SUSE CVE-2025-69653

A crafted JavaScript input can trigger an internal assertion failure in QuickJS release 2025-09-13, fixed in commit 1dbba8a88eaa40d15a8a9b70bb1a0b8fb5b552e6 2025-12-11, in file gcdecrefchild in quickjs.c, when executed with the qjs interpreter using the -m option. This leads to an abort SIGABRT...

GHSA-F2FC-VC88-6W7Q @siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters

Summary Multiple Git-related API endpoints use execAsync with string interpolation of user-controlled parameters file, branch, message, commit, allowing authenticated attackers to execute arbitrary OS commands. Details The claudecodeui application provides Git integration through various API...

CVE-2026-3582

CVE-2026-3582 affects GitHub Enterprise Server. An Incorrect Authorization vulnerability allowed an authenticated user with a classic PAT lacking the repo scope to retrieve issues and commits from private/internal repositories via the search REST API, provided the user already had access to the r...

Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation

Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...

CVE-2026-1776

Camaleon CMS versions 2.4.5.0 through 2.9.0, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...

CAMALEON CMS 路径遍历漏洞

CAMALEON CMS is a dynamic advanced content management system developed by Owen Peredo Diaz. Versions of Camaleon CMS prior to 2.9.0 and versions before f54a77e contained a path traversal vulnerability. This vulnerability stems from path traversal in the AWS S3 uploader implementation, which could...

Camaleon CMS vulnerable to Path Traversal through AWS S3 uploader implementation

Camaleon CMS versions 2.4.5.0 through 2.9.1, prior to commit f54a77e, contain a path traversal vulnerability in the AWS S3 uploader implementation that allows authenticated users to read arbitrary files from the web server’s filesystem. The issue occurs in the downloadprivatefile functionality wh...

CVE-2026-1776

Camaleon CMS CVE-2026-1776 affects versions 2.4.5.0–2.9.0 prior to commit f54a77e, with a path traversal vulnerability in the CamaleonCmsAwsUploader AWS S3 backend. Authenticated users can trigger download_private_file to bypass path validation (valid_folder_path?) and read arbitrary files on the...

OpenClaw: system.run allow-always persistence included shell-commented payload tails

OpenClaw's system.run allowlist analysis did not honor POSIX shell comment semantics when deriving allow-always persistence entries. A caller in security=allowlist mode who received an allow-always decision could submit a shell command whose tail was commented out at runtime, for example by using...

OpenClaw's system.run allowlist approval parsing missed PowerShell encoded-command wrappers

OpenClaw's system.run shell-wrapper detection did not recognize PowerShell -EncodedCommand forms as inline-command wrappers. In allowlist mode, a caller with access to system.run could invoke pwsh or powershell using -EncodedCommand, -enc, or -e, and the request would fall back to plain argv...

EUVD-2026-10344

Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through the Shannon instanc...

CVE-2026-29023

Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through the Shannon instanc...

CVE-2026-29023

Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through the Shannon instanc...

CVE-2026-29023 Keygraph Shannon Hard-coded Router API Key

Keygraph Shannon contains a hard-coded API key in its router configuration that, when the router component is enabled and exposed, allows network attackers to authenticate using the publicly known static key. An attacker able to reach the router port can proxy requests through the Shannon instanc...

CLSA-2026-1773046198 kernel: Fix of 31 CVEs

smb3: fix for slab out of bounds on mount to ksmbd CVE-2025-38728 - netfilter: nftsetpipapo: clamp maximum map bucket size to INTMAX CVE-2025-38201 - ALSA: usb-audio: Validate UAC3 power domain descriptors, too CVE-2025-38729 - net: atm: fix /proc/net/atm/lec handling CVE-2025-38180 - tcpbpf:...

CVE-2026-29779

UptimeFlare is a serverless uptime monitoring & status page solution, powered by Cloudflare Workers. Prior to commit 377a596, configuration file uptime.config.ts exports both pageConfig safe for client use and workerConfig server-only, contains sensitive data from the same module. Due to...

CVE-2026-29075

Mesa is an open-source Python library for agent-based modeling, simulating complex systems and exploring emergent behaviors. In version 3.5.0 and prior, checking out of untrusted code in benchmarks.yml workflow may lead to code execution in privileged runner. This issue has been patched via commi...

CVE-2026-28678

DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens JWTs were stored in HTTP cookies without cryptographic protection...

CVE-2026-28678 dsa-hub-server: Clear-Text Storage of Sensitive Data

DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens JWTs were stored in HTTP cookies without cryptographic protection...

CVE-2026-28678

DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens JWTs were stored in HTTP cookies without cryptographic protection...