PT-2026-26007

Summary OpenClaw exec approvals could be bypassed in allowlist mode when allow-always was granted through unrecognized multiplexer shell wrappers notably busybox sh -c and toybox sh -c. Affected Packages / Versions - Package: openclaw npm - Affected: = 2026.2.22-2 - Latest published vulnerable...

CVE-2026-27691

iccDEV provides a set of libraries and tools for working with ICC color management profiles. In versions up to and including 2.3.1.4, signed integer overflow in iccFromCube.cpp during multiplication triggers undefined behavior, potentially causing crashes or incorrect ICC profile generation when...

CVE-2026-27113

Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, arbitrary command injection can lead to code execution when a user enters a directory in a Git...

OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs

Vulnerability The ACP bridge accepted very large prompt text blocks and could assemble oversized prompt payloads before forwarding them to chat.send. Because ACP runs over local stdio, this mainly affects local ACP clients for example IDE integrations that send unusually large inputs. Affected...

PT-2026-6469

An attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing Path Traversal via ../ sequences. Fix:...

CVE-2026-21854

CVE-2026-21854 affects the Tarkov Data Manager. The vulnerability is an authentication bypass in the login endpoint, enabling unauthenticated access to the admin panel via a JavaScript prototype property access vulnerability combined with loose equality type coercion. Affected are versions prior ...

UBUNTU-CVE-2025-69217

coturn is a free open source implementation of TURN and STUN Server. Versions 4.6.2r5 through 4.7.0-r4 have a bad random number generator for nonces and port randomization after refactoring. Additionally, random numbers aren't generated with openssl's RANDbytes but libc's random if it's not runni...

PT-2025-53011

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to the fix included in commit aefed3e5548f Description The Linux kernel contains an issue within the qla2xxx SCSI driver related to command handling after a chip reset. A previous commit aefed3e5548f introduced...

DEBIAN-CVE-2025-40313

In the Linux kernel, the following vulnerability has been resolved: ntfs3: pretend $Extend records as regular files Since commit af153bb63a33 "vfs: catch invalid modes in mayopen" requires any inode be one of SIFDIR/SIFLNK/SIFREG/SIFCHR/SIFBLK/ SIFIFO/SIFSOCK type, use SIFREG for $Extend records...

UBUNTU-CVE-2025-59777

NULL pointer dereference vulnerability exists in GNU libmicrohttpd v1.0.2 and earlier. The vulnerability was fixed in commit ff13abc on the master branch of the libmicrohttpd Git repository, after the v1.0.2 tag. A specially crafted packet sent by an attacker could cause a denial-of-service DoS...

EUVD-2021-19576

Malware in sbrugna...

Unity Linux 20.1070e Security Update: libtiff (UTSA-2025-680642)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-680642 advisory. Null source pointer passed as an argument to memcpy function within TIFFReadDirectory in tifdirread.c in libtiff versions from 4.0 to 4.3.0 could lead to Denial of...

EUVD-2025-4079

Malicious code in bioql PyPI...

CVE-2025-61584

serverless-dns is a RethinkDNS resolver that deploys to Cloudflare Workers, Deno Deploy, Fastly, and Fly.io. Versions through abd including 0.1.30 have a vulnerability where the pr.yml GitHub Action interpolates in an unsafe manner untrusted input, specifically the...

CVE-2025-59046

The npm package interactive-git-checkout is an interactive command-line tool that allows users to checkout a git branch while it prompts for the branch name on the command-line. It is available as an npm package and can be installed via npm install -g interactive-git-checkout. Versions up to and...

CVE-2025-58750 rAthena missing bound check in chclif_parse_moveCharSlot

rAthena is an open-source cross-platform massively multiplayer online role playing game MMORPG server. Versions prior to commit 0cc348b are missing a bound check in chclifparsemoveCharSlot that can result in reading and writing out of bounds using input from the user. The problem has been fixed i...

CVE-2025-53545

Press, a Frappe custom app that runs Frappe Cloud, manages infrastructure, subscription, marketplace, and software-as-a-service SaaS. Users can circumvent 2FA login for users due to a lack of server side validation for the same. This vulnerability is fixed in commit...

CVE-2025-53546 Folo allows secrets exfiltration via `pull_request_target`

Folo organizes feeds content into one timeline. Using pullrequesttarget on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets from the base repo. By exploiting the vulnerability is possible to...

CVE-2025-38134

CVE-2025-38134 in Linux kernel: The usb: acpi: fix prevents a NULL pointer dereference in usb_acpi_add_usb4_devlink() due to usb_hub_to_struct_hub() returning NULL in certain hub teardown scenarios. The issue could lead to an access to hub->ports[...] if NULL, and was mitigated by guards in ot...

CVE-2024-29897

CreateWiki is Miraheze's MediaWiki extension for requesting & creating wikis. It is possible for users with delete or suppressrevision on any wiki in the farm to access suppressed wiki requests by going to the request's entry on Special:RequestWikiQueue on the wiki where they have these rights. T...