OpenClaw: Matrix thread root and reply context bypass sender allowlist

Summary Matrix thread root and reply context bypass sender allowlist Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28 Matrix because fetched thread-root/reply context bypasses sender allowlists, with unreleased mainline filtering fix...

GHSA-RG8M-3943-VM6Q OpenClaw: Matrix thread root and reply context bypass sender allowlist

Summary Matrix thread root and reply context bypass sender allowlist Current Maintainer Triage - Status: open - Normalized severity: medium - Assessment: Real in shipped v2026.3.28 Matrix because fetched thread-root/reply context bypasses sender allowlists, with unreleased mainline filtering fix...

PT-2026-35761

Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.3.31 Description An allowlist bypass exists in Matrix thread root and reply context handling due to improper validation of message senders. This allows attackers to fetch thread-root and reply context messages...

@dojo/cli-test-intern (>=0.1.0 <=2.0.0-beta3.1), express_mvc (>=4.1.1 <=4.3.10) +7 more potentially affected by CVE-2026-4800 via lodash-amd (>=4.16.4 <=4.17.23)

lodash-amd NPM version =4.16.4, =0.1.0, =4.1.1, =3.4.0, =0.0.1, =1.0.14, =0.0.7, =0.0.1, =0.1.5 - xirtam--matrix-operations =0.1.3 Source cves: CVE-2026-4800 Source advisory: OSV:GHSA-R5FR-RJXR-66JC...

@dojo/cli-test-intern (>=0.1.0 <=2.0.0-beta3.1), express_mvc (>=4.1.1 <=4.3.10) +7 more potentially affected by CVE-2021-23337 +1 more via lodash-amd (>=4.16.4 <=4.17.23)

lodash-amd NPM version =4.16.4, =0.1.0, =4.1.1, =3.4.0, =0.0.1, =1.0.14, =0.0.7, =0.0.1, =0.1.5 - xirtam--matrix-operations =0.1.3 Source cves: CVE-2021-23337, CVE-2026-4800 Source advisory: SNYK:JS-LODASHAMD-15869626...

CVE-2026-34534

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a heap-buffer-overflow HBO in CIccMpeSpectralMatrix::Describe. The issue is observable under AddressSanitizer as an out-of-bounds heap read when...

EUVD-2026-17695

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a heap-buffer-overflow HBO in CIccMpeSpectralMatrix::Describe. The issue is observable under AddressSanitizer as an out-of-bounds heap read when...

CVE-2026-34534

iccDEV’s CVE-2026-34534 describes a heap-buffer-overflow in CIccMpeSpectralMatrix::Describe() triggered by processing a crafted ICC profile. Before version 2.3.1.6, this can cause an out-of-bounds heap read observable under AddressSanitizer when running iccDumpProfile on a malicious profile. The ...

CVE-2026-34534

iccDEV provides a set of libraries and tools for working with ICC color management profiles. Prior to version 2.3.1.6, a crafted ICC profile can trigger a heap-buffer-overflow HBO in CIccMpeSpectralMatrix::Describe. The issue is observable under AddressSanitizer as an out-of-bounds heap read when...

Incorrect Authorization

Overview @openclaw/matrix is an OpenClaw Matrix channel plugin Affected versions of this package are vulnerable to Incorrect Authorization via the DM access check process. An attacker can interact with unpaired or unauthorized DM peers by sending verification notices that bypass intended access...

OpenClaw: Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers

Summary Matrix Verification Notices Bypass Matrix DM Policy and Reply to Unpaired DM Peers Affected Packages / Versions - Package: openclaw - Affected versions: = 2026.3.24 - First patched version: 2026.3.25 - Latest published npm version at verification time: 2026.3.24 Details Matrix verificatio...

CVE-2026-3984

A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file saveupathlete.php. This manipulation of the argument aname causes cross site scripting. It is possible to initiate the attack remotely. Th...

CVE-2026-33501

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...

CVE-2026-3912

CVE-2026-3912 affects TIBCO ActiveMatrix BusinessWorks and Enterprise Administrator. The issue is an injection vulnerability arising from validation/sanitisation gaps for user-supplied input, leading to information disclosure (including accessible local files and host system details) and potentia...

CVE-2026-33501

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...

CVE-2026-33501

WWBN AVideo is an open source video platform. In versions up to and including 26.0, the endpoint plugin/Permissions/View/Usersgroupspermissions/list.json.php lacks any authentication or authorization check, allowing unauthenticated users to retrieve the complete permission matrix mapping user...

EUVD-2026-11533

A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file saveupathlete.php. This manipulation of the argument aname causes cross site scripting. It is possible to initiate the attack remotely. Th...

EUVD-2026-11532

A security flaw has been discovered in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This affects an unknown part of the file save-games.php. The manipulation of the argument gamename results in cross site scripting. The attack may be performed from remote. The exploit...

CVE-2026-3983

A security flaw has been discovered in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This affects an unknown part of the file save-games.php. The manipulation of the argument gamename results in cross site scripting. The attack may be performed from remote. The exploit...

CVE-2026-3984 Campcodes Division Regional Athletic Meet Game Result Matrix System save_up_athlete.php cross site scripting

A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file saveupathlete.php. This manipulation of the argument aname causes cross site scripting. It is possible to initiate the attack remotely. Th...