CVE-2026-25157
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When th...
CVE-2026-25157 OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand
OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When th...
CVE-2026-25157
OpenClaw/OpenClaw-related CVEs (CVE-2026-25157) describe OS command injection in sshNodeCommand and related SSH parsing logic, affecting macOS OpenClaw components prior to version 2026.1.29. The root causes are: (1) sshNodeCommand builds a shell script and escapes user input for a project path on...
OpenClaw/Clawdbot has OS Command Injection via Project Root Path in sshNodeCommand
Two related vulnerabilities existed in the macOS application's SSH remote connection handling (CommandResolver.swift). Details: The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescap...
Directory Traversal
Overview: dbt-osmosis is a dbt utility for managing YAML to make developing with dbt more delightful. Affected versions of this package are vulnerable to Directory Traversal via the YAML path handling logic in src/dbtosmosis/core/pathmanagement.py. An attacker can perform path traversal by...
CVE-2026-24812
Vulnerability in root-project root builtins/zlib modules. This vulnerability is associated with program files inftrees.C. This issue affects root: through 6.36.00-rc1...
AZL-75354 CVE-2026-24811 affecting package fltk 1.3.5-4
Vulnerability in root-project root builtins/zlib modules. This vulnerability is associated with program files inffast.C. This issue affects root...
CVE-2026-24811 An improper pointer arithmetic in root-project/root at builtins/zlib/inffast.c
Vulnerability in root-project root builtins/zlib modules. This vulnerability is associated with program files inffast.C. This issue affects root...
GHSA-XPQM-WM3M-F34H pnpm scoped bin name Path Traversal allows arbitrary file creation outside node_modules/.bin
Summary: A path traversal vulnerability in pnpm's bin linking allows malicious npm packages to create executable shims or symlinks outside of node_modules/.bin. Bin names starting with @ bypass validation, and after scope normalization, path traversal sequences like ../../ remain intact. Details: Th...
CVE-2025-46565
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network usi...
CVE-2025-46565 Vite's server.fs.deny bypassed with /. for files under project root
Vite is a frontend tooling framework for javascript. Prior to versions 6.3.4, 6.2.7, 6.1.6, 5.4.19, and 4.5.14, the contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network usi...
CVE-2025-46565
CVE-2025-46565 (Vite) affects Vite < 6.3.4, < 6.2.7, < 6.1.6, < 5.4.19, and
Directory Traversal
Overview: org.webjars.npm:vite is a Native-ESM powered web dev build tool. Affected versions of this package are vulnerable to Directory Traversal through the server.fs.deny configuration due to improper input sanitization. An attacker can bypass server.fs.deny with /. for files under project root...
Vite's server.fs.deny bypassed with /. for files under project root
Summary: The contents of files in the project root that are denied by a file matching pattern can be returned to the browser. Impact: Only apps explicitly exposing the Vite dev server to the network using --host or server.host config option are affected. Only files that are under project root and a...
Vite access control error vulnerability
Vite is an open source front-end build tool. Vite has an access control error vulnerability that an attacker can exploit to bypass the development server's protection mechanism and illegally access sensitive files outside the project root directory...
Path Traversal
hyper-bump-it is vulnerable to Path Traversal. The vulnerability is due to a lack of validating whether matched files are within the project root directory. As a result, this could lead to changes being written to files outside of the project which allows an attacker to cause files to be edited...
CVE-2023-41057 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in hyper-bump-it
hyper-bump-it is a command line tool for updating the version in project files. hyper-bump-it reads a file glob pattern from the configuration file. That is combined with the project root directory to construct a full glob pattern that is used to find files that should be edited. These matched fil...