PT-2026-33588

Name of the Vulnerable Software and Affected Versions CoBlocks versions prior to 3.1.17 Description The Page Builder Gutenberg Blocks – CoBlocks plugin for WordPress contains a Stored Cross-Site Scripting issue. This occurs due to insufficient output escaping of event titles, descriptions, and...

CVE-2026-40258

creationtimestamp| type| source ---|---|--- 2026-04-17 23:00:15+00:00| seen| https://bsky.app/profile/offseq.bsky.social/post/3mjpzopfphj2a 2026-04-17 23:00:17+00:00| seen| https://infosec.exchange/users/offseq/statuses/116422528958630190 2026-04-17 23:20:15+00:00| published-proof-of-concept|...

OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input

Summary Agent hook events could enqueue trusted system events from unsanitized external input. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Agent hook dispatch could turn externally supplied hook metadata into trusted system events,...

GHSA-7G8C-CFR3-VQQR OpenClaw: Agent hook events could enqueue trusted system events from unsanitized external input

Summary Agent hook events could enqueue trusted system events from unsanitized external input. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.10 Impact Agent hook dispatch could turn externally supplied hook metadata into trusted system events,...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization due to the heartbeat owner downgrade not properly handling untrusted webhook wake events. An attacker can maintain elevated privileges by sending specially crafted...

GHSA-G2HM-779G-VM32 OpenClaw: Heartbeat owner downgrade missed untrusted webhook wake events

Summary Heartbeat owner downgrade missed untrusted webhook wake events. Affected Packages / Versions - Package: openclaw - Ecosystem: npm - Affected versions: = 2026.4.7 = 2026.4.14 Impact Heartbeat owner downgrade logic could skip webhook wake events carrying untrusted content, preserving...

CVE-2026-27890

creationtimestamp| type| source ---|---|--- 2026-04-17 20:00:33+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mjppngjaeg26 2026-04-17 21:22:32+00:00| seen| Telegram/1afGr9vW06Zk0J3YeUW4MdlUf8TA53EPyuLeVgpLZqfvxp8 2026-04-17 21:38:56+00:00| seen|...

SUSE-SU-2026:21255-1 Security update for the Linux Kernel

The SUSE Linux Micro RT 6.0 and 6.1 kernel was updated to fix various security issues The following security issues were fixed: - CVE-2024-38542: RDMA/manaib: boundary check before installing cq callbacks bsc1226591. - CVE-2025-39817: efivarfs: Fix slab-out-of-bounds in efivarfsdcompare bsc124999...

PT-2026-37021

Name of the Vulnerable Software and Affected Versions OpenClaw versions 2026.4.7 through 2026.4.13 Description A privilege escalation issue exists where the heartbeat owner downgrade logic fails to account for webhook wake events containing untrusted content. This allows attackers to send untrust...

PT-2026-33415

Name of the Vulnerable Software and Affected Versions Canto plugin for WordPress versions prior to 3.1.2 Description Missing authorization occurs due to the absence of capability checks or nonce verification in the updateOptions function. This function is exposed via two AJAX hooks: 'wp ajax...

PT-2026-37019

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.10 Description An input validation issue allows external hook metadata to be enqueued as trusted system events. Attackers can provide malicious hook names to escalate untrusted input into a higher-trust agent...

PT-2026-33523

Name of the Vulnerable Software and Affected Versions libgphoto2 versions prior to 2.5.34 Description Two functions in camlibs/ptp2/ptp-pack.c accept a data pointer without a length parameter, leading to unbounded reads. The calling function ptp unpack EOS events possesses the xsize variable but...

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-007468)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-007468 advisory. In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Prevent access to vCPU events before init Another day, another syzkaller bug. KVM...

CVE-2026-40308

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...

CVE-2026-40308

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...

CVE-2026-40308 My Calendar: Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog

My Calendar is a WordPress plugin for managing calendar events. In versions 3.7.6 and below, the mcajaxmcjsaction AJAX endpoint, registered for unauthenticated users, passes user-supplied arguments through parsestr without validation, allowing injection of arbitrary parameters including a site...

Malicious code in modern-events (npm)

modern-events is a malicious npm package that when imported and using the function EventEmitter.emit... in file events.js exfiltrates local system information via telegram and slack and downloads a backdoor Win64/FaxedCook to C:/ProgramData/Policy/PublisherPolicy.tms. --- -= Per source details. D...

MAL-2026-2914 Malicious code in modern-events (npm)

modern-events is a malicious npm package that when imported and using the function EventEmitter.emit... in file events.js exfiltrates local system information via telegram and slack and downloads a backdoor Win64/FaxedCook to C:/ProgramData/Policy/PublisherPolicy.tms. --- -= Per source details. D...

WordPress Events Calendar for GeoDirectory plugin <= 2.3.25 - PHP Object Injection vulnerability

PHP Object Injection vulnerability discovered by daroo in WordPress Plugin Events Calendar for GeoDirectory versions = 2.3.25...

GHSA-RR7J-V2Q5-CHGV LangSmith SDK: Streaming token events bypass output redaction

Summary The LangSmith SDK's output redaction controls hideOutputs in JS, hideoutputs in Python do not apply to streaming token events. When an LLM run produces streaming output, each chunk is recorded as a newtoken event containing the raw token value. These events bypass the redaction pipeline...