9027 matches found

Cvelist
added 2026/03/05 10:00 p.m., 25 views

CVE-2026-29613 OpenClaw < 2026.2.12 - Webhook Authentication Bypass via Loopback remoteAddress Trust

OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles optional plugin webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operat...

CVSS 8.2, EPSS 0.00408
Exploits 0, References 4
EUVD
added 2026/03/05 10:00 p.m., 4 views

EUVD-2026-9937

OpenClaw versions prior to 2026.2.12 contain a vulnerability in the BlueBubbles optional plugin webhook handler in which it authenticates requests based solely on loopback remoteAddress without validating forwarding headers, allowing bypass of configured webhook passwords. When the gateway operat...

CVSS 8.2, AI score 6.1, EPSS 0.00408
Exploits 0, References 4
Cvelist
added 2026/03/05 9:59 p.m., 25 views

CVE-2026-28465 OpenClaw voice-call < 2026.2.3 - Webhook Verification Bypass via Forwarded Headers

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...

CVSS 8.2, EPSS 0.00374
Exploits 0, References 3
Cvelist
added 2026/03/05 9:59 p.m., 26 views

CVE-2026-28450 OpenClaw < 2026.2.12 - Unauthenticated Profile Tampering via Nostr Plugin HTTP Endpoints

OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote...

CVSS 8.3, EPSS 0.0034
Exploits 0, References 3
EUVD
added 2026/03/05 9:59 p.m., 5 views

EUVD-2026-9899

OpenClaw versions prior to 2026.2.12 with the optional Nostr plugin enabled expose unauthenticated HTTP endpoints at /api/channels/nostr/:accountId/profile and /api/channels/nostr/:accountId/profile/import that allow reading and modifying Nostr profiles without gateway authentication. Remote...

CVSS 8.3, AI score 5.9, EPSS 0.0034
Exploits 0, References 3
Snyk
added 2026/03/05 6:37 p.m., 3 views

Authorization Bypass Through User-Controlled Key

Overview: Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the upload status SSE implementation on /uploadStatus, which publishes global upload state to any authenticated listener and includes fileid values not scoped to the requesting user. A...

CVSS 6.4, AI score 5.8, EPSS 0.00133
Exploits 0, References 2
Circl
added 2026/03/05 10:24 a.m., 6 views

CVE-2026-21628

| creationtimestamp | type | source |
|---|---|---|
| 2026-03-05 10:24:08+00:00 | seen | https://bsky.app/profile/cve.skyfleet.blue/post/3mgclf5gzfu2o |
| 2026-03-05 10:30:32+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116176101773626475 |
| 2026-03-05 10:30:34+00:00 | seen | ... |

CVSS 10, AI score 5.3, EPSS 0.00471
Exploits 1, References 7
Circl
added 2026/03/05 8:02 a.m., 3 views

CVE-2026-1757

| creationtimestamp | type | source |
|---|---|---|
| 2026-03-05 08:02:32+00:00 | seen | https://bsky.app/profile/slackers.it/post/3mgcdhwzheo22 |
| 2026-03-05 08:02:36+00:00 | seen | https://bsky.app/profile/slackers.it/post/3mgcdi2g2lr2y |
| 2026-03-07 12:00:55+00:00 | seen | ... |

CVSS 6.2, AI score 5.7, EPSS 0.00194
Exploits 0, References 4
EUVD
added 2026/03/05 6:30 a.m., 3 views

EUVD-2026-9705

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX N7 | Golf Club Sports & Events (n7-golf-club) allows PHP Local File Inclusion. This issue affects N7 | Golf Club Sports & Events: from n/a through <= 2.16.0...

CVSS 8.1, AI score 5.9, EPSS 0.00403
Exploits 0, References 2
CVE
added 2026/03/05 5:54 a.m., 7 views

CVE-2026-28045

CVE-2026-28045 refers to a Local File Inclusion in the WordPress theme "N7 | Golf Club Sports & Events" by ThemeREX. The issue is described as an "Improper Control of Filename for Include/Require Statement in PHP Program," affecting the theme up to version

CVSS 8.1, AI score 5.9, EPSS 0.00403
Exploits 0, References 1
Cvelist
added 2026/03/05 5:48 a.m., 28 views

CVE-2026-29052 HumHub Calendar Module: Stored XSS in Event Types

The Calendar module for HumHub enables users to create one-time or recurring events, manage attendee invitations, and efficiently track all scheduled activities. Prior to version 1.8.11, a Stored Cross-Site Scripting (XSS) vulnerability in the Event Types of the HumHub Calendar module impacts users...

