
2726 matches found

CNNVD
added 2026/04/28 12:00 a.m., 6 views

OpenClaw Security Vulnerability

OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.31 contained security vulnerabilities. These vulnerabilities stemmed from configuration management issues, where the migration process incorrectly treated empty arrays as missin...

CVSS 6.5, AI score 5.8, EPSS 0.00307
Exploits 0, References 1

Tenable Nessus
added 2026/04/28 12:00 a.m., 4 views

Fedora 44 : roundcubemail (2026-6d293b6889)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-6d293b6889 advisory. Version 1.7-rc6: This is hopefully the last release candidate for the next major version 1.7 of Roundcube Webmail. It provides a fix to recently...

CVSS 8.2, AI score 5.6, EPSS 0.00402
Exploits 0, References 9

CVE
added 2026/04/27 11:24 p.m., 17 views

CVE-2026-41369

OpenClaw prior to 2026.3.31 is affected by insufficient environment variable sanitization in host execution paths. The vulnerability concerns the sanitization of environment variables related to packages, registries, Docker, compilers, and TLS overrides, allowing an attacker to inject malicious v...

CVSS 7.1, AI score 5.5, EPSS 0.00307
Exploits 0, References 3, Affected Software 1

ATTACKERKB
added 2026/04/24 3:21 a.m., 5 views

CVE-2026-41323

Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to versions 1.18.0-rc1, 1.17.2-rc1, and 1.16.4, Kyverno's apiCall feature in ClusterPolicy automatically attaches the admission controller's ServiceAccount token to outgoing HTTP requests. The service URL has n...

CVSS 8.1, AI score 5.7, EPSS 0.0056
Exploits 1, References 5, Affected Software 1

Positive Technologies
added 2026/04/24 12:00 a.m., 6 views

PT-2026-34840

Open Source Social Network (OSSN) is open-source social networking software developed in PHP. Versions prior to 9.0 are vulnerable to resource exhaustion. An attacker can upload a specially crafted image with extreme pixel dimensions (e.g., $10000 \times 10000$ pixels). While the compressed file size ...

CVSS 8.2, AI score 5.9, EPSS 0.00369
Exploits 0, References 5

NVD
added 2026/04/23 10:16 p.m., 6 views

CVE-2026-41335

OpenClaw before 2026.3.31 contains an information disclosure vulnerability in the Control Interface bootstrap JSON that exposes version and assistant agent identifiers. Attackers can extract sensitive fingerprinting information from the Control UI bootstrap payload to identify system versions and...

CVSS 6.9, EPSS 0.00297
Exploits 0, References 3

CNNVD
added 2026/04/23 12:00 a.m., 6 views

Flowise Code Issue Vulnerability

Flowise is an open-source tool developed by FlowiseAI, designed for easily building LLM applications. Prior versions of Flowise, such as 3.1.0, contained code vulnerabilities. These vulnerabilities stemmed from multiple logical flaws in the security wrapper, allowing attackers to bypass the...

CVSS 7.1, AI score 7.1, EPSS 0.00232
Exploits 1, References 1

OSV
added 2026/04/22 10:22 p.m., 2 views

GHSA-4JVX-93H3-F45H OpenC3 COSMOS allows arbitrary writes to plugins directory via path-traversed config filenames

Summary: OpenC3 COSMOS contains a design flaw in the savetoolconfig function that allows saving tool configuration files at arbitrary locations inside the shared /plugins directory tree by supplying crafted configuration filenames. Although the implementation sufficiently mitigates standard path...

CVSS 4.3, AI score 5.9, EPSS 0.00313
Exploits 1, References 8

EUVD
added 2026/04/22 9:31 p.m., 6 views

EUVD-2026-22857

The e-shot™ form builder plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.2. The eshotformbuilderupdatefielddata AJAX handler lacks any capability checks (current_user_can) or nonce verification (check_ajax_referer/wp_verify_nonce). The function is...

