Server-side Request Forgery (SSRF)

Overview @openclaw/mattermost is an OpenClaw Mattermost channel plugin Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetch process in multiple channel extensions when outbound requests are made to configured base URLs without proper validation. An...

Server-side Request Forgery (SSRF)

Overview @openclaw/nextcloud-talk is an OpenClaw Nextcloud Talk channel plugin Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetch process in multiple channel extensions when outbound requests are made to configured base URLs without proper validatio...

Server-side Request Forgery (SSRF)

Overview @openclaw/bluebubbles is an OpenClaw BlueBubbles channel plugin Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the fetch process in multiple channel extensions when outbound requests are made to configured base URLs without proper validation. An...

OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)

Summary SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions Incomplete Fix for CVE-2026-28476 Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24...

GHSA-RHFG-J8JQ-7V2H OpenClaw: SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions (Incomplete Fix for CVE-2026-28476)

Summary SSRF via Unguarded Configured Base URLs in Multiple Channel Extensions Incomplete Fix for CVE-2026-28476 Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24...

[SECURITY] [DLA 4514-1] gst-plugins-base1.0 security update

----------------------------------------------------------------------- Debian LTS Advisory DLA-4514-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta March 29, 2026 https://wiki.debian.org/LTS -...

DLA-4514-1 gst-plugins-base1.0 - security update

Bulletin has no description...

Server-Side Request Forgery (SSRF)

saloonphp/saloon is vulnerable to Server-Side Request Forgery SSRF. The vulnerability is due to improper validation of request endpoints allowing absolute URLs to override the base URL, which allows an attacker to redirect requests to malicious hosts and potentially exfiltrate sensitive data such...

CVE-2026-28788

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to version 0.8.6, any authenticated user can overwrite any file's content by ID through the POST /api/v1/retrieval/process/files/batch endpoint. The endpoint performs no ownership check, so a...

langflow-nightly (=1.8.0.dev24) potentially affected by CVE-2026-33873 via langflow-base (=0.7.2)

langflow-base PYPI version =0.7.2 is affected by a known vulnerability. The following packages have a transitive dependency on langflow-base and may be impacted: - langflow-nightly =1.8.0.dev24 Source cves: CVE-2026-33873 Source advisory: SNYK:PYTHON-LANGFLOWBASE-15812241...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the readflow helper in src/backend/base/langflow/api/v1/flows.py. An attacker can read, modify, or delete another user's flow by supplying that flow's UUID to the GET, PATCH, or DELETE /api/v1/flow/flowid...

Cross-site Scripting (XSS)

Overview n8n-nodes-base is a Base nodes of n8n Affected versions of this package are vulnerable to Cross-site Scripting XSS via the Form Trigger node. An attacker can execute arbitrary scripts in the context of users visiting a published form by injecting malicious payloads, potentially leading t...

langflow-nightly (=1.8.0.dev24) potentially affected by CVE-2026-5027 via langflow-base (=0.7.2)

langflow-base PYPI version =0.7.2 is affected by a known vulnerability. The following packages have a transitive dependency on langflow-base and may be impacted: - langflow-nightly =1.8.0.dev24 Source cves: CVE-2026-5027 Source advisory: SNYK:PYTHON-LANGFLOWBASE-15842030...

langflow-nightly (=1.8.0.dev24) potentially affected by CVE-2026-5022 via langflow-base (=0.7.2)

langflow-base PYPI version =0.7.2 is affected by a known vulnerability. The following packages have a transitive dependency on langflow-base and may be impacted: - langflow-nightly =1.8.0.dev24 Source cves: CVE-2026-5022 Source advisory: SNYK:PYTHON-LANGFLOWBASE-15840036...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization via the downloadimage endpoint. An attacker can access and download image files belonging to any flow by knowing or guessing the flow ID and file name. Remediation There is no fixed version for langflow-base...

langflow-nightly (=1.8.0.dev24) potentially affected by CVE-2026-5026 via langflow-base (=0.7.2)

langflow-base PYPI version =0.7.2 is affected by a known vulnerability. The following packages have a transitive dependency on langflow-base and may be impacted: - langflow-nightly =1.8.0.dev24 Source cves: CVE-2026-5026 Source advisory: SNYK:PYTHON-LANGFLOWBASE-15814086...

langflow-nightly (=1.8.0.dev24) potentially affected by CVE-2026-5025 via langflow-base (=0.7.2)

langflow-base PYPI version =0.7.2 is affected by a known vulnerability. The following packages have a transitive dependency on langflow-base and may be impacted: - langflow-nightly =1.8.0.dev24 Source cves: CVE-2026-5025 Source advisory: SNYK:PYTHON-LANGFLOWBASE-15813866...

CVE-2026-27663

A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.10, RTUM85 RTU Base All versions V26.10. The affected application contains denial-of-service DoS vulnerability. The remote operation mode is susceptible to a resource exhaustion condition when subjecte...

CVE-2026-27664

A vulnerability has been identified in CPCI85 Central Processing/Communication All versions V26.10, SICORE Base system All versions V26.10.0. The affected application contains an out-of-bounds write vulnerability while parsing specially crafted XML inputs. This could allow an unauthenticated...

EUVD-2026-16484

Open WebUI has unauthorized deletion of knowledge files...