CVSS 6.9, EPSS 0.00155
Exploits 0, References 2
OSV
added 2026/03/05 5:48 a.m., 2 views

CVE-2026-29052 HumHub Calendar Module: Stored XSS in Event Types

The Calendar module for HumHub enables users to create one-time or recurring events, manage attendee invitations, and efficiently track all scheduled activities. Prior to version 1.8.11, a Stored Cross-Site Scripting (XSS) vulnerability in the Event Types of the HumHub Calendar module impacts users...

CVSS 6.9, AI score 5.7, EPSS 0.00155
Exploits 0, References 4
Circl
added 2026/03/05 4:30 a.m., 2 views

CVE-2026-29127

| creationtimestamp | type | source |
|---|---|---|
| 2026-03-05 04:30:32+00:00 | seen | https://infosec.exchange/users/offseq/statuses/116174686146308685 |
| 2026-03-05 04:30:33+00:00 | seen | https://bsky.app/profile/offseq.bsky.social/post/3mgbxmtt5zd2e |
| 2026-03-05 05:49:24+00:00 | seen | ... |

CVSS 9.2, AI score 5.9, EPSS 0.00169
Exploits 1, References 4
Snyk
added 2026/03/05 2:07 a.m., 4 views

CRLF Injection

Overview: hono is an Ultrafast web framework for the Edges. Affected versions of this package are vulnerable to CRLF Injection via the writeSSE function when untrusted input containing carriage return or newline characters is passed to the event, id, or retry fields. An attacker can inject addition...

CVSS 6.9, AI score 5.8, EPSS 0.0024
Exploits 0, References 2
Positive Technologies
added 2026/03/05 12:00 a.m., 4 views

PT-2026-23407

Name of the Vulnerable Software and Affected Versions: HumHub Calendar module versions prior to 1.8.11
Description: The Calendar module for HumHub allows users to create and manage events. A stored cross-site scripting (XSS) issue exists in the Event Types functionality of the Calendar module for...

CVSS 6.9, AI score 5.7, EPSS 0.00155
Exploits 0, References 5
OSV
added 2026/03/04 11:16 p.m., 5 views

ALPINE-CVE-2026-2297

The import hook in CPython that handles legacy .pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit() handlers for this audit event therefore do not fire...

CVSS 5.7, AI score 5.4, EPSS 0.00202
Exploits 0, References 1
NVD
added 2026/03/04 11:16 p.m., 6 views

CVE-2026-29085

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.12.4, when using streamSSE in Streaming Helper, the event, id, and retry fields were not validated for carriage return (\r) or newline (\n) characters. Because the SSE protocol uses line breaks as...

CVSS 6.5, EPSS 0.0024
Exploits 0, References 2
NVD
added 2026/03/04 11:16 p.m., 6 views

CVE-2026-2297

The import hook in CPython that handles legacy .pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit() handlers for this audit event therefore do not fire...

CVSS 5.7, EPSS 0.00202
Exploits 0, References 8
OSV
added 2026/03/04 11:16 p.m., 3 views

AZL-79491 CVE-2026-2297 affecting package tensorflow 2.16.1-11

The import hook in CPython that handles legacy .pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit() handlers for this audit event therefore do not fire...

CVSS 5.7, AI score 5.7, EPSS 0.00202
Exploits 0, References 1
OSV
added 2026/03/04 11:16 p.m., 4 views

CVE-2026-2297

The import hook in CPython that handles legacy .pyc files (SourcelessFileLoader) is incorrectly handled in FileLoader (a base class) and so does not use io.open_code() to read the .pyc files. sys.audit() handlers for this audit event therefore do not fire...

CVSS 5.7, AI score 5.8
Exploits 0, References 6