CVSS 5.3, AI score 5.7, EPSS 0.00367
Exploits 0, References 6

NVD
added 2026/04/21 8:17 p.m., 3 views

CVE-2026-40907

WWBN AVideo is an open source video platform. In versions 29.0 and prior, the endpoint plugin/Live/view/Liverestreams/list.json.php contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user with streaming permission to retrieve other users' live restream...

CVSS 6.5, EPSS 0.00269
Exploits 1, References 2

CNNVD
added 2026/04/21 12:00 a.m., 7 views

Quantum Networks router Access Control Error Vulnerability

The Quantum Networks router is a network routing device developed by the Indian company Quantum Networks. The Quantum Networks router QN-I-470 has a vulnerability related to access control. This vulnerability stems from improper and insecure default configurations of the web-based management...

CVSS 8.7, AI score 5.8, EPSS 0.00261
Exploits 0, References 1

CNNVD
added 2026/04/21 12:00 a.m., 5 views

CivetWeb Code Issue Vulnerability

CivetWeb is an open-source web server developed by Civetweb, designed to be easy to use, powerful, and capable of being embedded in C/C++. It offers optional support for CGI, SSL, and Lua. Version 1.16 of CivetWeb contains a code vulnerability. This vulnerability stems from search paths in servic...

CVSS 8.5, AI score 6.2, EPSS 0.00139
Exploits 0, References 2

CNNVD
added 2026/04/21 12:00 a.m., 7 views

WWBN AVideo Security Vulnerability

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo prior to 29.0 contained security vulnerabilities. These vulnerabilities stemmed from an insecure direct object reference in the plugin/Live/view/Liverestreams/list.json.php endpoint...

CVSS 6.5, AI score 5.8, EPSS 0.00269
Exploits 1, References 1

EUVD
added 2026/04/18 6:20 a.m., 3 views

EUVD-2026-23660

An example of BashOperator in the Airflow documentation suggested a way of passing dag_run.conf that could cause unsanitized user input to be used to escalate the privileges of a UI user and allow code execution on the worker. Users should review if any of their own DAGs have adopted this incorrect advi...

AI score 5.9, EPSS 0.00771
Exploits 0, References 2

Snyk
added 2026/04/17 10:00 p.m., 1 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization through the operator.write configuration. An attacker can modify and persist unauthorized profile configurations by sending crafted HTTP requests to affected...

CVSS 6.5, AI score 5.8, EPSS 0.00218
Exploits 0, References 3

CNNVD
added 2026/04/17 12:00 a.m., 7 views

Claude Code Security Vulnerability

Claude Code is an open-source terminal-native AI programming tool developed by Anthropic. Versions of Claude Code prior to 2.1.75 contained a security vulnerability. This vulnerability stemmed from the lack of verification of directory ownership or access permissions when loading system-wide...

CVSS 7.3, AI score 5.8, EPSS 0.00108
Exploits 0, References 2

Fedora
added 2026/04/16 11:42 p.m., 4 views

[SECURITY] Fedora 44 Update: libkscreen-6.6.4-1.fc44

LibKScreen is a library that provides access to current configuration of connected displays and ways to change the configuration...

AI score 5.8
Exploits 0

SUSE CVE
added 2026/04/16 11:28 p.m., 2 views

SUSE CVE-2026-33435

Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update...

CVSS 8, AI score 6.4, EPSS 0.00708
Exploits 0, References 3

Snyk
added 2026/04/16 10:46 p.m., 6 views

Arbitrary Command Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Command Injection via the spawn function. An attacker can execute arbitrary shell commands on the server and access sensitive environment variables, including API keys, authentication secrets, and database credentials, by...

CVSS 8.8, AI score 6
Exploits 0, References 2

EUVD
added 2026/04/16 9:31 a.m., 2 views

EUVD-2026-23215

In rsync 3.0.1 through 3.4.1, receive_xattr relies on an untrusted length value during a qsort call, leading to a receiver use-after-free. The victim must run rsync with -X (aka --xattrs). On Linux, many but not all common configurations are vulnerable. Non-Linux platforms are more widely vulnerable...

CVSS 7.4, AI score 5.8, EPSS 0.00319
Exploits 1, References 4