EUVD-2026-36130

Russh: SSH identification parsing accepted non-canonical client banners and did not bound pre-banner input...

CVE-2026-41483

OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker w...

CVE-2026-43899

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerable to an arbitrary protocol execution bypass RCE. While the patch correctly restricted...

PT-2026-43064

Name of the Vulnerable Software and Affected Versions hackney versions 2.0.0-beta.1 through 4.0.0 Description An infinite loop exists in the Alt-Svc response header parser within src/hackney altsvc.erl. When the parse token/2 function receives a byte that is not a token, whitespace, or comma such...

Hackney 安全漏洞

Hackney is a program library from Hackney, Inc. A security vulnerability exists in Hackney versions 2.0.0-beta.1 through prior to 4.0.1, which stems from the Alt-Svc response header parser's inability to guarantee forward progress, potentially leading to infinite loops and CPU exhaustion...

@antv/l7 (>=2.1.13 <=2.25.10), @antv/l7-component (>=2.0.0-beta.1 <=2.25.10) +13 more potentially affected by unknown CVE via @antv/l7-utils (>=2.0.0-beta.1 <=2.25.9)

@antv/l7-utils NPM version =2.0.0-beta.1, =2.1.13, =2.0.0-beta.1, =2.0.0-beta.1, =2.1.13, =2.1.13, =2.10.0, =2.1.13, =2.10.0, =2.1.13, =2.1.13, =2.1.13, =2.0.0-beta.1, =2.10.0, =1.0.0, =1.0.17, =1.0.18 Source cves: unknown CVE Source advisory: SNYK:JS-ANTVL7UTILS-16754432...

4house-libts-places-autocomplete (=1.0.0), @77sol-ui/atoms (>=5.1.0 <=5.4.0) +278 more potentially affected by unknown CVE via jest-canvas-mock (>=2.0.0-beta.1 <=2.5.2)

jest-canvas-mock NPM version =2.0.0-beta.1, =5.1.0, =1.0.1, =1.0.0, =1.0.0, =0.0.0, =0.0.1-react-native, =2.1.0-alpha.0, =2.1.0-alpha.0, =2.1.0-alpha.0, =2.1.0-alpha.250, =2.1.0-alpha.250, =0.0.5, =0.0.6, =0.3.113, =0.5.0 and more Source cves: unknown CVE Source advisory:...

CVE-2026-44515 Nextcloud News: Authenticated blind SSRF via feed URL

Nextcloud News is an RSS/Atom feed reader. Prior to 28.3.0-beta.1, Nextcloud News allows authenticated users to add feeds by providing a feed URL via the web interface or the API. In affected versions, an authenticated attacker could provide a URL pointing to internal/private IP ranges or...

CVE-2026-43900

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, a Cross-Site Scripting XSS vulnerability exists due to a discrepancy between the backend validation layer and the frontend browser rendering engine. The SVGSanitizer...

CVE-2026-43899

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerable to an arbitrary protocol execution bypass RCE. While the patch correctly restricted...

CVE-2026-43899 DeepChat: Incomplete Fix for CVE-2025-55733 leads to Remote Code Execution via Markdown Links bypassing `isValidExternalUrl`

DeepChat is an open-source artificial intelligence agent platform that unifies models, tools, and agents. Prior to v1.0.4-beta.1, An incomplete mitigation for CVE-2025-55733 leaves DeepChat vulnerable to an arbitrary protocol execution bypass RCE. While the patch correctly restricted...

CVE-2026-41483

OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker w...

Missing Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Missing Authorization via the browser interaction routes. An attacker can access arbitrary files by bypassing navigation guards and leveraging browser act/evaluate interactions to pivot...

Permissive List of Allowed Inputs

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Permissive List of Allowed Inputs via the memoryget function. An attacker can access arbitrary Markdown files within the workspace root by supplying crafted paths, thereby bypassing...

CVE-2026-41483 Unbounded HTTP response body read in OpenTelemetry.Resources.Azure

OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure VM instance metadata service and reads the response body into memory without any size limit. An attacker w...

CVE-2026-41483

OpenTelemetry.Resources.Azure (Azure VM resource detector) suffers from unbounded HTTP response body reads in AzureVmMetaDataRequestor when contacting the Azure VM metadata endpoint, causing unbounded memory usage and potential DoS. The issue affects versions 1.15.0-beta.1 and earlier; it is fixe...

OpenTelemetry 安全漏洞

OpenTelemetry is an open-source, vendor-neutral, open-source observability framework developed by OpenTelemetry. Versions of OpenTelemetry 1.15.0-beta.1 and earlier contain security vulnerabilities. These vulnerabilities stem from the AzureVmMetaDataRequestor class, which reads response bodies...

Arbitrary Code Injection

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Arbitrary Code Injection in the setup-api.js loading process. An attacker can execute arbitrary code by placing a malicious setup-api.js file in the extensions// directory of a repository...

Insufficient Session Expiration

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insufficient Session Expiration in the webhook authentication process. An attacker can continue to access protected webhook routes using a previously valid secret even after the secret ha...

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition due to a race condition in the process that reads and verifies files before returning bytes. An attacker can access data outside the intend...