Linux Distros Unpatched Vulnerability : CVE-2026-3446

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - When calling base64.b64decode or related functions the decoding process would stop after encountering the first padded quad regardless of whether there was more...

Prototype Pollution

Overview langsmith is a Client library to connect to the LangSmith Observability and Evaluation Platform. Affected versions of this package are vulnerable to Prototype Pollution via constructor.prototype in the baseAssignValue function. An attacker can modify the Object.prototype by supplying...

LangSmith Client SDKs has Prototype Pollution in langsmith-sdk via Incomplete `__proto__` Guard in Internal lodash `set()`

GHSA-fw9q-39r9-c252: Prototype Pollution via Incomplete Lodash set Guard in langsmith-sdk Severity: Medium CVSS 5.6 Status: Fixed in 0.5.18 --- Summary The LangSmith JavaScript/TypeScript SDK langsmith contains an incomplete prototype pollution fix in its internally vendored lodash set utility. T...

@saltcorn/admin-models (>=1.6.0-alpha.0 <=1.6.0-beta.12), @saltcorn/base-plugin (>=1.6.0-alpha.0 <=1.6.0-beta.12) +5 more potentially affected by unknown CVE via @saltcorn/data (>=1.6.0-alpha.0 <=1.6.0-beta.3)

@saltcorn/data NPM version =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-alpha.0, =1.6.0-beta.12 Source cves: unknown CVE Source advisory: OSV:GHSA-59XV-588H-2VMM...

CVE-2026-3446

CVE-2026-3446 affects Python’s base64 decoding (base64.b64decode and related functions). The root cause is that the decoder stops after the first padded quad, potentially leaving additional data unprocessed. This can cause data to be accepted and then processed differently by other implementation...

EUVD-2026-21116

OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch calls against configured endpoints to rebind requests to blocked internal...

Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rhfg-j8jq-7v2h. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fa...

GHSA-8J7F-G9GV-7JHC Duplicate Advisory: OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-rhfg-j8jq-7v2h. This link is maintained to preserve external references. Original Description OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fa...

PT-2026-32017

Name of the Vulnerable Software and Affected Versions Base64 affected versions not specified Description The decoding process using base64.b64decode or related functions would halt upon encountering the first padded quad, even if additional data remained. This could result in the acceptance of da...

CVE-2026-35644

OpenClaw before 2026.3.22 contains an information disclosure vulnerability that allows attackers with operator.read scope to expose credentials embedded in channel baseUrl and httpUrl fields. Attackers can access gateway snapshots via config.get and channels.status endpoints to retrieve sensitive...

CVE-2026-35644 OpenClaw < 2026.3.22 - Credential Exposure via baseUrl Fields in Gateway Snapshots

OpenClaw before 2026.3.22 contains an information disclosure vulnerability that allows attackers with operator.read scope to expose credentials embedded in channel baseUrl and httpUrl fields. Attackers can access gateway snapshots via config.get and channels.status endpoints to retrieve sensitive...

CVE-2026-35629 OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions

OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch calls against configured endpoints to rebind requests to blocked internal...

CVE-2026-35629

CVE-2026-35629 affects OpenClaw before version 2026.3.25. The issue is SSRF via unguarded configured base URLs in multiple channel extensions, where unprotected fetch() calls can rebinding requests to blocked internal destinations and access restricted resources. Impact per sources is limited to ...

CVE-2026-35629 OpenClaw < 2026.3.25 - Server-Side Request Forgery via Unguarded Configured Base URLs in Channel Extensions

OpenClaw before 2026.3.25 contains a server-side request forgery vulnerability in multiple channel extensions that fail to properly guard configured base URLs against SSRF attacks. Attackers can exploit unprotected fetch calls against configured endpoints to rebind requests to blocked internal...

CVE-2026-35618

OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized...

CVE-2026-40113

PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openaimodel, openaikey, and openaibase without validating that these values do not contain commas. gcloud use...

Allocation of Resources Without Limits or Throttling

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to missing pre-allocation size checks in the base64 decoding process. An attacker can cause excessive memory allocation by providi...

gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free security update

An update is available for gstreamer1-plugins-bad-free, gstreamer1-plugins-good, gstreamer1-plugins-ugly-free, gstreamer1-plugins-base. This update affects Rocky Linux 10. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each...

RLSA-2026:6259 Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, gstreamer1-plugins-good, and gstreamer1-plugins-ugly-free security update

GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security Fixes: GStreamer: GStreamer: Arbitrary code execution via ASF file processing CVE-2026-2920 GStreamer:...

RLSA-2026:6750 Important: gstreamer1-plugins-bad-free, gstreamer1-plugins-base, and gstreamer1-plugins-good security update

GStreamer is a streaming media framework based on graphs of filters which operate on media data. The gstreamer1-plugins-bad-free package contains a collection of plug-ins for GStreamer. Security Fixes: GStreamer: GStreamer: Arbitrary code execution via ASF file processing CVE-2026-2920 GStreamer:...