accidentally …
The knowledge_search and knowledge_get_node MCP tools are included in SCOPED_TOOLS (visible to scoped agents) but their handlers do not receive authContext and do not enforce workspace scoping. A scoped agent in Workspace A can supply an arbitrary workspaceId parameter to search or retrieve knowledge graph nodes from Workspace B, bypassing workspace isolation boundaries. This is a cross-workspace data leakage vulnerability affecting any deployment where multiple workspaces contain sensitive knowledge graph …
A flaw was found in Undertow. A remote attacker could exploit this vulnerability by sending an HTTP GET request containing multipart/form-data content. If the underlying application processes parameters using methods like getParameterMap(), the server prematurely parses and stores this content to disk. This could lead to resource exhaustion, potentially resulting in a Denial of Service (DoS).
On March 19, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.4 release, force-push 76 of 77 version tags in aquasecurity/trivy-action to credential-stealing malware, and replace all 7 tags in aquasecurity/setup-trivy with malicious commits. On March 22, 2026, a threat actor used compromised credentials to publish a malicious Trivy v0.69.5 and v0.69.6 DockerHub images.
Vulnerability in Spring Cloud when substituting the profile parameter from a request made to the Spring Cloud Config Server configured to the native file system as a backend, because it was possible to access files outside of the configured search directories. This issue affects Spring Cloud: from 3.1.X before 3.1.13, from 4.1.X before 4.1.9, from 4.2.X before 4.2.3, from 4.3.X before 4.3.2, from 5.0.X before 5.0.2.
The built-in string.pad_left and string.pad_right template functions in Scriban perform no validation on the width parameter, allowing a template expression to allocate arbitrarily large strings in a single call. When Scriban is exposed to untrusted template input — as in the official Scriban.AppService playground deployed on Azure — an unauthenticated attacker can trigger ~1GB memory allocations with a 39-byte payload, crashing the service via OutOfMemoryException.
TemplateContext caches type accessors by Type only, but those accessors are built using the current MemberFilter and MemberRenamer. When a TemplateContext is reused and the filter is tightened for a later render, Scriban still reuses the old accessor and continues exposing members that should now be hidden.
The LimitToString safety limit (default 1MB since commit b5ac4bf) can be bypassed to allocate approximately 1GB of memory by exploiting the per-call reset of _currentToStringLength in ObjectToString. Each template expression rendered through TemplateContext.Write(SourceSpan, object) triggers a separate top-level ObjectToString call that resets the length counter to zero, and the underlying StringBuilderOutput has no cumulative output size limit. An attacker who can supply a template can cause an out-of-memory condition in …
Scriban's LoopLimit only applies to script loop statements, not to expensive iteration performed inside operators and builtins. An attacker can submit a single expression such as {{ 1..1000000 | array.size }} and force large amounts of CPU work even when LoopLimit is set to a very small value.
The object.to_json builtin function in Scriban performs recursive JSON serialization via an internal WriteValue() static local function that has no depth limit, no circular reference detection, and no stack overflow guard. A Scriban template containing a self-referencing object passed to object.to_json triggers unbounded recursion, causing a StackOverflowException that terminates the hosting .NET process. This is a fatal, unrecoverable crash — StackOverflowException cannot be caught by user code in .NET.
Scriban's expression evaluation contains three distinct code paths that allow an attacker who can supply a template to cause denial of service through unbounded memory allocation or CPU exhaustion. The existing safety controls (LimitToString, LoopLimit) do not protect these paths, giving applications a false sense of safety when evaluating untrusted templates.
TemplateContext.Reset() claims that a TemplateContext can be reused safely on the same thread, but it does not clear CachedTemplates. If an application pools TemplateContext objects and uses an ITemplateLoader that resolves content per request, tenant, or user, a previously authorized include can be served to later renders without calling TemplateLoader.Load() again.
StackOverflowException via nested array initializers bypasses ExpressionDepthLimit fix (GHSA-wgh7-7m3c-fx25)
On Windows, sbt uses Process("cmd", "/c", …) to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because cmd /c interprets &, |, and ; as command separators, a malicious fragment can execute arbitrary commands.
