Lucene search

52113 matches found

Cvelist
added 2026/04/03 6:0 a.m. | 18 views

CVE-2026-5455 Dialogue App ca.diagram.dialogue config.json hard-coded key

A vulnerability was determined in Dialogue App up to 4.3.2 on Android. The affected element is an unknown function of the file res/raw/config.json of the component ca.diagram.dialogue. Executing a manipulation of the argument SEGMENT_WRITE_KEY can lead to use of hard-coded cryptographic key...

CVSS 4.8 | EPSS 0.00012
Exploits: 0 | References: 4

CVE
added 2026/04/03 6:0 a.m. | 6 views

CVE-2026-5455

CVE-2026-5455 affects Dialogue App up to version 4.3.2 on Android. The vulnerable element is an unknown function in file res/raw/config.json of the ca.diagram.dialogue component. Manipulation of the argument SEGMENT_WRITE_KEY can lead to use of a hard-coded cryptographic key. The attack is local-...

CVSS 4.8 | AI score 5.4 | EPSS 0.00012
Exploits: 0 | References: 4

Vulnrichment
added 2026/04/03 6:0 a.m. | 3 views

CVE-2026-5455 Dialogue App ca.diagram.dialogue config.json hard-coded key

A vulnerability was determined in Dialogue App up to 4.3.2 on Android. The affected element is an unknown function of the file res/raw/config.json of the component ca.diagram.dialogue. Executing a manipulation of the argument SEGMENT_WRITE_KEY can lead to use of hard-coded cryptographic key...

CVSS 4.8 | AI score 5.4 | EPSS 0.00012
Exploits: 0 | References: 4

NVD
added 2026/04/03 5:16 a.m. | 4 views

CVE-2026-5454

A vulnerability was found in GRID Organiser App up to 1.0.5 on Android. Impacted is an unknown function of the file res/raw/app.json of the component co.gridapp.organiser. Performing a manipulation of the argument SegmentWriteKey results in use of hard-coded cryptographic key. The attack is...

CVSS 4.8 | EPSS 0.00005
Exploits: 0 | References: 4

CVE
added 2026/04/03 4:45 a.m. | 6 views

CVE-2026-5454

The vulnerability CVE-2026-5454 affects GRID Organiser App up to version 1.0.5 on Android, specifically the component co.gridapp.organiser. The issue resides in the file res/raw/app.json where manipulating the SegmentWriteKey leads to use of a hard-coded cryptographic key. This attack requires lo...

CVSS 4.8 | AI score 5.4 | EPSS 0.00005
Exploits: 0 | References: 4

Snyk
added 2026/04/03 4:4 a.m. | 2 views

Out-of-bounds Read

Overview: signalk-server is an implementation of a Signal K server for boats. Affected versions of this package are vulnerable to Out-of-bounds Read in the from field of JSON-patch operations. An attacker can access internal Node.js functions and prototype state by crafting a payload that targe...

CVSS 6.5 | AI score 5.9 | EPSS 0.00067
Exploits: 1 | References: 2

Github Security Blog
added 2026/04/03 3:47 a.m. | 11 views

OpenSTAManager: SQL Injection via Aggiornamenti Module

Description The Aggiornamenti Updates module in OpenSTAManager query'SET FOREIGNKEYCHECKS=0'; // Line 69: FK checks DISABLED $errors = ; $executed = 0; foreach $queries as $query try $dbo-query$query; // Line 76: DIRECT EXECUTION ++$executed; catch Exception $e $errors = $query.' - '.$e-getMessag...

CVSS 8.8 | AI score 6.5 | EPSS 0.00034
Exploits: 1 | References: 5 | Affected Software: 1

OSV
added 2026/04/03 3:28 a.m. | 1 views

GHSA-78H2-9FRX-2JM8 Go JOSE Panics in JWE decryption

Impact: Decrypting a JSON Web Encryption (JWE) object will panic if the alg field indicates a key wrapping algorithm (one ending in KW, with the exception of A128GCMKW, A192GCMKW, and A256GCMKW) and the encrypted_key field is empty. The panic happens when cipher.KeyUnwrap in keywrap.go attempts to...

CVSS 7.5 | AI score 6 | EPSS 0.00035
Exploits: 0 | References: 4

Snyk
added 2026/04/03 3:28 a.m. | 0 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception in the cipher.KeyUnwrap function when decrypting a JSON Web Encryption (JWE) object with a key wrapping algorithm ending in 'KW', except for 'A128GCMKW', 'A192GCMKW', and 'A256GCMKW' and the encrypted_key field is empty...

