7058 matches found
OpenClaw has a Telegram webhook request forgery (missing `channels.telegram.webhookSecret`) → auth bypass
Summary In Telegram webhook mode, if channels.telegram.webhookSecret is not set, OpenClaw may accept webhook HTTP requests without verifying Telegram’s secret token header. In deployments where the webhook endpoint is reachable by an attacker, this can allow forged Telegram updates for example...
PT-2026-20333
Name of the Vulnerable Software and Affected Versions Wavlink WL-NU516U1 versions up to 20251208 Description A flaw exists in Wavlink WL-NU516U1 that could allow for remote command injection. The issue is located in the singlePortForwardDelete function within the /cgi-bin/firewall.cgi file...
SUSE SLES12 Security Update : zabbix (SUSE-SU-2026:0483-1)
The remote SUSE Linux SLES12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:0483-1 advisory. - CVE-2024-36469: Introduced clamping for mitigation of timing attacks. bsc1240676 - CVE-2024-42325: Restricted access to user fields using...
CVE-2026-20630
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26.3. An app may be able to access protected user data...
Security update for zabbix
This update for zabbix fixes the following issues: CVE-2024-36469: Introduced clamping for mitigation of timing attacks. bsc1240676 CVE-2024-42325: Restricted access to user fields using user.get API method for users of User and Admin type, and restricted access to alert entities using alert.get...
SUSE-SU-2026:0483-1 Security update for zabbix
This update for zabbix fixes the following issues: - CVE-2024-36469: Introduced clamping for mitigation of timing attacks. bsc1240676 - CVE-2024-42325: Restricted access to user fields using user.get API method for users of User and Admin type, and restricted access to alert entities using...
PT-2026-7014
Name of the Vulnerable Software and Affected Versions UTT 进取 521G version 3.1.1-190816 Description A flaw exists in the doSystem function within the /goform/setSysAdm file. Manipulation of the passwd1 argument can result in command injection. This issue may be exploited remotely. The exploit is...
PT-2026-6903
Name of the Vulnerable Software and Affected Versions D-Link DWR-M921 version 1.1.50 Description A security issue exists in D-Link DWR-M921 version 1.1.50 related to command injection. The issue is located in the USSD Configuration component, specifically within the sub 419F20 function of the...
PT-2026-6911
Name of the Vulnerable Software and Affected Versions SourceCodester Online Class Record System version 1.0 Description A flaw exists in the processing of the /admin/message/search.php file within the software. Manipulating the term argument can result in SQL injection. This issue can be exploite...
PT-2026-6819
Name of the Vulnerable Software and Affected Versions AMSS++ version 4.31 Description AMSS++ version 4.31 has a SQL injection issue in the mail module’s maildetail.php script. The issue is present through the id parameter. An attacker can manipulate the id parameter in the...
CVE-2025-11261
A flaw was found in MediaWiki. This vulnerability, known as Cross-site Scripting XSS, occurs due to improper neutralization of input during web page generation. A remote attacker could exploit this by injecting malicious scripts into web pages. Successful exploitation could lead to arbitrary code...
PT-2026-6030
Name of the Vulnerable Software and Affected Versions Django versions prior to 6.0.2 Django versions prior to 5.2.11 Django versions prior to 4.2.28 Description A flaw in the GeoDjango RasterField implementation, specifically when using a PostGIS backend, allows remote attackers to perform SQL...
CVE-2026-1518
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. Mitigation To mitigate this issue, restrict administrative access to Keycloak instances. Ensure that only...
PT-2026-3939
Name of the Vulnerable Software and Affected Versions Tenda AX1803 version 1.0.0.1 Description A stack-based buffer overflow exists in the fromGetWifiGuestBasic function within the /goform/WifiGuestSet file of the Tenda AX1803. Manipulation of the guestWrlPwd, guestEn, guestSsid, hideSsid, and...
Replay Attack
Overview Affected versions of this package are vulnerable to Replay Attack via the authentication process in the S3 gateway. An attacker can gain unauthorized access or perform actions by replaying previously captured signed requests, as the system does not validate timestamps on authenticated...
PT-2026-2041
Name of the Vulnerable Software and Affected Versions code-projects Online Music Site version 1.0 Description A flaw exists in code-projects Online Music Site 1.0 that allows for SQL injection. The issue is located in an unknown function within the /Administrator/PHP/AdminAddUser.php file...
CVE-2023-49002
An issue in Xenom Technologies sinous Phone Dialer-voice Call Dialer v.1.2.5 allows an attacker to bypass intended access restrictions via interaction with com.funprime.calldialer.ui.activities.OutgoingActivity...
CVE-2023-4800
The DoLogin Security WordPress plugin before 3.7.1 does not restrict the access of a widget that shows the IPs of failed logins to low privileged users...
CVE-2018-18531
text/impl/DefaultTextCreator.java, text/impl/ChineseTextProducer.java, and text/impl/FiveLetterFirstNameTextCreator.java in kaptcha 2.3.2 use the Random rather than SecureRandom function for generating CAPTCHA values, which makes it easier for remote attackers to bypass intended access restrictio...
CVE-2009-4998
The Workplace aka WP component in IBM FileNet P8 Application Engine P8AE 3.5.1 before 3.5.1-019 and 4.0.2.x before 4.0.2.7-P8AE-FP007, in certain FileTracker configurations, does not apply a security policy to the first document added during a session, which might allow remote attackers to bypass...