PinchTab v0.7.7 through v0.8.4 contain incomplete request-throttling protections for auth-checkable endpoints. In v0.7.7 through v0.8.3, a fully implemented RateLimitMiddleware existed in internal/handlers/middleware.go but was not inserted into the production HTTP handler chain, so requests were not subject to the intended per-IP throttle. In the same pre-v0.8.4 range, the original limiter also keyed clients using X-Forwarded-For, which would have allowed client-controlled header spoofing if the middleware had been enabled. v0.8.4 addressed …
PinchTab v0.8.4 contains a Windows-only command injection issue in the orphaned Chrome cleanup path. When an instance is stopped, the Windows cleanup routine builds a PowerShell -Command string using a needle derived from the profile path. In v0.8.4, that string interpolation escapes backslashes but does not safely neutralize other PowerShell metacharacters. If an attacker can launch an instance using a crafted profile name and then trigger the cleanup path, they …
PinchTab v0.7.8 through v0.8.3 accepted the API token from a token URL query parameter in addition to the Authorization header. When a valid API credential is sent in the URL, it can be exposed through request URIs recorded by intermediaries or client-side tooling, such as reverse proxy access logs, browser history, shell history, clipboard history, and tracing systems that capture full URLs. This issue is an unsafe credential transport pattern …
PinchTab v0.8.3 contains a server-side request forgery issue in the optional scheduler's webhook delivery path. When a task is submitted to POST /tasks with a user-controlled callbackUrl, the v0.8.3 scheduler sends an outbound HTTP POST to that URL when the task reaches a terminal state. In that release, the webhook path validated only the URL scheme and did not reject loopback, private, link-local, or other non-public destinations. Because the v0.8.3 …
An authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST API. This allows bypassing the server's configured session lifetime policy, making a session effectively permanent.
An attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and the ability to send concurrent requests within milliseconds.
An unauthenticated attacker can cause Denial of Service by sending authentication requests with arbitrary, unconfigured provider names. The server executes a database query for each unconfigured provider before rejecting the request, and since no database index exists for unconfigured providers, each request triggers a full collection scan on the user database. This can be parallelized to saturate database resources.
An attacker with master key access can execute arbitrary SQL statements on the PostgreSQL database by injecting SQL metacharacters into field name parameters of the aggregate $group pipeline stage or the distinct operation. This allows privilege escalation from Parse Server application-level administrator to PostgreSQL database-level access. Only Parse Server deployments using PostgreSQL are affected. MongoDB deployments are not affected.
An authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data, bypassing auth adapter sanitization. An attacker who obtains a user's session token can extract MFA secrets to generate valid TOTP codes indefinitely.
NVIDIA NeMo Framework contains a vulnerability in checkpoint loading where an attacker could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.
NVIDIA NeMo Framework contains a vulnerability where an attacker may cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure and data tampering.
Background: NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server supports telemetry on messages, using the per-message NATS headers. Problem Description: A valid client which uses message tracing headers can indicate that the trace messages can be sent to an arbitrary valid subject, including those to which the client does not have publish permission. The payload is …
Background: NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers. NATS messages can have headers. Problem Description: The nats-server offers a Nats-Request-Info: message header, providing information about a request. This is supposed to provide enough information to allow for account/user identification, such that NATS clients could make their …
Background: NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server offers a Nats-Request-Info: message header, providing information about a request. Problem Description: The NATS message header Nats-Request-Info: is supposed to be a guarantee of identity by the NATS server, but the stripping of this header from inbound messages was not fully effective. An attacker with valid credentials …
Background: NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. When configured to accept leafnode connections (for a hub/spoke topology of multiple nats-servers), then the default configuration allows for negotiating compression; a malicious remote NATS server can trigger a server panic via that compression. Problem Description: If the nats-server has the "leafnode" configuration enabled (not default), then anyone who …
Background: NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The persistent storage feature, JetStream, has a management API which has many features, amongst which are backup and restore. Problem Description: Users with JetStream admin API access to restore one stream could restore to other stream names, impacting data which should have been protected against them. Affected Versions: Any …
Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server provides an MQTT client interface. Problem Description Sessions and Messages can be hijacked via MQTT Client ID malfeasance. Affected Versions Any version before v2.12.6 or v2.11.15 Workarounds None. Resources This document is canonically: https://advisories.nats.io/CVE/secnote-2026-06.txt GHSA advisory: https://github.com/nats-io/nats-server/security/advisories/GHSA-fcjp-h8cc-6879 MITRE CVE entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-33215
Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server allows hub/spoke topologies using "leafnode" connections by other nats-servers. Problem Description A client which can connect to the leafnode port can crash the nats-server with a certain malformed message pre-authentication. Affected Versions Any version before v2.12.6 or v2.11.15 Workarounds Disable leafnode support if not needed. Restrict network …
Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. One authentication model supported is mTLS, deriving the NATS client identity from properties of the TLS Client Certificate. Problem Description When using mTLS for client identity, with verify_and_map to derive a NATS identity from the client certificate's Subject DN, certain patterns of RDN would not be correctly enforced, allowing …
Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server provides an MQTT client interface. Problem Description For MQTT deployments using usercodes/passwords: MQTT passwords are incorrectly classified as a non-authenticating identity statement (JWT) and exposed via monitoring endpoints. Affected Versions Any version before v2.12.6 or v2.11.15 Workarounds Ensure monitoring end-points are adequately secured. Best practice remains to …
Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server provides an optional monitoring port, which provides access to sensitive data. The nats-server can take certain configuration options on the command-line instead of requiring a configuration file. Problem Description If a nats-server is run with static credentials for all clients provided via argv (the command-line), then those …
Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server provides an MQTT client interface. Problem Description When using ACLs on message subjects, these ACLs were not applied in the $MQTT.> namespace, allowing MQTT clients to bypass ACL checks for MQTT subjects. Affected Versions Any version before v2.12.6 or v2.11.15 Workarounds None.
