Insufficient Verification of Data Authenticity

Overview org.webjars.npm:electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the webContents.executeJavaScript function. An attacker...

Hidden Functionality

Overview org.webjars.npm:electron is a framework which lets you write cross-platform desktop applications using JavaScript, HTML and CSS. Affected versions of this package are vulnerable to Hidden Functionality via the commandLineSwitches webPreference. An attacker can inject arbitrary command-li...

ROS-20260403-73-0031

A vulnerability in the mips/kernel/process.c component of the Linux kernel is related to pointer dereferencing errors. Exploitation of the vulnerability allows an attacker to cause a denial of service...

PT-2026-30256

Emlog is an open source website building system. Prior to version 2.6.8, the backend upgrade interface accepts remote SQL and ZIP URLs via GET parameters. The server first downloads and executes the SQL file, then downloads the ZIP file and extracts it directly into the web root directory. This...

PT-2026-30008

Impact A service worker running in a session could spoof reply messages on the internal IPC channel used by webContents.executeJavaScript and related methods, causing the main-process promise to resolve with attacker-controlled data. Apps are only affected if they have service workers registered...

Focalboard 安全漏洞

Focalboard is a multilingual, self-hosted project management tool open source by Mattermost Community. Version 8.0 of Focalboard contains a security vulnerability. This vulnerability stems from the lack of verification of file ownership during the upload process, which may allow authenticated...

EUVD-2025-209194

The issue was addressed with improved memory handling. This issue is fixed in macOS Sequoia 15.6. Processing a maliciously crafted image may corrupt process memory...

GHSA-J9PV-RRCJ-6PFX OpenClaw: SSH-based sandbox backends pass unsanitized process.env to child processes

Summary SSH-based sandbox backends pass unsanitized process.env to child processes Current Maintainer Triage - Status: narrow - Normalized severity: low - Assessment: Shipped SSH sandbox paths leaked unsanitized env into local SSH child processes, but remote leakage needs non-default SSH env...

Incorrect Authorization

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Incorrect Authorization in the heartbeat process. An attacker can gain unauthorized access to restricted resources by exploiting context inheritance to bypass sandbox restrictions through...

Replay Attack

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Replay Attack in the callback process. An attacker can alter the origin of a Plivo callback before it is rejected by replaying a captured valid callback for a live call. Remediation Upgra...

EUVD-2026-18350

A Time-of-Check to Time-of-Use TOCTOU race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload during the flashing process...

CVE-2026-30332

A Time-of-Check to Time-of-Use TOCTOU race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload during the flashing process...

CVE-2026-30287

An arbitrary file overwrite vulnerability in Deep Thought Industries ACE Scanner PDF Scanner v1.4.5 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure...

CVE-2026-30292

An arbitrary file overwrite vulnerability in Docudepot PDF Reader: PDF Viewer APP v1.0.34 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure...

CVE-2026-4947

Addressed a potential insecure direct object reference IDOR vulnerability in the signing invitation acceptance process. Under certain conditions, this issue could have allowed an attacker to access or modify unauthorized resources by manipulating user-supplied object identifiers, potentially...

CVE-2026-30332

A Time-of-Check to Time-of-Use TOCTOU race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload during the flashing process...

Etcher 安全漏洞

Etcher is an operating system image burning tool developed by balena. Versions of Etcher prior to 2.1.4 contained security vulnerabilities. These vulnerabilities were caused by race conditions, allowing attackers to replace legitimate scripts with malicious payloads during the burning process,...

CVE-2026-30332

Balena Etcher for Windows versions before 2.1.4 is vulnerable to a TOCTOU race during flashing. An attacker can replace a temporary .cmd file created in a user-writable temp directory with a crafted payload, which is then executed with elevated privileges via Windows UAC, allowing privilege escal...

PT-2026-29795

A Time-of-Check to Time-of-Use TOCTOU race condition vulnerability in Balena Etcher for Windows prior to v2.1.4 allows attackers to escalate privileges and execute arbitrary code via replacing a legitimate script with a crafted payload during the flashing process...

PT-2026-38110

Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.96 Description A use after free issue in Fullscreen on Windows allows a remote attacker who has compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Use...