9021 matches found
GHSA-7MR4-XJXG-34G6 vulnerabilities
Vulnerabilities for packages: filebrowser, otel-cli, gcp-compute-persistent-disk-csi-driver, kyverno-policy-reporter-ui, chartmuseum, vexctl, cloudnative-pg, aws-flb-kinesis, bank-vaults, kots, etcd, falcoctl, helm, terraform-provider-time, promxy, flux-notification-controller, argo-rollouts,...
Organizational Security Resource Estimation Via Vulnerability Queueing
We provide an approach that closely estimates an organization's cyber resources directly from vulnerability timestamps, using a non-stationary queueing framework. Traditional attack-surface metrics operate on static snapshots, ignoring the core attack-defense dynamics within information systems,...
Improper Encoding or Escaping of Output
Overview: org.apache.logging.log4j:log4j-core is a logging library for Java. Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output in the Log4j1XmlLayout plugin. An attacker can cause log events to be silently lost or downstream log processing systems to drop ...
CVE-2026-41679
creationtimestamp | type | source
---|---|---
2026-04-10 16:50:27+00:00 | published-proof-of-concept | https://github.com/paperclipai/paperclip/security/advisories/GHSA-68qg-g8mg-6pr7
2026-04-23 01:30:29+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116451431450772018
2026-04-23...
GHSA-RQR9-JWWF-WXGJ
creationtimestamp | type | source
---|---|---
2026-04-10 14:32:10+00:00 | seen | https://poliverso.org/objects/0477a01e-2ea9cd48-339e9a3e45089926
2026-04-10 23:25:22+00:00 | seen | https://bsky.app/profile/infosec.skyfleet.blue/post/3mj6htagxnz2d...
EUVD-2026-21138
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events that should remain restricted...
PT-2026-31981
OpenClaw before 2026.3.22 contains a webhook reply delivery vulnerability that allows attackers to rebind chat replies to unintended users by exploiting mutable username matching instead of stable numeric user identifiers. Attackers can manipulate username changes to redirect webhook-triggered...
CVE-2026-40111
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell...
CVE-2026-35642
Technical details (affected components, root cause specifics, impacted versions, or exploits) are not publicly available in the supplied documents. Monitor for updates in connected advisories.
CVE-2026-35642
OpenClaw before 2026.3.25 contains an authorization bypass vulnerability where group reaction events bypass the requireMention access control mechanism. Attackers can trigger reactions in mention-gated groups to enqueue agent-visible system events that should remain restricted...
CVE-2026-40111 PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell...
CVE-2026-34578
creationtimestamp | type | source
---|---|---
2026-04-09 16:59:15+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mj3brukrch2n
2026-04-12 12:00:02+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mjcchlxy3v24
2026-04-14 23:37:07+00:00 | seen | ...
Trust Boundary Violation
Overview: openclaw is the 🦞 OpenClaw personal AI assistant. Affected versions of this package are vulnerable to Trust Boundary Violation via the process handling background runtime output injection into trusted System: events. An attacker can escalate privileges or inject unauthorized commands by...
OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade
Impact: Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns...
GHSA-GFMX-PPH7-G46X OpenClaw: Lower-trust background runtime output is injected into trusted `System:` events, and local async exec completion misses the intended `exec-event` downgrade
Impact: Lower-trust background runtime output is injected into trusted System: events, and local async exec completion misses the intended exec-event downgrade. Lower-trust runtime/background output could be promoted into trusted System events, allowing prompt-injection into later agent turns...
CVE-2026-40116
creationtimestamp | type | source
---|---|---
2026-04-09 10:01:39+00:00 | published-proof-of-concept | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7
2026-04-09 23:30:43+00:00 | seen | Telegram/1cCualjPQDoYUsDnolnQpk7NGC4b1xwJPWps9hRWMxLLCE
2026-04-10 06:11:40+00:00 | ...
PT-2026-31780
Name of the Vulnerable Software and Affected Versions: PraisonAIAgents versions prior to 1.5.128. Description: PraisonAIAgents is a multi-agent teams system. The memory hooks executor in PraisonAIAgents passes a user-controlled command string directly to subprocess.run with shell=True at...
OpenClaw Security Vulnerability
OpenClaw is an open-source AI assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.25 contained security vulnerabilities. These vulnerabilities stemmed from a group reaction event that bypassed the requireMention access control mechanism, potentially leading t...
OpenClaw Data Forgery Problem Vulnerability (CNVD-2026-16689)
OpenClaw is an open-source AI assistant developed by OpenClaw. OpenClaw suffers from a data forgery vulnerability that can be exploited by an attacker to inject forged Feishu events and trigger execution by downstream tools...