Background NATS.io is a high performance open source pub-sub distributed communication technology, built for the cloud, on-premise, IoT, and edge computing. The nats-server offers a WebSockets client service, used in deployments where browsers are the NATS clients. Problem Description A malicious client which can connect to the WebSockets port can cause unbounded memory use in the nats-server before authentication; this requires sending a corresponding amount of data. This is a …
MobSF's read_sqlite() function in mobsf/MobSF/utils.py (lines 542-566) uses Python string formatting (%) to construct SQL queries with table names read from a SQLite database's sqlite_master table. When a security analyst uses MobSF to analyze a malicious mobile application containing a crafted SQLite database, attacker-controlled table names are interpolated directly into SQL queries without parameterization or escaping. This allows an attacker to: Cause Denial of Service – A malicious table name …
to_markdown() is vulnerable when serializing attacker-controlled <pre> content. The <pre> handler emits a fixed three-backtick fenced code block, but writes decoded text content into that fence without choosing a delimiter longer than any backtick run inside the content. An attacker can place backticks and HTML-like text inside a sanitized <pre> element so that the generated Markdown closes the fence early and leaves raw HTML outside the code block. When that …
Attacker: Any authenticated user who can create invoices Victim: Any user viewing the invoice (including clients via the portal) Specific damage: Session hijacking, account takeover, data exfiltration
.ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output.
The file content API endpoint at /api/v1/file/content is vulnerable to path traversal. The filename query parameter is passed directly to path.Join(common.ConfigBasePath, filename) where ConfigBasePath = "config" (a relative path). No sanitization or validation is applied beyond checking that the field is non-empty (binding:"required"). An authenticated attacker can use ../ sequences to read or write files outside the intended config/ directory, including TLS private keys, OAuth refresh tokens, and any file …
The DomainZones.add API endpoint (accessible to customers with DNS enabled) does not validate the content field for several DNS record types (LOC, RP, SSHFP, TLSA). An attacker can inject newlines and BIND zone file directives (e.g. $INCLUDE) into the zone file that gets written to disk when the DNS rebuild cron job runs.
The /api/auth/login authentication endpoint does not execute in constant time. When a non-existent username is supplied, the server returns a 401/403 response almost immediately. When a valid username is provided, the server performs a bcrypt password comparison, causing a measurable delay in the response time.
fido2-lib v3.x depends on cbor-x (~1.6.0), which optionally pulls in cbor-extract (C++ native addon). cbor-extract <= 2.2.0 has a heap buffer over-read in extractStrings() — a 5-byte CBOR payload crashes Node.js with SIGSEGV. No JS exception, no try/catch, process dead. The crash triggers during WebAuthn registration when the server decodes the attestation object. An attacker sends a crafted authenticator response to the registration endpoint — single request, unauthenticated, instant kill. …
A public access-control flaw allows unauthenticated users to retrieve the full user list from GET /api/allusers. This exposes user profile metadata to anyone who can reach the application and enables remote user enumeration.
A low-privileged authenticated user can call assets/image-editor with the ID of a private asset they cannot view and still receive editor response data, including focalPoint. The endpoint returns private editing metadata without per-asset authorization validation. Root-cause analysis: actionImageEditor() accepts assetId from the request body. The asset is loaded, and the focal-point data is read. Response returns html and focalPoint. No explicit authorization check is applied before the response.
