PT-2026-31899

Name of the Vulnerable Software and Affected Versions Checkmk versions prior to 2.5.0b4 and prior to 2.4.0p26 Description A flaw exists in Checkmk that allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands through a crafted service...

Checkmk 安全漏洞

Checkmk is an IT monitoring platform developed by Checkmk Corporation. Versions of Checkmk prior to 2.5.0b4 and 2.4.0p26 contained security vulnerabilities. These vulnerabilities stemmed from Livestatus injection during notification testing modes, allowing authenticated users to inject arbitrary...

CVE-2026-33456

Livestatus injection in the notification test mode in Checkmk 2.5.0b4 and 2.4.0p26 allows an authenticated user with access to the notification test page to inject arbitrary Livestatus commands via a crafted service description...

OpenClaw 安全漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.25 contained security vulnerabilities. These vulnerabilities stemmed from a validation notification bypass that circumvented direct message policy checks and resulted in...

EUVD-2026-21051

A vulnerability was found in FoundationAgents MetaGPT up to 0.8.1. Impacted is the function getmimetype of the file metagpt/utils/common.py. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. The project was...

CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-40109

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-40109 Flux notification-controller GCR Receiver missing email validation allows unauthorized reconciliation triggering

Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. Prior to 1.8.3, the gcr Receiver type in Flux notification-controller does not validate the email claim of Google OIDC tokens used for Pub/Sub push authentication. This allows any...

CVE-2026-40109

CVE-2026-40109 affects Flux notification-controller (GitOps Toolkit) prior to version 1.8.3. The vulnerability lies in the gcr Receiver type not validating the email claim of Google OIDC tokens used for Pub/Sub push authentication, allowing any valid Google-issued token to authenticate against th...

CVE-2026-39366

WWBN AVideo is an open source video platform. In versions 26.0 and prior, the PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions...

PT-2026-31735

Name of the Vulnerable Software and Affected Versions Flux notification-controller versions prior to 1.8.3 Description Flux notification-controller is the event forwarder and notification dispatcher for the GitOps Toolkit controllers. The gcr Receiver type does not validate the email claim of...

notification-controller 数据伪造问题漏洞

Notification-Controller is a GitOps notification controller open source in the Flux project. Versions of Notification-Controller prior to 1.8.3 had a data manipulation vulnerability. This vulnerability stemmed from the lack of verification of the email claim for Google OIDC tokens, which could...

EUVD-2026-19878

WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php...

WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php

Summary The PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate...

GHSA-MMW7-WQ3C-WF9P WWBN AVideo Affected by a PayPal IPN Replay Attack Enabling Wallet Balance Inflation via Missing Transaction Deduplication in ipn.php

Summary The PayPal IPN v1 handler at plugin/PayPalYPT/ipn.php lacks transaction deduplication, allowing an attacker to replay a single legitimate IPN notification to repeatedly inflate their wallet balance and renew subscriptions. The newer ipnV2.php and webhook.php handlers correctly deduplicate...

CVE-2026-39401

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an updateevent key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privile...

CVE-2026-39401

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an updateevent key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privile...

EUVD-2026-19925

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an updateevent key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privile...

CVE-2026-39401 Privilege Escalation via update_event Job Output in Cronicle

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an updateevent key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privile...