CVE-2026-25673

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. URLField.topython in Django calls urllib.parse.urlsplit, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial o...

CVE-2026-25673

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. URLField.topython in Django calls urllib.parse.urlsplit, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial o...

CVE-2026-25673 Potential denial-of-service vulnerability in URLField via Unicode normalization on Windows

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. URLField.topython in Django calls urllib.parse.urlsplit, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial o...

CVE-2026-25673

An issue was discovered in 6.0 before 6.0.3, 5.2 before 5.2.12, and 4.2 before 4.2.29. URLField.topython in Django calls urllib.parse.urlsplit, which performs NFKC normalization on Windows that is disproportionately slow for certain Unicode characters, allowing a remote attacker to cause denial o...

CVE-2025-30044

In the endpoints "/cgi-bin/CliniNET.prd/utils/usrlogstatsimple.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "/cgi-bin/CliniNET.prd/utils/userlogstat2.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", the parameters are not sufficiently normalized, which enables code injection...

Allocation of Resources Without Limits or Throttling

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through improper handling of client IP address normalization in the authentication rate-limiting process. An attacker can increase the...

GHSA-5847-RM3G-23MW OpenClaw has hook auth rate limiter bypass via IPv4-mapped IPv6 client key variants

Vulnerability The hook authentication throttle keyed failed attempts by raw socket remoteAddress text. IPv4 and IPv4-mapped IPv6 forms of the same client for example 1.2.3.4 and ::ffff:1.2.3.4 were treated as different clients, allowing separate rate-limit buckets. Impact An attacker could split...

PT-2026-22741

Name of the Vulnerable Software and Affected Versions Django versions 6.0 through 6.0.2 Django versions 5.2 through 5.2.11 Django versions 4.2 through 4.2.28 Django versions 5.0.x and earlier Django versions 4.1.x and earlier Django versions 3.2.x and earlier Description The URLField.to python...

Django 安全漏洞

Django is a Python-based open-source web framework developed by the Django Foundation. This framework includes an object-oriented mapper, view system, template system, etc. Versions of Django prior to 6.0.3, 5.2.12, and 4.2.29 contained security vulnerabilities. These vulnerabilities stemmed from...

PT-2026-26402

Summary Feishu allowlist authorization could be bypassed by display-name collision. Details channels.feishu.allowFrom is documented as an ID-based allowlist open id list, but Feishu policy matching accepted mutable sender display names in the same namespace. An attacker could set a display name...

OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)

Summary Unauthenticated requests to a reachable Zalo webhook endpoint could trigger unbounded in-memory key growth by varying query strings on the same valid webhook route. Impact An attacker could cause memory pressure and potential process instability or OOM, degrading availability. Fix Webhook...

GHSA-WR6M-JG37-68XH OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)

Summary Unauthenticated requests to a reachable Zalo webhook endpoint could trigger unbounded in-memory key growth by varying query strings on the same valid webhook route. Impact An attacker could cause memory pressure and potential process instability or OOM, degrading availability. Fix Webhook...

CVE-2025-48567

In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

CVE-2025-48567

In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

CVE-2025-48567

In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

CVE-2025-48567

In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

CVE-2025-48567

In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for...

CVE-2025-48567

CVE-2025-48567 involves a bypass of a file path filter intended to restrict access to sensitive directories, caused by incorrect Unicode normalization. This can enable local escalation of privilege; exploitation requires user interaction. The CVE is referenced across multiple sources (NVD, Red Ha...

GHSA-R4WM-X892-VJMX Nest has a Fastify URL Encoding Middleware Bypass

Impact What kind of vulnerability is it? Who is impacted? A NestJS application using @nestjs/platform-fastify can allow bypass of any middleware when Fastify path-normalization options e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter are enabled. In affected route-scoped...

Nest has a Fastify URL Encoding Middleware Bypass

Impact What kind of vulnerability is it? Who is impacted? A NestJS application using @nestjs/platform-fastify can allow bypass of any middleware when Fastify path-normalization options e.g., ignoreTrailingSlash, ignoreDuplicateSlashes, useSemicolonDelimiter are enabled. In affected route-scoped...