Guest users can access Config Sync updater index, obtain signed data, and execute state-changing Config Sync actions (regenerate-yaml, apply-yaml-changes) without authentication.
A low-privileged authenticated user can read private asset content by calling assets/edit-image with an arbitrary assetId that they are not authorized to view. The endpoint returns image bytes (or a preview redirect) without enforcing a per-asset view authorization check, leading to potential unauthorized disclosure of private files.
An unauthenticated user can call assets/generate-transform with a private assetId, receive a valid transform URL, and fetch transformed image bytes. The endpoint is anonymous and does not enforce per-asset authorization before returning the transform URL.
A Remote Code Execution (RCE) vulnerability exists in Craft CMS 5.x and 4.x that bypasses the security fixes for GHSA-7jx7-3846-m7w7 and GHSA-255j-qw47-wjh5. This vulnerability can be exploited by any authenticated user with control panel access. The existing patches add cleanseConfig() to assembleLayoutFromPost() and various FieldsController actions to strip Yii2 behavior/event injection keys (as and on prefixed keys). However, the fieldLayouts parameter in ElementIndexesController::actionFilterHud() is passed directly to FieldLayout::createFromConfig() without any …
An authenticated control panel user with only accessCp can move entries across sections via POST /actions/entries/move-to-section, even when they do not have saveEntries:{sectionUid} permission for either source or destination section.
ConcreteCMS v9.4.7 contains a Denial of Service (DoS) vulnerability in the File Manager component. The 'download' method in 'concrete/controllers/backend/file.php' improperly manages memory when creating zip archives. It uses 'ZipArchive::addFromString' combined with 'file_get_contents', which loads the entire content of every selected file into PHP memory. An authenticated attacker can exploit this by requesting a bulk download of large files, triggering an Out-Of-Memory (OOM) condition that causes the PHP-FPM process to terminate …
Official Weighted Severity Rating: Low

This exploit is very unlikely to be the case for most users as it requires configuration of the Content Security Policy template value. Below represents a safe value; any value other than unconfigured should be very carefully evaluated regardless of the fix.

```yaml
server:
  headers:
    csp_template: ''
```

```
AUTHELIA_SERVER_HEADERS_CSP_TEMPLATE=
```

Provided the following conditions are met: The Content Security Policy: Has been disabled or modified from the …
Astro's Server Islands POST handler buffers and parses the full request body as JSON without enforcing a size limit. Because JSON.parse() allocates a V8 heap object for every element in the input, a crafted payload of many small JSON objects achieves ~15x memory amplification (wire bytes to heap bytes), allowing a single unauthenticated request to exhaust the process heap and crash the server. The /_server-islands/[name] route is registered on all …
Incorrect Authorization (CWE-863) vulnerability in Apache Artemis, Apache ActiveMQ Artemis exists when an application using the OpenWire protocol attempts to create a non-durable JMS topic subscription on an address that doesn't exist with an authenticated user which has the "createDurableQueue" permission but does not have the "createAddress" permission and address auto-creation is disabled. In this circumstance, a temporary address will be created whereas the attempt to create the non-durable subscription …
PinchTab v0.8.3 through v0.8.5 allow arbitrary JavaScript execution through POST /wait and POST /tabs/{id}/wait when the request uses fn mode, even if security.allowEvaluate is disabled. POST /evaluate correctly enforces the security.allowEvaluate guard, which is disabled by default. However, in the affected releases, POST /wait accepted a user-controlled fn expression, embedded it directly into executable JavaScript, and evaluated it in the browser context without checking the same policy. This is a …
Admin users, and users with explicit permission to access the Sprig Playground, could potentially expose the security key, credentials, and other sensitive configuration data, in addition to running the hashData() signing function. This issue was mitigated in versions 3.7.2 and 2.15.2 by disabling access to the Sprig Playground entirely when devMode is disabled, by default. It is possible to override this behaviour using a new enablePlaygroundWhenDevModeDisabled that defaults to false. …
This vulnerability allows an authenticated attacker to read any file on the server's local file system that the web server process has access to, including highly sensitive environment variables, database credentials, and internal configuration files.

| Field | Details |
| :--- | :--- |
| Vulnerability Class | Server-Side Request Forgery (SSRF) & Local File Inclusion (LFI) |
| Affected Component | RZ\Roadiz\Documents\DownloadedFile::fromUrl() |
| Prerequisites | Authenticated user …
When a blank string is used as an HTML attribute name in Action View tag helpers, the attribute escaping is bypassed, producing malformed HTML. A carefully crafted attribute value could then be misinterpreted by the browser as a separate attribute name, possibly leading to XSS. Applications that allow users to specify custom HTML attributes are affected.
