26 matches found
CVE-2026-45385
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.5, an IDOR vulnerability exists in the Channels feature of Open WebUI, allowing any channel member to modify messages sent by other members including administrators within the same...
Authorization Bypass Through User-Controlled Key
Overview: open-webui is an Open WebUI Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key through the update_message_by_id and delete_message_by_id handlers in channels.py. An attacker can overwrite or remove another member’s group or direct message conte...
CVE-2026-41348 OpenClaw < 2026.3.31 - Group DM Channel Allowlist Bypass via Discord Slash Commands
OpenClaw before 2026.3.31 contains an authorization bypass vulnerability in Discord slash command and autocomplete paths that fail to enforce group DM channel allowlist restrictions. Authorized Discord users can bypass channel restrictions by invoking slash commands, allowing access to restricted...
OpenClaw Path Traversal Vulnerability
OpenClaw is an artificial intelligence assistant open-sourced by OpenClaw. OpenClaw suffers from a path traversal vulnerability that can be exploited by an attacker to bypass group message access control...
GHSA-534W-2VM4-89XR OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch
A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic. Impact When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended...
OpenClaw's Zalo group sender allowlist bypass permits unauthorized GROUP dispatch
A missing group-sender authorization check in the Zalo plugin allowed unauthorized GROUP messages to enter agent dispatch paths in configurations intended to restrict group traffic. Impact When Zalo group handling was configured with allowlist-style controls, a sender not present in the intended...
CVE-2025-24972
Discourse is an open-source discussion platform. Prior to versions 3.3.4 on the stable branch and 3.4.0.beta5 on the beta branch, in specific circumstances, users could be added to group direct messages despite disabling direct messaging in their preferences. Versions 3.3.4 and 3.4.0.beta5 contai...
CVE-2025-24972 Discourse may bypass user preference when adding users to chat groups
Discourse is an open-source discussion platform. Prior to versions 3.3.4 on the stable branch and 3.4.0.beta5 on the beta branch, in specific circumstances, users could be added to group direct messages despite disabling direct messaging in their preferences. Versions 3.3.4 and 3.4.0.beta5 contai...
CVE-2024-47130
The goTenna Pro App allows unauthenticated attackers to remotely update the local public keys used for P2P and group messages. It is advised to update your app to the current release for enhanced encryption protocols...
CVE-2024-47130 Missing Authentication for Critical Function in goTenna Pro
The goTenna Pro App allows unauthenticated attackers to remotely update the local public keys used for P2P and group messages. It is advised to update your app to the current release for enhanced encryption protocols...
CVE-2024-47130
CVE-2024-47130 describes a Missing Authentication for a Critical Function in the goTenna Pro App, enabling unauthenticated attackers to remotely update the local public keys used for P2P and group messages. Connected sources indicate this affects the goTenna Pro App (Pro series) with high impact ...
PT-2024-29981 · Espressif · Esp-Now
Name of the Vulnerable Software and Affected Versions: ESP-NOW Component (affected versions not specified). Description: The ESP-NOW Component provides a connectionless Wi-Fi communication protocol. An Out-of-Bound (OOB) vulnerability was discovered in the implementation of the ESP-NOW group type...
ESP-NOW Buffer Error Vulnerability
ESP-NOW is a Wi-Fi communication protocol open-sourced by Espressif Systems. A buffer error vulnerability exists in ESP-NOW versions 2.5.1 and earlier, which stems from a failure to check the addrsnum field when implementing ESP-NOW group type messages, which could lead to memory corruption relat...
PT-2022-15815 · Erpnext · Erpnext
Name of the Vulnerable Software and Affected Versions: ERPNext versions v11.0.0-beta through v13.0.2. Description: The issue concerns missing authorization in the chat rooms functionality. A low-privileged attacker can send direct or group messages to any member or group, impersonating themselves ...
Authentication flaw
A vulnerability, which was classified as critical, was found in WoWonder. Affected is the file /requests.php which is responsible to handle group messages. The manipulation of the argument groupid allows posting messages in other groups. It is possible to launch the attack remotely but it might...
CVE-2022-1753 WoWonder Group requests.php access control
A vulnerability, which was classified as critical, was found in WoWonder. Affected is the file /requests.php which is responsible to handle group messages. The manipulation of the argument groupid allows posting messages in other groups. It is possible to launch the attack remotely but it might...
Envato WoWonder Security Vulnerability
Envato WoWonder is an application from the Australian company Envato. It provides a PHP social networking script. A security vulnerability exists in Envato WoWonder. An attacker could use this vulnerability to post messages in other groups via the groupid operation...
PT-2021-23075 · Discourse · Discourse
Name of the Vulnerable Software and Affected Versions: Discourse versions prior to the latest commit. Description: Discourse is a platform for community discussion. In affected versions, any private message that includes a group had its title and participating user exposed to users that do not hav...