Insufficient Verification of Data Authenticity

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the cron process. An attacker can cause untrusted events to be labeled as trusted system events by triggering isolated cron agent runs...

MAL-2026-3039 Malicious code in process-app-task (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e9459ef3208e8a07fbb99a80ce6bc5f0a6b9c6511da51241bac7c034632b7e1 The package process-app-task was found to contain malicious code. Source: ghsa-malware e03db779eee12801bb79b31d14cb5519f499b54a039c4428b125a23c26a652...

Malicious code in process-app-task (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 8e9459ef3208e8a07fbb99a80ce6bc5f0a6b9c6511da51241bac7c034632b7e1 The package process-app-task was found to contain malicious code. Source: ghsa-malware e03db779eee12801bb79b31d14cb5519f499b54a039c4428b125a23c26a652...

[SECURITY] Fedora 44 Update: qt6-qtremoteobjects-6.10.3-1.fc44

Qt Remote Objects QtRO is an inter-process communication IPC module devel oped for Qt...

CVE-2026-31653

A flaw was found in the Linux kernel's Data Access MONitor DAMON subsystem. When a process being monitored by DAMON terminates unexpectedly, a memory leak can occur because a control structure is not properly deallocated. This can lead to a gradual consumption of system memory, potentially causin...

CVE-2026-35369

An argument parsing error in the kill utility of uutils coreutils incorrectly interprets kill -1 as a request to send the default signal SIGTERM to PID -1. Sending a signal to PID -1 causes the kernel to terminate all processes visible to the caller, potentially leading to a system crash or massi...

CVE-2026-31567

A flaw was found in the Linux kernel. When the pmrestoregfpmask function is invoked during certain hibernation processes, it can erroneously trigger a warning. This leads to the generation of spurious false warning messages in system logs, which may obscure legitimate issues and cause minor...

CVE-2026-31621

The CVE-2026-31621 issue affects the Linux kernel bnge driver: on failure of auxiliary_device_add(), the error path calls auxiliary_device_uninit() but does not return, causing a null dereference when cleanup runs bnge_aux_dev_release() (bd->auxr_dev is freed and then dereferenced). Red Hat re...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the compilePipeline process. An attacker can execute arbitrary shell commands during the build process by supplying a crafted configuration file that sets pipeline.uses to a value containing directory traversal...

CVE-2026-33318

Actual is a local-first personal finance tool. Prior to version 26.4.0, any authenticated user including BASIC role can escalate to ADMIN on servers migrated from password authentication to OpenID Connect. Three weaknesses combine: POST /account/change-password has no authorization check, allowin...

CVE-2026-41325

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... It is also possible to customize th...

EUVD-2026-25371

Kirby is an open-source content management system. Kirby's user permissions control which user role is allowed to perform specific actions to content models in the CMS. These permissions are defined for each role in the user blueprint site/blueprints/users/.... It is also possible to customize th...

Oracle Business Process Management Suite (12.2.1.4.0) (April 2026 CPU)

The version of Oracle Business Process Management Suite installed on the remote host is affected by a vulnerability, as referenced in the April 2026 CPU advisory: - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware component: Document Service...

Oracle Business Process Management Suite (14.1.2.0.0) (April 2026 CPU)

The version of Oracle Business Process Management Suite installed on the remote host is affected by a vulnerability, as referenced in the April 2026 CPU advisory: - Vulnerability in the Oracle Business Process Management Suite product of Oracle Fusion Middleware component: Composer Apache Commons...

CVE-2026-26210

KTransformers through 0.5.3 contains an unsafe deserialization vulnerability in the balanceserve backend mode where the scheduler RPC server binds a ZMQ ROUTER socket to all interfaces with no authentication and deserializes incoming messages using pickle.loads without validation. Attackers can...

CVE-2026-41357

OpenClaw before 2026.3.31 contains an environment variable leakage vulnerability in SSH-based sandbox backends that pass unsanitized process.env to child processes. Attackers can exploit this by leveraging non-default SSH environment forwarding configurations to leak sensitive environment variabl...

cmd/go: golang: Go (golang) and cmd/go: Arbitrary Code Execution via malicious SWIG file names

A flaw was found in the Go programming language golang and its command-line tool cmd/go. A remote attacker could exploit this during the build process by crafting malicious SWIG Simplified Wrapper and Interface Generator file names that contain "cgo" and specific payloads. This could lead to code...

CVE-2026-6919

Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Chromium security severity: High...

CVE-2026-3259

A Generation of Error Message Containing Sensitive Information vulnerability in the Materialized View Refresh mechanism in Google BigQuery on Google Cloud Platform allows an authenticated user to potentially disclose sensitive data using a crafted materialized view that triggers a runtime error...

xfs: stop reclaim before pushing AIL during unmount

...