The debug exceptions page does not properly escape exception messages. A carefully crafted exception message could inject arbitrary HTML and JavaScript into the page, leading to XSS. This affects applications with detailed exception pages enabled (config.consider_all_requests_local = true), which is the default in development.
SafeBuffer#% does not propagate the @html_unsafe flag to the newly created buffer. If a SafeBuffer is mutated in place (e.g. via gsub!) and then formatted with % using untrusted arguments, the result incorrectly reports html_safe? == true, bypassing ERB auto-escaping and possibly leading to XSS.
NumberToDelimitedConverter used a regular expression with gsub! to insert thousands delimiters. This could produce quadratic time complexity on long digit strings.
Active Support number helpers accept strings containing scientific notation (e.g. 1e10000), which when converted to a string could be expanded into extremely large decimal representations. This can cause excessive memory allocation and CPU consumption when the expanded number is formatted, possibly resulting in a DoS vulnerability.
Active Storage's DiskService#path_for does not validate that the resolved filesystem path remains within the storage root directory. If a blob key containing path traversal sequences (e.g. ../) is used, it could allow reading, writing, or deleting arbitrary files on the server. Blob keys are expected to be trusted strings, but some applications could be passing user input as keys and would be affected.
Active Storage's DiskService#delete_prefixed passes blob keys directly to Dir.glob without escaping glob metacharacters. If a blob key contains attacker-controlled input or custom-generated keys with glob metacharacters, it may be possible to delete unintended files from the storage directory.
Active Storage's DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a malicious direct-upload client could set these flags.
When serving files through Active Storage's Blobs::ProxyController, the controller loads the entire requested byte range into memory before sending it. A request with a large or unbounded Range header (e.g. bytes=0-) could cause the server to allocate memory proportional to the file size, possibly resulting in a DoS vulnerability through memory exhaustion.
The video proxy endpoint GET /v1/videos/:task_id/content is vulnerable to an Insecure Direct Object Reference (IDOR). Any authenticated user who knows another user's task_id can retrieve that user's generated video content because the handler queries tasks by task_id alone and does not verify ownership.
A logic flaw in the universal secure verification flow allows an authenticated user with a registered passkey to satisfy secure verification without completing a WebAuthn assertion.
Mantis Bug Tracker instances running on MySQL and compatible databases are affected by an authentication bypass vulnerability in the SOAP API, as a result of improper type checking on the password parameter. Other database backends are not affected, as they do not perform implicit type conversion from string to integer.
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.
A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.
Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.
Versions of the package jsrsasign before 11.1.1 are vulnerable to Missing Cryptographic Step via the KJUR.crypto.DSA.signWithMessageHash process in the DSA signing implementation. An attacker can recover the private key by forcing r or s to be zero, so the library emits an invalid signature without retrying, and then solves for x from the resulting signature.
Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation.
Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.
Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.
Versions of the package jsrsasign before 11.1.1 are vulnerable to Infinite loop via the bnModInverse function in ext/jsbn2.js when the BigInteger.modInverse implementation receives zero or negative inputs, allowing an attacker to hang the process permanently by supplying such crafted values (e.g., modInverse(0, m) or modInverse(-1, m)).
Note: If server-side LaTeX rendering is not in use (i.e. XELATEX_PATH was not set in indico.conf), this vulnerability does not apply.
A vulnerability was found in HybridAuth up to 3.12.2. This issue affects some unknown processing of the file src/HttpClient/Curl.php of the component SSL Handler. The manipulation of the argument curlOptions results in improper certificate validation. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is assessed as difficult. The project was informed of the problem early through an issue report but has not responded …
Use of hard coded credentials in GoHarbor Harbor version 2.15.0 and below, allows attackers to use the default password and gain access to the web UI.
The setChunkedCookie() and deleteChunkedCookie() functions in h3 trust the chunk count parsed from a user-controlled cookie value (__chunked__N) without any upper bound validation. An unauthenticated attacker can send a single request with a crafted cookie header (e.g., Cookie: h3=__chunked__999999) to any endpoint using sessions, causing the server to enter an O(n²) loop that hangs the process.
The redirectBack() utility in h3 validates that the Referer header shares the same origin as the request before using its pathname as the redirect Location. However, the pathname is not sanitized for protocol-relative paths (starting with //). An attacker can craft a same-origin URL with a double-slash path segment that passes the origin check but produces a Location header interpreted by browsers as a protocol-relative redirect to an external domain.
