56 matches found
MAL-2026-4447 Malicious code in @spcsn/taro-cli (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 10e2baba3a5166ecf1196146e1b2a8771836b25bd7f8d56979e3e277a3de9625 The package's postinstall script probes https://taro.jd.com/ and then invokes its own CLI to run npm install...
Directory Traversal
Overview getgrav/grav is a Modern, Crazy Fast, Ridiculously Easy and Amazingly Powerful Flat-File CMS. Affected versions of this package are vulnerable to Directory Traversal via the FormFlash process when the sessionid parameter mapped to form-flash-id in POST requests is not properly sanitized...
TP-Link TL-WR841N 安全漏洞
The TP-Link TL-WR841N is a router produced by the TP-Link company. The TP-Link TL-WR841N v13 version has a security vulnerability. This vulnerability stems from the use of DES-CBC encryption in the TDDPv2 debugging protocol, where the key is predictable. This could allow unauthorized attackers to...
Exploit for Missing Authentication for Critical Function in Projectsend
ProjectSend CVE-2024-11680 Exploit This is a proof-of-concept...
GHSA-9P23-P2M4-2R4M Fleet vulnerable to SQL Injection in MDM bootstrap package by authenticated team or global admin
Summary A SQL Injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet database, and inject arbitrary content into team configs v...
CVE-2026-33032
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP Model Context Protocol integration exposes two HTTP endpoints: /mcp and /mcpmessage. While /mcp requires both IP whitelisting and authentication AuthRequired middleware, the /mcpmessage endpoi...
CVE-2026-33032
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP Model Context Protocol integration exposes two HTTP endpoints: /mcp and /mcpmessage. While /mcp requires both IP whitelisting and authentication AuthRequired middleware, the /mcpmessage endpoi...
CVE-2026-34386 Fleet vulnerable to SQL injection in MDM bootstrap package by authenticated team or global admin
Fleet is open source device management software. Prior to 4.81.0, a SQL injection vulnerability in Fleet's MDM bootstrap package configuration allows an authenticated user with Team Admin or Global Admin privileges to modify arbitrary team configurations, exfiltrate sensitive data from the Fleet...
CVE-2026-32061
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversa...
CVE-2026-32061
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversa...
CVE-2026-32061
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversa...
CVE-2026-32061 OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversa...
CVE-2026-32061 OpenClaw < 2026.2.17 - Arbitrary File Read via $include Directive Path Traversal
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversa...
CVE-2026-32061
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversa...
EUVD-2026-11152
OpenClaw versions prior to 2026.2.17 contain a path traversal vulnerability in the $include directive resolution that allows reading arbitrary local files outside the config directory boundary. Attackers with config modification capabilities can exploit this by specifying absolute paths, traversa...
CVE-2026-32061
OpenClaw vulnerability CVE-2026-32061 affects OpenClaw versions prior to 2026.2.17, where the include directive resolution is susceptible to a path traversal that allows reading arbitrary local files outside the config directory boundary. Exploitation requires config modification privileges and c...
CVE-2026-28456
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import, allowing code execution. An attacker with gateway configuration modification access can load and...
CVE-2026-28456 OpenClaw 2026.1.5 < 2026.2.14 - Arbitrary Code Execution via Unsafe Hook Module Path Handling
OpenClaw versions 2026.1.5 prior to 2026.2.14 contain a vulnerability in the Gateway in which it does not sufficiently constrain configured hook module paths before passing them to dynamic import, allowing code execution. An attacker with gateway configuration modification access can load and...
OpenClaw 访问控制错误漏洞
OpenClaw is an open-source intelligent artificial assistant. Versions of OpenClaw prior to 2026.2.12 had a access control vulnerability. This vulnerability stemmed from the Nostr plugin exposing unvalidated HTTP endpoints, which could allow remote attackers to read sensitive configuration file da...
PT-2026-24671
Vulnerability Path traversal in config $include resolution allowed arbitrary local file reads outside the config directory boundary CWE-22. Attack Vectors 1. If an attacker can modify OpenClaw config, they can set $include to absolute paths for example /etc/passwd and read files accessible to the...