openSUSE 16 Security Update : tigervnc (openSUSE-SU-2026:20465-1)

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20465-1 advisory. - CVE-2026-34352: Fixed permissions to prevent other users from observing the screen, or modifying what is sent to the client. bsc1260871 Tenable has...

CVE-2026-39848

Dockyard is a Docker container management app. Prior to 1.1.0, Docker container start and stop operations are performed through GET requests without CSRF protection. A remote attacker can cause a logged-in administrator's browser to request /apps/action.php?action=stop&name= or...

EUVD-2026-21210

Dockyard is a Docker container management app. Prior to 1.1.0, Docker container start and stop operations are performed through GET requests without CSRF protection. A remote attacker can cause a logged-in administrator's browser to request /apps/action.php?action=stop&name= or...

CVE-2026-39848

Dockyard CVE-2026-39848 affects the Dockyard Docker container management app prior to version 1.1.0. The issue arises because start/stop operations for containers are triggered via GET requests to /apps/action.php?action=stop&name= or /apps/action.php?action=start&name= without CSRF protection, e...

CVE-2026-35618 OpenClaw < 2026.3.23 - Replay Identity Drift via Query-Only Variants in Plivo V2 Verification

OpenClaw before 2026.3.23 contains a replay identity vulnerability in Plivo V2 signature verification that allows attackers to bypass replay protection by modifying query parameters. The verification path derives replay keys from the full URL including query strings instead of the canonicalized...

CVE-2026-35618

OpenClaw OpenClaw package (Plivo V2 verification) vulnerability CVE-2026-35618 affects OpenClaw before 2026.3.23. The replay protection uses a replay key derived from the full verification URL, including query strings, instead of the base canonical URL. This allows an attacker to mint new verifie...

GHSA-CM8V-2VH9-CXF3 OpenClaw: GIT_DIR and related git plumbing env vars missing from exec env denylist (GHSA-m866-6qv5-p2fg variant)

Impact GITDIR and related git plumbing env vars missing from exec env denylist GHSA-m866-6qv5-p2fg variant. Git plumbing environment variables were not removed before host exec and could redirect Git operations. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenCla...

OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths

Impact QQ Bot Extension: Missing SSRF Protection on All Media Fetch Paths. QQ Bot media download paths were not consistently routed through the SSRF guard and allowlist policy. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a...

GHSA-3FV3-6P2V-GXWJ OpenClaw QQ Bot Extension missing SSRF Protection on All Media Fetch Paths

Impact QQ Bot Extension: Missing SSRF Protection on All Media Fetch Paths. QQ Bot media download paths were not consistently routed through the SSRF guard and allowlist policy. OpenClaw is a user-controlled local assistant. This advisory is scoped to the OpenClaw trust model and does not assume a...

RansomTrack: A Hybrid Behavioral Analysis Framework for Ransomware Detection

Ransomware poses a serious and fast-acting threat to critical systems, often encrypting files within seconds of execution. Research indicates that ransomware is the most reported cybercrime in terms of financial damage, highlighting the urgent need for early-stage detection before encryption is...

Securing Retrieval-Augmented Generation: A Taxonomy of Attacks, Defenses, and Future Directions

Retrieval-augmented generation RAG significantly enhances large language models LLMs but introduces novel security risks through external knowledge access. While existing studies cover various RAG vulnerabilities, they often conflate inherent LLM risks with those specifically introduced by RAG. I...

OpenClaw 代码问题漏洞

OpenClaw is an open-source intelligent artificial assistant developed by OpenClaw. Versions of OpenClaw prior to 2026.3.25 had code vulnerabilities. These vulnerabilities stemmed from insufficient protection configurations for multiple channel extensions, which could lead to server-side request...

📄 Microsoft Malware Protection Engine Type Confusion

Microsoft Malware Protection Engine type confusion vulnerability proof of concept exploit for an older vulnerability from 2017. ================================================================================================================================== | Title : Microsoft Malware Protection...

CVE-2026-39901

monetr is a budgeting application focused on planning for recurring expenses. Prior to 1.12.3, a transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deleti...

CVE-2026-5900

Policy bypass in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass of multi-download protections via a crafted HTML page. Chromium security severity: Low...

CVE-2026-35463

pyLoad is a free and open-source download manager written in Python. In 0.5.0b3.dev96 and earlier, the ADMINONLYOPTIONS protection mechanism restricts security-critical configuration values reconnect scripts, SSL certs, proxy credentials to admin-only access. However, this protection is only...

CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller

Summary The Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which writes it into the .env file via pregreplace. Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration...

GHSA-VFHX-5459-QHQH CI4MS Vulnerable to .env CRLF Injection via Unvalidated `host` Parameter in Install Controller

Summary The Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which writes it into the .env file via pregreplace. Because newline characters in the value are not stripped, an attacker can inject arbitrary configuration...

CVE-2026-30080

OpenAirInterface v2.2.0 accepts Security Mode Complete without any integrity protection. Configuration has supported integrity NIA1 and NIA2. But if an UE sends initial registration request with only security capability IA0, OpenAirInterface accepts and proceeds. This downgrade security context c...

CVE-2026-39394

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to 0.31.4.0, the Install::index controller reads the host POST parameter without any validation and passes it directly into updateEnvSettings, which...