A command injection vulnerability exists in DigitalOcean Droplet Agent through 1.3.2. The troubleshooting actioner component (internal/troubleshooting/actioner/actioner.go) processes metadata from the metadata service endpoint and executes commands specified in the TroubleshootingAgent.Requesting array without adequate input validation. While the code validates that artifacts exist in the validInvestigationArtifacts map, it fails to sanitize the actual command content after the "command:" prefix. This allows an attacker who can control metadata responses to inject and …
A DOM-based Cross-Site Scripting (XSS) issue exists in the Cabinet Plugin list view.
An authenticated user may be able to execute arbitrary code in the Code Study Plugin.
An improper authorization issue in the page content retrieval feature may allow retrieval of non-public information.
An improper authorization issue in the My Page profile update feature may allow modification of arbitrary user information.
A Stored Cross-site Scripting (XSS) issue exists in the file field of the Form Plugin.
A Server-Side Request Forgery (SSRF) issue exists in the external page migration feature of the Page Management Plugin.
The cbor2 library is vulnerable to a Denial of Service (DoS) attack caused by uncontrolled recursion when decoding deeply nested CBOR structures. This vulnerability affects both the pure Python implementation and the C extension (_cbor2). The C extension correctly uses Python's C-API for recursion protection (Py_EnterRecursiveCall), but this mechanism is designed to prevent a stack overflow by raising a RecursionError. In some environments, this exception is not caught, thus causing …
If a developer uses Briefcase to produce a Windows MSI installer for a project, and that project is installed for All Users (i.e., per-machine scope), the installation process creates a directory that inherits all the permissions of the parent directory. Depending on the location chosen by the installing user, this may allow a low privilege but authenticated user to replace or modify the binaries installed by the application. If an …
A security flaw has been discovered in pygments before 2.20.0. The impacted element is the function AdlLexer of the file pygments/lexers/archetype.py. The manipulation results in inefficient regular expression complexity. The attack is only possible with local access. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
A weakness has been identified in Free5GC 4.1.0. Affected is the function HandleRegistrationComplete of the file internal/gmm/handler.go of the component AMF. Executing a manipulation can lead to denial of service. The attack may be performed from remote. This patch is called 52e9386401ce56ea773c5aa587d4cdf7d53da799. It is best practice to apply a patch to resolve this issue.
A vulnerability was discovered in the Kubernetes CSI Driver for NFS where the subDir parameter in volume identifiers was insufficiently validated. Attackers with the ability to create PersistentVolumes referencing the NFS CSI driver could craft volume identifiers containing path traversal sequences (../). During volume deletion or cleanup operations, the driver could operate on unintended directories outside the intended managed path within the NFS export. This may lead to deletion or …
A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
On March 19, 2026, threat actor TeamPCP used compromised credentials to publish a malicious Trivy v0.69.4 release containing a credential-stealing payload. The malware extracts secrets from process memory and filesystem locations including SSH keys, cloud provider credentials, Kubernetes tokens, and environment variables. Stolen data is encrypted using AES-256-CBC with RSA-4096 hybrid encryption and exfiltrated via HTTP POST to attacker infrastructure at scan.aquasecurtiy[.]org (typosquatted domain). As a fallback, stolen GitHub PATs …
This package version was compromised as part of the CanisterWorm supply chain attack, which originated from the Trivy security scanner compromise by threat actor TeamPCP on March 19, 2026. The malicious code deploys a persistent backdoor via systemd, exfiltrates npm tokens and credentials, and uses an Internet Computer Protocol (ICP) canister as a dead-drop C2 server. Any computer that has this package installed or running should be considered fully compromised. …
This package version was compromised as part of the CanisterWorm supply chain attack, which originated from the Trivy security scanner compromise by threat actor TeamPCP on March 19, 2026. The malicious code deploys a persistent backdoor via systemd, exfiltrates npm tokens and credentials, and uses an Internet Computer Protocol (ICP) canister as a dead-drop C2 server. Any computer that has this package installed or running should be considered fully compromised. …
This package version was compromised as part of the CanisterWorm supply chain attack, which originated from the Trivy security scanner compromise by threat actor TeamPCP on March 19, 2026. The malicious code deploys a persistent backdoor via systemd, exfiltrates npm tokens and credentials, and uses an Internet Computer Protocol (ICP) canister as a dead-drop C2 server. Any computer that has this package installed or running should be considered fully compromised. …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-vqx8-9xxw-f2m7. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state transitions, potentially causing incorrect call …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-6rcp-vxwf-3mfp. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.24 contain a command injection vulnerability in the system.run shell-wrapper that allows attackers to execute hidden commands by injecting positional argv carriers after inline shell payloads. Attackers can craft misleading approval text while executing arbitrary commands through trailing positional arguments that bypass …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-mwcg-wfq3-4gjc. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.25 contain a time-of-check-time-of-use vulnerability in approval-bound system.run execution where the cwd parameter is validated at approval time but resolved at execution time. Attackers can retarget a symlinked cwd between approval and execution to bypass command execution restrictions and execute arbitrary commands …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-rm2p-j3r7-4x4j. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.25 fail to consistently apply sender-policy checks to reaction_* and pin_* non-message events before adding them to system-event context. Attackers can bypass configured DM policies and channel user allowlists to inject unauthorized reaction and pin events from restricted senders.
