GHSA-35HP-HQMV-8QG8 Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters

Summary Fiber cache middleware's default key generator uses only c.Path and does not include the query string. As a result, requests like /?id=1 and /?id=2 can map to the same cache key and share the same cached response. This can cause response mix-up cache poisoning-like behavior for endpoints...

Use of Cache Containing Sensitive Information

Overview Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information due to the default KeyGenerator process in the cache middleware not including query parameters when generating cache keys. An attacker can access or cause exposure of user-specific or...

Use of Cache Containing Sensitive Information

Overview Affected versions of this package are vulnerable to Use of Cache Containing Sensitive Information due to the default KeyGenerator process in the cache middleware not including query parameters when generating cache keys. An attacker can access or cause exposure of user-specific or...

Fiber's cache middleware default key generator ignores query string, causing response mix-up across distinct query parameters

Summary Fiber cache middleware's default key generator uses only c.Path and does not include the query string. As a result, requests like /?id=1 and /?id=2 can map to the same cache key and share the same cached response. This can cause response mix-up cache poisoning-like behavior for endpoints...

CVE-2026-7317

A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. The attack may be...

Arbitrary Code Execution

Overview Affected versions of this package are vulnerable to Arbitrary Code Execution in crypto/algifaead.c. The authencesn cryptographic template has a 4-byte overwrite past the end of its buffer, which can be controlled to write into the page cache of any readable file. This allows a...

CVE-2026-7317 Grav CMS Cache Value FileCache.php doGet deserialization

A vulnerability was found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. The attack may be...

CVE-2026-7317

Grav CMS (up to 1.7.49.5/2.0.0-beta.1) contains a deserialization vulnerability in FileCache::doGet (Cache Value Handler, file system/src/Grav/Framework/Cache/Adapter/FileCache.php). The issue allows remote exploitation with high complexity and a publicly available exploit. Upgrading to version 2...

CVE-2026-41402

OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver...

CVE-2026-41402 OpenClaw < 2026.3.31 - Webhook Replay Cache Cross-Target messageId Scope Bypass

OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver...

CVE-2026-41402

OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver...

EUVD-2026-26109

OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver...

CVE-2026-41402 OpenClaw < 2026.3.31 - Webhook Replay Cache Cross-Target messageId Scope Bypass

OpenClaw before 2026.3.31 contains a scope bypass vulnerability in webhook replay cache deduplication that allows authenticated attackers to replay messages across sibling targets using the same messageId. Attackers can exploit overly broad cache keying to bypass replay protection and deliver...

CVE-2026-41402

OpenClaw OpenClaw (npm package) is affected by CVE-2026-41402. The vulnerability is a webhook replay cache deduplication scope bypass that lets authenticated attackers replay messages across sibling targets using the same messageId. The issue arises from overly broad cache keying, enabling bypass...

CVE-2026-41395

OpenClaw prior to 2026.3.28 is affected by a webhook replay vulnerability in Plivo V3 signature verification. The system canonicalizes query ordering for signatures but hashes the raw verification URL for replay detection, allowing an attacker who captures a valid signed webhook to reorder query ...

CVE-2026-41395 OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3

OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attackers can reorder query parameters to bypass replay cache detection and trigger duplicate voice-call...

EUVD-2026-26103

OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attackers can reorder query parameters to bypass replay cache detection and trigger duplicate voice-call...

CVE-2026-41395 OpenClaw < 2026.3.28 - Webhook Replay via Query Parameter Reordering in Plivo V3

OpenClaw before 2026.3.28 contains a webhook replay vulnerability in Plivo V3 signature verification that canonicalizes query ordering for signatures but hashes raw URLs for replay detection. Attackers can reorder query parameters to bypass replay cache detection and trigger duplicate voice-call...

CVE-2026-41131

A flaw was found in OpenFGA, an authorization and permission engine. When certain authorization models use conditions with caching enabled, the system can incorrectly generate the same cache key for different requests. This error causes OpenFGA to reuse an outdated authorization decision,...

GHSA-R5HP-3CGJ-J6XV Spring AI's ONNX model cache defaults to world-writable predictable /tmp directory

In Spring AI, having access to a shared environment can expose the ONNX model used by the application. Affected versions: Spring AI: 1.0.0 - 1.0.5 fixed in 1.0.6, 1.1.0 - 1.1.4 fixed in 1.1.5...