Lucene search
K

89756 matches found

Snyk
Snyk
added 2026/05/06 11:16 p.m.9 views

Improper Verification of Cryptographic Signature

Overview @axonflow/sdk is an AxonFlow SDK - Add invisible AI governance to your applications in 3 lines of code Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the lack of exposure of the HMAC-SHA256 signing key in the SDK's typed API,...

8.2CVSS5.8AI score
Exploits0References3
Snyk
Snyk
added 2026/05/06 11:15 p.m.7 views

Improper Verification of Cryptographic Signature

Overview Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature due to the lack of exposure of the HMAC-SHA256 signing key in the SDK's typed API, which prevents verification of the X-AxonFlow-Signature header on incoming webhook deliveries. An attack...

8.2CVSS5.8AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/05/06 10:31 p.m.8 views

misp-modules website - Missing CSRF protection in the website home blueprint

A Cross-Site Request Forgery vulnerability in the MISP Modules website allowed an attacker to cause an authenticated user to submit unintended requests to the home endpoint. The vulnerability was due to the home blueprint being exempted from CSRF protection. This could allow modification of sessi...

9.3CVSS5.8AI score0.00185EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/05/06 10:31 p.m.9 views

Cross-site Request Forgery (CSRF)

Overview misp-modules is a MISP modules are autonomous modules that can be used for expansion and other services in MISP Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF through the home blueprint, which was exempted from CSRF protection. An attacker can perform...

9.3CVSS5.5AI score0.00185EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/06 10:31 p.m.8 views

misp-modules has nsafe remote resource fetching in expansion

An unsafe remote resource fetching vulnerability existed in MISP Modules expansion modules. The htmltomarkdown module accepted arbitrary HTTPS URLs without sufficient validation, which could allow Server-Side Request Forgery against loopback, private, or link-local network resources. Additionally...

5.8CVSS6AI score0.00102EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2026/05/06 10:31 p.m.13 views

Server-side Request Forgery (SSRF)

Overview misp-modules is a MISP modules are autonomous modules that can be used for expansion and other services in MISP Affected versions of this package are vulnerable to Server-side Request Forgery SSRF in the htmltomarkdown and qrcode modules when handling remote resource fetching. An attacke...

8.3CVSS5.5AI score0.00102EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/06 10:8 p.m.16 views

PraisonAI has an SSRF bypass

Summary The URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. Details The current PraisonAI project uses validateurl to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by...

9.8CVSS5.9AI score0.00378EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/05/06 10:8 p.m.7 views

GHSA-Q9PW-VMHH-384G PraisonAI has an SSRF bypass

Summary The URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. Details The current PraisonAI project uses validateurl to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by...

9.8CVSS5.9AI score0.00378EPSS
Exploits1References3
Snyk
Snyk
added 2026/05/06 10:8 p.m.12 views

Server-side Request Forgery (SSRF)

Overview praisonaiagents is a Praison AI agents for completing complex tasks with Self Reflection Agents Affected versions of this package are vulnerable to Server-side Request Forgery SSRF due to the validateurl function usage of urlparse that treats \ as regular character when extracting host...

9.8CVSS5.8AI score0.00378EPSS
Exploits1References2
EUVD
EUVD
added 2026/05/06 9:31 p.m.6 views

EUVD-2026-28164

OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket endpoint that allows attackers to pivot to untrusted second-hop targets. The webSocketDebuggerUrl response field is not properly validated, enabling attackers to redirect connections t...

7.7CVSS5.9AI score0.00265EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/06 9:31 p.m.9 views

EUVD-2026-28197

OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto function that fails to validate outbound photo URLs through the SSRF guard. Attackers can bypass SSRF protection by providing malicious photo URLs to the Zalo Bot API, enabling unauthoriz...

8.6CVSS5.8AI score0.00291EPSS
Exploits0References4
EUVD
EUVD
added 2026/05/06 9:31 p.m.7 views

EUVD-2026-28172

OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger navigation without complete SSRF policy enforcement. Browser press/type style interactions, including pressKey and type submit flows, can bypass post-action security checks to execute...

7.7CVSS5.9AI score0.00264EPSS
Exploits0References6
EUVD
EUVD
added 2026/05/06 9:31 p.m.20 views

EUVD-2026-28199

OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skips URL validation. Attackers can bypass SSRF protections by sending crafted image URLs to uploadC2CMedia and uploadGroupMedia endpoints to relay unintended requests...

6.3CVSS5.8AI score0.00236EPSS
Exploits0References4
OSV
OSV
added 2026/05/06 9:31 p.m.8 views

GHSA-R747-33R4-RMJW Duplicate Advisory: OpenClaw: QQBot direct media upload skipped URL SSRF validation

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-c4qg-j8jg-42q5. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.20 contains a server-side request forgery vulnerability in QQBot direct media upload that skip...

6.3CVSS5.7AI score0.00236EPSS
Exploits0References4
OSV
OSV
added 2026/05/06 9:31 p.m.5 views

GHSA-W7RC-VVGX-PJ45 Duplicate Advisory: OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xq94-r468-qwgj. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allo...

6.3CVSS5.7AI score0.00199EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/05/06 9:31 p.m.9 views

Duplicate Advisory: OpenClaw validates Zalo outbound photo URLs through the SSRF guard

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-2hh7-c75g-qj2r. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.22 contains a server-side request forgery vulnerability in the Zalo plugin's sendPhoto functio...

8.6CVSS5.7AI score0.00291EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 9:31 p.m.27 views

Duplicate Advisory: OpenClaw: Browser SSRF hostname validation could be bypassed by DNS rebinding

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xq94-r468-qwgj. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.10 contains a server-side request forgery vulnerability in browser navigation policy that allo...

6.3CVSS5.7AI score0.00199EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 9:31 p.m.18 views

Duplicate Advisory: OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f7fh-qg34-x2xh. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket...

7.7CVSS5.9AI score0.00265EPSS
Exploits0References5Affected Software1
Github Security Blog
Github Security Blog
added 2026/05/06 9:31 p.m.14 views

Duplicate Advisory: OpenClaw: Browser press/type interaction routes missed complete navigation guard coverage

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-536q-mj95-h29h. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.10 contains an incomplete navigation guard vulnerability that allows attackers to trigger...

7.7CVSS5.8AI score0.00264EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2026/05/06 9:31 p.m.5 views

GHSA-3R56-7HHR-VFG9 Duplicate Advisory: OpenClaw: CDP /json/version WebSocket URL could pivot to untrusted second-hop targets

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-f7fh-qg34-x2xh. This link is maintained to preserve external references. Original Description OpenClaw before 2026.4.5 contains a server-side request forgery vulnerability in the CDP /json/version WebSocket...

7.7CVSS5.9AI score0.00265EPSS
Exploits0References4
Rows per page
Query Builder