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-792q-qw95-f446. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.25 contain an access control vulnerability in signal reaction notification handling that allows unauthorized senders to enqueue status events before authorization checks are applied. Attackers can exploit the reaction-only event path in event-handler.ts to queue signal reaction status lines for sessions without …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-xgf2-vxv2-rrmg. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.22 fail to sanitize shell startup environment variables HOME and ZDOTDIR in the system.run function, allowing attackers to bypass command allowlist protections. Remote attackers can inject malicious startup files such as .bash_profile or .zshenv to achieve arbitrary code execution before allowlist-evaluated commands …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-p7gr-f84w-hqg5. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.3.1 fail to enforce sandbox inheritance during cross-agent sessions_spawn operations, allowing sandboxed sessions to create child processes under unsandboxed agents. An attacker with a sandboxed session can exploit this to spawn child runtimes with sandbox.mode set to off, bypassing runtime confinement restrictions.
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-rxxp-482v-7mrh. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.22 fail to consistently enforce configured inbound media byte limits before buffering remote media across multiple channel ingestion paths. Remote attackers can send oversized media payloads to trigger elevated memory usage and potential process instability.
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-hff7-ccv5-52f8. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.21 incorrectly apply tokenless Tailscale header authentication to HTTP gateway routes, allowing bypass of token and password requirements. Attackers on trusted networks can exploit this misconfiguration to access HTTP gateway routes without proper authentication credentials.
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-25gx-x37c-7pph. This link is maintained to preserve external references. Original Description: In OpenClaw versions prior to 2026.2.21, the sandbox browser entrypoint launches x11vnc without authentication for noVNC observer sessions, allowing unauthenticated access to the VNC interface. Remote attackers on the host loopback interface can connect to the exposed noVNC port to observe or interact with the sandbox browser without …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-mgrq-9f93-wpp5. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.26 contain a path traversal vulnerability in workspace boundary validation that allows attackers to write files outside the workspace through in-workspace symlinks pointing to non-existent out-of-root targets. The vulnerability exists because the boundary check improperly resolves aliases, permitting the first write operation …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-hwpq-rrpf-pgcq. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.25 contain an approval-integrity bypass vulnerability in system.run where rendered command text is used as approval identity while trimming argv token whitespace, but runtime execution uses raw argv. An attacker can craft a trailing-space executable token to execute a different binary than …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-v8cg-4474-49v8. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.26 fail to enforce sender authorization in member and message subtype system event handlers, allowing unauthorized events to be enqueued. Attackers can bypass Slack DM allowlists and per-channel user allowlists by sending system events from non-allowlisted senders through message_changed, message_deleted, and thread_broadcast …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-5mx2-2mgw-x8rm. This link is maintained to preserve external references. Original Description: In OpenClaw versions prior to 2026.2.21, the BlueBubbles webhook handler contains a passwordless fallback authentication path that allows unauthenticated webhook events in certain reverse-proxy or local routing configurations. Attackers can bypass webhook authentication by exploiting the loopback/proxy heuristics to send unauthenticated webhook events to the BlueBubbles plugin.
