CVE-2026-32001
OpenClaw versions prior to 2026.2.22 contain an authentication bypass vulnerability that allows clients authenticated with a shared gateway token to connect as role=node without device identity verification. Attackers can exploit this by claiming the node role during WebSocket handshake to inject...
CVE-2026-32815
SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the WebSocket endpoint /ws allows unauthenticated connections when specific URL parameters are provided (?app=siyuan&id=auth&type=auth). This bypass, intended for the login page to keep the kernel alive, allows any...
Malicious code in whatnot-events (npm)
Source: amazon-inspector 660bfcc33bb74e7ed20b985e9e50f5ade9988def6cf29a9a31a9107ea619ed64 The package whatnot-events was found to contain malicious code. Source: ossf-package-analysis...
MAL-2026-1581 Malicious code in whatnot-events (npm)
Source: amazon-inspector 660bfcc33bb74e7ed20b985e9e50f5ade9988def6cf29a9a31a9107ea619ed64 The package whatnot-events was found to contain malicious code. Source: ossf-package-analysis...
CVE-2026-27067
creationtimestamp | type | source
---|---|---
2026-03-19 08:16:17+00:00 | seen | https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2026-27067
2026-03-19 09:27:30+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mhfoqpykwv2f
2026-03-19 09:30:34+00:00 | seen | ...
CVE-2026-25443
creationtimestamp | type | source
---|---|---
2026-03-19 08:16:17+00:00 | seen | https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2026-25443
2026-03-19 09:23:25+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mhfojfxrgx2c
2026-03-19 09:24:51+00:00 | seen | ...
CVE-2026-25445
creationtimestamp | type | source
---|---|---
2026-03-19 08:16:17+00:00 | seen | https://www.incibe.es/incibe-cert/alerta-temprana/vulnerabilidades/cve-2026-25445
2026-03-19 09:23:31+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mhfojmvq5n2s
2026-03-19 09:24:39+00:00 | seen | ...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview: org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Improper Neutralization of Special Element...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview: Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'). The vulnerability exists in the handling of Server-Sent Events (SSE) when streaming plain text data. An attacker can inject crafted data int...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview: org.springframework:spring-webmvc is a package that provides Model-View-Controller (MVC) architecture and ready components that can be used to develop flexible and loosely coupled web applications. Affected versions of this package are vulnerable to Improper Neutralization of Special...
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Overview: Affected versions of this package are vulnerable to Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'). The vulnerability exists in the handling of Server-Sent Events (SSE) when streaming plain text data. An attacker can inject crafted data int...
PT-2026-26454
Name of the Vulnerable Software and Affected Versions: Spring Foundation versions 5.3.0 through 5.3.46; Spring Foundation versions 6.1.0 through 6.1.25; Spring Foundation versions 6.2.0 through 6.2.16; Spring Foundation versions 7.0.0 through 7.0.5. Description: Spring MVC and WebFlux applications are...
VMware Spring Foundation Security Vulnerability
VMware Spring Foundation is an application development framework provided by the American company VMware, which offers enterprise-level infrastructure support for application development. There are security vulnerabilities in VMware Spring Foundation versions 7.0.5 and earlier, 6.2.16 and earlier...
h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
Summary: createEventStream in h3 is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage and formatEventStreamComment. An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to...
CRLF Injection
Overview: org.webjars.npm:h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to CRLF Injection via unsanitized input in the formatEventStreamMessage and formatEventStreamComment functions. An attacker can inject arbitrary...
CRLF Injection
Overview: h3 is a Minimal HTTP framework built for high performance and portability. Affected versions of this package are vulnerable to CRLF Injection via unsanitized input in the formatEventStreamMessage and formatEventStreamComment functions. An attacker can inject arbitrary Server-Sent Events...
GHSA-22CC-P3C6-WPVM h3 has a Server-Sent Events Injection via Unsanitized Newlines in Event Stream Fields
Summary: createEventStream in h3 is vulnerable to Server-Sent Events (SSE) injection due to missing newline sanitization in formatEventStreamMessage and formatEventStreamComment. An attacker who controls any part of an SSE message field (id, event, data, or comment) can inject arbitrary SSE events to...
Malicious code in advertising-events (npm)
Source: amazon-inspector f9e784ce1a0573b476f4232dcdc6136efaa217d3483765875dbea0aae015542d The package advertising-events was found to contain malicious code...
MAL-2026-1648 Malicious code in advertising-events (npm)
Source: amazon-inspector f9e784ce1a0573b476f4232dcdc6136efaa217d3483765875dbea0aae015542d The package advertising-events was found to contain malicious code...
CVE-2026-30884
creationtimestamp | type | source
---|---|---
2026-03-18 06:00:29+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116248649929823937
2026-03-18 06:00:33+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3mhcspot2qw2n
2026-03-18 12:42:18+00:00 | seen | ...