Security, Privacy, and Ethical Risks in OpenClaw

This paper systematically investigates the security, privacy, and ethical risks, as well as the traceability challenges of OpenClaw, a locally executable AI agent system for natural language interaction and real-world task completion. While OpenClaw shows strong potential for personal assistance,...

tickets SQL注入漏洞

Tickets is an open-source public safety scheduling and tracking application developed by Open ISES. Versions of tickets prior to 3.44.2 contained a SQL injection vulnerability. This vulnerability stemmed from the fact that the values of latitude, longitude, callsign, mph, altitude, and timestamp,...

MCP Gateway: Authority-injection and JWT/session bypass via the unauthenticated router hair-pin "router-key" / "mcp-init-host" path

Summary The MCP router extproc exposes an initialize-method code path that, when a request carries an mcp-init-host header, bypasses the gateway JWT session validator and rewrites the upstream :authority header to whatever the caller chooses, gated only by a single shared header value router-key...

Security Bulletin: Watsonx.data Input Interpretation Vulnerability Could Enable Improper External Service Access

Summary Watonx.data could allow an authenticated user to interact with external services improperly due to interpretation conflicts of user supplied input. This can affect watsonx.data. Vulnerability Details CVEID:CVE-2025-36141 DESCRIPTION: IBM Lakehouse could allow an authenticated user to...

SUSE CVE-2026-1527

ImpactWhen an application passes user-controlled input to the upgrade option of client.request, an attacker can inject CRLF sequences \r\n to: Inject arbitrary HTTP headers Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services Redis, Memcached, Elasticsearch The...

Bearlyfy Hits Russian Firms with Custom GenieLocker Ransomware

A pro-Ukrainian group called Bearlyfy has been attributed to more than 70 cyber attacks targeting Russian companies since it first surfaced in the threat landscape in January 2025, with recent attacks leveraging a custom Windows ransomware strain codenamed GenieLocker. "Bearlyfy also known as...

CVE-2025-67752 OpenEMR Has Disabled SSL Certificate Verification in HTTP Client

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper oeHttp/oeHttpRequest disables SSL/TLS certificate verification by default verify: false, making all external HTTPS connections vulnerable ...

EUVD-2025-208104

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper oeHttp/oeHttpRequest disables SSL/TLS certificate verification by default verify: false, making all external HTTPS connections vulnerable ...

CVE-2025-67752 OpenEMR Has Disabled SSL Certificate Verification in HTTP Client

OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 7.0.4, OpenEMR's HTTP client wrapper oeHttp/oeHttpRequest disables SSL/TLS certificate verification by default verify: false, making all external HTTPS connections vulnerable ...

EUVD-2025-203863

The Gutenberg Essential Blocks – Page Builder for Gutenberg Blocks & Patterns plugin for WordPress is vulnerable to unauthorized access of data due to a missing or incorrect capability checks on the getinstagramaccesstokencallback, googlemapapikeysavecallback and getsiteinfo functions in all...

Minder does not sandbox http.send in Rego programs

Impact Minder users may fetch content in the context of the Minder server, which may include URLs which the user would not normally have access to for example, if the Minder server is behind a firewall or other network partition. Patches...

GO-2025-3982 Rancher sends sensitive information to external services through the `/meta/proxy` endpoint in github.com/rancher/rancher

Rancher sends sensitive information to external services through the /meta/proxy endpoint in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive...

EUVD-2018-8771

Malware in sbrugna...

CVE-2025-9029

The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkithandlereviewsubmission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifyin...

EUVD-2025-32417

The WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress is vulnerable to missing authorization via the wdkithandlereviewsubmission function in versions less than, or equal to, 1.2.16. This is due to the plugin not properly verifyin...

CVE-2025-9029

CVE-2025-9029 concerns the WordPress plugin WDesignKit (Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder). The vulnerability is a missing authorization flaw in the function wdkit_handle_review_submission for versions

PT-2025-40618

Name of the Vulnerable Software and Affected Versions WDesignKit – Elementor & Gutenberg Starter Templates, Patterns, Cloud Workspace & Widget Builder plugin for WordPress versions through 1.2.16 Description The WDesignKit plugin for WordPress does not properly verify user authorization, allowing...

EUVD-2025-31337

Malicious code in bioql PyPI...

EUVD-2025-27697

Malicious code in bioql PyPI...

CVE-2025-54468 Rancher sends sensitive information to external services through the `/meta/proxy` endpoint

A vulnerability has been identified within Rancher Manager whereby Impersonate-Extra- headers are being sent to an external entity, for example amazonaws.com, via the /meta/proxy Rancher endpoint. These headers may contain identifiable and/or sensitive information e.g. email addresses...