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-v6x2-2qvm-6gv8. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.22 reuse gateway.auth.token as a fallback hash secret for owner-ID prompt obfuscation when commands.ownerDisplay is set to hash and commands.ownerDisplaySecret is unset, creating dual-use of authentication secrets across security domains. Attackers with access to system prompts sent to third-party model providers can …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-hjvp-qhm6-wrh2. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.26 contain an approval context-binding weakness in system.run execution flows with host=node that allows reuse of previously approved requests with modified environment variables. Attackers with access to an approval id can exploit this by reusing an approval with changed env input, bypassing …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-vjp8-wprm-2jw9. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.26 contain an authorization bypass vulnerability in the pairing-store access control for direct message pairing policy that allows attackers to reuse pairing approvals across multiple accounts. An attacker approved as a sender in one account can be automatically accepted in another account …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-36h3-7c54-j27r. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.25 contain a symlink traversal vulnerability in browser trace and download output path handling that allows local attackers to escape the managed temp root directory. An attacker with local access can create symlinks to route file writes outside the intended temp directory, …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-43x4-g22p-3hrq. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.21 contain an improper sandbox configuration vulnerability that allows attackers to execute arbitrary code by exploiting renderer-side vulnerabilities without requiring a sandbox escape. Attackers can leverage the disabled OS-level sandbox protections in the Chromium browser container to achieve code execution on the …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-vvgp-4c28-m3jm. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.25 contain an authentication bypass vulnerability in the trusted-proxy Control UI pairing mechanism that accepts client.id=control-ui without proper device identity verification. An authenticated node role websocket client can exploit this by using the control-ui client identifier to skip pairing requirements and gain …
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-7jx5-9fjg-hp4m. This link is maintained to preserve external references. Original Description: OpenClaw versions prior to 2026.2.23 contain an authorization bypass vulnerability in the ACP client that auto-approves tool calls based on untrusted toolCall.kind metadata and permissive name heuristics. Attackers can bypass interactive approval prompts for read-class operations by spoofing tool metadata or using non-core read-like names to …
If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored. The impact was that correct provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates. This vulnerability is …
A flaw in Vikunja’s password reset logic allows disabled users to regain access to their accounts. The ResetPassword() function sets the user’s status to StatusActive after a successful password reset without verifying whether the account was previously disabled. By requesting a reset token through /api/v1/user/password/token and completing the reset via /api/v1/user/password/reset, a disabled user can reactivate their account and bypass administrator-imposed account disablement.
The DELETE /api/v1/projects/:project/background endpoint checks CanRead permission instead of CanUpdate, allowing any user with read-only access to a project to permanently delete its background image.
Any user that has enabled 2FA can have their TOTP reused during the standard 30 second validity window.
An authenticated user can read any task comment by ID, regardless of whether they have access to the task the comment belongs to, by substituting the task ID in the API URL with a task they do have access to.
Unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of (echo.Context).RealIP.
The Caldav endpoint allows login using Basic Authentication, which in turn allows users to bypass the TOTP on 2FA-enabled accounts. The user can then access standard project information that would normally be protected behind 2FA (if enabled), such as project name, description, etc.
Vulnerability: Unbounded image decoding and resizing during preview generation lets an attacker exhaust CPU and memory with highly compressed but extremely large-dimension images. Affected code: decoding without bounds in task_attachment.go:GetPreview; resizing path in resizeImage; endpoint invoking preview, GetTaskAttachment. Impact: First preview generation per attachment can allocate large memory and spend significant CPU; multiple attachments or concurrent requests can degrade or crash the service. CVSS v3.1: 7.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
There is a potential vulnerability in Traefik's TLS SNI pre-sniffing logic related to fragmented ClientHello packets. When a TLS ClientHello is fragmented across multiple records, Traefik's SNI extraction may fail with an EOF and return an empty SNI. The TCP router then falls back to the default TLS configuration, which does not require client certificates by default. This allows an attacker to bypass route-level mTLS enforcement and access services that …
There is a potential vulnerability in Traefik's BasicAuth middleware that allows username enumeration via a timing attack. When a submitted username exists, the middleware performs a bcrypt password comparison taking ~166ms. When the username does not exist, the response returns immediately in ~0.6ms. This ~298x timing difference is observable over the network and allows an unauthenticated attacker to reliably distinguish valid from invalid usernames. A timing attack vulnerability exists in …
As part of CVE-2025-62518, the astral-tokio-tar project was changed to correctly honor PAX size headers when they differ from the base header. However, it was missed at the time that this project (the original Rust tar crate) had conditional logic that skipped the PAX size header when the base header size was nonzero, almost the inverse of the astral-tokio-tar issue. The …
When unpacking a tar archive, the tar crate's unpack_dir function uses fs::metadata() to check whether a path that already exists is a directory. Because fs::metadata() follows symbolic links, a crafted tarball containing a symlink entry followed by a directory entry with the same name causes the crate to treat the symlink target as a valid existing directory — and subsequently apply chmod to it. This allows an attacker to modify …