CVSS 8.7 | AI score 5.9 | EPSS 0.00035
Exploits: 0 | References: 2

Snyk
added 2026/04/03 3:28 a.m. | 2 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception in the cipher.KeyUnwrap function when decrypting a JSON Web Encryption (JWE) object with a key wrapping algorithm ending in 'KW', except for 'A128GCMKW', 'A192GCMKW', and 'A256GCMKW' and the encrypted_key field is empty...

CVSS 8.7 | AI score 5.9 | EPSS 0.00035
Exploits: 0 | References: 2

Snyk
added 2026/04/03 3:28 a.m. | 1 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception in the cipher.KeyUnwrap function when decrypting a JSON Web Encryption (JWE) object with a key wrapping algorithm ending in 'KW', except for 'A128GCMKW', 'A192GCMKW', and 'A256GCMKW' and the encrypted_key field is empty...

CVSS 8.7 | AI score 5.9 | EPSS 0.00035
Exploits: 0 | References: 2

Snyk
added 2026/04/03 3:28 a.m. | 2 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception in the cipher.KeyUnwrap function when decrypting a JSON Web Encryption (JWE) object with a key wrapping algorithm ending in 'KW', except for 'A128GCMKW', 'A192GCMKW', and 'A256GCMKW' and the encrypted_key field is empty...

CVSS 8.7 | AI score 5.9 | EPSS 0.00035
Exploits: 0 | References: 2

Snyk
added 2026/04/03 3:28 a.m. | 2 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception in the cipher.KeyUnwrap function when decrypting a JSON Web Encryption (JWE) object with a key wrapping algorithm ending in 'KW', except for 'A128GCMKW', 'A192GCMKW', and 'A256GCMKW' and the encrypted_key field is empty...

CVSS 8.7 | AI score 5.9 | EPSS 0.00035
Exploits: 0 | References: 2

Snyk
added 2026/04/03 3:2 a.m. | 2 views

Incorrect Authorization

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Incorrect Authorization via the Control UI bootstrap JSON process. An attacker can obtain sensitive information, such as version and assistant agent ID, by accessing the exposed payload...

CVSS 6.9 | AI score 5.9 | EPSS 0.00041
Exploits: 0 | References: 2

Snyk
added 2026/04/03 2:54 a.m. | 0 views

Denial of Service (DoS)

Overview: @openclaw/msteams is an OpenClaw Microsoft Teams channel plugin. Affected versions of this package are vulnerable to Denial of Service (DoS) via the MS Teams webhook process. An attacker can cause resource exhaustion by sending unauthenticated requests that are parsed before proper JWT...

CVSS 8.7 | AI score 5.8
Exploits: 0 | References: 2

Snyk
added 2026/04/03 2:54 a.m. | 1 views

Denial of Service (DoS)

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Denial of Service (DoS) via the MS Teams webhook process. An attacker can cause resource exhaustion by sending unauthenticated requests that are parsed before proper JWT validation. Details...

CVSS 8.7 | AI score 5.9
Exploits: 0 | References: 2

Github Security Blog
added 2026/04/03 2:54 a.m. | 2 views

OpenClaw: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion

Summary: MS Teams webhook parses body before JWT validation, enabling unauthenticated resource exhaustion. Current Maintainer Triage: Status: open; Normalized severity: medium; Assessment: v2026.3.28 still parses Teams JSON after only a Bearer-prefix gate and before real JWT validation, and the...

CVSS 8.7 | AI score 5.9 | EPSS 0.00228
Exploits: 0 | References: 6 | Affected Software: 1

Positive Technologies
added 2026/04/03 12:0 a.m. | 2 views

PT-2026-30275

Summary: A Server Side Request Forgery (SSRF) vulnerability in download bytes from url allows any actor who can control batch input JSON to make the vLLM batch runner issue arbitrary HTTP/HTTPS requests from the server, without any URL validation or domain restrictions. This can be used to target...

CVSS 5.4 | AI score 6.1 | EPSS 0.00046
Exploits: 1 | References: 6

Apache Tomcat
added 2026/04/03 12:0 a.m. | 6 views

Fixed in Apache Tomcat 9.0.117

Moderate: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled CVE-2026-34500 CLIENTCERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used. This was fixed with commit ff589ab2. This issue was reported to the Tomcat security...

CVSS 7.5 | AI score 5.9 | EPSS 0.12919
Exploits: 5 | Affected Software: 1

Positive Technologies
added 2026/04/03 12:0 a.m. | 2 views

PT-2026-30233

Zulip is an open-source team collaboration tool. From version 1.4.0 to before version 11.6, ./manage.py import reads arbitrary files from the server filesystem via path traversal in uploads/records.json. A crafted export tarball causes the server to copy any file the zulip user can read into the...

CVSS 6.1 | AI score 6 | EPSS 0.00006
Exploits: 1 | References: 3